Thanks to Ryan Ozawa, who led the charge of the geek cavalry to the rescue

He’s The Man!

Ryan was on my short list of people to receive my call for help earlier today when I realized that my attempts to resolve the blog issues of the past few days were just digging me deeper into trouble.

It didn’t take him long after getting my plaintive plea for help to assess the situation, sort through a couple of likely options, and zero in on the likely culprit.

I may not be totally out of the woods yet, but things are definitely moving in the right direction!

Apparently I fell victim to a widespread hack of WordPress sites.

Ryan noted that the feed contained a bunch of gobbledy-gook that included the phrase, “evalbase64_decode”.

This is a tell-tale sign of a hack. Someone’s trying to use your blog to redirect people somewhere else, but hiding the real destination by encoding it. And yes, their target is often your feed or other permalinks.

Evil code had been covertly added into permalinks, making those largely inoperable. Interesting that Macs powered right past the evil code, while Windows stumbled pretty regularly (although not in all cases).

Feeds were also corrupted, although I’m not sure about the mechanism for that. It may just be that they couldn’t swallow that evil code.

Ryan quickly came up with a couple of forum discussions of the issues.

http://wordpress.org/support/topic/297639
http://wordpress.org/support/topic/307518

Following his advice, I checked and found the permalink structure had been altered. I deleted that code and restored the proper links.

Then I deleted the little WordPress plugin that sends requests for feeds to Feedburner, then downloaded and installed a clean copy from the WordPress site.

Finally, I examined the data file of users, and found four recently registered users that appeared suspicious. I deleted those users, just in case. If you find that your user registration disappeared and shouldn’t have, please let me know.

I had already upgraded to the latest WordPress version several days ago while trying to troubleshoot, so that was already accomplished.

Right now, it appears that feeds are working again, although I don’t know yet whether access to comments has been restored.

Now I’m following Ryan’s advice to eyeball other files and try to spot remaining covert code that shouldn’t be there.
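As an added example (not part of the original post or Ryan's advice), the Python sketch below automates the two checks described above: confirming that a permalink structure contains nothing beyond WordPress structure tags, and searching files for the `eval` / `base64_decode` marker. The function names, the file suffix list, the "clean permalink" heuristic and the sample files are all assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Marker named in the post; \W{0,4} also matches the punctuation-stripped
# form "evalbase64_decode" seen in the feed and spaced "eval (base64_decode(".
MARKER = re.compile(r"eval\W{0,4}base64_decode", re.IGNORECASE)
# Standard WordPress permalink structure tags.
KNOWN_TAGS = re.compile(
    r"%(year|monthnum|day|hour|minute|second|post_id|postname|category|author)%")


def is_suspicious(text):
    return bool(MARKER.search(text))


def permalink_is_clean(structure):
    """Assumed heuristic: only known tags plus plain path characters."""
    rest = KNOWN_TAGS.sub("", structure)
    return re.fullmatch(r"[A-Za-z0-9/_.\-]*", rest) is not None


def scan_tree(root, suffixes=(".php", ".js", ".html")):
    """Return sorted (relative_path, line_number) pairs containing the marker."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            lines = path.read_text(errors="replace").splitlines()
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        for n, line in enumerate(lines, 1):
            if is_suspicious(line):
                hits.append((path.relative_to(root).as_posix(), n))
    return sorted(hits)


def demo():
    """Scan a constructed two-file tree; the encoded string is a harmless sample."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "plugins").mkdir()
        (root / "index.php").write_text("<?php\necho 'hello';\n")
        (root / "plugins" / "feed.php").write_text(
            "<?php\n// header\neval(base64_decode('Y29uc3RydWN0ZWQ='));\n")
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

A hit is only a lead for manual review, and a scan with no hits does not show the site is clean, since injected code can be obfuscated in other ways.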

Hopefully this is on the way to being resolved.

If you don’t know Ryan Ozawa, he’s a prolific blogger and intense user who has been leading the way in putting social media to use.