Grrrr

If you’ve bothered coming round these parts lately, you’ll have noticed that things were loading excruciatingly slowly, a problem for which I was starting to blame my hosting provider. But this morning, for whatever reason, I decided to take a look at my code and see whether one of the scripts I’m running in the background here might be responsible.

And lo but the source code for my index page had a buttload of spam links embedded in it. And so I set about searching through my php, trying to figure out which file was generating these links.

Both index.php and wp-content/themes/MY THEME/header.php appear to have been hacked, and a very long bit of base64 code embedded in them, which was apparently what (a) was generating the links, and (b) was causing the page to load so slowly.

But there are also a few mystery files that have popped up in my directories, about which I can find no information online. I’m waiting on a response from my hosting provider’s support folk, to see if one of these files belongs to their one-click install process. If not, I may have to do a fresh WP installation, just to be sure that nothing else has been compromised.

And of course, the ritual changing of passwords.

So, word to the wise: if you’re running WP, and things seem to have gotten oddly slow, it might be worth a sec to check your source code.

2 thoughts on “Grrrr

  1. Its called the wonder of WordPress – which is constantly hacked because of supremely poor coding standards.

    Having been through this before, my advice would be:

    1- Save your theme and comb through it for anything that looks weird ( any urls or things that look like base64 or other sort of escaped stuff )
    2- Export your WordPress blog to an xml document on the admin interface; if you can also do a raw database dump, that’s good too.
    3- Install a new , upgraded , latest copy of wordpress
    4- Cross your fingers that there’s no bad stuff in the wordpress database. they store some weird stuff in the dashboard and meta tables. if you fear that, you can always try installing it to a new clean database, then importing the xml document.

  2. I’ve had this happen with WP before, too, so I sorta knew what was going on. But I’m more than a little concerned about this mystery file that has appeared in my wp-content directory. Googling the filename produced no results. (Now, googling it produces my query on the WP forum.) And though I can’t tell what the code is doing, it’s clearly up to No Good. And its last modification date is about ten days ago — and I hadn’t upgraded anything in the system (WP itself, or any plugins, or my theme, or anything) for weeks before that. Bastards.

Leave a Reply

Your email address will not be published. Required fields are marked *