View Full Version : Blog was compromised by somebody from Russia - Is a custom theme to blame?

27-09-2010, 08:53 AM
So, kind of embarrassing, but rather amusing too. A PF1'er was polite enough to PM me informing me that my Blog was being blocked by NOD32. Surely enough, I went there, and they were right, NOD32 stopped me.
Jumped on the wifeys machine with Security Essentials and it let me go there, but the site was basically down, PHP complaining of a "<" in the wrong place or something.

Long story short, there was about 2 dozen files, all with this added as the last two lines:

<script type="text/javascript" src="http://worstheat***/Affiliate.js"></script>
.ru replaces ***, and I've modified the comment after a little too.

Anyway, I'm running the latest stable version of Wordpress from wordpress.org and have little else enabled except for a custom theme.

Is that the likely culprit? I've got websites elsewhere using themes from the same author that have been OK, so I've not been able to come to any conclusions about anything, but yeah ...

The next question: I've cleaned out all the crap, but am reluctant to put it back live, for fear that something similar will happen again. Is there any kind of steps I should be taking to ensure it doesn't?

Also thought I'd just post here so you guys could have a bit of a laugh, that a tech-ish blog got taken out, I'm looking at the funny side of it too ;)



27-09-2010, 08:59 AM

27-09-2010, 10:20 AM

Yes, my thoughts exactly ;)

27-09-2010, 11:35 AM
Oops - that wasn't supposed to happen, I was reading it on my phone, but certainly didn't intend to post anything.

Re your problem:

...Blog was compromised by somebody from Russia...How do you know this? Whichever log gave you this information probably also tells you something about how they got in - if not directly, then by inference. Once you know how they got in, that's half your battle won.

...but am reluctant to put it back live, for fear that something similar will happen again. Is there any kind of steps I should be taking to ensure it doesn't?Yep - there are definitely steps to take; doing nothing means that you're still vulnerable to the same problem reoccurring.

Which steps need to be taken depends on what level of access they had to your server - if you don't know how far they got, I'd start by booting a known clean kernel with an alternative init, or booting from a livecd, and having a good poke around the system for anything untoward. Rkhunter is a good first step in this case.

Feel free to give me a call / email / whatever if you want a hand :).

27-09-2010, 12:45 PM
It's hosted with a 3rd party hosting provider on a shared web-host. I'm presuming it was through a poorly written 3rd party theme, as I've got other almost identical wordpress setups, and it certainly wasn't a vulnerable password.
Wordpress was fully up-to-date.

I'm just guessing russia coz the link was to .ru
The only traces I could find were of the additional two aforementioned lines added to about 2 dozen index.php files in the /blog/ and subdirectories.

27-09-2010, 05:40 PM
I spent a good chunk of yesterday afternoon cleaning up after some spammers got past anti-bot protections on a website I manage for a non-profit organisation. Hundreds and hundreds of comments being posted by people claiming to have "stumbled" upon the site and making some random observation, but the URLs all went back to the same place.

Chill: Wordpress theme files usually aren't too complex, and since you have some understanding of PHP it may be worth having a glance through them to see if there is a back door or similar deliberately coded into them.

kahawai chaser
27-09-2010, 08:26 PM
Maybe try a wordpress security plug in, e.g. exploit scanner (http://wordpress.org/extend/plugins/exploit-scanner/), or theme checker (http://builtbackwards.com/projects/tac/) for malicious codes.

I long stopped using other themes for my blogger blogs (except from Google's approved themes) but learnt some basic coding from tutorials. I found display issues sometimes, and also a lot of url "ad" type references in the comments coding.

What visitor stats package are you using? Google Analytics can trace regions and cities, ISP providers, etc that may help tracking. Can also set up advanced segmentation (http://www.kaushik.net/avinash/2008/10/google-analytics-releases-advanced-segmentation.html) for specific and granular tracking if you want.