WordPress MySQL Injection – Permalink hack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]



Just want to write up a quick post on the latest WordPress MySQL injection, which seems to have hit many WordPress blogs, including several of my own.

I found out about this problem last night when an email came to me from GetResponse notifying me that my blog announcement feeds were no longer working.

I quickly went over to my blogs and noticed my permalink structure had been changed.

Diagnosis:

Put your mouse cursor over a permalink (or over a post title) and check whether either of the following strings appears in the URL:

%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%

If so, you have been hacked!

How to Fix:

Log in to your WordPress dashboard and go to Settings -> Permalinks

Change your permalink structure to what you had before.

Now from an SEO standpoint I had to make absolutely sure that my permalink structure was the same as before. If you don't remember what your permalink structure was for your site, simply go to Google and type in:

site:yoursite.com

Then look at one of your blog posts and see how the permalink URL is structured.

Then you want to remove a hidden admin user from your blog.  You will most likely not be able to see who this is if you go to the Users tab:

[screenshot: manage-users]

As you can see there are 2 Administrators, but I only see myself in the list.

To remove the uninvited guest you are going to have to log in to MySQL (cPanel -> MySQL -> phpMyAdmin), go to your wp_users table, and sort the ID column to see the latest registered user:

[screenshot: wp_users]

You will notice a user without an email address.  To further verify that this user has Administrator privileges, go to the wp_usermeta table and verify that this user_id has a wp_user_level of 10:
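The same checks as SQL, as an added example that is not from the original post: the first query looks for the injected permalink structure in wp_options, the second lists every account with administrator privileges (whether or not the Users screen shows it), and the third flags admin accounts with no email address, which is how the rogue user looked here. It assumes the default wp_ table prefix.

```sql
-- Added example (not from the original post). Run in phpMyAdmin against the
-- WordPress database. Assumes the default "wp_" table prefix; adjust if yours differs.

-- 1. Diagnosis: the permalink structure is stored in wp_options. A clean value
--    looks like /%year%/%monthnum%/%postname%/; the injected one contains
--    eval( and base64_decode( as shown in the post.
SELECT option_name, option_value
FROM wp_options
WHERE option_name = 'permalink_structure'
  AND (option_value LIKE '%eval(%'
       OR option_value LIKE '%base64_decode(%'
       OR option_value LIKE '%$_SERVER%');

-- 2. Every account with administrator privileges, newest ID first.
--    wp_user_level = 10 is the legacy admin level; wp_capabilities holds a
--    serialized array that contains "administrator" for admins.
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       lvl.meta_value AS user_level, cap.meta_value AS capabilities
FROM wp_users AS u
LEFT JOIN wp_usermeta AS lvl
       ON lvl.user_id = u.ID AND lvl.meta_key = 'wp_user_level'
LEFT JOIN wp_usermeta AS cap
       ON cap.user_id = u.ID AND cap.meta_key = 'wp_capabilities'
WHERE lvl.meta_value = '10'
   OR cap.meta_value LIKE '%administrator%'
ORDER BY u.ID DESC;

-- 3. Admin accounts with no email address, as the uninvited guest appeared.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS lvl
  ON lvl.user_id = u.ID AND lvl.meta_key = 'wp_user_level'
WHERE lvl.meta_value = '10'
  AND (u.user_email = '' OR u.user_email IS NULL);

-- 4. Once you have confirmed the rogue account's ID, remove it together with its
--    metadata. <ROGUE_ID> is a placeholder; replace it with the ID from query 3.
-- DELETE FROM wp_usermeta WHERE user_id = <ROGUE_ID>;
-- DELETE FROM wp_users    WHERE ID = <ROGUE_ID>;
```

Compare the results of query 2 with the user list in the dashboard; any account present here but missing from the Users screen is the one to investigate.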

[screenshot: wp_usersmeta]

Prevention:

I'm still keeping an eye out for future attacks.  The same attack happened to one of my WordPress blogs that runs the latest version, 2.8.4, so I don't think upgrading to the latest version will prevent this attack from happening to you (running the latest WordPress version is highly recommended anyway).


8 Responses to “WordPress MySQL Injection – Permalink hack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]”

  1. Wordpress MySQL injection - latest attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/ Says:

    [...] Just want to give you guys a heads up for those who run WordPress blogs: WordPress MySQL Injection – Permalink hack %&({${eval(base64_decode($_SERVER[HTTP_REFERER] Thanks, [...]

  2. Breaking: Wordpress MySQL injection – how to fix latest attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/ | AndySowards.com :: Professional Web Design, Development, Programming Freelancer, Hacks, Downloads, Math and being a W Says:

    [...] http://www.netpassiveincome.com/wordpress-mysql-injection-permalink/ [...] Hey Guys, Just realized that a lot of people were hit with this latest WordPress Blog Attack – It's a MySQL Injection that screws up your permalinks and in turn makes your blog post links not work! So I figured I'd write up this quick post to help some people out! It appears that yesterday, many wordpress [...]

  3. Serious Hack - Wordpress versions prior to 2.8.4 Says:

    [...] attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/ Leads to explanation WordPress MySQL Injection – Permalink hack %&({${eval(base64_decode($_SERVER[HTTP_REFERER] Here is another report of a previous attack. Help! My Blog Posts Now Have Weird Code on the [...]

  4. Upgrade Wordpress to 2.8.4 - Security Threat Says:

    [...] attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/ Leads to explanation WordPress MySQL Injection – Permalink hack %&({${eval(base64_decode($_SERVER[HTTP_REFERER] Here is another report of a previous attack. Help! My Blog Posts Now Have Weird Code on the URL [...]

  5. » wordpress-mysql-injection-permalink, Mistonline.in was tried by the hackers Tutorials, Scripts, Technology and Interview Tips Says:

    [...] WordPress MySQL Injection – Permalink hack %&({${eval(base64_decode($_SERVER[HTTTP_REFFER] [...]

  6. WordPress Security Exploits – This site was hacked | Eric Shefferman (DOT) Com Says:

    [...]  AND it brings me to http://www.netpassiveincome.com/wordpress-mysql-injection-permalink/ [...]

  7. WordPress under gpc_10805 attack | ShinePHP.com Says:

    [...] attack on WordPress managed sites can be found: http://mashable.com/2009/09/05/wordpress-attack/ http://www.netpassiveincome.com/wordpress-mysql-injection-permalink/ [...]

  8. Check Your Wordpress Blog For Possible Hack Says:

    [...] http://www.netpassiveincome.com/wordpress-mysql-injection-permalink/ [...]
