So you might have noticed I was hacked pretty nastily on this site and a couple of others. I’d taken my eye off the ball and not done a really close inspection of my WordPress installs in a while, as well as being a bit lax about updating the moment a new version was out.
So What Actually Happened?
A couple of files had been snuck into theme and plugin directories that allowed uploading and editing of other files. If you find the files r.php or temp.php anywhere in your WordPress install, you might want to check on them. Through these, a file called function.php was added, full of evals and base64-encoded code. The regular WordPress functions.php and load.php had been modified to include the function.php file. This then replaced the normal blog content with all manner of spam.
The Cleanup
With the help of the fine folks at Sucuri, all the corrupted files were put back to normal and the backdoors plugged. I also deleted all unused themes & plugins (unfortunately the otherwise very useful Dreamhost One Click Installs do litter the place with “extras” you might neither want nor need).
For anyone investigating similar hacks, the Linux command to find recently edited files is find . -mtime -1. This will show you anything edited in the last day (replace the 1 with a different number to cover that many days). Though there are ways around the Linux file times (a modification time can be reset by whoever put the file there, so an empty result is not proof of a clean install), a cron job checking for recently modified files is a helpful way to keep an eye on things.
Useful Links
- Sucuri’s Advice for After the Cleanup
- Dreamhost’s advice on troubleshooting hacked sites
- Sucuri’s explanation of the recent pharma hacks and how to clean it
- Tips for searching for backdoors in a hacked WordPress install