Devious WordPress Hack Using wp_remote_fopen

A blog I had running WordPress 2.6.5 was hacked to include a truckload of pharmaceutical links. That was nothing new. I’ve seen that on my blogs and on others.

What was different this time, though, was the method for including the links. I won’t republish the code, but here are enough of the function and variable names it used that someone searching for more information can find this post, or can check whether their own blog was hacked by the same method:

  • wp_remote_fopen
  • cache_vars
  • update_option
  • hide_text
  • $blarr

The links all point to http://nbjr.speakupwny.com/index.php?forum_id=XXXX (where XXXX changes for each link).

Here’s the other really interesting part. If I request any of the links directly, I get a 404 error. If I follow the exact same URL from a Google search result, however, I end up on an online drug store site, as the link intended. And it’s not a direct route, either. Check out the HTTP headers for my click-through from Google. I’ve never seen anything like that.

One final piece: the hack initially pulls the list of links from http://qwetro.com/ss/test_3.txt — a domain ostensibly owned by a “Uwe Braun.”

Has anybody else seen this before? Is this a new exploit? An old exploit?

(To see if you’ve been hacked, search Google for adipex site:mydomain.com (obviously replacing “mydomain” with your domain name).)
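A defender's triage script for the indicators listed above, added here as an example and not code from the original post or from WordPress: it scans a themes directory for the function and variable names and the two domains the post names, and checks rows from the wp_options table (for instance exported from a SQL dump) for values that mention those domains or that wrap PHP serialize() output in base64. The theme files and option rows it runs against are constructed fixtures, and `scan_theme_dir`, `scan_options` and `demo` are hypothetical helper names, not WordPress APIs.

```python
import base64
import os
import re
import tempfile

# Indicators taken from the post: names the injected code used, and the
# domains the injected links and the remote link list pointed to.
CODE_INDICATORS = ("wp_remote_fopen", "cache_vars", "hide_text", "$blarr")
LINK_DOMAINS = ("qwetro.com", "speakupwny.com")
# A long run of base64 alphabet characters; short runs are too common to flag.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# PHP serialize() output opens with a type tag such as a:2:{ or s:5:"
SERIALIZED_RE = re.compile(r"^[aOs]:\d+:")


def scan_php_source(text):
    """Return the indicators present in one PHP source string.

    wp_remote_fopen() and update_option() are legitimate WordPress functions,
    so one hit proves nothing; several together in a theme's header.php match
    the pattern the post describes.
    """
    found = [name for name in CODE_INDICATORS if name in text]
    found += [domain for domain in LINK_DOMAINS if domain in text]
    # The hack fetched a remote list and cached it with update_option();
    # a theme that does both deserves a manual look.
    if "update_option" in text and "wp_remote_fopen" in text:
        found.append("update_option+wp_remote_fopen")
    return found


def scan_theme_dir(root):
    """Walk a themes directory and map each suspicious PHP file to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def decode_base64_blobs(value):
    """Decode every long base64 run in an option value, skipping invalid ones."""
    decoded = []
    for match in BASE64_RE.finditer(value):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def scan_options(rows):
    """rows: iterable of (option_name, option_value) pairs from wp_options.

    Flags a row when its value, raw or base64-decoded, names a link domain,
    or when a base64 blob decodes to PHP serialize() output.
    """
    flagged = {}
    for name, value in rows:
        reasons = set()
        if any(domain in value for domain in LINK_DOMAINS):
            reasons.add("link domain")
        for text in decode_base64_blobs(value):
            if any(domain in text for domain in LINK_DOMAINS):
                reasons.add("link domain (base64)")
            if SERIALIZED_RE.match(text):
                reasons.add("base64-wrapped serialized PHP")
        if reasons:
            flagged[name] = sorted(reasons)
    return flagged


# Constructed fixtures for the demo: the names from the post strung together,
# not the real injected code, plus a clean header and fake option rows.
SAMPLE_HEADER = """<?php wp_head(); ?>
</head>
<body>
<?php
$blarr = wp_remote_fopen("http://qwetro.com/ss/test_3.txt");
update_option("cache_vars", $blarr);
echo hide_text(get_option("cache_vars"));
?>
"""
CLEAN_HEADER = "<?php wp_head(); ?>\n</head>\n<body>\n"
SAMPLE_OPTIONS = [
    ("siteurl", "http://example.com"),
    ("blogname", "My Blog"),
    ("cache_vars", base64.b64encode(
        b'a:1:{i:0;s:50:"http://nbjr.speakupwny.com/index.php?forum_id=1234";}'
    ).decode("ascii")),
]


def demo():
    """Write the fixture themes to a temp dir, then scan files and option rows."""
    with tempfile.TemporaryDirectory() as root:
        for theme, body in (("suspect-theme", SAMPLE_HEADER), ("clean-theme", CLEAN_HEADER)):
            os.makedirs(os.path.join(root, theme))
            with open(os.path.join(root, theme, "header.php"), "w") as fh:
                fh.write(body)
        files = scan_theme_dir(root)
    return files, scan_options(SAMPLE_OPTIONS)


if __name__ == "__main__":
    files, options = demo()
    print(files)    # {'suspect-theme/header.php': [...]}
    print(options)  # {'cache_vars': [...]}
```

Point `scan_theme_dir` at a real wp-content/themes directory and feed `scan_options` the rows of the live wp_options table to use it on a site; treat every hit as a lead to read by hand, since the string matches are deliberately broad.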


Comments


  • Matthew Swanson

    February 26, 2009
    at 8:04 pm

    Great summary man – couple questions: 1. Was the site temporarily removed from the Google index and 2. did WebMasterTools alert you to the hack at all – Matt has an interesting post regarding “Helping Hacked Sites” – thanks for the great info Shane!

    Swanny


     

  • Shane

    February 27, 2009
    at 8:21 am

    Great questions:

    1. No. In fact, I found lots of sites that have been hacked but not removed. I also know of one major site, though, that not only was removed but that still isn’t back in the index. So it seems you better fix it before it does get you kicked out.

    2. No. This particular site wasn’t set up there. Definitely sounds like it would have been a good idea, though.


     

  • TRaef

    February 27, 2009
    at 9:37 am

    We have seen this before. Where the links only work when the referrer is Google. We believe this is so that when the googlebot hits your site, probably a popular, highly ranked site, it records those links to their site which boosts their rankings.

    Can you share the code offline?

    If not, you’ll probably find that there might be some check to see where the link came from. We’ve seen this with MSN and Yahoo as well.

    Let me know if you’d like to share the code.


     

  • Jake

    February 27, 2009
    at 6:45 pm

    This one just hit one of our sites. Have you tracked down the point of entry? Our wp-admin dir is password protected, so I was a bit surprised to see this.


     

  • Shane

    February 27, 2009
    at 7:53 pm

    Regrettably no, Jake. Still looking 🙁


     

  • kdogg

    March 3, 2009
    at 2:20 am

    Haven't seen this on any of my blog networks being successful... I always run either the latest trunk, or development 2.8-bleeding edge or the latest 2.7.* dev versions though...


     

  • Redmanthatcould

    March 5, 2009
    at 5:28 pm

    Thanks for the heads up, Shane. Will keep a look out and hopefully we don’t get hit.

    Jeff


     

  • Sire

    March 18, 2009
    at 10:52 pm

    This is very interesting as I know of a user who visits some of my blogs that complains of being taken to another site automatically. I know it’s not because of anything that I’ve done and it has always mystified me. I’ve tried the adipex site but it couldn’t find anything?


     

  • TRaef

    March 18, 2009
    at 11:02 pm

    Sire, if you’d like to mention your site, we would be happy to scan it for you at no charge and send you the report.


     

  • Sire

    March 18, 2009
    at 11:14 pm

    It was one of two sites and I’m not sure which. It was either http://www.blogsire.com/myblog/ or http://www.theelusivepotofgold.com/MyBlog/

    Do you think there was a possibility that it was hacked?


     

  • TRaef

    March 19, 2009
    at 6:39 am

    We’ll check them both out later today and I’ll let you know.

    Shane, can we take this off-line? Or if Sire doesn’t mind we’ll continue this in this blog.

    Let me know…


     

  • Eric Marden

    May 15, 2009
    at 3:41 am

    Just investigated an instance of this on a new client’s existing WordPress blog, and wanted to add a couple more details:

    In my instance he was up to http://qwetro.com/ss/test_23.txt
    The contents of this file (as well as the link to it) were base64 encoded. Decoding them revealed the link and the spam contents.

    The spam was what looked like serialized PHP.

    There was also a remv.php script that was essentially a backdoor (remote viewer). It was in wp-content/themes.

    @TRaef – I’ll show you the code. Contact me through my URL.
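The detail above, that the cached spam was base64-encoded serialized PHP, suggests a triage step: decode the blob and list the links it carries without ever handing it to PHP's unserialize(). The parser below is an added example, not code from the original post, from any commenter, or from WordPress. It handles the scalar and array subset of the serialize() format, refuses serialized objects outright, and the payload it decodes is a constructed sample built from the link pattern in the post, not a real captured blob; `php_unserialize` and `extract_links` are hypothetical helper names.

```python
import base64
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def php_unserialize(data: bytes):
    """Parse PHP serialize() output: N, i, b, s and a tags only.

    Works on bytes because PHP string lengths count bytes, not characters.
    Serialized objects (O:) are rejected, so nothing is instantiated or run.
    """
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError("trailing data after serialized value")
    return value


def _expect(buf, pos, token):
    if buf[pos:pos + len(token)] != token:
        raise ValueError("expected %r at offset %d" % (token, pos))


def _parse(buf, pos):
    tag = buf[pos:pos + 1]
    if tag == b"N":                       # N;
        _expect(buf, pos + 1, b";")
        return None, pos + 2
    if tag in (b"i", b"b"):               # i:42;  b:1;
        _expect(buf, pos + 1, b":")
        end = buf.index(b";", pos)
        num = int(buf[pos + 2:end])
        return (bool(num) if tag == b"b" else num), end + 1
    if tag == b"s":                       # s:5:"hello";
        _expect(buf, pos + 1, b":")
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2                 # skip the ':"' opening the string
        end = start + length              # length-delimited, so quotes inside are fine
        _expect(buf, end, b'";')
        return buf[start:end].decode("utf-8", errors="replace"), end + 2
    if tag == b"a":                       # a:2:{key;value;key;value;}
        _expect(buf, pos + 1, b":")
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        _expect(buf, colon + 1, b"{")
        pos = colon + 2
        items = {}
        for _ in range(count):
            key, pos = _parse(buf, pos)
            val, pos = _parse(buf, pos)
            items[key] = val
        _expect(buf, pos, b"}")
        return items, pos + 1
    if tag == b"O":
        raise ValueError("refusing to parse a serialized object at offset %d" % pos)
    raise ValueError("unsupported tag %r at offset %d" % (tag, pos))


def _walk(node, out):
    """Collect every URL found in the strings of a parsed value."""
    if isinstance(node, dict):
        for child in node.values():
            _walk(child, out)
    elif isinstance(node, str):
        out.extend(URL_RE.findall(node))


def extract_links(b64_payload: str):
    """Base64-decode a cached blob, parse it, and return the URLs inside."""
    links = []
    _walk(php_unserialize(base64.b64decode(b64_payload)), links)
    return links


# Constructed sample payload in the shape described in the comment: a PHP
# array holding a bare link and an HTML anchor, then base64-encoded.
SAMPLE_SERIALIZED = (
    b'a:2:{'
    b'i:0;s:50:"http://nbjr.speakupwny.com/index.php?forum_id=1234";'
    b's:4:"html";s:68:"<a href="http://nbjr.speakupwny.com/index.php?forum_id=5678">buy</a>";'
    b'}'
)
SAMPLE_PAYLOAD = base64.b64encode(SAMPLE_SERIALIZED).decode("ascii")

if __name__ == "__main__":
    for link in extract_links(SAMPLE_PAYLOAD):
        print(link)
```

Feeding a real cached blob to `extract_links` gives the full list of injected URLs for the cleanup and for checking which of them Google has already indexed; a blob that trips the object check is a sign the payload carries more than link data and should be read as code, not data.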


     

  • Jonty

    May 21, 2009
    at 6:44 am

    We were also hacked two days ago. They got into the headers.php file in the template. We are still looking at how, but it may have been through not having chmod settings too low.

    Possible that it came in through a plugin or from bbpress. We are examining all of these.


     

  • Andrew A. Peterson

    June 20, 2009
    at 4:51 am

    I just got done dealing with this one.
    The code is squirted into the bottom of the header.php files of all uploaded themes.
    I recommend:

    -WP Security Scan (a plugin that double checks for vulnerabilities like bad permissions settings and can even auto rename your database table prefixes for you which is apparently a common security problem)

    -Cookies For Comments (a plugin that makes it so commenters must have loaded the Stylesheet… Seems like some of these things get in through unmoderated comments.)

    -Not having a User named “admin”

    -Having a strong password (numbers and both capital and lower case letters)

    -Staying on top of deleting spam comments (most of the attacks I’ve seen were on blogs that don’t keep up with their moderation… Maybe this is a chicken and egg thing)

    -Of course, Akismet

    Finally, I think certain hosting companies are more susceptible to attacks than others. Any thoughts?