WordPress Hack Alert: sattan.org spam redirect in wp-blog-header.php files
Hey fellow bloggers — if you are using WordPress for your blog beware of hackers getting you like they got several of my blogs last week.
The scheme is pretty clever. Apparently what they do is hack into your WordPress site, via FTP or some other route (likely a vulnerability in older versions of WP), then modify your wp-blog-header.php file. The purpose of the hack is to siphon off all of your search engine traffic to their spam sites. The new code placed in your header file reads where each incoming visitor came from, and if the visitor is coming from a search engine the script redirects that visitor to the spam sites before they ever see your site at all.
So for instance, as part of my day job I help administer an FHA mortgage blog designed to help people with government-backed mortgages. That site does pretty well at the search engines. But because of the hack, when visitors found the site at a search engine and clicked on the link they instead ended up at some spammy/scummy fake Google page or at one of those fake virus alert sites.
How To Fix It
Well I can only hope I really have it fixed. Here are the steps I recommend:
1. Turn off the ability to anonymously access your blog via FTP just in case. This is done through your host.
2. Change your passwords.
3. Go fix your file access permissions. (One of the tricks the script uses is to change permissions so that “write” access is disabled and you can’t overwrite the hacked files until you re-enable it.)
4. Remove the offending code from your wp-blog-header.php file. (The scheme is pretty clever, but at least the hack code includes “start” and “stop” notes, so it isn’t that hard to find and delete.)
5. You can also look at upgrading to the newest version of WordPress. I suspect it is less susceptible to this particular hack.
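Steps 3 and 4 are the ones a script can help with. The following is an added example, not code from the original post: a defender-side integrity check for a WordPress install. It deliberately ignores file modification times (the post notes the attackers back-date them) and instead compares SHA-256 hashes of every .php file against a manifest taken from a known-clean copy of the same WordPress version. It also flags any PHP file that both reads HTTP_REFERER and issues a redirect, which is the behaviour the post describes in wp-blog-header.php, and any file whose owner write bit has been cleared. The heuristic patterns, the sample file contents and the temp-directory layout are assumptions made for this example.

```python
"""Added example (not from the original post): hash-based integrity scan for a
WordPress tree plus a referer-redirect heuristic. Patterns and sample files are
assumptions, not signatures of the specific hack."""
import hashlib
import os
import re
import stat
import tempfile

# Assumed heuristics: a file that reads the referer AND redirects deserves a look.
READS_REFERER = re.compile(r"HTTP_REFERER", re.IGNORECASE)
REDIRECTS = re.compile(r"header\s*\(\s*['\"]Location:|wp_redirect\s*\(", re.IGNORECASE)


def sha256_of(path):
    """Hash file contents; unlike an mtime, a hash cannot be back-dated."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every .php file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def looks_like_referer_redirect(source):
    """True if the PHP source reads the referer and also redirects."""
    return bool(READS_REFERER.search(source) and REDIRECTS.search(source))


def scan(root, baseline):
    """Compare a live install against a clean manifest; return {relpath: [reasons]}."""
    findings = {}
    current = build_manifest(root)
    for rel, digest in current.items():
        reasons = []
        path = os.path.join(root, rel)
        if rel not in baseline:
            reasons.append("not in baseline (new file)")
        elif baseline[rel] != digest:
            reasons.append("content differs from baseline")
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            if looks_like_referer_redirect(f.read()):
                reasons.append("reads HTTP_REFERER and redirects")
        if not stat.S_IMODE(os.stat(path).st_mode) & stat.S_IWUSR:
            reasons.append("owner write bit cleared")
        if reasons:
            findings[rel] = reasons
    for rel in baseline:
        if rel not in current:
            findings[rel] = ["missing (present in baseline)"]
    return findings


# Constructed sample contents: an approximation of a clean wp-blog-header.php
# and an illustrative referer-based redirect prepended to it (not the real payload).
CLEAN_HEADER = """<?php
if ( !isset($wp_did_header) ) {
    $wp_did_header = true;
    require_once( dirname(__FILE__) . '/wp-load.php' );
    wp();
    require_once( ABSPATH . WPINC . '/template-loader.php' );
}
?>
"""
INJECTED_HEADER = """<?php /* constructed illustration, not the real payload */
if (isset($_SERVER['HTTP_REFERER']) && stripos($_SERVER['HTTP_REFERER'], 'google') !== false) {
    header('Location: http://spam-host.invalid/'); exit;
}
?>
""" + CLEAN_HEADER


def _write(root, rel, text):
    with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
        f.write(text)


def demo():
    """Build a clean tree and a compromised tree in temp dirs, then scan the latter."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            _write(root, "wp-load.php", "<?php /* placeholder */ ?>\n")
        _write(clean, "wp-blog-header.php", CLEAN_HEADER)
        baseline = build_manifest(clean)
        _write(live, "wp-blog-header.php", INJECTED_HEADER)
        hacked = os.path.join(live, "wp-blog-header.php")
        os.utime(hacked, (1_000_000_000, 1_000_000_000))  # back-dated, as the post describes
        os.chmod(hacked, 0o444)                            # write bit removed, as in step 3
        return scan(live, baseline)
```

In practice you would build the manifest once from a freshly downloaded copy of the same WordPress release and run `scan()` against the live document root on a schedule; because the comparison is by content, the back-dated timestamps the post mentions do not hide anything. The referer heuristic is only a hint for a human to look at the file, not proof of compromise.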
As I said, it is a pretty clever scheme because blog owners will see that their search engine placement has not changed. Plus the hackers mask which files they modified by back-dating the file dates. So the only way most users will discover the problem is to actually click on the links to their site in a search engine and notice that they end up somewhere else (specifically at some sattan.org sub site). I suspect they are making a killing by stealing a lot of traffic from a lot of people. Hopefully you are not a victim whose blog is getting killed because of it.
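That "click through from a search engine" test can be automated. The following is an added example, not code from the original post: it fetches the same URL twice, once with no Referer header and once with a Referer that looks like a search results page, without following redirects, and reports whether only the search-engine visitor is redirected. So that it runs offline, it also starts a tiny local HTTP server that is a constructed stand-in for a hacked blog. The referer value, the spam hostname and the port choice are assumed placeholders.

```python
"""Added example (not from the original post): black-box check for a
referer-dependent redirect, with a constructed local stand-in for a hacked site."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

SEARCH_REFERER = "http://www.google.com/search?q=example"  # assumed sample value


def fetch(url, referer=None):
    """One GET that does not follow redirects; returns (status, Location header or None)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
    conn.request("GET", parts.path or "/", headers={"Referer": referer} if referer else {})
    resp = conn.getresponse()
    resp.read()  # drain the body so the connection closes cleanly
    conn.close()
    return resp.status, resp.getheader("Location")


def classify(direct, via_search):
    """Cloaked if the search-engine visitor gets a redirect that the direct visitor does not."""
    return direct != via_search and 300 <= via_search[0] < 400


def check_cloaking(url):
    """Run both fetches against url and summarise the result."""
    direct = fetch(url)
    via_search = fetch(url, referer=SEARCH_REFERER)
    return {"direct": direct, "via_search": via_search,
            "cloaked": classify(direct, via_search)}


class FakeHackedSite(BaseHTTPRequestHandler):
    """Constructed stand-in for a compromised blog: only search referrals are redirected."""

    def do_GET(self):
        referer = self.headers.get("Referer", "")
        if "google." in referer or "yahoo." in referer:
            self.send_response(302)
            self.send_header("Location", "http://spam-host.invalid/")  # placeholder host
            self.end_headers()
        else:
            body = b"<html><body>Normal blog page</body></html>"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def demo():
    """Serve the fake site on a loopback port and run the check against it."""
    server = HTTPServer(("127.0.0.1", 0), FakeHackedSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_cloaking("http://127.0.0.1:%d/" % server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
```

Against a real site you would call `check_cloaking("http://yourblog.example/")` directly; the loopback server exists only so the example runs offline. Because a Referer is the visitor's claim about where they came from, this check needs no search-engine listing to work, and repeating it with a few different referer values (as Denis notes in the comments, the redirect logic can vary per load) makes it more reliable.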
[Update 1 (Dec. 2)]
As one of the commenters predicted, the changes above only temporarily solved the problem. By this evening the hackers (or at least the malicious scripts) had reinserted the offending code in the header file and re-changed the permissions. As my next attempt I am trying the various cleanup steps found here. Plus I plan to upgrade a few of my blogs to see what happens.
[Update 2 (Dec 3)]
More than 24 hours later the extra fixes found here (including going in and removing fake users from the database and other crap from the back end) seem to be working. The offending code in the header file has not popped back in yet. I also upgraded some of my blogs so we will see if that adds extra protection.
[Update 3 (Dec. 8)]
[Ok, the steps I have taken seem to be holding. After following the steps above and upgrading my blogs to the newest version (2.6.5 as of this posting) I have not seen any more problems. With any luck that will continue.]
[Update 4 (Feb. 6, 2009)]
It’s baaaack. Apparently I needed to do more. I am trying the ideas at these two sites now:
Link 1
Link 2
We’ll see if that works.
Thank You !!!
They were killing me for a few weeks now. I saw my adsense trickle down. The readership on my blog went from 180 to 7 and I couldn’t figure out why until I discovered sattan.org. It took me a couple of days to find this post and now I’m out of the jam … I hope
Thank you again.
die sattan.org die !!
Comment by David — December 1, 2008 @ 10:25 am
You’re very welcome David. I hope it helps.
Comment by Geoff J — December 1, 2008 @ 10:32 am
There is a special place in hell for hackers who do stuff like this.
Comment by Jacob J — December 1, 2008 @ 11:26 am
Geoff,
Any evidence it was done via FTP?
I’m looking for the code of this exploit. Could you send it to me if you still have it? (This is my contact form http://www.unmaskparasites.com/contact/ )
Comment by Denis — December 1, 2008 @ 1:30 pm
Denis,
When I went and looked in my cPanel I found an unauthorized FTP connection that I had to disconnect. But it is possible they got in through the host or something I suppose.
PS – I just uploaded the offending code at your site.
Comment by Geoff J — December 1, 2008 @ 1:38 pm
Thanks for the code.
I saw it was changing the search string on every load but I thought the code would be somehow encrypted.
Comment by Denis — December 1, 2008 @ 1:50 pm
There is more that needs to be done to fix this bug. I have tried the above and it was only scratching the surface, it still came back. Check the post my name links to.
Comment by Andrew — December 1, 2008 @ 3:07 pm
Interesting feedback Andrew. I checked for all that other stuff in the database and didn’t see any signs of it in my case. Perhaps I detected the hack early on or just got hit with a different variation of the hack or something…
Comment by Geoff J — December 1, 2008 @ 3:22 pm
Ok, so it turns out Andrew was right and there were several other steps that I needed to take. This is the same WordPress hack that has happened to a lot of other blogs already — just a variation on the theme it seems. I had to go in and clean up the database and make other changes. I am in the process of upgrading all my blogs as well.
Comment by Geoff J — December 2, 2008 @ 9:29 am
Anyone know if it was FTP or not? It seems to me like it’s an “old wordpress” problem. I’ve removed all remnants of the hack that I can find, and have upgraded all my sites to the latest version of WP.. I’m hoping this fixes things, as we’re on shared hosting (Dreamhost), and if it’s an FTP issue, it’s going to be a little hard to fix…
Comment by Dusty — December 3, 2008 @ 9:37 am
I’m not at all convinced it is an FTP problem after all Dusty. When I was initially researching I suspected it was but now I think it has more to do with a backdoor security hole in older versions of WordPress as you mentioned.
Comment by Geoff J — December 3, 2008 @ 10:11 am
Interesting posts.. I found looking for something else.. isn’t that how we find most good information on the web?
I have not seen any mention of the versions of WP that got hacked… would you mind posting that info..
Thanks,
Lee W.
Comment by Lee W. — December 20, 2008 @ 10:29 pm
It looks like the hack was back this morning so I have not yet figured out how to avoid repeat attacks.
Comment by Geoff J — February 5, 2009 @ 9:33 am
Alright, here are a few more useful links I’m trying out this time around:
Link 1
Link 2
Comment by Geoff J — February 5, 2009 @ 7:57 pm
Hi Geoff, I found your site while searching for a solution to this… do you think you can help? All my blogs (a dozen of them) are facing a redirect :(
Comment by doris — February 7, 2009 @ 5:29 am
Hi Geoff.. just to let you know that I’ve got the prob fixed via my hosting company… thanks anyways.
Comment by doris — February 8, 2009 @ 6:16 am
That’s a good thing Doris. I didn’t have much advice to offer beyond the links I already gave.
Comment by Geoff J — February 8, 2009 @ 9:30 am
Hi Geoff, can I ask you to contact me via email. I have some bits of code that were uploaded and some ideas. thanks, oxyk
Comment by oxyk — February 18, 2009 @ 7:17 pm
not enough but useful.
keep updating thanks
Comment by hamza khan — February 21, 2012 @ 2:02 am
Spot on with this write-up, I truly believe that this website needs far more attention. I’ll probably be back again to see more, thanks for the information!
Comment by ????? — April 6, 2012 @ 8:42 pm