Wordpress hidden link injection FIX
The Wordpress Hidden Link Injection exploit has been the cause of concern for many users who use Wordpress on a daily basis. For those unfamiliar with the issue, the attack inserts links into the files of your active Wordpress theme mostly pointing to adult material elsewhere on the web. The links are completely hidden from view so you may never know about them and nor will your visitors. But the search engine spiders will certainly pick them up – and penalize you for it.
Detection
Seeing if your Wordpress install has been compromised is easy. Simply view the source of your homepage and look for any code that does not belong. Check near the top and near the bottom of the file as this is the place I’ve found the hidden links to mostly exist. They’re also usually wrapped in HTML comments.
<!--s-->
<u style="display: none">
<a href="some_url">Some website 1</a>
<a href="some_url">Some website 2</a>
...
<a href="some_url">Some website n</a>
</u>
<!--e-->
If you see code like that, chances are, you are a victim of the Wordpress Hidden Link Injection exploit.
How are “they” doing this?
Apparently, there was a security hole in Wordpress versions 2.8.x that allowed outside users to hijack the /wp-admin/upload.php file and insert files on your server that could be used for all sorts of malicious purposes. One of those purposes is the hidden link injection. Wordpress 2.9 fixed this hole, however, simply upgrading is not enough. Outside users will no longer be able to hijack upload.php but the files that they have already inserted will still orchestrate the attack.
That’s why simply removing the links from header.php or footer.php (the two places I’ve seen the links) is not enough. You’ll notice that the links will simply reappear. We’ve got to treat the disease now, not just the symptom.
Fixing the problem
First and foremost, always keep your Wordpress install up-to-date! Updating could not be any easier. Simply click on the alert that appears at the top of your Dashboard and follow the instructions. It takes literally 10 seconds.
Next, change the admin Wordpress user’s password. Also change your MySQL user’s password.
Lastly, find the files that have been inserted by the exploit via upload.php. I have found two separate instances of these files, both located in the wp-includes folder. Check the permissions of each of the files in wp-includes and investigate any file that has 777 permission (that’s your first clue that something is wrong). class-rss.php and feed-atom2.php are two files that I have seen cause issues. Cleverly named files. These two files are not native to the Wordpress codebase and can be safely removed. If you were to open either of these files and know a bit of PHP, you’ll see that these files are certainly the culprit.
Going through these steps should safeguard your Wordpress installation against the hidden link injection exploit.
Stay vigilant
Just because we’ve fixed this does not guarantee that you’ll be immune forever. Hackers are constantly looking for newer and better ways to tear stuff up. Wordpress has been exceptionally good at patching security issues, but someone somewhere has to be the guinea pig to get hit with an attack – and then report it to Wordpress.
One great plugin I’ve begun to use is Wordpress File Monitor. This plugin scans your Wordpress installation and reports if any files have been added, deleted, or changed. The plugin is customizable to run on a schedule that you set. You can also exclude directories from the plugin’s reporting so that you’re not alerted every time you upload a picture to insert into a post. I, however, recommend that you do not exclude directories as that directory may be the next location of the next exploit.
9 Responses
-
March 13th, 2010 at 10:03 | #1
The question I have is, how to people get these files into your installation? Not that I want to know how so I can do, but to prevent. I guess that’s the question: how to prevent insertion of such files in the first place.
I have linux servers, and no anonymous ftp. It should be relatively difficult to insert them, no?
I checked my install for the files you mention, and do not find them. I get lots of spam comments, but all comments are moderated, so I just “spam” them. It’s almost sickening how much time I waste fending of spam comments on my blog and in my forums. -
March 13th, 2010 at 11:22 | #2
Apparently, there was a hole in Wordpress 2.8.x that allowed outside users to hijack the wp-admin/upload.php file using password hashes. Since that file controls all of the uploads from the control panel, I’m guessing that’s how they got in. With 2.9.0, it should have been fixed.
-
April 16th, 2010 at 06:10 | #3
I need to know how to change my admin password, as i can´t log in. My website has been injected with this iframe sh%t that links to mainnetsoll idiots, and i found in the db where to take that away wp-options table, but the theme and login still doesn´t work.
What can i do? or what i already did is no use?
Thanx -
April 16th, 2010 at 07:57 | #4
You can change your admin password by browsing the wp_users table and finding the row with username admin (should be ID 1). The password is an MD5 hash.
Go to http://www.miraclesalad.com/webtools/md5.php which will generage an md5 hash of a password that you choose.
If you choose the password hello (don’t do this by the way) the MD5 hash will be 5d41402abc4b2a76b9719d911017c592.
Insert that string into the password field of the database row with admin as the username.
-
April 23rd, 2010 at 08:54 | #5
I just wanted to say thanks for publishing this post. I spent the last 2 months dealing with this very issue and could not figure out what was happening. I upgraded the installation and kept deleting the injection code, but it kept returning after several days.
After reading your post, I copied done my entire site down through ftp and used WinMerge (awesome program by the way) to compare my installation to a fresh download of wordpress(it compares file by file/directory by directoy). Sure enough, in my wp-content/uploads/2009/03 folder had two oddly named files: “wp-inclode.php” and “fotter.php” (also cleverly named). They contained what appeared to be a single variable declaration: $o=(some long hash string…i think).
It is a little early to tell if I got all of the malicious code, but I was grasping at straws till I read this. Thanks again.
-
April 23rd, 2010 at 09:04 | #6
Luke, glad we could help. This is the first time I’ve heard that an injected file was put in the wp-uploads folder. I’ll be on the lookout for this in the future.
-
April 23rd, 2010 at 09:10 | #7
In addition, you may want to download and install Wordpress File Monitor plugin. It’ll alert you when changes have been made to a file. It’ll clue you in real quick if you’ve had an injected file.
-
April 26th, 2010 at 13:39 | #8
Yeah…it definitely made it harder to find. I visually looked through the wp-includes folder and didn’t have any luck. So that’s when I decided I needed to compare it to a fresh wordpress file list to see if I could find anything.
It has been a few days now and things still look good. I did download and install the File Monitor. It looks like it should be a great resource for monitoring this going forward. I’ll stop back in if I discover anything more regarding this issue.
-
May 2nd, 2010 at 08:21 | #9
I appreciate your post on this. I couldn’t understand how those trash links kept appearing in my header. It was the “feed-atom2.php” file that was doing it.
I also found some other malicious code in my wp-includes folder. It was simply a directory with 3 or 4 random characters like “rldj” and within it was more infecting code. They are pretty easy to spot because all the other files have the same create date. The infected files and directories are easy to find now.
I’m trying out the “Wordpress File Monitor” plug in. Thanks for the info.
