Script Injection Attack

Update: I cleaned this up. There should be no malware threat.
======
I was hacked!

Script Injection

Thank you Stuart and Jonathan for alerting me that their browsers warned them that my site hosted malware. Stuart was the first to alert me and Jonathan gave me the tip that the problem was something to do with “odmarco.com”. I hunted around, and found a link to odmarco.com after the closing html tag in WordPress.

I knew I had to get that out. But how?

My first bet was this was caused by a new plugin…wrong!

So, then I checked the index file of my theme. That’s editable from inside the WordPress plugin panel. I found a script injection in that index.php file. I removed it.

That should have fixed it… so I thought. But no. The script was still in some of my files.

I switched themes: Still there.

So, I went to Dreamhost and checked the full WordPress installation, looked at the /index.php file and found that somehow an image had been added after the closing html tag in the file.

If you are a blogger, I advise viewing your file source, and looking for “odmarco”. If it’s there, you’ll need to examine your very short /index.php file at your hosting service and your theme. If you find an iframe at the end of the file, similar to the one I circled above take it out.

For anyone who wants to search the web or help other bloggers, you can view their source and see if you find a string resembling their content: odmarco.com/arwe/?736361acd09ca9717c9462514beb5205

I don’t know when or how the malware was introduced, but I suspect a Script Injection Attack. To help me detect any future hacks quickly, I have installed “Paranoid”.

Update

Googling around I discovered:

  1. The problem may (or may not) originate with some bug at Dreamhost that permits attacks. (People like me could be helpful and make loads of files not-writable. But.. well.. customers don’t always think of these things.)
  2. The script supposedly tries to exploit a problem with Adobe Acrobat. I don’t know what it does.
  3. The script is injected into html files and some php files. I have removed it completely from my blog and this site. I sent a note to Dreamhost because my knitting site is totally infested, and I’m not sure how to quickly get it off the static php files. All the html files on my knitting blog have mod-dates of May 28, which means the script hit my sites on May 28.

Update II

You have to do more!

The script managed to add that bit of code to every single index.php and index.html file at my site. This means it’s sometimes in various plugin files, templates etc. To protect visitors, one should get them all out, no matter how unlikely they are to ever be loaded.

Fortunately, a nice script is available here. To run it, I:

  1. Changed the string after the bit of code that says: protected $string_to_clear = ‘XXX’; You need to put the string you want found between the quotes where I placed XXX. Odmarco is changing their string from time to time.
  2. Save the file with some useful name like “clearOutJunk.php”.
  3. Upload that to the top directory of your site. (I put it right up under rankexploits.com.)
  4. Point your browser to http://yourdomain.com/clearOutJunk.php . The script will pause while it’s reading every file in every directory. It will echo names of files and tell you if it found anything. If it found the string you told it to eliminate, it will remove that string from the file and replace it.
  5. This worked like a charm.
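As an added example (not the author’s cleanup script nor the one linked above), here is a Python version of the same sweep described in the advice above and in steps 1–5: it walks the site, flags any iframe or script element that carries a marker string or that sits after the closing html tag (where no markup belongs, so it still catches the case where odmarco changes its string), and optionally strips the element. MARKER is a constructed placeholder; replace it with the string you actually find.

```python
import os
import re

# Constructed marker; replace it with the exact string found in your own files.
MARKER = "odmarco.com/arwe/?"
# One <iframe> or <script> element, possibly spanning several lines.
TAG_RE = re.compile(r"<(iframe|script)\b[^>]*>.*?</\1\s*>", re.I | re.S)
HTML_END_RE = re.compile(r"</html\s*>", re.I)


def find_injection(content):
    """Span of the first injected element: an <iframe>/<script> carrying MARKER,
    or one placed after the last </html>, where no markup belongs; else None."""
    ends = [m.end() for m in HTML_END_RE.finditer(content)]
    for m in TAG_RE.finditer(content):
        if MARKER in m.group(0) or (ends and m.start() >= ends[-1]):
            return m.start(), m.end()
    return None


def clean(content):
    """Strip every injected element; returns (cleaned_content, removed_count)."""
    removed = 0
    span = find_injection(content)
    while span is not None:
        content = content[:span[0]] + content[span[1]:]
        removed += 1
        span = find_injection(content)
    return content, removed


def scan_site(root, fix=False):
    """Walk root and return the relative paths of .php/.html files that carry an
    injection; with fix=True each one is rewritten with the element removed."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".php", ".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            if find_injection(content) is None:
                continue
            hits.append(os.path.relpath(path, root))
            if fix:
                with open(path, "w", encoding="utf-8") as fh:
                    fh.write(clean(content)[0])
    return sorted(hits)
```

Run `scan_site("/path/to/site")` first to get the list of affected files, and only then `scan_site("/path/to/site", fix=True)` once you have a backup and have checked the list.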

Update II

Other issues remained. Dreamhost advised me that I should search all my files to find anything that had been installed or modified recently. (Evidently, the hackers like to hide files with innocuous names and just re-install later!)

I found two batches of suspicious files. One set of changes was made on May 28. Those changes are what alerted Jonathan and Stuart. But another set of changes was made way back on April 7. That’s sufficiently far back that you can’t count on WordPress having old enough backups to just replace all old files with new ones.

Anyway, I ran the script discussed above to clean the injected script out of all html and php files containing it. I also searched for all files dated April 7, checked that they weren’t right, and deleted them. I also looked at everything between April 7 and today and deleted anything and everything I no longer need.

I should be totally clean now.

16 thoughts on “Script Injection Attack”

  1. Kind of interesting that suspect domain odmarco.com name was registered in “Sverdlovsk” because the official city name was changed in 1991 back to the pre-Soviet name “Yekaterinburg”.

    Maybe site owner is a die-hard Bolshevik attacking running dogs of imperialism like lucia …

  2. Well…. a lot of spam originates from the former Soviet Union. But I think that’s because they are gung-ho capitalists.

  3. “Maybe site owner is a die-hard Bolshevik attacking running dogs of imperialism like lucia …”

    I swear I’ve never even heard of Sverdlovsk.

  4. Lucia,

    As you know, something similar and way more destructive happened to CA and WUWT over the past 18 months. The hits were different, the ultimate effect the same.

    Not to put too fine a point on it, but the RC side of the fence has some very influential backers [Messrs Soros and Gore being amongst the more readily identifiable].

    Disrupting, temporarily shutting down and more subtly, perniciously using the target as a manipulated source of “dis/mis”-information [as would appear to be your case] is classic “disinformatia” modus operandus [ref: “disinformatia/ex-USSR] to disrupt/shut down the other side’s “voice[s]”.
    In the case of AGW/ACC, that includes “lukewarmers” like you, when you systematically get too close to the bone, as you do at the Blackboard…
    cheers.

  5. Tetris–
    Many totally unrelated sites were hit by this. There is a long discussion at the forum at Dreamhost. I’m just trying to search through my entire site to make sure there are no hidden scripts. But, it is occupying my time today.

    Pain in the butt!

  6. Hello Lucia,

    if I browse to your site with Firefox the main site is always blank, and I can only navigate with the sidebar. If I use Safari everything is okay.

    I hope this can be fixed, too.

  7. Luclog, I use FF and I have no problems with that. Are you sure you haven’t accidentally Adblocked it?

  8. Luclog–
    Can you take a screenshot and send it to me? Click the contact lucia link below to email me. That way, I can see the display issue which will help me fix it.

  9. @ Ryan

    Thanks for your help Ryan. That fixed it.

    @ Lucia

    It was Adblocked. Thanks for all. I hope I have made no effort.

  10. Hi Lucia, I’ve been dealing with the same thing on my VPS. Every single index.html and index.php on the entire VPS, across different sites hosted on the VPS, have been injected with two different scripts now, one on June 6 and the next on June 10. It does not include the odmarco script but clearly the (apparently automated) injections are using the same exploit, whatever it is. It’s only a matter of time before it happens again, of course. I’ve been surfing across the web and came across your site first when I googled “script injection index.php”. I’m posting this here to hopefully help others when they see it. The first thing I was warned of, and checked, was the register_globals setting. It appears to be off, though I will check thoroughly everywhere to make sure a setting of “on” somewhere isn’t overriding the “off.” Hopefully I can post back if I learn more on how to block this injection attack.

  11. Amber–
    Thanks Amber. Since I blog, but don’t set up my server, I had to google a bit to learn what register_globals is.

    I did find some information here: http://drupal.org/node/210311 I’m going to see if I can adjust this in htaccess for my sites etc. If I can’t I’ll ask Dreamhost. But ultimately, I’m not sure if I’ll be able to control that. Let me know if you happen to be familiar with solutions.

Comments are closed.