Comments on: WordPress hidden link injection FIX http://www.o3strategies.com/2010/03/wordpress-hidden-link-injection-fix/ Just another WordPress weblog Sun, 02 May 2010 13:21:42 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Russ http://www.o3strategies.com/2010/03/wordpress-hidden-link-injection-fix/comment-page-1/#comment-482 Russ Sun, 02 May 2010 13:21:42 +0000 http://www.o3strategies.com/?p=712#comment-482 I appreciate your post on this. I couldn't understand how those trash links kept appearing in my header. It was the "feed-atom2.php" file that was doing it. I also found some other malicious code in my wp-includes folder. It was simply a directory with 3 or 4 random characters like "rldj" and within it was more infecting code. They are pretty easy to spot because all the other files have the same create date. The infected files and directories are easy to find now. I'm trying out the "Wordpress File Monitor" plug in. Thanks for the info. I appreciate your post on this. I couldn’t understand how those trash links kept appearing in my header. It was the “feed-atom2.php” file that was doing it.

I also found some other malicious code in my wp-includes folder. It was simply a directory with 3 or 4 random characters like “rldj” and within it was more infecting code. They are pretty easy to spot because all the other files have the same create date. The infected files and directories are easy to find now.

I’m trying out the “WordPress File Monitor” plug in. Thanks for the info.

]]> By: Luke - Inspired Portrait Photography http://www.o3strategies.com/2010/03/wordpress-hidden-link-injection-fix/comment-page-1/#comment-454 Luke - Inspired Portrait Photography Mon, 26 Apr 2010 18:39:17 +0000 http://www.o3strategies.com/?p=712#comment-454 Yeah...it definitely made it harder to find. I visually looked through the wp-includes folder and didn't have any luck. So that's when I decided I needed to compare it to a fresh wordpress file list to see if I could find anything. It has been a few days now and things still look good. I did download and install the File Monitor. It looks like it should be a great resource for monitoring this going forward. I'll stop back in if I discover anything more regarding this issue. Yeah…it definitely made it harder to find. I visually looked through the wp-includes folder and didn’t have any luck. So that’s when I decided I needed to compare it to a fresh wordpress file list to see if I could find anything.

It has been a few days now and things still look good. I did download and install the File Monitor. It looks like it should be a great resource for monitoring this going forward. I’ll stop back in if I discover anything more regarding this issue.

]]> By: Brian Onorio http://www.o3strategies.com/2010/03/wordpress-hidden-link-injection-fix/comment-page-1/#comment-441 Brian Onorio Fri, 23 Apr 2010 14:10:12 +0000 http://www.o3strategies.com/?p=712#comment-441 In addition, you may want to download and install Wordpress File Monitor plugin. It'll alert you when changes have been made to a file. It'll clue you in real quick if you've had an injected file. In addition, you may want to download and install WordPress File Monitor plugin. It’ll alert you when changes have been made to a file. It’ll clue you in real quick if you’ve had an injected file.

]]> By: Brian Onorio http://www.o3strategies.com/2010/03/wordpress-hidden-link-injection-fix/comment-page-1/#comment-440 Brian Onorio Fri, 23 Apr 2010 14:04:43 +0000 http://www.o3strategies.com/?p=712#comment-440 Luke, glad we could help. This is the first time I've heard that an injected file was put in the wp-uploads folder. I'll be on the lookout for this in the future. Luke, glad we could help. This is the first time I’ve heard that an injected file was put in the wp-uploads folder. I’ll be on the lookout for this in the future.

]]> By: Luke - Inspired Portrait Photography http://www.o3strategies.com/2010/03/wordpress-hidden-link-injection-fix/comment-page-1/#comment-439 Luke - Inspired Portrait Photography Fri, 23 Apr 2010 13:54:36 +0000 http://www.o3strategies.com/?p=712#comment-439 I just wanted to say thanks for publishing this post. I spent the last 2 months dealing with this very issue and could not figure out what was happening. I upgraded the installation and kept deleting the injection code, but it kept returning after several days. After reading your post, I copied done my entire site down through ftp and used WinMerge (awesome program by the way) to compare my installation to a fresh download of wordpress(it compares file by file/directory by directoy). Sure enough, in my wp-content/uploads/2009/03 folder had two oddly named files: "wp-inclode.php" and "fotter.php" (also cleverly named). They contained what appeared to be a single variable declaration: $o=(some long hash string...i think). It is a little early to tell if I got all of the malicious code, but I was grasping at straws till I read this. Thanks again. I just wanted to say thanks for publishing this post. I spent the last 2 months dealing with this very issue and could not figure out what was happening. I upgraded the installation and kept deleting the injection code, but it kept returning after several days.

