Forum Replies Created

Viewing 5 replies - 1 through 5 (of 5 total)
  • Forum: Fixing WordPress
    In reply to: My site hacked?

    After much around-poking, I found a fix which clears up the immediate symptoms. I will have to leave to those who understand the code better to say whether it also removes any trace of the threat.

    1. As above, delete the WordPress Hit Counter Plug-in

    2. Find and change the permissions on the directories under wp-content/cache/hookd/DOMAINNAME.com from at least /hookd on down to 777.

    In my case the hack created a separate wp-content tree at the top (WP) level, so I just deleted the whole tree. If the bogus stuff got put under the real wp-content directory (as it seems for LFGabel above), you’ll have to sort out what’s real and not.

    3. Delete the bogus directories and their contents.

    4. In WP-Admin/Edit Links, remove the link “www.onlinegambling.eu”. If it doesn’t appear there, delete its record in the WP database table wp_links.

    5. In the WP database table wp_options delete the 4 records left by the Hit Counter (wp_version and three wphc records with consecutive option ids)

    I am hoping this gets rid of any traces of the exploit, and that the wp_footer action and $buffer line become moot once the evil code (as listed in LFGabel’s initial post on this thread) is gone with the deleted directories/files.

    In any case, this relieves the immediate symptoms in my installation. If someone else can shed more light on the rest of this (I don’t really understand the code or the execution model here) or let me know if I’ve done something really stupid and destructive, I’d greatly appreciate it.

    Forum: Fixing WordPress
    In reply to: My site hacked?

    One other thing that appears to link the hack to the WordPress Hit Counter plug-in. The bogus directories initially couldn’t have their permissions changed (it appeared to recreate them if changes were made). After I deleted the plug-in, I could change the permissions and delete the directories.

    Sadly, the code to insert the unwanted Blogroll entry was already hidden somewhere, so deleting the directories didn’t fix the problem.

    Can someone who knows about these things tell me where and how what kind of code can be hidden to have this effect?

    Thanks.

    Forum: Fixing WordPress
    In reply to: My site hacked?

    I assume this is WordPress related and not just a general PHP hack because it recreates a portion of the WP file structure and only appears in the WP-based website. It also coincides with the installation of the WordPress Hit Counter plug-in.

    Further to that, after uninstalling the WordPress Hit Counter plug-in, I was able to delete the bogus directories; however, the bogus Blogroll section still shows up on my site. I assumed from that that the original hack made some changes to the standard files. I looked through all the files, however, and found no modifications on or after that date except for two error logs. One of these indicated several database access errors on the 22nd, the date these problems appeared, which opens the possibility that the database was changed. I’m shooting in the dark here, though – this is not my area of expertise.

    Pardon me if I stepped on anyone’s toes, but that is a serious question. I’m new to WP (which is a godsend in many ways) and I don’t know if there is any way for a WP installation in normal operation to phone home (as other software packages do) or otherwise have a line of contact with the mother-ship that might be hijacked. After my further investigations, however, it seems more likely that the Hit Counter plug-in is responsible.

    I would still appreciate it if you or someone could address this hack directly and pass on any help or direction in cleaning it up.

    Forum: Fixing WordPress
    In reply to: My site hacked?

    Further to above, my site had a bogus wp-content directory installed at the same level as the wordpress directory. When I try to reset permissions, it creates a duplicate directory the next level up, but doesn’t change permissions on the original. I can rename the bogus directory, but that doesn’t affect it.

    Also, I reiterate that my site is a sandbox; its URL has never been published and it has never been publicly accessed. Is there some hook in the WordPress code that allows hacking?

    BTW – the bogus files are dated 6/22/10. The plug-in I installed closest to that date is the WordPress Hit Counter v. 2.3 by Gary-Adam Shannon.
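
The file-system checks these replies describe (a stray wp-content tree beside or above the WordPress directory, the cache/hookd directories, and files dated on or after the day the problem appeared), written out as an added example that is not part of any forum post. The names `triage` and `build_sample`, the `levels` parameter and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path

def triage(wp_root, cutoff, levels=2):
    """Return (stray_trees, hookd_dirs, recent_files) for one WordPress install."""
    wp_root = Path(wp_root).resolve()
    # A wp-content directory beside or above the install is not part of WordPress.
    stray = [a / "wp-content" for a in list(wp_root.parents)[:levels]
             if (a / "wp-content").is_dir()]
    hookd, recent = [], []
    for top in [wp_root, *stray]:
        for dirpath, _dirs, filenames in os.walk(top):
            d = Path(dirpath)
            if d.name == "hookd" and d.parent.name == "cache":
                hookd.append(d)
            for name in filenames:
                f = d / name
                # lstat: judge a symlink itself rather than whatever it points to
                if f.lstat().st_mtime >= cutoff.timestamp():
                    recent.append(f)
    return stray, sorted(hookd), sorted(recent)

def build_sample(base):
    """Constructed sample: a WordPress root plus a stray sibling wp-content tree."""
    wp = Path(base) / "site" / "wordpress"
    old = datetime(2010, 5, 1).timestamp()
    new = datetime(2010, 6, 22, 12).timestamp()
    files = {
        wp / "wp-config.php": old,
        wp / "wp-content" / "plugins" / "hello.php": old,
        wp.parent / "wp-content" / "cache" / "hookd" / "example.com" / "x.php": new,
    }
    for path, ts in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<?php // constructed sample file\n")
        os.utime(path, (ts, ts))
    return wp

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        stray, hookd, recent = triage(build_sample(tmp), datetime(2010, 6, 22))
        for label, paths in (("stray tree", stray), ("hookd dir", hookd),
                             ("modified on/after cutoff", recent)):
            for p in paths:
                print(f"{label}: {p}")
```

Modification times can be reset by whoever wrote the files, so an empty result from the date check does not show that nothing was changed.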

    Forum: Fixing WordPress
    In reply to: My site hacked?

    I have this problem also (v 2.9.2), and my website is not published. Any explanation/resolution?
