One of my sites got hacked. How?
- My spouse tried out a number of WordPress themes while setting up their blog a year or two ago.
- One of them contained something called timthumb.php, which just this August was found to have a great big security vulnerability.
- Someone exploited this vulnerability, probably by scanning for every possible theme that contained it and put a cracker console in the cache directory of that theme.
- They used this console to find and edit every .htaccess on that user account to include a some malicious code. (This was several sites, because I was lazy.)
- It redirected to a quite nasty URL whenever a referrer from a longish list of search engines was seen.
So that’s not terribly nice. I take some small comfort in knowing that at least I have a lot of company. Also, I feel validated in moving off WordPress.
The cracker console was actually quite interesting. If you’re curious, you can see it on this gist, slightly expanded for readability (or just a screenshot).
It was obfuscated by being a big string that ran through preg_replace using the e flag, which executes the result. Yes, this is a genuinely insane feature. That turned some unicode-escaped characters at the beginning into eval(, which revealed the rest of the huge string to be a base64 encoded gzipped blob of source code.
The lesson I’m taking from this is: security is hard to enforce when themes that non-technical people are expected to use can contain executable code. Or even technical people… I wouldn’t have caught that if I’d been looking for a WordPress theme.