Trojan on this website
I just received an e-mail from a reader of this blog, who pointed out that his virus scanner went mental when trying to access this blog, stating that the web page was infected with an Exploit-IFrame.gen.c virus.
At first, I thought this was completely ludicrous, and that the good man was completely a) insane, b) computer illiterate and c) on a spamware-infested computer. Upon closer examination, however, it turns out that I was, indeed, the culprit.
It turns out that there is a security flaw in Wordpress – the nature of which I haven’t quite been able to identify – which managed to insert a snippet of obfuscated Javascript code into the header of the blog. I had a look at the header file in my new theme template, and there was a block with the header ‘Searchbot_111’, which inserted an encoded block of JavaScript, which in turn pulled in the malicious code.
I have no idea what Exploit-IFrame.gen.c actually does, and there’s not a lot of information on the internet with specifics.
I’ve removed the offending code from my blog and I’ve locked down my file permissions – it turns out they were set to ‘world write’ (or 777 in octal, if you’re into that kind of thing), which is of course a complete beginner’s mistake – for which I hope you’ll be able to forgive me. Trust me, it won’t happen again.
I know most of you will be doing this already, but please remember to update your anti-virus software, ensure that you use a decent browser (use IE7 if you must, Firefox or Safari if you can, and trash IE6 if you’re still using that).
My apologies again,
- Haje
PS: I will endeavour to track down how this happened in the first place and update this post with a guide on how it can be avoided if possible and removed if necessary.
Additional information about this server
This site is running the latest stable Wordpress release (2.7)
I’m running a series of plug-ins to WordPress: Adsense-Deluxe v0.8 (ad serving), Akismet v2.2.3 (Spam blocking), Democracy v2.0.1 (voting/polls), Digg This v1.0.1 (social network promotion), FeedBurner FeedSmith v2.3.1 (RSS feeds), FlickrRSS v4.0 (Flickr pics in the sidebar), Google Sitemaps v2.7.1 and WP Super Cache v0.9 (caching)
In addition, I’m running a series of widgets: Democracy Widget 1.0 (voting/polls), KB Advanced RSS widget v2.1.2 (Twitter feeds) and PHP.Text widget v1.3 (To show the FlickrRSS as widgets).
The server is running a Ubuntu 8.04.1 (Hardy Heron) LTS virtual shared server hosted on a 1GB slice at Slicehost. I’m running PHP Version 5.2.4 hardened with Suhosin Patch 0.9.6.2 and MySQL 5.0.51a on an Apache 2.2.8 server.
Update
The symptom of this problem can definitely be removed by deleting any lines you don’t recognise from your header file. It’s likely to be right before the </head> tag. Look for a PHP snippet which appears to be trying to identify search engines.
It appears that the cause of this issue is a cross-site scripting (XSS) vulnerability in the RSS/Atom engine in Wordpress, which appears to have come to light late in 2008. There is quite a bit of information about this all around the internet, but the technobabble is a little bit beyond me. I’ll try and put together an understandable explanation of what’s going on as soon as I figure it out myself.
If I grok this correctly, it appears that the exploit is fixed in versions of Wordpress beyond 2.6.5, but that the WP Super Cache plug-in continues to allow the exploit somehow.
If you’re affected by this, fix the issue, and then read Hardening Wordpress and Did your Wordpress Site get Hacked – both of which give a lot of starting points for research into how you can stop this happening again.
There’s also a plug-in which can help you scan your Wordpress for exploits.
More updates to follow as the investigation continues.
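The clean-up steps above (look for an unrecognised PHP block in header.php near </head>, and get rid of world-writable permissions) can be turned into a repeatable triage script. The following is an added example, not code from the original post: it scans a WordPress tree for world-writable files, for theme header.php files carrying a ‘Searchbot’ marker or an eval(base64_decode()) block, and, going one step further than the post, for POST requests to the feed endpoints in an Apache access log. The demo tree, the marker text and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Triage checks for the symptoms
# described above: world-writable files (the 777 mistake), theme header.php
# files carrying the injected "Searchbot" / eval(base64_decode()) block, and
# POSTs to the feed endpoints in an Apache access log. The demo tree, marker
# text and log lines are constructed here so the script runs stand-alone.

# Files or directories anyone can write to (o+w) under a WordPress tree.
find_world_writable() {
  find "$1" -perm -o+w \( -type f -o -type d \) 2>/dev/null | sort
}

# header.php files under wp-content/themes with typical injection markers.
find_suspect_headers() {
  find "$1/wp-content/themes" -name header.php 2>/dev/null |
    while read -r f; do
      grep -Eiq 'Searchbot_|eval *\( *base64_decode|gzinflate *\( *base64_decode' "$f" && echo "$f"
    done | sort
}

# Feeds are fetched with GET; a POST to wp-atom.php or friends is worth a look.
find_feed_posts() {
  grep -E '"POST /wp-(atom|rss2?|rdf)\.php' "$1" | awk '{print $1, $4}' | sort -u
}

# Constructed demo: one clean theme, one infected and world-writable theme,
# and a two-line access log (IPs from the documentation range, not real).
build_demo() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/themes/clean" "$d/wp-content/themes/infected"
  printf '<head>\n<title>x</title>\n</head>\n' > "$d/wp-content/themes/clean/header.php"
  printf '<head>\n<?php /* Searchbot_111 */ eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>\n</head>\n' \
    > "$d/wp-content/themes/infected/header.php"
  chmod 755 "$d/wp-content" "$d/wp-content/themes" "$d/wp-content/themes/clean"
  chmod 644 "$d"/wp-content/themes/*/header.php
  chmod 777 "$d/wp-content/themes/infected"
  printf '%s\n' \
    '203.0.113.5 - - [10/Feb/2009:02:05:43 +0000] "POST /wp-atom.php HTTP/1.1" 200 32 "-"' \
    '203.0.113.9 - - [10/Feb/2009:02:06:01 +0000] "GET /wp-atom.php HTTP/1.1" 200 4112 "-"' \
    > "$d/access.log"
  echo "$d"
}

demo=$(build_demo)
echo "world-writable:";  find_world_writable "$demo"
echo "suspect headers:"; find_suspect_headers "$demo"
echo "POSTs to feeds:";  find_feed_posts "$demo/access.log"
```

Point the three functions at a real document root and access log instead of the demo tree; anything they print is a candidate for a closer look, not proof of compromise.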
Insights, suggestions and comments
You might want to replace “octagonal” by “octal” ;)
patpro: Jeez, can you tell I typed this up in a rush?
I obviously ought to have my webmaster pass revoked on a permanent basis…
This does not necessarily have to be connected to file permissions or your webmaster. There are tons of ways how wordpress can become vulnerable. For example, there are quite a few plugins which can be a security risk, so you should keep those up to date as well.
Flo: Yeah, that’s what I’m afraid of too, but I do trust most of the plug-ins quite well, and they are all (with two notable exceptions, which I’ll fix tonight) completely up to date.
I’ve had issues with odd things showing up on my blog before, but all rootkit checking in the world doesn’t indicate that the server itself is compromised – and the passwords are as hardened as I can make them with paranoia levels turned to 11 (passwords are many digits, completely random, with upper and lower, numerals and obscure punctuation symbols), no FTP access, each site on the server lives in its own silo, etc.
Apart from my octal n00b mistake, I am genuinely surprised how the site still ended up hacked – I’ve genuinely done everything in my power to keep it completely safe… I guess I’ll just have to start doing more.
interesting post
today (10th feb) at 0205 UK time, my wife’s wordpress site got hacked too.
same snippet of code placed in every header.php file underneath the themes folder
nothing obvious in httpd logs, i am very confused
Hi same thing has just happened with my site – I googled Exploit-IFrame.gen.c and found you.
Hopefully I can follow what you did and deal with this…
in case it is of any use
the httpd log from the time of the hack
87.118.120.36 - - [10/Feb/2009:02:05:43 +0000] "POST /wp-atom.php HTTP/1.1" 200 32 "-"
87.118.120.36 - - [10/Feb/2009:02:05:43 +0000] "POST /wp-atom.php HTTP/1.1" 200 - "-"
ip is in germany
Lee: is your wife’s website hosted by 1&1 (mine is)
Haje: only plugin which we have in common is akismet
I was looking into a WP hack for a friend and this whitepaper was very helpful:
http://blogsecurity.net/wordpress/wordpress-security-whitepaper/
I’ve seen two classes of WP hacks:
• Something getting inserted into the page template. I think that WP stores each theme separately, so you might be able to restore back to a known-good copy of your theme if you’ve got extra stuff inserted.
• Alternatively, I’ve seen a tiny iframe added to one or more posts, generally linking to a malicious site. This is easier to fix; just search for an iframe tag on each post and if you see one that shouldn’t be there, nuke it.
My wife’s site (wordpress as a CMS) is a self hosted wordpress 2.7 on an easyspace Virtual private server, where i control the security, and left the themes folder writable to apache after tweaking her latest theme of choice
Glad you got your site fixed.
WP-Super-Cache allowed a different bug to happen, but so would any other caching plugin. Security Focus mentioned that plugin because it’s the most used.
Can you email security@wordpress.org with everything you’ve found? I have a feeling it’s an old bug though.
i am not convinced this is related to the XSS pre 2.6.5
http://wordpress.org/development/2008/11/wordpress-265/ says
“only affects IP-based virtual servers running on Apache 2.x.”
and (in my opinion) does not seem to allow code to be written back to the web server
my setup is name-based-virtual hosted 2.7 and it still got in !!
Another reason to read by rss, I guess. Best of luck getting it all worked out, but don’t hold off on new posts too much. The last one on breaking photographers block was fantastic.
Always very good info, thanks