Tuesday December 11th 2018

Your Wordpress Blog Has Been Hacked!

Students at Macintosh computers. University of New Mexico, Albuquerque, New Mexico, December 2010.
Photo courtesy Standard Travel Photos

The first indication that there was a problem was when traffic dropped sharply. November 27, 2012 had 245 visitors. By December 5, 2012, traffic had fallen to just 43 visitors. After that, traffic stayed well below 100 daily visitors. These figures were from Google Analytics.

It was a mystery until eight months later, on August 31, 2013, when we received an email from Google with the subject “Suspected Hacking”:

Google has detected that some of your pages may contain hidden text or cloaking, techniques that are outside our Webmaster Guidelines.
Specifically, we detected that your site may have been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.
Sample URLs:

(suspected urls)

Recommended action
Clean up the hacked content so that your site meets Google’s Webmaster Guidelines.
If you have any questions about how to resolve this issue, please visit the Webmaster Help Forum.

So Google detected some hacking. The website in question is a Wordpress blog. I visited the blog and loaded the pages listed. Everything looked to be in order. Could Google be mistaken?

A couple of weeks later, on September 12, 2013, someone tried to visit the blog and e-mailed us that their AVG anti-virus software would not let them view the page. So the site was being blocked by anti-virus software: blacklisted! This was not good.

Digging for Clues
I was assigned to the task and started investigating to see if the blog had indeed been hacked. I followed the link in the email to Google’s instructions, Cleaning your site.

Go to Google Webmaster Tools and click on the site. From there you can do a lot of different things. View Site Messages to see the message “Suspected hacking”. Crawl>Fetch as Google lets you see what the site looks like to Google.

In Google’s Webmaster Help Forum under the heading Malware & Hacked sites you can read several threads about being hacked. In one of the threads, I found a link to Sucuri SiteCheck, a free website malware scanner.

Sucuri: Scanning for Malware
I entered the blog’s domain name and scanned it. Sure enough, Sucuri found malware on the Wordpress blog pages. Every page had invisible advertising text with links to a pharmaceutical company in the U.K. It also reported that the site had been blacklisted.

I opened the pages in the Safari web browser. To view the page source, use menu item Develop>Show Page Source. Sure enough, there was the same hidden pharma advertising text that Sucuri had found. But how did that text get there?

Visit the Sucuri blog for many articles about malware, being blacklisted and security in general. This is a valuable resource.

Pharma Hack
I found an article that described various kinds of Wordpress hacks: Common WordPress Malware Infections. The Pharma Hack seemed to match what I was seeing. It’s not really malware, but is actually SPAM. The pharma SPAM injection adds invisible text to each page in order to increase the Google pagerank of the spammer.

The spammer replaces some of your Wordpress PHP files with their own files that contain the spam. PHP files that output HTML are the usual targets. They replace index.php, header.php and footer.php, usually in your wordpress/wp-content/themes/ directory.
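The hidden text described above (invisible advertising with links, found by viewing the page source) can be spotted programmatically rather than by eye. The following is an added example, not code from the original post or from Sucuri: it parses a page with Python's standard-library HTML parser and reports every link that sits inside an element hidden by an inline style. The sample page and the list of hiding tricks it looks for (display:none, visibility:hidden, off-screen positioning, zero font size) are constructed for the example; a real scanner would also handle hiding done through external stylesheets and JavaScript.

```python
"""Report links that a page hides from visitors, the signature of a pharma SPAM injection."""
from html.parser import HTMLParser
import re

# Inline-style tricks commonly used to hide injected text (assumption: this short
# list covers the common cases; production scanners use longer lists).
HIDING_PATTERNS = [
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"(left|top)\s*:\s*-\d{3,}px", re.I),   # pushed far off-screen
    re.compile(r"font-size\s*:\s*0(px|pt|em)?\b", re.I),
]

# Elements that never get a closing tag; they must not touch the open-element stack.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "source"}


class HiddenLinkFinder(HTMLParser):
    """Tracks whether each open element is hidden (directly or by an ancestor)."""

    def __init__(self):
        super().__init__()
        self._hidden_stack = []      # one bool per open element
        self._current_href = None    # href of the hidden <a> being read, if any
        self._current_text = []
        self.findings = []           # (href, anchor text) for every hidden link

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        style = attrs.get("style") or ""
        hidden_here = any(p.search(style) for p in HIDING_PATTERNS)
        inherited = self._hidden_stack[-1] if self._hidden_stack else False
        self._hidden_stack.append(hidden_here or inherited)
        if tag == "a" and self._hidden_stack[-1]:
            self._current_href = attrs.get("href", "")
            self._current_text = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._current_text.append(data)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag == "a" and self._current_href is not None:
            self.findings.append((self._current_href, "".join(self._current_text).strip()))
            self._current_href = None
        if self._hidden_stack:
            self._hidden_stack.pop()


def find_hidden_links(html):
    """Return [(href, text), ...] for every link inside a hidden element."""
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one off-screen block and one display:none span carry
# the injected links; the visible links are the blog's own.
SAMPLE_PAGE = """<html><body>
<div id="header"><a href="/about">About</a><br></div>
<div style="position:absolute; left:-9999px;">
  Buy <a href="http://pharma.example/cheap-pills">cheap pills online</a> and
  <a href="http://pharma.example/more">more pills</a>
</div>
<p>Normal post text with a <a href="/post/1">visible link</a>.</p>
<span style="display:none"><a href="http://pharma.example/x">hidden</a></span>
</body></html>"""

if __name__ == "__main__":
    for href, text in find_hidden_links(SAMPLE_PAGE):
        print(f"hidden link: {text!r} -> {href}")
```

Run it against the saved source of each affected page (the output of Safari’s Show Page Source, or `curl` of the live URL); a clean theme should produce no output at all, so any line it prints is worth a look. Because the parser works on what the server actually sends, it sees the same text Google and Sucuri see, regardless of what the page looks like in a browser.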

Finding and Fixing the Files
So we had to find which files contained the hidden text. It turned out that the spam code was in the header.php file in the /themes/antisnews/ directory. This file had been recently added on 8/11/2013. This may have been only the most recent version of the spam file. They may have changed it multiple times, to change the spam text. The spammers are probably selling the link to customers who want to improve their Google pagerank. It’s business, but a shady business.

Replacing the bad header.php file with the original installation header.php got rid of the hidden text.

Re-running Sucuri SiteCheck showed that the spam was gone. However, it still had status: Site blacklisted.

The next question was, how was the spammer able to replace that header.php file? They would have to be able to write in the directory.

The blog is on a shared host with GoDaddy. That means there are websites from different users on the same server. The permission on the directory was 755 (rwx = 111, 101, 101). Basically it means that Group and World can read and enter the directory, but only the Owner can write in it.

Looking further, we found another suspicious file in wordpress/wp-admin/includes named class-ftp-acrimony-connotation.php. I couldn’t find such a file in the original installation. It was just one line of php code with an empty statement. This file had also been changed recently. It looked suspicious, so I deleted the file.

Maybe the hackers are using Wordpress’s FTP capability to install the spam files? When they want to change the spam text, they just FTP a new header.php file.
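The clues used above, a theme file whose contents differ from the original installation, a file in wp-admin/includes that the original installation never had, recent modification dates, and directory permissions, can be checked in one pass. The script below is an added example, not code from the original post: it hashes an installed WordPress tree and a pristine copy of the same version (assumed to be unpacked beside it, for example from a fresh download), then lists modified, unexpected and missing files, PHP files changed in the last N days, and anything writable by group or world. The two directory trees it compares are constructed inside a temporary directory so the example runs offline; the tampered header.php and the extra file use the names from the post but their contents are made up.

```python
"""Compare a WordPress install against a pristine copy and flag suspicious files."""
import hashlib
import os
import pathlib
import stat
import tempfile
import time


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = pathlib.Path(root)
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def compare_installs(installed, pristine):
    """Files that differ from, are absent from, or are extra relative to the pristine copy."""
    have, want = hash_tree(installed), hash_tree(pristine)
    return {
        "modified": sorted(k for k in have if k in want and have[k] != want[k]),
        "unexpected": sorted(k for k in have if k not in want),
        "missing": sorted(k for k in want if k not in have),
    }


def recently_modified_php(root, days):
    """PHP files whose mtime falls within the last `days` days."""
    cutoff = time.time() - days * 86400
    root = pathlib.Path(root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*.php")
                  if p.stat().st_mtime >= cutoff)


def writable_by_others(root):
    """Files and directories whose mode has the group or world write bit set."""
    root = pathlib.Path(root)
    found = []
    for p in root.rglob("*"):
        mode = p.stat().st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            found.append((str(p.relative_to(root)), oct(stat.S_IMODE(mode))))
    return sorted(found)


def build_sample_installs():
    """Construct a tiny pristine tree and a tampered copy of it (demo data only)."""
    base = pathlib.Path(tempfile.mkdtemp(prefix="wp-demo-"))
    pristine, installed = base / "pristine", base / "installed"
    files = {
        "wp-content/themes/antisnews/header.php": "<?php wp_head(); ?>\n",
        "wp-content/themes/antisnews/footer.php": "<?php wp_footer(); ?>\n",
        "wp-admin/includes/class-ftp.php": "<?php class ftp {} ?>\n",
    }
    for root in (pristine, installed):
        for rel, body in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
    # Constructed tampering: spam appended to header.php, plus a one-line file that
    # the pristine tree never had (name taken from the post, contents made up).
    (installed / "wp-content/themes/antisnews/header.php").write_text(
        '<?php wp_head(); ?>\n<div style="display:none">cheap pills</div>\n')
    (installed / "wp-admin/includes/class-ftp-acrimony-connotation.php").write_text("<?php ; ?>\n")
    # Normalise modes so the demo does not depend on the caller's umask.
    for p in base.rglob("*"):
        os.chmod(p, 0o755 if p.is_dir() else 0o644)
    # Make everything look a year old except the two tampered files.
    old = time.time() - 400 * 86400
    for p in base.rglob("*.php"):
        if p.name not in ("header.php", "class-ftp-acrimony-connotation.php") or p.parent.parent.parent.parent == pristine:
            os.utime(p, (old, old))
    os.chmod(installed / "wp-content/themes/antisnews", 0o777)  # the weak setting to be caught
    return str(installed), str(pristine)


if __name__ == "__main__":
    inst, pris = build_sample_installs()
    print(compare_installs(inst, pris))
    print("changed in last 30 days:", recently_modified_php(inst, 30))
    print("writable by group/world:", writable_by_others(inst))
```

On a real site, point `compare_installs` at the live document root and at an unpacked copy of the same WordPress release, then review the modified and unexpected files by hand; wp-config.php and anything under wp-content/uploads will always differ, so the interesting entries are core and theme PHP files. One caveat on the 755 reasoning in the post: on a shared host where PHP runs as a single shared web-server user rather than as each customer, "owner-only write" does not stop code running under that shared user, so directory modes alone do not settle how the file was replaced.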

mySQL Database Hacked?
One other odd thing I noticed was that I could not log into the mySQL database using phpMyAdmin. The password didn’t work. Then I noticed that wp-config.php had been updated with a different password on 2/26/2013. Nobody recalls changing the password at that time. Also, the password was a totally random set of characters that no one here would have chosen. So someone must have changed the mySQL password and updated the wp-config file.

Mysteries Remain
It is still not clear how the hackers were able to replace files in the directories. Also, how were they able to change the mySQL password?

One possibility was by posting article comments. I observed some very long spam comments that were detected by Akismet. One old-time hack was to write a very long message, longer than the program’s buffer length, with executable code at the end. Over-running the buffer allowed code to be executed. Maybe this is possible with Wordpress?

Another possibility is that the GoDaddy server has been hacked. I’ve read a few articles implicating the lax security at GoDaddy. GoDaddy always lays the blame on the user, pointing to out-of-date versions of Wordpress, and they look no further. It’s called passing the buck and is common with lazy system administrators.

Heightened Vigilance
At this point, all we can do is be vigilant. We’ll have to keep checking to see if the site gets hacked again. It’s possible that whatever backdoor they originally used to replace those PHP files is still in place. Or if the GoDaddy server or passwords have been hacked, there is really nothing we can do to prevent another hacking.

Here is an article about finding Wordpress backdoors:
How to search for ‘backdoors’ in a hacked WordPress site
