Google Cloaking WordPress Hack

Google Cloaking Hack Targeting WordPress & How to Fix It

by Ben Cook on April 15, 2010

Update IV: If your WordPress installation has been hacked and you need help fixing it, I would highly recommend talking to  Michael VanDeMar. He’s written a great guide to cleaning up WordPress hacks and offers a cleaning service if you’d rather not do the work yourself.  Contact him here for more details.

Update III: Chris Pearson has published a guide on how to diagnose and fix this hack. If you’ve been hit by this thing, this is how to get your site back. However, the vulnerability that allowed the hackers in is still unknown. It has hit multiple sites across all sorts of web hosts and servers.

Update II: The RSS file seems to have been the culprit for several other sites as well. Christopher Penn (it seems this hacker picked the wrong Christophers to mess with) has a tip on how to fix it.

“Log into your MySQL database (most hosts have this via PHPmyAdmin) and execute this query:SELECT *FROM `wp_options` where option_name like ‘rss%’ ORDER BY `wp_options`.`option_name` ASC

What you’re looking for is an entry that starts with rss_ and then some random numbers. The text of the entry is encoded javascript, which looks like this:

FFPJ1JpnyfUnpDzz3h9tfaI92uDvyD/Of+r4XyJ2f2Uev6U539WDM39kP10QFLP53+Y5BaX3+0/a03rZ0
0nKX5Na27hXdOSw17TGuO7pDWt/+Na0+lVHHdrWrScqzVqdysqybmiWvILqqXzn5L+ehyvSzriIZHsf
oIiUKwlJvcjvH69FR7SHB4UNXyXOaZw+ivT8dhjkZ6rtGj+PPJRMlCW5ePEZVlLOj8YkgL80/26Luefq
VXgStMY/Afw/

Delete this entry.”

You’ll want to be sure to back up your site before making any changes, and after making the fix, change your passwords for your WordPress installation, the FTP password, and even the database password.

There’s still no word as of yet on HOW the hackers gain access to the sites, but this should at least remove the issue and hopefully prevent it from recurring.

Update: Chris Pearson seems to have found the offending code, at least in his case. The injection point seems to have been an RSS magpie widget, however that’s not necessarily the point of vulnerability. He recommends looking “in your wp_options table for the following option name: rss_f541b3abd05e7962fcab37737f40fad8.” Please note this is ONLY a single case and from what I understand it’s quite common for hackers to use multiple or varying file names. If you’ve been hacked, I would again urge you to contact security@wordpress.org so we can find a fix for this issue as soon as possible. Thanks!

There’s an incredibly nasty hack hitting WordPress sites right now, even sites that are running the latest most up to date version (2.9.2).

What makes this hack so mean is that it is only viewable to search engine spiders AND it apparently has a high rate of recurrence. Detecting the hack is fairly simple, just do a site:yourdomain.com search in Google for your site. If you see title tags involving all sorts of pharmaceuticals, you’ve been hit. I don’t have an answer for you on how to fix it. I wish I did, but hopefully this post will help lead to a resolution.

Several prominent sites including the WPquestions.com blog, Chis Pearson’s (creator of the Thesis theme) personal blog, and dozens if not hundreds of others have been hit. Plus, the hack was covered on ThemeLab.com, discussed in a WPtavern thread, and apparently submitted a couple of times to the WordPress support forums.

Despite the well documented security issues WordPress has had over the last year, the resounding sentiment seemed to be “It’s not my problem until you can prove it’s my problem.” In the WPtavern thread, members were quick to argue that it wasn’t necessarily a WordPress issue and basically argued that if it were a WordPress issue, more sites would have been hacked by now. In the WordPress.org forum, it appears the thread received an even cooler reception, being deleted all together.

Don’t get me wrong, I have no doubt everyone on the WordPress team wants the platform to be as secure as possible. But the reaction we’re seeing to this significant problem is baffling to me. Whether WordPress is the source of the vulnerability or not, the hack is obviously targeting WordPress sites and making life difficult for a LOT of WP users.

WordPress Developer Mark JaquithAs WP developer, Mark Jaquith pointed out via Twitter, they receive hack reports on a daily basis and try to track down all actionable security information. While I’m sure that’s the case, this specific hack is very easy to miss if you’re not actively checking out your search engine listings. A vast majority of these site owners probably have no idea their site’s been hit, and that’s going to make it tough for them to raise the issue to the WordPress team directly.

