Is your blog hacked?

Posted on Oct 03 in Blogging, info for small business webmasters, personal stories, technology

WordPress Attack Underway: WordPress Users Must Upgrade [ALERT] – http://bit.ly/Cu3c7 (via @mashable)

Mashable writes “WordPress has responded to news today that outdated versions of the popular blogging software are vulnerable to a new attack. The attack affects only self-hosted versions of WordPress, not those at WordPress.com. The organization’s advice is simple: if you aren’t using the most recent version (2.8.4), upgrade now to avoid problems.”

Lorelle writes on her WordPress-centric blog:

There are two clues that your WordPress site has been attacked:

First, there are strange additions to permalinks, such as: example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize.

If you noticed some 404 pages here earlier it is because I was under attack… I had an invisible administrator as described above and I also noticed the weird permalink stuff last night. Initially I thought the permalink funky stuff was related to the new theme. So I’ve upgraded as WordPress recommends but I still had the invisible administrator to figure out.

Anyway, if you are under attack and wondering how to get rid of the invisible administrator here is what I did:

After logging in to phpMyAdmin I browsed user tables and found that on both mine and N’s blogs there was a user with a blank user_email. Once that user was deleted the invisible administrator disappeared.

Updated Oct 3rd 2009:

Noticed a drop in traffic after you’ve reclaimed your blog from the WordPress hacking? I did. Be sure you’ve checked your permalink structure and that it’s been restored to what it was before.

Just removing this junk (%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/) isn’t enough, I know from experience. You see my permalink structure was set to just display as /%postname%/ so when I simply snipped off the extra junk that was added in the hacking I didn’t notice that the /%category%/%postname%/ was different than what I had always had my permalink structure set as…

Changing your permalink structure means changing your ranking in the search engines and if you care about search traffic this is bad for you. Is your permalink structure back to how it used to be prior to the hacking? You might want to take a look.
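
The two clues from this post, written as read-only queries you can paste into the phpMyAdmin SQL tab. This is an added example, not code from the original post or from WordPress, and it assumes the default `wp_` table prefix:

```sql
-- Added example: read-only checks, nothing here modifies the database.
-- Assumption: default table prefix "wp_". If your install uses another prefix,
-- change it in the table names AND in the meta_key value in query 2.

-- 1. Accounts with a blank e-mail address
--    (the hidden administrator described in this post had a blank user_email).
SELECT ID, user_login, user_email, user_registered
FROM wp_users
WHERE user_email IS NULL
   OR TRIM(user_email) = '';

-- 2. Every account that holds the administrator role, newest first.
--    Roles are stored as a serialized value in wp_usermeta, so match on the role name.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;

-- 3. The stored permalink structure, with a flag set to 1 when it contains
--    either of the two keywords named in the post.
SELECT option_value AS permalink_structure,
       (option_value LIKE '%eval%'
        OR option_value LIKE '%base64_decode%') AS looks_injected
FROM wp_options
WHERE option_name = 'permalink_structure';
```

Any login in query 2 that you do not recognize deserves a closer look, and a `looks_injected` value of 0 in query 3 only means the junk is gone: still compare `permalink_structure` with what you had before the attack (in my case /%postname%/, not /%category%/%postname%/).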


I just hate when I am hacked.
.-= Karen´s last blog ..Fun With Bread =-.

You're welcome!
.-= witchypoo´s last blog ..Grace the Fourteenth =-.
