Symptoms of a WordPress hack
Posted on 2009-11-02
I came to my site on Sunday morning ready to write the latest in my PHP tutorial, only to find a nasty looking 500 server error. I couldn’t even log into the admin panel.
After a while tinkering with various configuration settings and trying to get something to come up, I started searching the web. Turns out, earlier versions of WordPress were vulnerable to specific hacks that could let attackers create their own admin users.
Looking in the WordPress users table, three new users had been created. Their first names were set to the following: (note: code deliberately broken so I don’t trigger security protections)
Note the three periods on the first line? Ingeniously, when you look at the records directly in the database using a tool like phpMyAdmin, it defaults to only showing the first line. This makes the field appear as ‘…’ – you only see the actual evil payload if you activate the full text view.
Magic! Three extra users have appeared!
Once a malicious user is logged in as an administrator, they have free rein to do as they please – including directly modifying PHP code in the WordPress admin panel. It turns out that the server 500 errors were due to the hackers modifying the theme files I was using. It took a clean install of the theme before I could get into the blog again. Hopefully, I’ll do a post-mortem on the theme and post any malicious findings here.
The moral of the story? Keep your WordPress install up to date and keep an eye on the users table.
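As an added illustration of "keep an eye on the users table" (this is example code written for this page, not the author's own script), the audit below flags user records whose name fields contain line breaks or other control characters, and shows separately what a truncated one-line view would display versus what it would hide. The rows are constructed sample data; their column layout (wp_users columns joined with the first_name/last_name values WordPress keeps in usermeta) and the MySQL REGEXP query in the comment are assumptions, not something the post specifies.

```python
import re
from dataclasses import dataclass

# Line breaks and other control characters have no business in a user's
# name fields; a line break is exactly what lets a truncated table view
# show only a harmless-looking first line.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
NAME_FIELDS = ("user_login", "display_name", "first_name", "last_name")

# Assumed query for pulling candidate rows straight from MySQL (not from the post):
#   SELECT ID, user_login, user_email, user_registered
#   FROM wp_users
#   WHERE user_login REGEXP '[[:cntrl:]]' OR display_name REGEXP '[[:cntrl:]]'
#   ORDER BY user_registered DESC;


@dataclass
class Finding:
    user_id: int
    field: str
    preview: str  # what a one-line/truncated cell view shows
    hidden: str   # the remainder that view would not show


def first_line_preview(value: str) -> str:
    """Mimic a table view that only renders the first line of a multi-line cell."""
    return re.split(r"\r?\n", value, maxsplit=1)[0]


def audit_users(rows):
    """Return a Finding for every name field that contains control characters."""
    findings = []
    for row in rows:
        for field in NAME_FIELDS:
            value = row.get(field) or ""
            if CONTROL_CHARS.search(value):
                preview = first_line_preview(value)
                findings.append(Finding(row["ID"], field, preview, value[len(preview):]))
    return findings


def unexpected_accounts(rows, known_logins):
    """Return IDs of accounts whose login is not on the administrator's known list."""
    return [row["ID"] for row in rows if row["user_login"] not in known_logins]


# Constructed sample rows (not data from the post). Row 7 imitates the trick
# described above: the first line is just '...', the rest sits below a line break.
SAMPLE_ROWS = [
    {"ID": 1, "user_login": "admin", "display_name": "Site Owner",
     "first_name": "Owner", "last_name": ""},
    {"ID": 2, "user_login": "editor", "display_name": "Editor",
     "first_name": "Ed", "last_name": "Itor"},
    {"ID": 7, "user_login": "wp_support",
     "display_name": "...\nHIDDEN_PAYLOAD_PLACEHOLDER",
     "first_name": "...\r\nHIDDEN_PAYLOAD_PLACEHOLDER", "last_name": ""},
]


def main():
    for f in audit_users(SAMPLE_ROWS):
        print(f"user {f.user_id} field {f.field}: shown={f.preview!r} hidden={f.hidden!r}")
    print("unexpected accounts:", unexpected_accounts(SAMPLE_ROWS, {"admin", "editor"}))


if __name__ == "__main__":
    main()
```

Run periodically (or after any unexplained error on the site) against a fresh export of the users table; the known-logins comparison catches accounts created through a vulnerability even when their names look perfectly ordinary, and the control-character check catches the truncated-view trick regardless of what the hidden text contains.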