Even though I’ve been lucky enough to not have any of my sites affected (knock on wood), I was able to find and point Mark to thousands of examples the WordPress team can take a look at to find any possible patterns.

Looking at a hacked site from the outside in, however, isn’t nearly as helpful as having access to the behind the scenes info. Providing things like:

  • a list of what plugins you’re running
  • what version of WP you’re running
  • what theme you’re using
  • who your hosting provider is
  • and a list of any other applications installed on your account

would GREATLY increase the WordPress team’s ability to narrow down the list of possible culprits.

If you’re site has been hacked (again you can find out by going to Google and typing site: before your url) please send those details in an email to security@wordpress.org and feel free to post them in the comment sections below.

This issue is a particularly nasty one and the sooner we can nail down the vulnerability, the sooner it can be eliminated!

Note: If your WordPress installation has been hacked and you need help fixing it, I would highly recommend talking to  Michael VanDeMar. He’s written a great guide to cleaning up WordPress hacks and offers a cleaning service if you’d rather not do the work yourself.  Contact him here for more details.

Image source: ICanHasCheezburger.com

{ 42 comments… read them below or add one }

Brian Fegter April 6, 2010 at 11:07 am

I was hacked and fixed the problem. There were a few areas where I was vulnerable.

1. I had GoDaddy shared hosting. This is the main problem. It can actually someone on your same shared host getting into your files/db.

2. I used Intense Debate and it happened almost immediately. Since ID syncs comments/comment authors, I am almost positive someone found a way in there. My spam subscribers was about 100-200 per day.

3. I didn’t have a secure enough password. Hackers will work for days or weeks to break a high traffic site pw. Wordpress admins are famous for keeping vulnerable passwords.

4. Cloaking agents use the uploads folder for their scripts. They will disguise malicious scripts as image looking file names. Check your uploads and delete every corrupted thumbnail as well.

I fixed this by switching to MediaTemple. I also but a ban on commenting on my site for six months to clear out the clutter. I created a good admin password. All of my cloaking indexes went away within a month. My traffic also took a hit, but it’s back up to normal with legit users.

Ben Cook April 6, 2010 at 11:14 am

Brian,
The person in the WPtavern thread that had the issue was actually on Media Temple. You were on Godaddy, I believe Chris Pearson uses VPS.net. That’s 3 different web hosts already.

That would seem to suggest that if it’s a server problem, it’s a wide-spread one.

Brian Fegter April 6, 2010 at 11:17 am

It’s getting to the point where if you want site security, you need to spend a bit more per month on a VPS.

Ben Cook April 6, 2010 at 11:46 am

Brian, I’m not certain but I think that’s what Chris Pearson has & he still got hit with it so I’m not so sure that would even solve this one. In general though, shared definitely comes with some added risk.

H April 6, 2010 at 11:46 am

My site hasn’t been hit and I’m on shared hosting over at site5.com. I’m more than happy to post plugins and other stuff I’m using. I must admit I don’t run a high volume site and use secure passwords.

Doug Waltman April 6, 2010 at 11:51 am

I could not agree with Brian more. We have not been hit as far as I can tell, and I attribute it to being on a secured VPS. From what I have read, the people being hit were on shared hosting. If you haven’t been hit, be thankful, and then go change your admin passwords to something strong to be safe.

Ben Cook April 6, 2010 at 12:07 pm

H, I don’t think that’s necessary if you’ve not been affected. Thanks for the offer though!

Doug, again, I’m not sure we can narrow it down to shared hosting just yet. And, as I’ve said on Twitter, if it IS shared hosting, it’s hitting a lot of shared hosts all at once. And, since the majority of the WordPress sites out there are on shared hosting, that’s going to be a major issue.

Jay April 6, 2010 at 12:25 pm

Note too, that some of these hacks can be spread via FTP. I am with DreamHost and while I didn’t sustain the hack that creates all of the medicinal Google references, it did do damage to my blog to the point where links from Google were referring to it as a dangerous site. They were able to access via FTP using that so don’t just change your WP admin password. Many of these issues are with the hosts as well so I would be sure to change your FTP password.

Ben Cook April 6, 2010 at 12:50 pm

Jay, changing all passwords associated with your site (WP, FTP, hosting account login etc) is a great first step. Without knowing exactly where the vulnerability is, it always pays to be super vigilant.

