Our Google searches found her blog posting (we have many keywords set up for Google Alerts). She had a few different websites and was considered by many to be an expert in her field, but admitted that all the technical jargon "sounded like Greek to me."
She found out that her Wordpress blog wouldn't let her access her site so she asked her son to try it. Same result.
When she contacted her hosting provider, she was told that her version of Wordpress wasn't updated and they thought that's how her site had been hacked. The only problem with this advice was that she had other non-Wordpress sites that were "hacked" as well.
She was at a loss.
We reviewed everything she had stated in the blog post so we could make some recommendations.
Here's what we knew from her posting:
- Her site used Wordpress (according to the hosting provider - an outdated version)
- It wasn't just something from her computer (her son had tried from a different location as well)
- Her site had been hacked for about a week before she realized it
- She was admittedly not a "techie type"
- Her hosting provider had run virus scans on her site and found nothing
- The blog post she made had 58 comments about what she could do and others who had their sites "hacked" at one time or another
- Many of the people who posted comments couldn't understand why hackers do this
- A few people stated that they dedicate time every day to check their websites. They mentioned that watching their sites is just part of their everyday work now
- One lady commented, "Oh Lord, another thing to do every day or so."
- Other sites belonging to the original poster were compromised as well, even websites that were not blogs
The Clean-up
When we contacted this blog poster we offered our help. She emailed us off-list and we obtained access to her cPanel account, administrator access to her Wordpress blog and FTP access to her website.
Our initial thought from the information obtained from her original blog posting was a virus on her PC. When faced with situations like this we always look for the common denominator. In this case, her other websites were hacked as well, so it appeared to us that the common denominator was the source - her PC. We were right.
Although her Wordpress blog did have multiple infections, they all happened on the same day that her other, non-Wordpress sites were hacked.
Apparently, this hacker, or hackers, used the FTP access to her websites to find what other software was running on each site and performed a targeted attack on each type of software. For her Wordpress blog the hacker, or more correctly, their automated programs, knew how to infect a Wordpress blog.
When we logged into the Wordpress blog with admin rights, we went to the dashboard and looked at the SPAM comments. Many of these we deleted, just to help clean things up. Next we examined the users. What we saw was difficult to believe.
The number of users showed 4, and for a split second, the list showed 4 as well, but one almost instantly disappeared. All we could read was Geoffrey. That was strange. We refreshed the screen multiple times and each time a user would appear, then disappear.
Using phpMyAdmin, we exported the entire SQL database so we could examine it further. Searching through the file for Geoffrey we found "him" listed in the wp_usermeta table. Here is the information from the database:
- INSERT INTO `wp_usermeta` VALUES (120, 28, 'nickname', 'GeoffreyOverby75');
- INSERT INTO `wp_usermeta` VALUES (121, 28, 'rich_editing', 'true');
- INSERT INTO `wp_usermeta` VALUES (122, 28, 'admin_color', 'fresh');
- INSERT INTO `wp_usermeta` VALUES (123, 28, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
- INSERT INTO `wp_usermeta` VALUES (124, 28, 'first_name', '<script LANGUAGE="JavaScript">function Decode(){var temp="",i,c=0,out="";var ...</SCRIPT>');
- INSERT INTO `wp_usermeta` VALUES (125, 28, 'wp_user_level', '10');
We're not showing the exact javascript that was inserted so that people viewing this page will not be blocked by their anti-virus programs. However, know that it was maliciously hiding the user's name in the list of administrators in the Wordpress blog.
In addition, dear Geoffrey was also inserted into the wp_users table with no email address.
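To show how a hidden account like this can be found without trusting what the dashboard renders, here is an added Python example (ours, not part of the original write-up or of WordPress) that reads wp_users and wp_usermeta INSERT lines from a SQL export like the one above, lists every account that holds administrator capabilities or user level 10, and flags admins whose profile fields contain HTML or script tags or who have no email address. The dump lines are constructed samples: the Geoffrey rows reuse the user ID and meta keys quoted above, but the script body is a harmless placeholder, not the real payload.

```python
import re

# Constructed sample of a WordPress SQL export (not the real dump).
SQL_DUMP = """
INSERT INTO `wp_users` VALUES (1, 'owner', 'hash', 'owner', 'owner@example.invalid', '', '2009-01-01 00:00:00', '', 0, 'owner');
INSERT INTO `wp_users` VALUES (28, 'GeoffreyOverby75', 'hash', 'geoffreyoverby75', '', '', '2009-09-10 03:14:07', '', 0, 'GeoffreyOverby75');
INSERT INTO `wp_usermeta` VALUES (1, 1, 'nickname', 'owner');
INSERT INTO `wp_usermeta` VALUES (2, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO `wp_usermeta` VALUES (3, 1, 'wp_user_level', '10');
INSERT INTO `wp_usermeta` VALUES (120, 28, 'nickname', 'GeoffreyOverby75');
INSERT INTO `wp_usermeta` VALUES (123, 28, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO `wp_usermeta` VALUES (124, 28, 'first_name', '<script LANGUAGE="JavaScript">/* placeholder */</SCRIPT>');
INSERT INTO `wp_usermeta` VALUES (125, 28, 'wp_user_level', '10');
"""

# wp_users columns start: ID, user_login, user_pass, user_nicename, user_email, ...
USERS_RE = re.compile(
    r"INSERT INTO `wp_users` VALUES \((\d+), '([^']*)', '[^']*', '[^']*', '([^']*)',"
)
# wp_usermeta columns: umeta_id, user_id, meta_key, meta_value
USERMETA_RE = re.compile(
    r"INSERT INTO `wp_usermeta` VALUES \((\d+), (\d+), '([^']*)', '(.*)'\);\s*$"
)
HTML_TAG_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>", re.IGNORECASE)


def parse_dump(sql):
    """Build {user_id: {'login', 'email', 'meta': {key: value}}} from INSERT lines."""
    users = {}
    for raw in sql.splitlines():
        line = raw.strip()
        m = USERS_RE.match(line)
        if m:
            uid = int(m.group(1))
            rec = users.setdefault(uid, {"login": None, "email": None, "meta": {}})
            rec["login"], rec["email"] = m.group(2), m.group(3)
            continue
        m = USERMETA_RE.match(line)
        if m:
            uid = int(m.group(2))
            rec = users.setdefault(uid, {"login": None, "email": None, "meta": {}})
            rec["meta"][m.group(3)] = m.group(4)
    return users


def is_admin(record):
    """Administrator if the serialized capabilities say so or the legacy level is 10."""
    meta = record["meta"]
    return ("administrator" in meta.get("wp_capabilities", "")
            or meta.get("wp_user_level") == "10")


def admin_ids(sql):
    """Every user ID with admin rights, read from the database rather than the UI."""
    return sorted(uid for uid, rec in parse_dump(sql).items() if is_admin(rec))


def audit_users(sql):
    """Return {user_id: [reason, ...]} for admin accounts that deserve a closer look."""
    findings = {}
    for uid, rec in sorted(parse_dump(sql).items()):
        if not is_admin(rec):
            continue
        reasons = []
        if rec["login"] is None:
            reasons.append("admin capabilities but no wp_users row")
        elif not rec["email"]:
            reasons.append("admin with empty email address")
        for key, value in rec["meta"].items():
            # Profile fields are plain text; markup here is a red flag.
            if HTML_TAG_RE.search(value):
                reasons.append(f"HTML/script in profile field {key!r}")
        if reasons:
            findings[uid] = reasons
    return findings


if __name__ == "__main__":
    print("administrators:", admin_ids(SQL_DUMP))
    for uid, reasons in audit_users(SQL_DUMP).items():
        print(uid, reasons)
```

Running it against the sample lists user IDs 1 and 28 as administrators and flags only 28, for the script tag in first_name and the missing email; the real export would be fed to the same functions after exporting through phpMyAdmin as described above.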
Our clean-up included removing Geoffrey from the database using the phpMyAdmin interface, searching for any remnants of user ID 28 as listed above, upgrading the WordPress blog software to version 2.8.4, changing all passwords, and then checking all the files on the website.
We found that our work was not complete just yet.
While we did not find any iframe injections or other malicious javascript inserted into any webpages, by searching for any .php files with "base64" in them we found a file in the /wp-content/uploads/2009/09 folder. The file was named 857233.php.
Inside the file was a cleverly disguised (obfuscated) piece of code. It started with: #####e##############################v###a####l(b########a####s###e###########6##4##########_##d###eco###d####e#######(#\
If you remove all the "#"s you'll see it starts with 'eval(base64_decode(...', which is what the code does itself - it replaces each "#" with nothing, thus removing them, and then runs the resulting code.
This .php file was giving the hacker a remote shell into the website. This way, they wouldn't have to be worried about their activity being recorded in an FTP log. Besides, who's going to go looking for a malicious .php file? (we did)
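The "#"-padding trick is easy to reproduce in a scanner: strip the filler characters the way the malware does, then look for the decode-and-eval chain in the normalized text. The following Python script is an added example (ours, not the original authors' tool) that does this over a set of constructed sample files, additionally flags any .php file under wp-content/uploads (a folder that should only hold media) and reports how much of a file is filler. It goes a little beyond the text in two ways: the signature list covers a few related decode chains besides eval(base64_decode, and the constructed dropper uses a placeholder base64 string rather than the real payload.

```python
import os
import re

# Constructed sample files. The first mirrors the '#'-padded opener quoted above
# with a harmless placeholder payload; the others show what the scan ignores
# and what else it still catches.
SAMPLE_FILES = {
    "wp-content/uploads/2009/09/857233.php":
        "<?php #####e##############v###a####l(b########a####s###e######6##4####_##d###eco###d####e###(#'cGxhY2Vob2xkZXI='#)#)#;",
    "wp-content/uploads/2009/09/photo.jpg": "\xff\xd8 binary image bytes",
    "wp-content/themes/default/functions.php":
        "<?php\nfunction theme_setup() { add_theme_support('menus'); }\n",
    "wp-content/plugins/x/helper.php":
        "<?php\n$p = str_replace('#', '', '#e#v#a#l#'); $p(gzinflate(base64_decode($_POST['c'])));\n",
}

# Filler the dropper removes before eval; whitespace is dropped too so that
# tokens split across lines still line up.
FILLER_RE = re.compile(r"[#\s]+")

# Decode chains worth a look in any PHP file; the first is the one from the text.
SIGNATURES = {
    "eval(base64_decode(": re.compile(r"eval\(base64_decode\(", re.I),
    "eval(gzinflate(": re.compile(r"eval\(gzinflate\(", re.I),
    "gzinflate(base64_decode(": re.compile(r"gzinflate\(base64_decode\(", re.I),
    "base64_decode of request input":
        re.compile(r"base64_decode\(\$_(?:POST|GET|REQUEST|COOKIE)", re.I),
}


def normalize(src):
    """Undo the padding: drop filler and whitespace so real tokens sit together."""
    return FILLER_RE.sub("", src)


def padding_ratio(src):
    """Share of the file that is filler; padded droppers score very high."""
    if not src:
        return 0.0
    return 1 - len(normalize(src)) / len(src)


def scan_source(path, src):
    """Return the list of reasons this file is suspicious (empty if clean)."""
    reasons = []
    if not path.endswith(".php"):
        return reasons
    if "/uploads/" in "/" + path.replace(os.sep, "/"):
        reasons.append("PHP file inside the uploads directory")
    norm = normalize(src)
    for name, rx in SIGNATURES.items():
        if rx.search(norm):
            reasons.append("matches " + name)
    ratio = padding_ratio(src)
    if ratio > 0.5:
        reasons.append(f"{ratio:.0%} of the file is filler characters")
    return reasons


def scan_files(files):
    """files: {relative_path: content}. Returns {path: [reasons]} for flagged files."""
    findings = {}
    for path, content in files.items():
        reasons = scan_source(path, content)
        if reasons:
            findings[path] = reasons
    return findings


def scan_directory(root):
    """Same checks over a real tree, e.g. scan_directory('/path/to/public_html')."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return scan_files(files)


if __name__ == "__main__":
    for path, reasons in scan_files(SAMPLE_FILES).items():
        print(path)
        for r in reasons:
            print("   ", r)
```

On the samples, 857233.php is reported three times over (uploads location, the eval(base64_decode( chain, and a filler ratio above half), helper.php is caught for its decode chains even though its "eval" is assembled at runtime, and the theme file and the image are left alone. On a live site, any hit should be compared against the FTP log for the upload time, which is the evidence the write-up relied on.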
Summary
While it may appear that this was just another WordPress blog being hacked by the "worm" that was working its way through the Internet, we have proof in the logs that the malicious .php file was uploaded via FTP. That gave the hacker(s) access to the entire website, where they injected their code into the SQL database and left themselves a back-door into the site for future sessions.
This case would not have been "cleanable" by our automated process. This particular case required hands-on work and some real focus on the issues while still being open-minded about how the attack was successful. By having the opportunity to work with website owners, we can share our knowledge and hopefully help others in the process.
If you have a case you'd like us to work on, please send us an email to: casestudies@wewatchyourwebsite.com
As you can see, we do not disclose any information about the website, the website owner or any other personal information. This is in accordance with our privacy policy.