Comments on: Google Cloaking Hack Targeting WordPress & How to Fix It

By: PreservationNation » Blog Archive » Bad news: Our Blog was Hacked

PreservationNation » Blog Archive » Bad news: Our Blog was Hacked — Tue, 13 Jul 2010 13:01:18 +0000

[...] This kind of attack is called a “cloaking hack,” “pharma hack” or “injection hack.” If you are interested in more information on this, check out: http://wpblogger.com/google-cloacking-wordpress-hack.php. [...]

By: Mimi

Mimi — Mon, 05 Jul 2010 23:42:02 +0000

I host several WordPress sites as well a few HTML sites. The hack seemed to happen around the time that I tried to use the WPbook plugin (June 23-26) to link a site to a Facebook Page. Can’t be completely certain of the timing but that seems to make sense to me. The hacker got in and placed several PHP files in an old and definitely non-secure HTML site. The PHP files all had one piece of PHP code with tons of encrypted letter in between. They referred back to a directory called “set” which I found in an image file in the HTML site that had tons of HTML files that were all named with various pharma drugs and had links to other sites. Every single WordPress site I have had been cloned and given the extension .old – seems like all of the files in the .old extension are pretty clean but the newly cloned files had a new file called wp-includes>pomo>set.php. I assume it refers back to the set directory found in the HTML site. If having these files will help someone diagnose the hacker – please let me know. I am painstakingly going through each WP site, exporting current posts/pages and reinstalling databases and plugins. I don’t know enough about MySQL to search through tables and find offending files. Oh and I use Dreamhost.

By: Ben Wilcox

Ben Wilcox — Fri, 14 May 2010 02:28:31 +0000

Got hacked today, the default login account name was changed back to admin and from the logs it shows that the hacker was over in china. I saw the access in the raw http logs and they went directly to the admin site. They logged right in so there must be a script in the background that has hit the shared hosting box. WordPress 2.9.2

By: whyme

whyme — Sun, 09 May 2010 02:03:52 +0000

my site is down, i got hacked

i use wordpress with go daddy and i had an updated version of wordpress when it came out. but i still got hacked.

my dashboard is messed up….. and a website link shows up on the bottom of the left screen and disappears.

can someone stop whoever is doing this. wt…………….

By: Anonymous

Anonymous — Wed, 05 May 2010 09:28:39 +0000

Anyone checked the .htaccess file?

By: Ben Cook

Ben Cook — Sun, 02 May 2010 03:43:41 +0000

Eric, I don’t think the hack you’re discussing is quite the same one as we’ve been seeing discussing here. The hack this post was about is only visible when viewing your site in Google’s search results and (from what I’ve been told) hid the code in plugin folders, not injecting things into the bottom of your pages. Are you sure we’re talking about the same hack?

By: Eric Hamilton

Eric Hamilton — Sun, 02 May 2010 02:13:19 +0000

One more clue – a simple upload of WordPress 2.9.2 over-writing the files fixes the problems and removes the javascript from the bottom of the files. I haven’t searched the database files very thoroughly yet, though. It’s likely there are backdoors still hidden. I’m looking forward to a more permanent fix!

By: Eric Hamilton

Eric Hamilton — Sun, 02 May 2010 02:06:26 +0000

I have many WordPress 2.9.2 installs (currently latest and greatest) on Lunarpages shared hosting. Several of my sites got hit. Because several of them were hit (including one in development that should not even appear in Google search results), I believe that the exploit is gaining access to the filesystem (perhaps through php / wordpress vulnerability, perhaps not) and searching for other blogs to target.

Some of the sites were broken. Those ones spit out this error:

Parse error: syntax error, unexpected ‘<' in /home/train22/public_html/blog/wp-includes/default-filters.php on line 230

The ones, I believe, that were NOT running WP-Supercache plugins broke. The ones that were running it had obfuscated javascript code appended below the final /html tag at the bottom of the page. I was unable to find the source of the injection in the template files.

One of the broken target sites was running only one plugin – exclude pages. However, I believe it to be highly unlikely that it was the attack vector. I think one of the other sites was exploited, and they used a filesystem search to locate and attack the other installs.

By: Mike

Mike — Wed, 28 Apr 2010 05:48:20 +0000

Thanks for the clues, but none have removed the hack on my site, placed on behalf of a Turkish dating site.

I’m at MediaTemple with latest, greatest WordPress. App WP suggests is to scrub, backup and and reinstall everything (until this mystery hack strikes again. Nice work, WP!) Deliver me from cut, paste and post solutions.

I’m getting the same MySQL syntax error as Yohan Perera, above. Can anyone help?

By: How to Fix Your Hacked WordPress Blog

How to Fix Your Hacked WordPress Blog — Wed, 21 Apr 2010 03:09:10 +0000

[...] drug addiction. Your once mild-mannered blog is a now a nasty Hollywood tart, reeling around, blowing toxic breath in random stranger’s faces, accosting people in the street and making depraved sexual suggestions, showing up at high-society [...]