Rahul Pathak April 6, 2010 at 12:53 pm

I had this issue on our blog. Check your wp-header.php file and compare it to a clean install. You’ll see some zipped javascript in there that doesn’t exist in the reference file. If you delete that code, or replace the file with a clean one, you’ll be back to normal. This may not address the root cause of the exploit however. I’d also consider turning off XML/RPC posting if you haven’t already.

Please backup your blog and use the above fix at your own risk. I used it on our blog to resolve the issue but no guarantees it will work for you.

Google Webmaster tools will allow you to view the site as Googlebot so you can verify that the fix works.

Hope this helps.

Rahul

PS: I’m no expert so this is the limit of my knowledge 🙂

Tony April 6, 2010 at 12:58 pm

It’s been frustrating. A site was hit with this without any real fanfare. It doesn’t contain ANY of the plug-ins mentioned thus far. Similarly to what happened to someone mentioned above, the site is on Media Temple. MT didn’t seem to know about this at all and simply told me that we must have had a post on the site mentioning viagra and that since it’s only showing up in Google site results that it’d clear up. I knew better than that.

At the time it didn’t appear to be a huge issue yet. There wasn’t a lot of content online about it. Some people mentioned they had new files on their server that they just deleted or an edited htaccess file. There’s nothing new on the server that I can find and the htaccess is unmodified.

Somehow these people got into the database and added this material. That only became clear when looking through a mySQL database export. I’m surprised by this given that the username and password are overly complex and not based upon anything related to the site.

It’s been frustrating.

Ben Cook April 6, 2010 at 1:01 pm

Tony, that’s the same experience that Chris has described. One place I’d check was mentioned earlier in the comments, your images (specifically your uploads folder). There might be something hiding in there.

fakhri Me April 6, 2010 at 1:17 pm

@Rahul thanks for your info
i’ll do that.and look’s at my traffic’s site, then block those IP immediately..
can someone here, reccomend me to any wordpress malware scanner which work well?

Doug Waltman April 6, 2010 at 2:22 pm

Ben: After some more poking around, I think I found a few VPS websites that look like they’ve been hit as well. I think I was a bit too hasty in my conclusion. I wish they would hack one of my personal sites just so I could see what’s going on and get my hands dirty finding a solution.

Ben Cook April 6, 2010 at 2:24 pm

Doug, lol well I’ll leave that to you. I’m still hoping I dodge the bullet this time around. As an SEO my rankings & Google results are near & dear to me 🙂

Gordon April 7, 2010 at 1:37 am

One of my blog hosted on HostNine (Ubiquity LA facilities) was hacked last week, now I’ve moveed to another hosting company
The hacker search from bing with the keyword: “ip:123.123.123.123 wordpress” find my site, and change my admin account (I’ve renamed to another name) and password, then login to my dashboard to add some code on my theme files
Here is my Apache log: http://gordon168.tw/download/hack.txt
And now I use .htaccess to restrict IPs of my dashboard, and that’s works!
put these code in your wp-admin directory:

order deny,allow
deny from all
allow from 123.123.123.123 (change this to your IP)

Be carefull !

Christopher S. Penn April 7, 2010 at 8:03 am

I got nailed by this as well – the RSS option_name is randomized, but there’s a HUGE chunk of encoded script in it.

Use this query in PHPmyAdmin:

SELECT *FROM `wp_options` where option_name like ‘rss%’ ORDER BY `wp_options`.`option_name` ASC

and you should be able to check out the few that result.

Les April 7, 2010 at 12:00 pm

I’m confused. How does this help the spammers? Near as I can tell the links still point back to the blogs in question and I don’t see anything in the Google search results that lists the spammer’s site.

Are they just trying to poison the page ranks of popular blogs to try and get their pages listed higher up? I don’t get how this benefits them.

Ben Cook April 7, 2010 at 12:14 pm

Les, if you look closely, you’ll see that there are in fact links off to several other sites where it says “Similar Posts:”

Brian Fegter April 7, 2010 at 12:26 pm

Cloaking can come in the form of .htaccess rewrites or JS snippets. So, my logically speaking, a plugin has the most access to your database and can write to files on your server. I don’t know about anyone else, but I don’t vet the code of each plugin that I install. Plugins are a full-access back-door to your DB and your WP install.

My practice as of late is to at least take a quick peek at the code and see if there’s anything fishy going on behind the scenes at a glance. The best way to check is to look at what hooks the plugin is using. If the hooks are out of scope of the plugin, chances are it’s not safe.

