magpiebrain

Sam Newman's site, a Consultant at ThoughtWorks

I’ve been neglecting things here at Magpiebrain Towers since my move to San Francisco. Blame the sunshine, a demanding new client, or just a relapse of extreme apathy. Whatever the cause, it seems that my inattention has been rewarded.

Simon sent me an email the other day, wondering where the blog had gone. I brought up Firefox and checked – “No, the site is still there” I said. But it wasn’t as far as Google search was confirmed.

Redirection based on Referer

It turned out that via Google search, when you clicked on links for Magpiebrain then you were redirected to a suspected malware site called ‘your-needs.info’. I immediately blamed Google. Luckily, calmer heads prevailed, and someone far more knowledgeable than me pointed me at these interesting results:

$ curl -I http://magpiebrain.com
HTTP/1.1 200 OK
Date: Thu, 29 May 2008 18:00:52 GMT
Server: Apache
X-Pingback: http://www.magpiebrain.com/xmlrpc.php
Vary: Accept-Encoding
X-Powered-By: The blood, sweat and tears of the fine, fine TextDrive staff
Served-By: TextDrive
Content-Type: text/html; charset=UTF-8
$ curl -I -H "Referer: http://www.google.com/search?q=sam+newman"
http://magpiebrain.com
HTTP/1.1 302 Found
Date: Thu, 29 May 2008 18:00:57 GMT
Server: Apache
Location: http://your-needs.info/search/index.php?q=sam+newman
Vary: Accept-Encoding
X-Powered-By: The blood, sweat and tears of the fine, fine TextDrive staff
Served-By: TextDrive
Content-Type: text/html; charset=UTF-8

So, it seems that if google is the referer, then the browser is redirected to some shitty spam site.

Cunning barstweards.

Lax WordPress Upkeep to blame?

When I found out that it was my site that was to blame, I immediately started poking around. I checked my .htaccess file – thankfully this was clear. Next, I disabled all the plugins in WordPress, but still the redirect worked. Finally, I moved index.php out of the way – thereby stopping wordpress from being invoked – and surely enough the redirection stopped. So WordPress was to blame.

However, my inaction in writing posts for the site has also extended to not actually keeping WordPress up to date. So my first course of action was to upgrade from 2.3.3. to 2.5.1. The upgrade process was seemless as always, but the referer hack remained.

Fix

A recent thread over at wordpress.org helped me find the solution. By poking around in wp_options and removing a row with an option_name of rss_f541b3abd05e7962fcab37737f40fad8 the problem went away. Right now it isn’t clear which exploit was used, or how many sites were affected, but the thread I found was pretty recent which implies this may be a new issue.

Insidious Hack

This really is quite a good use of what appears to be a WordPress exploit. The only way in which this hack becomes apparent is if you check your analytics frequently (which I don’t – my ego is already big enough without stoking it by looking at hits) or if so perform a google search for your own content, which happens rarely. What is in it for the hackers is harder to see, other than driving traffic to a bogus search engine that pushes prescription drugs.

Advertisements

16 Responses to “WordPress Site Hacked”

  1. Jason

    Thanks for posting this. I have been trying to find a fix to this problem for close to a week now. Is this just a temp fix? or is there any other way to prevent this from happening? Cause I already upgraded to 2.5 before this and had the same problem. Thanks for your time.

    Reply
  2. sam

    Hi Jason,

    I’m not sure if this fix is temporary or not. I’m hoping that whatever security hole they sued was plugged when I upgraded to 2.5.1 (although as I don’t know what hole they used I can’t confirm this) so I hope what I’ve done is remove the result of the exploit.

    If the hole still exists of course, it seems very likely that I’ll get hacked again – perhaps in a less pleasant fashion!

    My plan is to reinstate mod_security for my domain (which I had disabled as it improperly blocked some comments) and keep a much closer eye in the future.

    If I get any more information I’ll be sure to update this post.

    Reply
  3. Rob

    Just a thought — anyone dealing with this hack might want to advise their Windows-based readers to redirect your-needs.info to 127.0.0.1 using the system32driversetchosts file in the Windows directory. Just add the line

    127.0.0.1 your-needs.info

    to hosts and the redirect is defeated locally.

    Note that on Vista, you need to run your text editor as Administrator in order to edit the hosts file.

    Obviously, if the exploit moves to another site, so should your hosts line entries.

    Reply
  4. Marlex Systems

    Probably, if you only detele the rss input at your MySQL, the hack can attemp again. Try to do all the things thah I describe in the WordPress support, and find in your active-plugins into the wo_options table in the MySQL database for a image used as plugin.

    If you have them, try to delete and deactive and active again all the plugins, this is for update the list of active plugins witouth deleting lines in your MySQL.

    Have a nice day.

    http://www.marlexsystems.org

    Reply
  5. Max

    I am getting killed by this thing. I have 20-25 blogs getting roughly 10k per day total. I’ve dropped to 4k a day over this week. I’ve upgrade a lot of them to the latest wp, but traffic is still dipping like crazy. I’ve checked for “rss_f541b3abd05e7962fcab37737f40fad8” and I don’t have that line. Now, I don’t even know what to look for. I’m almost ready to change them all out to a different blog platform. What’s nuts is I was able to see this landingpage “your-needs.info”, then all of a sudden, I don’t see it, but my traffic is still wayyyy down. This thing has to be still popping up. Can anyone tell me how I can see what my google ref should see without actually going through google? Just want to make sure it’s not a cookie thing. This royally sucks.

    Reply
  6. Tiffany

    Thanks for the info. I did as you instructed. I am soooo ticked. This has been going on for a week and someone just told me today after hundreds of dollars lost…grrr. I hope this gets rid of the issue….for awhile.

    Reply
  7. the english guy

    Thanks, that fixed my problem, took me ages to find out what was causing it and ran into this page/site, applied it, and got my blog(s) back.

    Reply
  8. » Hax0rz again reneduquesnoy.com

    […] Switching from joomla to wordpress, my hacker followed me. I tend to get hacked (wonder if it is because dreamhost.com is lame). Fortunately, I found a site that gave me a one-liner to fix said bullsnap. Thanks to magpiebrain. […]

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Basic HTML is allowed. Your email address will not be published.

Subscribe to this comment feed via RSS

%d bloggers like this: