update: I probably won’t be posting anything new for a few days until I track this down, but I’d appreciate continuing the conversation in the comments of this page. Right now, I can’t even find the posts on the site using my FTP program. I was going to download them and attack the code with a text editor, but I’m not seeing them as files, so I’m not sure how one goes about this. Anyway, I’m going to be working on the problem….sigh…why me…. (whine whine whine. :D)
I don’t know how it’s ultimately going to manifest, but The Captain has some very unpleasant-looking html in his gullet right now. Thanks to one of you, I became aware of the problem and I’m trying to figure out what to do about it.
I don’t see anything on the blog itself, in IE or Firefox, but if you look at the source code, there are about a gazzilion links imbedded into every expletive deleted page, along with some script. I don’t know what that means about visitors’ protection. Any of you computer gurus out there who have some idea what it might be all about, I’d sure appreciate your advice. I also have no idea how long it’s been there.
I really don’t get it. I don’t see what it’s accomplishing, but then I don’t understand the script code surrounding the links either. I’d REALLY appreciate any help and would like to know if I should, like, shut the blog down or something.
Gawd…I’m so depressed. I don’t need this! You hackers are icky!!!!!
I see what you are talking about in your code, but I don’t see it in my browser (latest Firefox) and my virus protection has not thrown up a flag either. Maybe you caught it in before it was able to completely take over and it is only half Borg-ified.
I haven’t done anything yet, so I don’t know how I could have stopped anything. I just don’t know how to even go about it. The posts somehow create subpages for each post and those subpages have all been “infected” as…
Whoa, wait a minute. I wonder if earlier pages have that code in them….
(Going to download a few of them and take a look at the code….)
I do see that others are suffering from the same bad code recently:
http://www.getafreelancer.com/projects/Website-Security-Wordpress/Get-rid-virus-worm-Wordpress.html
Not sure what their solution was though. Still looking…
http://www.mistersoft.org/freelancing/getafreelancer/2009/12/Website-Security-Wordpress-Get-rid-of-virus-worm-on-my-Wordpress-blog-nbsp-579718.html
No solution yet, but check back there as there might eventually be one.
This might be related to your problem.
http://www.downloadtube.com/blog/2008/09/12/a-new-powerful-virus-could-affect-millions-of-wordpress-blogs/
You, my dear, are a priceless gem. I’m looking into the suggested security critturs before I go to bed.
At least it’s cheap software and not viagra being offered!
Contact WordPress? They should be able to tell you whether users are at risk. (I’m getting no warnings from my antivirus, either.) And WordPress ought to be able to tell you what steps to take to clean things up–or they could just fix things themselves, if necessary. After all, isn’t it their security that’s been breached?
They’re constantly creating security patches. It’s as bad as IE! It’s such a widely used format, it’s a prime target for the Ickies-at-large.
I’m going to see about cleaning that code out.
My web site delivered to IE (and sometimes Firefox) users a message that it was a “dangerous” site. My solution: Chenge my password on my host server and re-upload EVERYTHING from my hard drive. It was the host’s copy that was corrupt, not mine. So when I looked at mine it was fine.
Such fun.
I was sorry to hear of your loss.
I actually do everything online. Probably not the smartest, considering this newest twist. But that means I don’t have a copy on my HD. There are backup programs. Think I’m going to start making a regular thing of it.
And Lynn made a backup before upgrading wordpress…
Hmmm…Definitely time to see how old this problem is.
Everything seems fine from here (IE8).
I had some odd message earlier today before I came here that said my computer had been hacked and to ‘click here’ to fix it. Naturally I didn’t, and Norton popped up and said something was trying to hack my machine.
Don’t get why people find screwing stuff up for others so entertaining. What Sweetbo said re: borgs
I’m using the Chrome browser and all is good. I’m betting you triumphed over the hackers already
I can see the weird links and the suspect Javascript in your code, but I think it’s not likely that you have been hacked.
It’s a lot more likely that you have installed a WordPress plugin or widget that already had this code in it.
(Anyway the good news is that the suspect code is not working and not doing any harm.)
One way to find out which plugin it is would be to search within all the files belonging to your plugins for some of the suspect text.
But the easiest solution is going to be to disable each of your plugins one by one, reloading your site in your browser and checking the source code, until the suspect code disappears. Then you will know which plugin it is and you can remove it, and enable the other plugins again.
I thought about that but hadn’t thought about disabling them to track it down. Honestly..I haven’t actually thought too much about it. I was editing when I got the email that alerted it to me and then I tossed it out to you folks to see if you had any bright ideas…which you did!
Thanks to you all!!!!!
Do you create your page via a program or online? If it’s a program, removing the script should be fairly easy. As long as you can access your pages’ folder, it’s doable.
If it’s online … yeek! Though I’m sure somebody here is wiz enough to know how to fix it.
I wish I understood code more — because there is definitely links on your page — I just don’t SEE them. But if I put “Adobe Premiere” under search/find in Firefox, it stops at several places on your page, indicating that the word is there.
Sheesh. Very sorry for this.
Online. Which doesn’t mean I can’t backup to my desktop and just go in page by page and clean it up with a text editor. But that’s…oh, my gawd…so many pages involved! And I don’t know when and how that code is manifesting throughout the site.
Well…I’ll work it out. At least it doesn’t seem to be particularly harmful…that’s my biggest concern. And it does seem odd for a hacker to leave such a clear trail! It’s just…weird.
Well…I’m going code hunting.
Thanks all!
Jane, one of the reasons I run a webserver with a bunch of wikis and blogs is that it allows me to keep up with what the hackers are currently doing for my security teaching. I’m well locked down right now, and the two major current problems have been constant botnet attacks on the SSH port and hackers trying to sneak through my comment approval queue. You’re running WordPress, so you should be reasonably secure, but you need to follow the principle of least privilege–you can’t trust anyone who posts your site, so minimise your exposure and validate whatever they post.
Basically, you’re seeing an attempt to use your site to increase the search engine ratings of a bunch of grey sites. That’s why you can’t see anything–the crap they installed was for search engines, not humans, to see.