Comments on: WordPress hacked: googlerank.info

By: Kevin S

Kevin S — Mon, 22 Jun 2009 11:31:09 +0000

This week one of the sites I work on was hacked and an iframe was placed in all index.php files, plus in the functions.php file in the wp-includes folder.

The specfic hack code is:
“

This code often overwrites the ending php tags in the file and thus brings the site down.

I have seen a couple of other threads on this (links at bottom), but not exactly the same code example, so wanted to bring it to light here to:

* Gauge how often it’s happening
* Share solutions
* Expose the culprits, if possible
* Alert WP team so they can review possible core level security measures

As to remedies and security measures to take, the other threads have given some good advise, and I plan to sweep my machine and those of other team members with FTP access (could be virus attached to our systems), check recent plugins, scan for virus’ on the hosting servers, and change all relevant security codes and settings. I will report again here, and encourage you to do same.

For permanent solution read more @ http://annanta.com/?p=338

By: John

John — Thu, 04 Jun 2009 03:32:51 +0000

Sorry, I meant 2.7.1.What bothers me is that I had upgraded to the new version recently and only then made the last post (which was one of two that were infected). The second post was made with an older version. Just like before, it was embedded right into the post. Not much info available on this for the new version. Your post was on top when I googled, only noticed the post was old when I started reading.

By: Rick

Rick — Wed, 03 Jun 2009 20:18:39 +0000

Are you sure you haven’t got a hacked copy of Wordpress? The latest legitimate version is only 2.7.1.

But anyway, there are a lot of other ways into web hosting sites now – exploits of PHP, Apache and other stuff so I would check all of those as well.

By: John

John — Wed, 03 Jun 2009 05:39:33 +0000

I’m running 2.7.2 and AVG just flagged my site. I checked the source and found an iframe. But it wasn’t from tinymce. It was embedded right into my post :S I’ve since updated the post and it seems to be clear. Still a bit worried though.

By: E-TARD

E-TARD — Sun, 05 Apr 2009 16:42:35 +0000

Hmm interesting

By: Katalogs

Katalogs — Thu, 05 Mar 2009 08:37:47 +0000

This is interesting

By: iCarly cds

iCarly cds — Mon, 26 Jan 2009 23:35:43 +0000

Crazy what wordpress has involved into

By: Rich B

Rich B — Tue, 20 Jan 2009 21:36:09 +0000

The bug may have reared it’s ugly head again. Was at a site this morning, no problems, just returned to it and my AVG cut me off with the message of Virus name JS/Psyme.QM as a trojan so someone may have re-introduced it or else upgraded it to get in to the current version of Wordpress.

By: FMS GROUP

FMS GROUP — Wed, 30 Jul 2008 22:51:06 +0000

Thanks for the heads up :)

By: Niyaz

Niyaz — Wed, 23 Jul 2008 10:46:14 +0000

Well New Versions of WP are out now with more security .. Like People Say until there is the software.. hackers will be too :D