homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Code, Content, and Presentation / WordPress
Forum Library, Charter, Moderators: lorax & rogerd

WordPress Forum

New Wordpress Hack?

 1:22 am on Apr 15, 2012 (gmt 0)

A blog I admin triggered a "Trojan.Malscript.html" warning when I loaded its home page with Norton running. I immediately checked Google Webmaster Tools and a number of web-scanners like AVG and others. They all gave the site a clean bill of health. It was still causing Norton to go off, so I looked at the source code.

I found a link to a javascript file hosted on an Australian "organicfoodmarkets" domain. Digging into the theme files, I found that some had been modified to include a line of code that included "gzinflate(base64_decode" followed by a long string. This was translated into the bogus script load code when the page was displayed.

The odd thing was that the files had apparently been modified over a month earlier, and GWT, along with everyone else, didn't catch it. Another machine running TrendMicro let me load the page without objection.

I think this was most likely a server side hack, i.e., via compromised FTP or Wordpress login, vs. some kind of code vulnerability.

So, it's a good idea to keep your eye on file dates and, of course, exercise normal security precautions for logins and passwords. Had it not been for Norton, this might have persisted a lot longer without my knowing it. Checking your files for the base64 code above would disclose an identical exploit, though if the hacker has FTP access any number of nasty things could be done.



 2:02 am on Apr 15, 2012 (gmt 0)

Thanks for the info rogerd. I haven't come across this personally but will be looking out for it now.


 2:17 am on Apr 15, 2012 (gmt 0)

I think this was most likely a server side hack, i.e., via compromised FTP or Wordpress login, vs. some kind of code vulnerability.

Probably got in via Wordpress would be my guess as it's always responsible for some vulnerability somewhere, or even your hosted control panel as there have been some recent vulnerabilities in those as well.

However, if you're on shared hosting, they could've gotten in on any account and escalated privileges and performed that little trick server wide.


 5:16 pm on Apr 16, 2012 (gmt 0)

The intrusion seems to be confined to a single domain on that VPS. I had some work done on the site a few days before the files changed, and I'm guessing that there was some vulnerability on the coder's end. Even if he wasn't the source, he may have been hacked himself, had his login compromised, etc.

I deleted the coder's credentials once the work was complete and stable, but the intrusion (whether related or not) happened before that deletion.

Could be a coincidence, of course, and I don't rule out other possible hacks.


 11:07 am on May 2, 2012 (gmt 0)

i have a website, i was using word press, But now i have no website because my website was hoicked...


 6:37 am on May 3, 2012 (gmt 0)

Some more info about base64_decode hacks here-

The one I found on a shared hosting server had a "double secret" key file hidden with a non obvious file extension -- any time the corrupted file was deleted, the second file would replicate it.

Grep is your friend...

Global Options:
 top home search open messages active posts  

Home / Forums Index / Code, Content, and Presentation / WordPress
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved