Last week DragonBlogger.com was hacked. It was first brought to my attention by one of my own writers, who got a ‘malicious site’ warning when bringing up the homepage in a browser. After digging I found malicious source code in my index.php that looked like this:
After doing some searching I found that these are the symptoms of the RemoteViewPHP hack, and that there are several uploaded files which need to be deleted as well, including:
The primary source of this infection and hack is a vulnerability in a WordPress plugin or incorrect permissions on the files on your WordPress server. You need to make sure all files in your WordPress hosted environment are 644 or 744 only, to prevent any world write access (or even group write access).
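As an added example (not from the original post), here is a small POSIX shell audit for the file-permission rule above: it lists files under a WordPress root that are group- or world-writable, lists files whose mode is anything other than 644 or 744, and strips the stray write bits. The root path is passed as an argument and is an assumption; only regular files are touched, since directories need their execute bits.

```shell
#!/bin/sh
# Added example, not the post's own code: audit file modes under a
# WordPress tree. Usage: sh audit_modes.sh /path/to/wordpress
# Only regular files are checked (-type f); directories are left alone.

# Print every regular file under $1 with the group (020) or
# world (002) write bit set.
find_group_world_writable() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print
}

# Print every regular file under $1 whose mode is not exactly 644 or 744,
# matching the post's rule of "644 or 744 only".
find_nonstandard_mode() {
    find "$1" -type f ! -perm 644 ! -perm 744 -print
}

# Remove group and world write from any file that has it; owner bits are
# kept, so a 666 file becomes 644 and a 755 file is left as is.
fix_file_modes() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
}

# When a root directory is supplied, report and then tighten.
if [ $# -ge 1 ]; then
    echo "== group/world-writable files under $1 =="
    find_group_world_writable "$1"
    echo "== files whose mode is not 644/744 under $1 =="
    find_nonstandard_mode "$1"
    fix_file_modes "$1"
fi
```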
Using a plugin like WP-Security is ideal for helping you find and lock down your WordPress installation. However, in this case I found that my source of infection came from a plugin, which WP-Security was not able to fix.
I did more reading and found that the timthumb.php script, which is used by many themes and some plugins, is also one of the highest-risk vectors for the RemoteViewPHP attack. It turns out that back in July 2011 I had replaced my Yet Another Related Posts Plugin with the IGIT Related Post with Thumbnails plugin, which happens to use timthumb.php.
I found that the file date stamp of this plugin's timthumb.php exactly matched the file date and time of the udp.php, common.php and config.php files which were uploaded by the hack. I scanned every single plugin on my site, and each of its files, for date changes and for any code linking to any of those files or to superpuperdomain.com, and this was the only compromised plugin I could find.
After clearing out all files, cleaning up my index.php and removing the offending plugin (as there is no patch for the plugin, it is still vulnerable).
You should always update TimThumb to the latest version, which can be found by clicking on the link. This will help reduce the risk of running older TimThumb code.
In doing research I found that various plugins are at risk, especially those using older timthumb.php files.
Here are some recommendations and tips for dealing with a hacked WordPress site.
Prior to Attack
These are the steps you should take when you run a WordPress site, and they should be done prior to any attack. They will help reduce your risk of attack and speed up your recovery from a hack.
Use WP-Security Scan
Use the WP-Security Scan plugin and close any vulnerabilities it discloses; this will help reduce your risk of attack from non-plugin sources such as file permissions and directory exposure.
Take Regular Backups of your Site
This doesn’t just mean backing up your database: you should also have backups of all your theme files and custom files, taken monthly and at least every time you update any files manually. If your theme is hacked you can restore it instantly by putting the backup back in place, without having to dig through all your files.
Know Your WordPress Plugins
Jot down all of your WordPress plugins by name and keep the list handy. If your site is hacked you are going to want to disable all plugins immediately, and in case they are all infected, which happens quite commonly, you will want to delete them all and know which ones to put back.
These are the steps that should be taken the moment you determine your site has been compromised or hacked.
Disable all WordPress plugins
Disabling all WordPress plugins can help prevent instant re-infection, as plugins are the most likely source of the attack.
Find any files with recent date stamp changes
Find any php, html or js files which have been updated recently that you know you haven’t updated yourself. The only files that should have recent date stamps are cache-related plugin files, where the cache gets rebuilt regularly. Look at index.php, single.php and sidebar.php in your theme and in the root folder to see if the files have been updated. Identify which files were recently updated and start looking through them for injected code.
View Source Code
This will help you find where the infected source is located. Look for all tags starting with <script>, as nearly all attacks load a script from a remote source. Identify the source of every script tag and start searching your php files to see where they are being called.
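The two steps above, finding recently changed web files and grepping them for injected script tags, as an added POSIX shell example that is not part of the original post. The markers it looks for are the ones this post describes: <script> tags with a remote src, references to superpuperdomain.com, and the eval of compressed/encoded payloads mentioned later; the root path and the day window are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example, not the post's own code: triage a WordPress tree after a
# compromise. Usage: sh triage.sh /path/to/wordpress [days]
# Step 1 lists .php/.html/.js files modified in the last N days;
# step 2 greps each of them for the injection markers described in the post.

# Print .php, .html and .js files under $1 modified within the last $2 days.
recent_web_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.js' \) \
        -mtime "-$2" -print
}

# Grep one file for injection markers; prints file:line:text for each hit.
# Markers: a <script> tag loading a remote src, the domain named in the
# post, and eval() of gzinflate/gzuncompress/base64_decode output.
grep_injection_markers() {
    grep -n -H -i -E \
        '<script[^>]*src=|superpuperdomain\.com|eval\((gzinflate|gzuncompress|base64_decode)\(' \
        "$1"
}

# Scan every recently modified web file under $1 (last $2 days).
scan_recent_for_injection() {
    recent_web_files "$1" "$2" | while IFS= read -r f; do
        grep_injection_markers "$f"
    done
    return 0   # the loop's status would be the last grep's; report success
}

# Run against a real tree only when a root directory is passed.
if [ $# -ge 1 ]; then
    scan_recent_for_injection "$1" "${2:-7}"
fi
```

Files that match are candidates to compare against your last clean backup, not proof of infection by themselves; a cache plugin legitimately rewrites files and a theme may legitimately load a remote script.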
Restore Backup Theme
Restoring your working backup theme will clear out any infected theme files almost immediately. Make sure you have cleaned up any risky files and disabled plugins first, though, or you could cause immediate re-infection.
Re-install WordPress Plugins
Unless you want to go through every plugin manually to find which ones are infected, you are better off deleting all your WordPress plugins and reinstalling them from the WordPress codex.
In general this should solve nearly all hacks, but it isn’t 100% comprehensive. DragonBlogger.com was hacked 4 times in 3 years, and this latest time was the only time I saw RemoteViewPHP. In previous attacks I saw compressed, encoded data in all of my site's php files, and I literally had to restore every single php file from a backup in order to be 100% sure I had cleaned up my site.
Some excellent articles that helped me find and learn more about RemoteViewPHP, TimThumb and how to clean it up include these 2 resources: