Anatomy of my site hack

As you know my site was hacked recently, and here’s some background into what happened and how I dealt with it.

I first discovered that the admin page had lost its stylesheet and was not displaying correctly. I posted a question to AskMetaFilter and did some investigation based on the answers. Someone had modified almost every PHP file in my installation, adding a large eval() block that created some strange HTML when run. It was breaking almost every page of the admin interface.

If you’re not already aware, PHP is a programming language used to generate web pages “on the fly”, rather than the usual method of creating them and storing them on the server to be used later. It’s most often used with a database that acts as a storage area for data that PHP will format as part of the web page generation process. WordPress, along with a lot of other web site software, is built on top of PHP.

The hack took advantage of PHP’s ability to take an arbitrary string of binary code and turn that into HTML which would be sent to your browser and executed. A more technical description of the exploit is here.

I ran the WordPress Exploit Scanner and it popped up a bunch of errors about PHP files containing that eval() block. All of the modified files had the same block and were modified in the same way. But the number of files was large and spread over WordPress core files, plugin files and theme files. There was no simple way of fixing this other than the following.
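The kind of check the scanner was doing, as an added example (not the post's own code, nor the WordPress Exploit Scanner's): it flags eval() statements that are fed by a decoder or a long opaque string, then groups infected files by a hash of the injected block, so the "same block in every file" pattern described above shows up as a single cluster. The sample PHP sources are constructed; the decoder names and length threshold are assumptions to tune for your own install.

```python
# Added example (not the post's or WordPress's code): find PHP files carrying an
# injected eval() block and group them by block, so one mass injection shows as
# one cluster across core, plugin and theme files. Sample sources are constructed.
import hashlib
import re
from collections import defaultdict
from pathlib import Path

# One eval(...) statement, from the keyword to its terminating semicolon.
EVAL_STMT = re.compile(r"\beval\s*\(.*?\)\s*;", re.DOTALL)
# Decoders that legitimate WordPress code does not feed straight into eval().
DECODER = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# An opaque literal long enough to hide a payload (base64, hex or \x escapes).
OPAQUE = re.compile(r"['\"][A-Za-z0-9+/=\\x]{120,}['\"]")

def find_eval_blocks(source: str) -> list[str]:
    """Return every eval() statement in `source` that looks injected."""
    return [
        m.group(0)
        for m in EVAL_STMT.finditer(source)
        if DECODER.search(m.group(0)) or OPAQUE.search(m.group(0))
    ]

def group_by_block(sources: dict[str, str]) -> dict[str, list[str]]:
    """Map a short SHA-256 of each injected block to the files carrying it."""
    groups: dict[str, list[str]] = defaultdict(list)
    for name, source in sources.items():
        for block in find_eval_blocks(source):
            groups[hashlib.sha256(block.encode()).hexdigest()[:12]].append(name)
    return dict(groups)

def scan_tree(root: str) -> dict[str, list[str]]:
    """Read every .php file under a WordPress install and group the hits."""
    files = Path(root).rglob("*.php")
    return group_by_block({str(p): p.read_text(errors="replace") for p in files})

# Constructed sample: three files share one injected block; one file is clean.
INJECTED = "<?php eval(base64_decode('" + "QUJD" * 40 + "')); ?>\n"
SAMPLE_FILES = {
    "wp-admin/index.php": INJECTED + "<?php require_once 'admin.php'; ?>\n",
    "wp-content/plugins/foo/foo.php": INJECTED + "<?php add_action('init', 'foo'); ?>\n",
    "wp-content/themes/bar/functions.php": INJECTED,
    "wp-includes/version.php": "<?php $wp_version = '3.3.1'; ?>\n",
}

if __name__ == "__main__":
    for digest, hits in group_by_block(SAMPLE_FILES).items():
        print(f"block {digest}: {len(hits)} files -> {', '.join(hits)}")
```

Run `scan_tree("/path/to/wordpress")` against a real install; more than one cluster means more than one injection, and a cluster that includes core files is a signal to reinstall core rather than patch by hand.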

To fix it I had to:

  • Reinstall WordPress 3.3.1 from scratch
  • Edit the bogus code block out of some other files that weren’t updated with the WordPress reinstall
  • Delete all of my plugins and themes (too many files to fix by hand)
  • Change the password on my account, my database and my CPanel interface
  • Delete the default admin user
  • Reinstall all my plugins and themes

It’s been enlightening, although I hope I don’t have to do this again.

Please note that this is hardly the only active WordPress hack. This one was slick in that it was only obvious in the admin interface; regular site visitors would not have noticed anything (but their browsers would be executing the malicious code). One of the MetaFilter site members, kalessin, suffered an attack that also targeted his database. The attack and what he had to do to fix it are detailed in Part 1, Part 2 and Part 3.

Interestingly, my home email account was recently hacked as well, by someone in China. I’ve gone through a lot of my accounts recently and updated the passwords; it’s something everyone should do on a regular basis.