Les April 7, 2010 at 1:10 pm

Ah! I see it now. Very clever. Thanks Ben, I was a little clueless.

Tony April 7, 2010 at 2:16 pm

Something I’m curious about… The site that was affected had Remote Publishing enabled in the Writing options. Has this been enabled for everyone else with this problem?

I’m just guessing, but it seems like having that on leaves you semi-vulnerable to something like this. Might be an avenue worth investigating?

Maciej (ma-chi) April 7, 2010 at 3:07 pm

Yeah it is really important to make that password really unique because if it’s weak they will make it through at some point and that can cause some real problems for people. On a side not is anybody else excited for version 3.0?

Matthew Arndt April 7, 2010 at 3:07 pm

We do a lot of Wordpress development, and one of the precautions we ALWAYS take is to DELETE the admin account.

We had a bunch of our sites hacked before we implemented this. We always create an alternate username to be admin and then delete the old admin account. Since then, we haven’t had any problems. Also, its important to make sure that you have a strong password with uppercase letters, lowercase letters, special characters like $&#*, and numbers.

Ben Cook April 7, 2010 at 4:24 pm

Yeah, it’s always good to take proper precautions, in fact, I’ve blogged before about 6 Easy Steps to Securing WordPress.

However, we’re still not sure how this hack’s point of entry. It sounds like people are leaning towards a plugin but no one I know has found anything conclusive yet.

Michelle Salater April 7, 2010 at 5:25 pm

Thanks so much for this informative post. I have nothing brilliant to contribute, just wanted to thank you for being proactive about this situation. I’m an avid WP user and thank God, I haven’t been hacked. Now I know where to turn if I am.

Derick Schaefer April 8, 2010 at 2:07 pm

This is a healthy discussion. “Most” shared hosting is a problem and VPS brings up a totally different level responsibility and management. We’ve actually had the least problems on GoDaddy and the most problems on Media Temple (shared). Still, I like both providers for various reasons and would recommend to others.

On our big blogs, we use VPS from Media Temple. We lock this down at the file system level and run SecurePress . We also use our own plugin, WP-MalWatch to look for “Evidence” that someone has been in. We are currently adding more functionality to it. One I’m immediately thinking of is the ability to search for strings that people report on blogs like this.

Christopher S. Penn April 9, 2010 at 8:15 am

I made some updates based on guesses – short version, update TimThumb and the rss functions of Wordpress. We’ll see what happens.

Yohan Perera April 10, 2010 at 6:39 am

I am getting this error…

#1064 – You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘%’ ORDER BY `wp_options`.`option_name` ASC LIMIT 0, 30’ at line 1

Paul J. Reber April 12, 2010 at 2:01 pm

We got hacked this way last week. I just found the following fragment hiding in my header.php file:

Not sure how it got there. I’m setting up the recommended .htaccess on the wp-admin directory as a precaution.

Paul J. Reber April 12, 2010 at 2:03 pm

My comment awaiting moderation has the php code fragment in it, but I don’t see it in the comment. I guess it should be modified to be rendered harmless just in case (sorry).

Brian April 13, 2010 at 3:16 pm

Here’s the official WP schmooze on the issue:
http://wordpress.org/development/2010/04/file-permissions/

I don’t understand why Matt has to always be so cocky about everything. These discussions are good for the user base. I understand if a host is blaming Wordpress for loose practices, but get classy Matt and stay professional in how you address the situation.

Ben Cook April 13, 2010 at 3:46 pm

Brian, I have to be a bit careful here as I’m actually a Network Solutions employee. However, the opinions and statements on this blog are strictly my own and do not represent Network Solutions in any way.

That being said, I would agree with you.

Also, I believe this only addresses the Network Solutions hack issue, NOT this Google Cloaking hack issue. As far as I know the exact cause or vulnerability of this hack has not been found. Chris Pearson has been tweeting that he suspects a Magpie RSS widget or plugin but I’m not sure if that holds water across all the affected sites for this particular hack or not.

Basically, I think Matt didn’t like the amount of press that’s been going around about different WordPress hacks and wanted to try and clear the air about it.

Gus April 14, 2010 at 9:26 am

Hi all,

One of my websites also suffered from that cloaking hack a few weeks ago.
I’m sure if it could be related but a few weeks earlier I discovered a php backdoor file in my wp-content directory. I removed it but couldn’t find how the hacker managed to upload it there.
Script was named tu145.php
Wordpress wasn’t up to date, I can only blame myself!

