Anatomy of a blog hack

While WordPress is great software, its ubiquity means that a lot of script-kiddies and general hackers like to attack it. All of the different settings, options, plugins and the rest mean that it takes quite a bit of work to balance letting people participate (through comments, postings) while keeping spammers and hackers out.

About a year and a half ago, my blog was hacked. I was notified of it by Google’s webmaster tools, and it took quite a while to go through all the different files to find the offending code and strip it out. It ended up being located in a number of different places, so it took a few go-throughs, re-submitting the site to Google, before the hack-detection software declared it clean.

I was always a little worried that I hadn’t gotten it all. Recently, I came across a great couple of blog posts that I highly recommend:

— — — — — — — — — — —

Files that were uploaded:
fx_akismet.php
fx_blogger.php
fx_I10n.php
fx_menu.php
fx_wp-config.php
fx_wp-db-backup.php
… and a folder of 70 HTML files and a JavaScript file meant to steal Google PageRank

All the PHP files were nearly identical. Here’s the code:

I don’t code in PHP, so I don’t really know what this says, but hopefully it might be useful to anyone afflicted by the same script.

If any of you have WordPress blogs, I highly recommend taking these same steps to see if you’ve been hacked.
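A check for the uploaded files listed above, as an added example that is not part of the original post: it walks a WordPress directory and reports files with the listed names, plus folders that look like the HTML-and-JavaScript folder described. The broader `fx_*.php` match, the `html_threshold` value and the sample tree's paths are assumptions made for illustration.

```python
import os
import tempfile

# File names this page reports as uploaded during the hack (lower-cased).
REPORTED = {n.lower() for n in (
    "fx_akismet.php", "fx_blogger.php", "fx_I10n.php",
    "fx_menu.php", "fx_wp-config.php", "fx_wp-db-backup.php")}

def scan(root, html_threshold=50):
    """Scan a WordPress tree and return a dict of sorted relative paths.

    exact     - files whose name is on the page's list
    prefix    - any other fx_*.php file (assumed heuristic, review by hand)
    html_dirs - folders with many .html files plus a .js file, like the
                one the page describes (the threshold is an assumption)
    """
    exact, prefix, html_dirs = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        lower = [f.lower() for f in files]
        for name, low in zip(files, lower):
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if low in REPORTED:
                exact.append(rel)
            elif low.startswith("fx_") and low.endswith(".php"):
                prefix.append(rel)
        n_html = sum(l.endswith((".html", ".htm")) for l in lower)
        if n_html >= html_threshold and any(l.endswith(".js") for l in lower):
            html_dirs.append(os.path.relpath(dirpath, root))
    return {"exact": sorted(exact), "prefix": sorted(prefix),
            "html_dirs": sorted(html_dirs)}

def build_sample_tree(root):
    """Constructed sample tree of empty files; the locations are made up."""
    layout = ["wp-config.php", "wp-includes/fx_menu.php",
              "wp-content/plugins/akismet/fx_akismet.php",
              "wp-content/uploads/fx_other.php", "wp-content/pages/r.js"]
    layout += ["wp-content/pages/p%d.html" % i for i in range(70)]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for kind, hits in scan(tmp).items():
            print(kind, hits)
```

To check a real site, call `scan()` on the directory that holds `wp-config.php`; anything under `prefix` or `html_dirs` is only a lead and needs a manual look.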