I’ve been neglecting things here at Magpiebrain Towers since my move to San Francisco. Blame the sunshine, a demanding new client, or just a relapse of extreme apathy. Whatever the cause, it seems that my inattention has been rewarded.
Simon sent me an email the other day, wondering where the blog had gone. I brought up Firefox and checked – “No, the site is still there” I said. But it wasn’t as far as Google search was confirmed.
Redirection based on Referer
It turned out that via Google search, when you clicked on links for Magpiebrain then you were redirected to a suspected malware site called ‘your-needs.info’. I immediately blamed Google. Luckily, calmer heads prevailed, and someone far more knowledgeable than me pointed me at these interesting results:
$ curl -I http://magpiebrain.com HTTP/1.1 200 OK Date: Thu, 29 May 2008 18:00:52 GMT Server: Apache X-Pingback: http://www.magpiebrain.com/xmlrpc.php Vary: Accept-Encoding X-Powered-By: The blood, sweat and tears of the fine, fine TextDrive staff Served-By: TextDrive Content-Type: text/html; charset=UTF-8
$ curl -I -H "Referer: http://www.google.com/search?q=sam+newman" http://magpiebrain.com HTTP/1.1 302 Found Date: Thu, 29 May 2008 18:00:57 GMT Server: Apache Location: http://your-needs.info/search/index.php?q=sam+newman Vary: Accept-Encoding X-Powered-By: The blood, sweat and tears of the fine, fine TextDrive staff Served-By: TextDrive Content-Type: text/html; charset=UTF-8
So, it seems that if google is the referer, then the browser is redirected to some shitty spam site.
Cunning barstweards.
Lax WordPress Upkeep to blame?
When I found out that it was my site that was to blame, I immediately started poking around. I checked my .htaccess file – thankfully this was clear. Next, I disabled all the plugins in WordPress, but still the redirect worked. Finally, I moved index.php out of the way – thereby stopping wordpress from being invoked – and surely enough the redirection stopped. So WordPress was to blame.
However, my inaction in writing posts for the site has also extended to not actually keeping WordPress up to date. So my first course of action was to upgrade from 2.3.3. to 2.5.1. The upgrade process was seemless as always, but the referer hack remained.
Fix
A recent thread over at wordpress.org helped me find the solution. By poking around in wp_options and removing a row with an option_name of rss_f541b3abd05e7962fcab37737f40fad8 the problem went away. Right now it isn’t clear which exploit was used, or how many sites were affected, but the thread I found was pretty recent which implies this may be a new issue.
Insidious Hack
This really is quite a good use of what appears to be a WordPress exploit. The only way in which this hack becomes apparent is if you check your analytics frequently (which I don’t – my ego is already big enough without stoking it by looking at hits) or if so perform a google search for your own content, which happens rarely. What is in it for the hackers is harder to see, other than driving traffic to a bogus search engine that pushes prescription drugs.
magpiebrain 
16 Responses to “WordPress Site Hacked”
[…] WordPress hack (although he was not the first). Apparently somebody hacked his WordPress Blog to redirect readers, who reach it via a Google search, to your-needs.info. Luckily my blog has not been hit […]
[…] konnte ich es sogar nachstellen und eine kurze Recherche ergab auch eine (mögliche?) Problemlösung. Erste Versuche verliefen zufriedenstellend, ich lande wieder da, wo ich hin […]
Thanks for posting this. I have been trying to find a fix to this problem for close to a week now. Is this just a temp fix? or is there any other way to prevent this from happening? Cause I already upgraded to 2.5 before this and had the same problem. Thanks for your time.
Hi Jason,
I’m not sure if this fix is temporary or not. I’m hoping that whatever security hole they sued was plugged when I upgraded to 2.5.1 (although as I don’t know what hole they used I can’t confirm this) so I hope what I’ve done is remove the result of the exploit.
If the hole still exists of course, it seems very likely that I’ll get hacked again – perhaps in a less pleasant fashion!
My plan is to reinstate mod_security for my domain (which I had disabled as it improperly blocked some comments) and keep a much closer eye in the future.
If I get any more information I’ll be sure to update this post.
Just a thought — anyone dealing with this hack might want to advise their Windows-based readers to redirect your-needs.info to 127.0.0.1 using the system32driversetchosts file in the Windows directory. Just add the line
127.0.0.1 your-needs.info
to hosts and the redirect is defeated locally.
Note that on Vista, you need to run your text editor as Administrator in order to edit the hosts file.
Obviously, if the exploit moves to another site, so should your hosts line entries.
Probably, if you only detele the rss input at your MySQL, the hack can attemp again. Try to do all the things thah I describe in the WordPress support, and find in your active-plugins into the wo_options table in the MySQL database for a image used as plugin.
If you have them, try to delete and deactive and active again all the plugins, this is for update the list of active plugins witouth deleting lines in your MySQL.
Have a nice day.
http://www.marlexsystems.org
I am getting killed by this thing. I have 20-25 blogs getting roughly 10k per day total. I’ve dropped to 4k a day over this week. I’ve upgrade a lot of them to the latest wp, but traffic is still dipping like crazy. I’ve checked for “rss_f541b3abd05e7962fcab37737f40fad8” and I don’t have that line. Now, I don’t even know what to look for. I’m almost ready to change them all out to a different blog platform. What’s nuts is I was able to see this landingpage “your-needs.info”, then all of a sudden, I don’t see it, but my traffic is still wayyyy down. This thing has to be still popping up. Can anyone tell me how I can see what my google ref should see without actually going through google? Just want to make sure it’s not a cookie thing. This royally sucks.
Thanks for the info. I did as you instructed. I am soooo ticked. This has been going on for a week and someone just told me today after hundreds of dollars lost…grrr. I hope this gets rid of the issue….for awhile.
Good to see the site back – and good to see a post on it, too! 😉
[…] Magpie Brain – WordPress Site Hacked […]
[…] Magpie Brain – WordPress Site Hacked […]
[…] Magpie Brain – WordPress Site Hacked […]
Thanks, that fixed my problem, took me ages to find out what was causing it and ran into this page/site, applied it, and got my blog(s) back.
Thanks good posting that fixed my problem
thanks for post.. fixed problem..
[…] Switching from joomla to wordpress, my hacker followed me. I tend to get hacked (wonder if it is because dreamhost.com is lame). Fortunately, I found a site that gave me a one-liner to fix said bullsnap. Thanks to magpiebrain. […]