Hey everyone – did you get any kind of malware warning when visiting my site anytime over the last month or so? I’m curious to see how many people have proper malware detection in their browsers.
Here’s what happened:
- My WordPress installations have all been hacked. I have several running on this hosting account.
- The most likely source of infection was an older version of TimThumb.php, which is part of the WP theme.
- The attacker comes in and drops in some kind of PHP code to attack your files even after you fix the original exploit.
- I’ve never seen the warning on my end at all, but I use a Mac and the code may be targeting IE specifically. I’m not sure yet because I haven’t bothered to decode it yet.
- If I clean up the infected index files, my site shows as being clean when scanned at Sucuri.net – but a few hours later the hack returns, and the base64-encoded stuff is back. So it’s being re-written by other bad files on my server.
- I’ve seen these hacks before, and can usually find modified files by looking at server file timestamps. But this time the bugger is modifying the timestamps so files don’t appear to have been changed.
- For now, my band-aid solution (thanks Val) was to change permissions to read only on the affected files. It seems to have worked, but it’s by no means foolproof. The hacker has my MySQL passwords (which I’ll change), and may still have access to my SSH password (although I don’t think so, already changed).
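Because the post notes that file timestamps are being reset and so cannot be used to spot re-infected files, the check below relies on content only: a hash baseline taken from a known-clean install plus a pattern match for the eval(base64_decode()) idiom. This is an added example, not code from the post; it constructs its own one-file fake WordPress tree in a temp directory, and the regex, file names and "hello" payload are assumptions for the demo.

```python
import hashlib
import os
import re
import tempfile
# Obfuscation idiom common in injected PHP droppers (constructed pattern).
SUSPICIOUS = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate)\s*\(", re.I)

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def php_files(root):
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                yield os.path.relpath(os.path.join(dirpath, name), root)

def build_baseline(root):
    """Hash every .php file; run this right after a known-clean install."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in php_files(root)}

def scan(root, baseline):
    """Map relpath -> reasons. Content-only checks, so reset mtimes hide nothing."""
    findings = {}
    for rel in php_files(root):
        path = os.path.join(root, rel)
        reasons = []
        if rel not in baseline:
            reasons.append("new file not in baseline")
        elif sha256_file(path) != baseline[rel]:
            reasons.append("content differs from baseline")
        with open(path, "rb") as f:
            if SUSPICIOUS.search(f.read()):
                reasons.append("eval(base64_decode()) idiom")
        if reasons:
            findings[rel] = reasons
    return findings

def demo():
    # Constructed scenario: clean tree, then injection with the mtime restored.
    root = tempfile.mkdtemp()
    index = os.path.join(root, "index.php")
    with open(index, "w") as f:
        f.write("<?php require 'wp-blog-header.php';\n")
    baseline = build_baseline(root)
    st = os.stat(index)
    with open(index, "a") as f:
        f.write("<?php eval(base64_decode('aGVsbG8='));\n")
    os.utime(index, ns=(st.st_atime_ns, st.st_mtime_ns))  # mtime looks untouched
    return scan(root, baseline), os.stat(index).st_mtime_ns == st.st_mtime_ns
```

On a real host, store the baseline off the server (the attacker can rewrite anything on it) and re-run scan() from cron to catch the re-injection the post describes.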
This particular hack had no visible external indicators to me. So I don’t actually know how long it’s been in place on my server … which is why I’m curious if you’ve seen any malware warnings from your browser / AV software.
It’s a royal pain in the ass, although the silver lining is that I’ve cleaned up a lot of crap on my server that I really didn’t need anymore. Sorta like losing your car keys in a messy room and being forced to clean house to find them.
The only “real” solution to this kind of hack is to completely wipe out all of my files and upload new, clean versions of WordPress and other scripts that I’m running. Then I have to scrub my databases to make sure there weren’t any iframe injections or other crap.
I tell ya … I never thought I’d need to learn about this stuff.