After reading your post, I copied done my entire site down through ftp and used WinMerge (awesome program by the way) to compare my installation to a fresh download of wordpress(it compares file by file/directory by directoy). Sure enough, in my wp-content/uploads/2009/03 folder had two oddly named files: “wp-inclode.php” and “fotter.php” (also cleverly named). They contained what appeared to be a single variable declaration: $o=(some long hash string…i think).

It is a little early to tell if I got all of the malicious code, but I was grasping at straws till I read this. Thanks again.

]]> By: Brian Onorio http://www.o3strategies.com/2010/03/wordpress-hidden-link-injection-fix/comment-page-1/#comment-431 Brian Onorio Fri, 16 Apr 2010 12:57:10 +0000 http://www.o3strategies.com/?p=712#comment-431 You can change your admin password by browsing the wp_users table and finding the row with username admin (should be ID 1). The password is an MD5 hash. Go to http://www.miraclesalad.com/webtools/md5.php which will generage an md5 hash of a password that you choose. If you choose the password hello (don't do this by the way) the MD5 hash will be 5d41402abc4b2a76b9719d911017c592. Insert that string into the password field of the database row with admin as the username. You can change your admin password by browsing the wp_users table and finding the row with username admin (should be ID 1). The password is an MD5 hash.

Go to http://www.miraclesalad.com/webtools/md5.php which will generage an md5 hash of a password that you choose.

If you choose the password hello (don’t do this by the way) the MD5 hash will be 5d41402abc4b2a76b9719d911017c592.

Insert that string into the password field of the database row with admin as the username.

]]> By: Alex http://www.o3strategies.com/2010/03/wordpress-hidden-link-injection-fix/comment-page-1/#comment-430 Alex Fri, 16 Apr 2010 11:10:59 +0000 http://www.o3strategies.com/?p=712#comment-430 I need to know how to change my admin password, as i can´t log in. My website has been injected with this iframe sh%t that links to mainnetsoll idiots, and i found in the db where to take that away wp-options table, but the theme and login still doesn´t work. What can i do? or what i already did is no use? Thanx I need to know how to change my admin password, as i can´t log in. My website has been injected with this iframe sh%t that links to mainnetsoll idiots, and i found in the db where to take that away wp-options table, but the theme and login still doesn´t work.
What can i do? or what i already did is no use?
Thanx

]]> By: Brian Onorio http://www.o3strategies.com/2010/03/wordpress-hidden-link-injection-fix/comment-page-1/#comment-355 Brian Onorio Sat, 13 Mar 2010 16:22:08 +0000 http://www.o3strategies.com/?p=712#comment-355 Apparently, there was a hole in Wordpress 2.8.x that allowed outside users to hijack the wp-admin/upload.php file using password hashes. Since that file controls all of the uploads from the control panel, I'm guessing that's how they got in. With 2.9.0, it should have been fixed. Apparently, there was a hole in WordPress 2.8.x that allowed outside users to hijack the wp-admin/upload.php file using password hashes. Since that file controls all of the uploads from the control panel, I’m guessing that’s how they got in. With 2.9.0, it should have been fixed.

]]> By: tony http://www.o3strategies.com/2010/03/wordpress-hidden-link-injection-fix/comment-page-1/#comment-354 tony Sat, 13 Mar 2010 15:03:06 +0000 http://www.o3strategies.com/?p=712#comment-354 The question I have is, how to people get these files into your installation? Not that I want to know how so I can do, but to prevent. I guess that's the question: how to prevent insertion of such files in the first place. I have linux servers, and no anonymous ftp. It should be relatively difficult to insert them, no? I checked my install for the files you mention, and do not find them. I get lots of spam comments, but all comments are moderated, so I just "spam" them. It's almost sickening how much time I waste fending of spam comments on my blog and in my forums. The question I have is, how to people get these files into your installation? Not that I want to know how so I can do, but to prevent. I guess that’s the question: how to prevent insertion of such files in the first place.
I have linux servers, and no anonymous ftp. It should be relatively difficult to insert them, no?
I checked my install for the files you mention, and do not find them. I get lots of spam comments, but all comments are moderated, so I just “spam” them. It’s almost sickening how much time I waste fending of spam comments on my blog and in my forums.

]]>