Sips from the Firehose
A blog that seeks to filter the internet into a refreshing, easily-gulped beverage

Apr 21

How to Fix Your Hacked WordPress Blog (part 2)

Posted: under Blogging, Blogs.

A 12-step program to get your blog so’s it can go out in public again

…when last we left the hacked blog, it had managed to delete the phony users and admins, and the permalinkspam was gone.

Jump ahead to last week, when I noticed that my Google AdSense boxes were always full of creepy advertising for boner pills.  I have been playing with all kinds of plug-ins lately, trying to find something that will work well to “mobilize” this site.  I wondered if any of them had done something to my header, so I clicked on “View page source” to see …

evil javascript code

The list of links to sites underneath the noxious javascript ran for page after page. No wonder my site loaded so sluggishly!

Great. Just great.

I know enough about Javascript to recognize when someone is being deliberately tricky about what they’re doing. The code in the window above uses the “Array” function, where all manner of short codes are stuffed in there to make nasty function calls and run a script that pulls in content and hides it out of sight in my header.  This code then puts in the hypertext links such as the ones shown above (to some poor sap at a school whose computer is being used as a relay station for porno-pharma traffic).

Time to move to the next step in the program:

8. Made a list of all the plug-ins and started deleting them one by one

One of the really good rules for trying to fix something going heinously wrong on your computer is to start backtracking. Figure out what the last thing you did was, and try to undo it.

In this case, it was the plug-ins. I figured maybe someone had either gotten hacked, or their plug-in was the way for a ‘sploit (hacker-speak for an “exploit” — a vulnerability in the software that they can worm their way through) to get into my scrupulously up-to-date blog.  So I cacked all the plug-ins, and the next morning, opened up the Dashboard to find that the evil code was back in the header file.

9. No amends – only more evil code in the header

This happened two more times. It was time to start going through the PHP code line-by-line to try to figure out what the hell was going on.  I used the editing tools that are integrated into the Dashboard on WordPress — to little avail.

I was starting to really wonder if the infection had reached the core PHP server, which would be epically bad news.  I fired up my FTP program and started going through the library files. And there, I worked the next step:

10. I inventoried the files in the php-admin folder and admitted I had missed some pieces of the infection

I had to go through all the images for my blog postings, month by month, to find these little files.  Even so, I damn near missed them – except that their edit dates were out of step with the dates that I uploaded the images.

Deliberately misspelled -- but fiendishly close enough to actual words so that you might just miss them.

Check it out – they spelled “footer” as “fotter.php” so that it kinda blends in, but won’t break the blog. Like any good parasite, it knows that if it kills the host, then the blog won’t be up and functioning, and the little baby tapeworms won’t get to feast on the ill-gotten pharmaspam revenues that come from the links stuffed into my blog.

I also found a .gz file deep in a totally separate subdirectory under my wp-admin folder.  I won’t show you the screengrab of that one, since it has some other identifying information in it.  But again, as you look through all your folders and subdirectories, just keep an eye out for something that looks like it doesn’t belong.  Think of the method that astronomers use to find comets: they alternately flash big pictures of the sky, and look for the little dots that are strobing.  Those are the points of light that are in slightly different positions from one frame to the next.

The problem also goes a bit deeper into some of the files on the PHP server; the links in the previous post will take you to pages that explain, far better than I could, how you can search for the vile infected strings of Javascript. Part of the problem is that they take advantage of a “reverse” function – where the commands are spelled out backwards, and then the server is instructed to read them that way. It looks again like gibberish to human eyes, but to a machine, it means “Stuff the trojans in here!”

Look for files whose sizes differ wildly from what they should be.  If you do open them up, do it in a Text reader – not a Word document. Word probably won’t execute the Java code if it’s just pasted into a page as pure text, but man, with this stuff, it pays to be careful.
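The manual hunt in step 10 can be scripted. The sketch below is an added example, not code from this blog or from WordPress: it walks a copy of the site and flags PHP files sitting in an uploads folder, file names that are near-misses of real ones (the "fotter.php" trick), stray .gz archives under wp-admin, and calls such as the "reverse" function used to hide code. The `KNOWN_NAMES` list, the marker list and the sample tree are assumptions constructed for the demonstration.

```python
import difflib
import re
import tempfile
from pathlib import Path

# Assumed reference list of legitimate file names (not exhaustive).
KNOWN_NAMES = ["footer.php", "header.php", "index.php", "functions.php",
               "sidebar.php", "comments.php", "wp-config.php", "wp-login.php"]
# Assumed markers: PHP calls commonly used to unpack hidden code at run time.
OBFUSCATION = re.compile(rb"\b(eval|strrev|base64_decode|gzinflate)\s*\(")

def lookalike(name):
    """Return the known file name this one imitates, or None."""
    close = difflib.get_close_matches(name, KNOWN_NAMES, n=1, cutoff=0.8)
    return close[0] if close and close[0] != name else None

def scan(root):
    """Return sorted (relative_path, reason) findings for a WordPress tree."""
    findings = []
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".php" and path.is_file():
            if "/uploads/" in "/" + rel:
                findings.append((rel, "PHP file in uploads"))
            if (twin := lookalike(path.name)):
                findings.append((rel, "name imitates " + twin))
            if OBFUSCATION.search(path.read_bytes()):
                findings.append((rel, "obfuscation call"))
        elif path.suffix == ".gz" and rel.startswith("wp-admin/"):
            findings.append((rel, "archive under wp-admin"))
    return sorted(findings)

def build_sample(root):
    """Write a constructed tree: two clean files and two planted ones."""
    files = {
        "wp-content/themes/t/footer.php": b"<?php wp_footer(); ?>",
        "wp-content/uploads/2010/03/fotter.php": b"<?php eval(strrev('...')); ?>",
        "wp-content/uploads/2010/03/van.jpg": b"\xff\xd8\xff",
        "wp-admin/includes/old/x.gz": b"\x1f\x8b",
    }
    for rel, data in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan(tmp), sep="\n")
```

Run it against a downloaded copy of the site rather than the live server, and treat every hit as something to read by eye, since legitimate plugins also use some of these calls.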

11. Prayed and meditated that I had, at long last, cleansed the scourge from my blog

At this point, I’ve spent more than three days in all, fine-tooth-combing my blog and all the associated PHP, HTML and image files, folders, subcategories and god knows what all. I’m beat. Either I’ve gotten it or I haven’t, and it’s time to call in someone who is better at this than me.

And then on Sunday – I opened up the blog in my browser and hit “Page Source” … CLEAN!

And now for the last step (and I have tried to keep these steps at least vaguely in line with the instructions for AA and other 12-step programs):

12. Having had a blogging awakening, I try to carry this message to other bloggers, and practice the following principles with all my WordPress installs

I hope you’ve managed to get some learnings out of this strange screed. I know the presentation has been a bit quirky, and to be honest, about halfway through I realized I was pretty much beating the metaphorical dead horse into goo. But the point of all this is that I could have avoided all this pain, not had about 6 months of blog postings tainted and probably really awful Google page-rankings, if I had just kept the site properly updated.

When WordPress or other software does a critical release – for God’s sake, download and update it. The thing is, when they do a major release and bugfix, they have to publish exactly what bugs they are fixing. Which is like a paint-by-numbers for the hackers out there. They know exactly where and what the hole in the software was, and can start churning out botcode to take advantage of updating sluggards (like me).

Well, I have seen the light. No more slacking off on updating – and no more willy-nilly experimentation with fancy plugins on a site that I use for my business.


Apr 20

How to Fix Your Hacked WordPress Blog

Posted: under Blogging, Blogs.

A 12-step program to send your out-of-control blog to rehab

If your blog has been hacked, your first indication is when it starts acting like it’s in the late stages of particularly noxious drug addiction. Your once mild-mannered blog is now a nasty Hollywood tart, reeling around, blowing toxic breath in random strangers’ faces, accosting people in the street and making depraved sexual suggestions, showing up at high-society events and flashing its naughty bits, and letting complete strangers fondle its database and cram noxious javascript code into its secret places.


At this point, you can either choose to slaughter and revive your blog (i.e. delete everything and do a clean re-install), or roll up your sleeves and start hunting down the rogue bits of code that are turning your blog into Britney/Lindsay/Paris. No matter what, you should back up your WordPress blog by using the WP-DB-Backup plugin.

However, there is no guarantee that even if you go for the nuclear option, that the virus snippets won’t have wormed their way somewhere into your database, and will just pop up again (which is what they did to me – repeatedly) when you restore from the backup. This is why I reluctantly armed myself with some PHP manuals and started digging around in the guts of my blog.

If your blog has been infected for a while, it may have already affected your Google page rankings; in some of the links above, you’ll see that they started getting de-listed by Google because they looked to the bots like pr0n0 spammers. It can take quite a while to recover from that; the whole thing reminded me so much of the by-now ubiquitous Hollywood paradigm of getting clean & sober that I broke it down into a 12-step program.

Step 1: Realize that we have a problem; then admit that we are powerless over what our blog is doing, and that it has become unmanageable

The first notice I got that some of the WordPress blogs that I use (and administer for others) had been hacked was when this strange code started showing up in the permalinks.

Kinda strange, right? Looks at first glance like some little bug with the extended permalinks function...


Usually, when you choose long permalinks, that’s to give Google’s bots the chance to find & index your content correctly.  But no prob, I thought: just go on in to Edit Post mode, and delete the code and re-save it.

Curious. I saved it with the real permalink and it turned up with some strange gobbledygook at the end anyway. Wonder if that’s having any kind of effect on the blog. Better check it in Google Reader.

Step 2: Come to believe that we are going to have to take serious action to restore the blog to sanity

Holy Sh-Nikes! Where did this come from?

Man, you never want to see this associated with your blog. This is screaming sirens, flashing lights, all spelling out "VIRUS ALERT!"

If you don’t get a jolt of adrenaline at seeing something like this where your blog contents are supposed to be, you don’t understand the gravity of the situation. This kind of pharmaspam is absolutely deadly; it usually comes from Eastern European hackers, and it means that the infection is serious.

Step 3: Made a decision to appeal to the higher powers – Google (and the WordPress codex, as we understand it) to find the answers

One of the first things that I found was a long thread about how hackers register themselves as users.

Sure enough, look at the number of users. Also look at the number of admins.

Step 4: Made a searching and fearless inventory of the renegade users

I went through page after page, hoping that I would be able to figure out which were the responsible, decent users, and which ones were the identities of the various spambots that were using my blog like a passed-out sorority girl in Satan’s frat house.

A lot of them were easy to spot – they had the various names for the erectile dysfunction drugs as their “@blahblah” addresses.

5. Admitted to ourselves that we had been remiss in updating the blog

OK. I admit it. I was afraid to update the blogs because we’d installed some customized plugins, and I didn’t want to have to futz with them if they broke. Saved some real time, eh? Now I was spending hours going through my blog(s) trying to figure out what had happened.

As you can see, I started this whole process back when WordPress was still at revision 2.8.4.  Oh, the shame!

6. Became entirely ready to get rid of these freeloaders

Cry havoc! And set loose the delete function!

7. Ruthlessly removed the false admins

These were where the hackers put their admin identities. All the way down at Z, where I had to trudge through hours of checking and deleting the other users to get to them. While I was in here, the hackers were trying to get back in to add more users. It was a race to see who was faster...

I couldn’t believe that the hackers were trying to add more users to the pile, to slow me down. I managed to delete enough of them to get down to the Z’s, where their admin identities were hidden. And then I deleted those. Success!

…or so I thought.



Apr 13

Hypnotic Motion

Posted: under Video.

This is an experiment to see if adding some video files to posts is at all workable when this site is accessed via the mobile web. Please stand by.

Hypnotic Motion


Apr 12

Gentle Persuasion

Posted: under Amusing Nonsense.

Gentle Persuasion

Spent this past weekend at a “Pick Your Part” junkyard in NorthEast L.A., with greasemonkey-for-a-day Mack Reed, in search of pristine parts from Ford Econoline vans for the xylovan project.

Here, we see Mack wrenching on a particularly obstreperous and tricky bolt, one that steadfastly refused to loosen.

The evil substance crusted to his knees was later taken into captivity and flown to Area 51, where it was quarantined for further study by the SETI teams.


Apr 07

BitTorrent Pirates My Book Before I’ve Written It

Posted: under Uncategorized.

Just got a Google Alert that told me that RapidShare and BitTorrent sites are advertising that they have “Mobile Web Design for Dummies” for immediate download.

Which is interesting, since I’m currently just finishing chapter 10.  Apparently, they’ve managed to create some sort of space-time discontinuity, whereby they can offer pirated intellectual property before it has actually been created.  Which is a good job, because I’d kinda like to get the damn book so I can see how I handled the chapter on backwards-compatible WAP sites, and my wife, partner & co-author Janine Warner would dearly love to be able to shortcut the whole author-review process on the heavy-duty CSS chapters.

The only thing I can think of is that this is some botfarm/malware site that has set up scrapers to get the titles for every Dummies book published, and then Blackhat SEO the shit out of the vaporware books to try to hoodwink would-be content pirates into downloading some kind of heinous Trojan virus. I’d be tempted to pronounce a pox on all their houses, but I’ve found through my work internationally that many of the people who download the e-books for free later want to have a hardcopy to refer to.

UPDATE: Just tried to download my own book, and found a screenful of gibberish like: 5DAH4UCCHGQQ
