I was hacked!

by sam on 08/22/2009

I didn’t think this blog was popular enough to actually get hacked, but I was apparently wrong.

Evidence the first – For some reason it was taking a really long time to load, even though I had cleaned out a lot of extraneous crap code recently.

Evidence the second (and, really obvious) – I was going through the source code because I wanted to add a graphic to my header, and I was trying to find the right spot. In doing so, I noticed a bunch of weird links to external sites that I certainly hadn’t put in there. Online pharmacies and whatnot. So I went into the header file in WordPress, and found extraneous code pointing to a .ru site. Yeah. Not so much evidence as, well, concrete proof. I also did a Google search for the code, and discovered that it appears on many other sites.

I don’t know how it got seeded (perhaps through a plugin?), but the code to search for in your header.php file in WordPress is “alkoltashov (dot) narod (dot) ru / sites.txt”. This apparently pulls in the multiple http addresses.

I’m off to go search for more strange code to make sure my site is actually clean. I’ll post an update if I find anything else.

Update: Found another one – in the footer.php file, somehow the link to demus design, which designed my template, got switched to “elavil lab”, with another link to an online pharmacy. And the link to wordpress.org linked to some third-party site rather than the real WordPress. I’m off to change my password as well!

Update further: From a little searching online, it appears to be a vulnerability of WordPress 2.8.1, which is the latest version available from my hosting provider (although the latest available overall is 2.8.4). Looks like I’m going to have to keep a close eye on things until they upgrade further over at Network Solutions. I also found a few other small things. My only advice is to go through all of your template files and look for code that doesn’t belong. This is so annoying.
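
One way to automate the "go through all of your template files" check, as an added example that is not part of the original post: it flags the indicator string quoted above and any link to a host the theme is not expected to reference. The allowlist, the `designer.example` and `pharmacy.example` hosts, and the two sample template files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Indicator exactly as the post gives it (defanged); refang() rebuilds the literal form.
DEFANGED_INDICATOR = "alkoltashov (dot) narod (dot) ru / sites.txt"
# Assumption: hosts the theme is expected to link to. designer.example is a placeholder.
ALLOWED_HOSTS = {"wordpress.org", "designer.example"}
URL_RE = re.compile(r"""https?://[^\s"'<>)\[\]]+""", re.IGNORECASE)


def refang(text):
    return text.replace(" (dot) ", ".").replace(" / ", "/")


def scan_theme(theme_dir, allowed_hosts=ALLOWED_HOSTS):
    """Return (file, line_no, reason, detail) for each suspicious line in *.php templates."""
    indicator = refang(DEFANGED_INDICATOR).lower()
    findings = []
    for path in sorted(Path(theme_dir).rglob("*.php")):
        lines = path.read_text(errors="replace").splitlines()
        for line_no, line in enumerate(lines, 1):
            if indicator in line.lower():
                findings.append((path.name, line_no, "known-indicator", line.strip()))
                continue
            for url in URL_RE.findall(line):
                host = (urlparse(url).hostname or "").lower()
                if not any(host == h or host.endswith("." + h) for h in allowed_hosts):
                    findings.append((path.name, line_no, "unexpected-host", url))
    return findings


def demo():
    """Scan a constructed two-file theme (not the author's real templates)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "header.php").write_text(
            '<title><?php bloginfo("name"); ?></title>\n'
            f'<?php $src = "http://{refang(DEFANGED_INDICATOR)}"; ?>\n'
        )
        (root / "footer.php").write_text(
            '<a href="http://wordpress.org/">WordPress</a>\n'
            '<a href="http://pharmacy.example/elavil">elavil lab</a>\n'
        )
        return scan_theme(root)


if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep=" | ")
```

To use it on a real theme, call `scan_theme()` on the theme directory with an allowlist that includes your own domain and your template designer's.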

