Google Cloaking WordPress Hack

Google Cloaking Hack Targeting WordPress & How to Fix It

by Ben Cook on April 15, 2010

Update IV: If your WordPress installation has been hacked and you need help fixing it, I would highly recommend talking to Michael VanDeMar. He’s written a great guide to cleaning up WordPress hacks and offers a cleaning service if you’d rather not do the work yourself. Contact him here for more details.

Update III: Chris Pearson has published a guide on how to diagnose and fix this hack. If you’ve been hit by this thing, this is how to get your site back. However, the vulnerability that allowed the hackers in is still unknown. It has hit multiple sites across all sorts of web hosts and servers.

Update II: The RSS file seems to have been the culprit for several other sites as well. Christopher Penn (it seems this hacker picked the wrong Christophers to mess with) has a tip on how to fix it.

“Log into your MySQL database (most hosts have this via PHPmyAdmin) and execute this query:

    SELECT * FROM `wp_options` WHERE option_name LIKE 'rss%' ORDER BY `wp_options`.`option_name` ASC

What you’re looking for is an entry that starts with rss_ and then some random numbers. The text of the entry is encoded javascript, which looks like this:

FFPJ1JpnyfUnpDzz3h9tfaI92uDvyD/Of+r4XyJ2f2Uev6U539WDM39kP10QFLP53+Y5BaX3+0/a03rZ0
0nKX5Na27hXdOSw17TGuO7pDWt/+Na0+lVHHdrWrScqzVqdysqybmiWvILqqXzn5L+ehyvSzriIZHsf
oIiUKwlJvcjvH69FR7SHB4UNXyXOaZw+ivT8dhjkZ6rtGj+PPJRMlCW5ePEZVlLOj8YkgL80/26Luefq
VXgStMY/Afw/

Delete this entry.”

You’ll want to be sure to back up your site before making any changes, and after making the fix, change your passwords for your WordPress installation, the FTP password, and even the database password.

There’s still no word as of yet on HOW the hackers gain access to the sites, but this should at least remove the issue and hopefully prevent it from recurring.

Update: Chris Pearson seems to have found the offending code, at least in his case. The injection point seems to have been an RSS magpie widget; however, that’s not necessarily the point of vulnerability. He recommends looking “in your wp_options table for the following option name: rss_f541b3abd05e7962fcab37737f40fad8.” Please note this is ONLY a single case and from what I understand it’s quite common for hackers to use multiple or varying file names. If you’ve been hacked, I would again urge you to contact security@wordpress.org so we can find a fix for this issue as soon as possible. Thanks!
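The two updates above both come down to the same check: run the quoted query, look at every rss_ row in wp_options, and delete the one holding an encoded blob. As an added example (not from this post, nor from Christopher Penn’s or Chris Pearson’s guides), the script below does that triage against a copy of the table. It assumes the legitimate rss_ rows are MagpieRSS feed-cache entries, which in WordPress 2.x are stored as PHP-serialized data with a matching rss_…_ts timestamp row; anything under an rss_ name that is instead a long base64-looking string is flagged. An in-memory SQLite table with constructed rows stands in for MySQL so the example runs offline; the only page-specific values used are the option name and payload quoted above.

```python
import hashlib
import re
import sqlite3

# Option name and (truncated) payload quoted in the post; everything else below is constructed.
HACK_NAME = "rss_f541b3abd05e7962fcab37737f40fad8"
HACK_VALUE = (
    "FFPJ1JpnyfUnpDzz3h9tfaI92uDvyD/Of+r4XyJ2f2Uev6U539WDM39kP10QFLP53+Y5BaX3+0/a03rZ0"
    "0nKX5Na27hXdOSw17TGuO7pDWt/+Na0+lVHHdrWrScqzVqdysqybmiWvILqqXzn5L+ehyvSzriIZHsf"
)
# Constructed key for a legitimate feed cache (assumption: Magpie names entries rss_ + md5(feed URL)).
FEED_KEY = "rss_" + hashlib.md5(b"http://example.com/feed").hexdigest()

SERIALIZED = re.compile(r"^[aOs]:\d+:")             # PHP serialize() output: a:..., O:..., s:...
B64_BLOB = re.compile(r"^[A-Za-z0-9+/=\s]{40,}$")   # long run of base64 alphabet and nothing else


def classify(option_name, option_value):
    """Return 'timestamp', 'cache', 'suspicious' or 'unknown' for one rss_ row."""
    value = option_value.strip()
    if option_name.endswith("_ts") and value.isdigit():
        return "timestamp"
    if SERIALIZED.match(value):
        return "cache"
    if B64_BLOB.match(value):
        return "suspicious"
    return "unknown"


def triage(conn):
    """Run the query from the post and classify every row it returns."""
    rows = conn.execute(
        "SELECT option_id, option_name, option_value FROM wp_options "
        "WHERE option_name LIKE 'rss%' ORDER BY option_name ASC"
    ).fetchall()
    return [(oid, name, classify(name, value)) for oid, name, value in rows]


def remove_suspicious(conn):
    """Delete the rows classified as suspicious; returns the option names removed."""
    doomed = [name for _, name, verdict in triage(conn) if verdict == "suspicious"]
    conn.executemany("DELETE FROM wp_options WHERE option_name = ?", [(n,) for n in doomed])
    conn.commit()
    return doomed


def build_sample_db():
    """Constructed wp_options table: one unrelated option, one real cache pair, one injected row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_options (option_name, option_value) VALUES (?, ?)",
        [
            ("siteurl", "http://example.com"),
            (FEED_KEY, 'a:2:{s:5:"items";a:0:{}s:4:"etag";s:0:"";}'),
            (FEED_KEY + "_ts", "1271300000"),
            (HACK_NAME, HACK_VALUE),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for oid, name, verdict in triage(db):
        print(f"{oid:>4}  {verdict:<10}  {name}")
    print("removed:", remove_suspicious(db))
```

Run the triage first and read the list before calling remove_suspicious; on a real database you would also take the backup the post asks for, since a false positive here deletes a row. Deleting the row removes the payload but not whatever wrote it, which is why the password changes still matter.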

There’s an incredibly nasty hack hitting WordPress sites right now, even sites that are running the latest most up to date version (2.9.2).

What makes this hack so mean is that it is only viewable to search engine spiders AND it apparently has a high rate of recurrence. Detecting the hack is fairly simple: just do a site:yourdomain.com search in Google for your site. If you see title tags involving all sorts of pharmaceuticals, you’ve been hit. I don’t have an answer for you on how to fix it. I wish I did, but hopefully this post will help lead to a resolution.
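The site: search only shows what Google has already indexed. Because the injected content is served to spiders and not to browsers, the same symptom can be checked directly: request a page twice, once with an ordinary browser User-Agent and once claiming to be Googlebot, and compare what comes back. The script below is an added example (not from the post) that does that comparison; the User-Agent strings, the fetch helper and the list of pharmaceutical terms are assumptions, and the two HTML responses at the bottom are constructed so the comparison runs offline.

```python
import re
import urllib.request

# Assumed User-Agent strings: one ordinary browser, one spider.
BROWSER_UA = "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Terms standing in for the post's "all sorts of pharmaceuticals" (assumed list, extend as needed).
PHARMA_TERMS = ("viagra", "cialis", "levitra", "tramadol", "pharmacy")


def extract_title(html):
    """Contents of the <title> tag, whitespace collapsed; empty string if none."""
    m = re.search(r"(?is)<title[^>]*>(.*?)</title>", html)
    return re.sub(r"\s+", " ", m.group(1)).strip() if m else ""


def visible_text(html):
    """Lower-cased page text with script/style blocks and all tags removed."""
    html = re.sub(r"(?is)<(script|style)[^>]*>.*?</\1>", " ", html)
    return re.sub(r"<[^>]+>", " ", html).lower()


def word_set(text):
    return set(re.findall(r"[a-z0-9]+", text))


def cloaking_report(browser_html, bot_html):
    """Compare the two responses; words that appear only in the spider version are the signal."""
    browser_words = word_set(visible_text(browser_html))
    bot_words = word_set(visible_text(bot_html))
    pharma = sorted(t for t in PHARMA_TERMS if t in bot_words and t not in browser_words)
    return {
        "browser_title": extract_title(browser_html),
        "bot_title": extract_title(bot_html),
        "title_differs": extract_title(browser_html) != extract_title(bot_html),
        "bot_only_words": sorted(bot_words - browser_words),
        "pharma_terms": pharma,
        "cloaked": bool(pharma),
    }


def fetch(url, user_agent):
    """Network helper (not used offline): GET the URL with the given User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", "replace")


def check_url(url):
    """Fetch as a browser and as Googlebot, then compare."""
    return cloaking_report(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))


# Constructed sample responses: a clean page and the same page with spider-only pharma content.
CLEAN_HTML = (
    "<html><head><title>My Blog - Latest Posts</title></head>"
    "<body><h1>Hello</h1><p>Welcome.</p></body></html>"
)
CLOAKED_HTML = (
    "<html><head><title>Buy Cheap Viagra Online - My Blog</title></head>"
    "<body><h1>Hello</h1><p>Welcome.</p>"
    '<div style="display:none">cialis levitra pharmacy</div></body></html>'
)

if __name__ == "__main__":
    print(cloaking_report(CLEAN_HTML, CLOAKED_HTML))
```

A clean result from this check is not proof the site is clean: a cloaker can key on the visitor’s IP range rather than the User-Agent, and some sites legitimately vary output by client, so a differing title alone is only a prompt to look closer. The bot_only_words list is the useful output for injections that do not use the obvious terms.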

Several prominent sites including the WPquestions.com blog, Chris Pearson’s (creator of the Thesis theme) personal blog, and dozens if not hundreds of others have been hit. Plus, the hack was covered on ThemeLab.com, discussed in a WPtavern thread, and apparently submitted a couple of times to the WordPress support forums.

Despite the well documented security issues WordPress has had over the last year, the resounding sentiment seemed to be “It’s not my problem until you can prove it’s my problem.” In the WPtavern thread, members were quick to argue that it wasn’t necessarily a WordPress issue and basically argued that if it were a WordPress issue, more sites would have been hacked by now. In the WordPress.org forum, it appears the thread received an even cooler reception, being deleted altogether.

Don’t get me wrong, I have no doubt everyone on the WordPress team wants the platform to be as secure as possible. But the reaction we’re seeing to this significant problem is baffling to me. Whether WordPress is the source of the vulnerability or not, the hack is obviously targeting WordPress sites and making life difficult for a LOT of WP users.

As WP developer Mark Jaquith pointed out via Twitter, they receive hack reports on a daily basis and try to track down all actionable security information. While I’m sure that’s the case, this specific hack is very easy to miss if you’re not actively checking out your search engine listings. A vast majority of these site owners probably have no idea their site’s been hit, and that’s going to make it tough for them to raise the issue to the WordPress team directly.

Even though I’ve been lucky enough to not have any of my sites affected (knock on wood), I was able to find and point Mark to thousands of examples the WordPress team can take a look at to find any possible patterns.

Looking at a hacked site from the outside in, however, isn’t nearly as helpful as having access to the behind the scenes info. Providing things like:

  • a list of what plugins you’re running
  • what version of WP you’re running
  • what theme you’re using
  • who your hosting provider is
  • and a list of any other applications installed on your account

would GREATLY increase the WordPress team’s ability to narrow down the list of possible culprits.

If your site has been hacked (again, you can find out by going to Google and typing site: before your URL) please send those details in an email to security@wordpress.org and feel free to post them in the comment sections below.

This issue is a particularly nasty one and the sooner we can nail down the vulnerability, the sooner it can be eliminated!

Image source: ICanHasCheezburger.com
