Hey fellow bloggers — if you are using WordPress for your blog beware of hackers getting you like they got several of my blogs last week.
The scheme is pretty clever. Apparently what they do is hack into your WordPress site
via FTP somehow or other (likely via a vulnerability in older versions of WP), then they modify your wp-blog-header.php file. The purpose of the hack is to siphon off all of your search engine traffic to their spam sites. The way it works is the new code placed in your header file reads the source of the incoming traffic and if the visitor is coming from a search engine the script directs that visitor to their spam sites before the visitor ever sees your site at all.
So for instance as a part of my day job I help administer an FHA mortgage blog designed to help people with government-backed mortgages. That site does pretty well at the search engines. But because of the hack when visitors found the site at a search engine and clicked on the link they instead ended up at some spammy/scummy fake Google page or at one of those fake virus alert sites.
How To Fix It
Well I can only hope I really have it fixed. Here are the steps I recommend:
1. Turn off the ability to anonymously access your blog via FTP just in case. This is done through your host.
2. Change your passwords.
3. Go fix your file access permissions (One of the tricks the script uses is to change permissions so that the “write” function is disabled and you can’t write over the hacked files without enabling that function again)
4. Remove the offending code from your wp-blog-header.php file. (The scheme is pretty clever but the hack at least is nice enough to include a “start” and “stop” note in the hack code so it isn’t that hard to delete)
5. You can also look at upgrading to the newest version of WordPress. I suspect it is more immune to this particular hack.
As I said it is a pretty clever scheme because blog owners will see that their search engine placement is not changed. Plus the hackers mask which files they hacked by changing the dates on the last access (back dating). So the only way most users will discover the problem is to actually click on the links to their site in a search engine and notice that they end up somewhere else (specifically at some sattan.org sub site). I suspect they are making a killing by stealing a lot of traffic from a lot of people. Hopefully you are not a victim who has a blog that is getting killed because of it.
[Update 1 (Dec. 2)]
As one of the commenters predicted, the changes above only temporarily solved the problem. By this evening the hackers (or at least the malicious scripts) had reinserted the offending codes in the header file and re-changed the permissions. As my next attempt I am trying the various cleanup steps found here. Plus I plan to upgrade a few of my blogs to see what happens.
[Update 2 (Dec 3)]
More than 24 hours later the extra fixes found here (including going in and removing fake users from the database and other crap from the back end) seem to be working. The offending code in the header file has not popped back in yet. I also upgraded some of my blogs so we will see if that adds extra protection.
[Update 3 (Dec. 8)]
[Ok, the steps I have taken seem to be holding. After following the steps above and upgrading my blogs to the newest version (2.6.5 as of this posting) I have not seen any more problems. Wit any luck that will continue.]
[Update 4 (Feb. 6, 2009)]
We’ll see if that works.