About the cloaking thing, it was generated via a modified wp-includes/bookmarks.php where hackers added a function called encoded_optimal(). This could have probably been done by the above backdoor…
This function, when UA was recognized as non-human, was including this file in the footer of the page: http://nadoelo.cn/baza4/7.txt
I still have a backup of that modified bookmark.php file if needed.

Hope this help!
Gus

Mike April 28, 2010 at 12:48 am

Thanks for the clues, but none have removed the hack on my site, placed on behalf of a Turkish dating site.

I’m at MediaTemple with latest, greatest WordPress. App WP suggests is to scrub, backup and and reinstall everything (until this mystery hack strikes again. Nice work, WP!) Deliver me from cut, paste and post solutions.

I’m getting the same MySQL syntax error as Yohan Perera, above. Can anyone help?

Eric Hamilton May 1, 2010 at 9:06 pm

I have many WordPress 2.9.2 installs (currently latest and greatest) on Lunarpages shared hosting. Several of my sites got hit. Because several of them were hit (including one in development that should not even appear in Google search results), I believe that the exploit is gaining access to the filesystem (perhaps through php / wordpress vulnerability, perhaps not) and searching for other blogs to target.

Some of the sites were broken. Those ones spit out this error:

Parse error: syntax error, unexpected ‘<' in /home/train22/public_html/blog/wp-includes/default-filters.php on line 230

The ones, I believe, that were NOT running WP-Supercache plugins broke. The ones that were running it had obfuscated javascript code appended below the final /html tag at the bottom of the page. I was unable to find the source of the injection in the template files.

One of the broken target sites was running only one plugin – exclude pages. However, I believe it to be highly unlikely that it was the attack vector. I think one of the other sites was exploited, and they used a filesystem search to locate and attack the other installs.

Eric Hamilton May 1, 2010 at 9:13 pm

One more clue – a simple upload of WordPress 2.9.2 over-writing the files fixes the problems and removes the javascript from the bottom of the files. I haven’t searched the database files very thoroughly yet, though. It’s likely there are backdoors still hidden. I’m looking forward to a more permanent fix!

Ben Cook May 1, 2010 at 10:43 pm

Eric, I don’t think the hack you’re discussing is quite the same one as we’ve been seeing discussing here. The hack this post was about is only visible when viewing your site in Google’s search results and (from what I’ve been told) hid the code in plugin folders, not injecting things into the bottom of your pages. Are you sure we’re talking about the same hack?

Anonymous May 5, 2010 at 4:28 am

Anyone checked the .htaccess file?

whyme May 8, 2010 at 9:03 pm

my site is down, i got hacked

i use wordpress with go daddy and i had an updated version of wordpress when it came out. but i still got hacked.

my dashboard is messed up….. and a website link shows up on the bottom of the left screen and disappears.

can someone stop whoever is doing this. wt…………….

Ben Wilcox May 13, 2010 at 9:28 pm

Got hacked today, the default login account name was changed back to admin and from the logs it shows that the hacker was over in china. I saw the access in the raw http logs and they went directly to the admin site. They logged right in so there must be a script in the background that has hit the shared hosting box. Wordpress 2.9.2

Mimi July 5, 2010 at 6:42 pm

I host several WordPress sites as well a few HTML sites. The hack seemed to happen around the time that I tried to use the WPbook plugin (June 23-26) to link a site to a Facebook Page. Can’t be completely certain of the timing but that seems to make sense to me. The hacker got in and placed several PHP files in an old and definitely non-secure HTML site. The PHP files all had one piece of PHP code with tons of encrypted letter in between. They referred back to a directory called “set” which I found in an image file in the HTML site that had tons of HTML files that were all named with various pharma drugs and had links to other sites. Every single WordPress site I have had been cloned and given the extension .old – seems like all of the files in the .old extension are pretty clean but the newly cloned files had a new file called wp-includes>pomo>set.php. I assume it refers back to the set directory found in the HTML site. If having these files will help someone diagnose the hacker – please let me know. I am painstakingly going through each WP site, exporting current posts/pages and reinstalling databases and plugins. I don’t know enough about MySQL to search through tables and find offending files. Oh and I use Dreamhost.

Previous post:

Next post: