As a contributing author to a weblog about South Africa’s upcoming World Cup 2010 (see The South Africa Project) I was rather surprised the other day when I went to log in to our Wordpress blog, just to see the following warning in my Web browser:
What does it mean? How can we get this sort of warning from our own site, without ever opening up anything or getting any indication that we’d been hacked or compromised?
Our first reaction was “that’s weird, why would the Web browser be reporting that the site is infected with malware?”
Turns out that modern Web browsers, including Safari and Firefox, actually check in with Google to see if the site has been tagged as having malware. Recall that “malware” is generally spyware or other software that’s installed on your computer because you visit the page, often without your being notified or even being aware it’s happened. Think of a virus that’s disseminated via a Web page. Not good.
The different browsers show this error differently too, by the way.
The warning on the previous page is from Apple’s Safari 4.0 beta. Here’s what Firefox shows you:
I tried Microsoft Internet Explorer, with the phishing controls turned on, and it still didn’t have any warnings or cautions when connecting to the site. Another reason to seriously consider using a third-party Web browser, perhaps.
Anyway, when we dug into it, we quickly found that the site had indeed been compromised and that hackers had inserted bad snippets of code in the header of each page, code that started out like this:
A quick glance at this PHP code shows you that they’re cunning, these hackers. They’ve written their malware and then encoded it, and have the script decode it when invoked (the “base64_decode”). This is so that search engines can’t find it, but fortunately Google is paying attention and is one step ahead of them, correctly flagging that indeed, the site is infected with malware.
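Here is a small Python scanner, added as an example (it is not from the post or from WordPress), that flags lines of the `eval(base64_decode("..."))` shape the post describes and decodes the hidden string so you can see what the obfuscated code actually is. The sample header and its harmless payload are constructed for the example.

```python
import base64
import re

# Constructed sample of a WordPress header.php with an injected snippet in the
# style the post describes. The hidden payload is harmless and made up here.
HIDDEN = base64.b64encode(b'echo "injected marker";').decode()
SAMPLE_HEADER = (
    "<?php\n"
    f'eval(base64_decode("{HIDDEN}"));\n'
    "?>\n"
    "<!DOCTYPE html>\n"
    "<html><head><title><?php wp_title(); ?></title></head>\n"
)

# Matches eval( base64_decode( "..." ) ) with either quote style and optional spaces.
PATTERN = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)


def find_obfuscated_php(source: str) -> list:
    """Return (line_number, decoded_snippet) for every eval(base64_decode(...)) found."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in PATTERN.finditer(line):
            try:
                decoded = base64.b64decode(match.group(1), validate=True)
                text = decoded.decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                text = "<not valid base64>"
            hits.append((lineno, text))
    return hits


def scan_file(path: str) -> list:
    """Scan one PHP file on disk (e.g. a theme's header.php)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_obfuscated_php(fh.read())


if __name__ == "__main__":
    for lineno, text in find_obfuscated_php(SAMPLE_HEADER):
        print(f"line {lineno}: hidden code decodes to {text!r}")
```

Run `scan_file` over every `.php` file in `wp-content/themes` and `wp-content/plugins`; any hit is worth a manual look, since legitimate theme code rarely needs to eval a base64 blob.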
The chap doing the administrative work on the site reported that “we got hacked pretty good. They got in the database as well and changed the passwords. I fixed that, downloaded a clean copy of WordPress and changed FTP & MySQL access.”
We’re still cleaning up the mess, unfortunately, but what I will say is this: if you ever see a warning like we did on a site that you think is clean, stop and immediately call in someone to help you verify that it really is clean, rather than hacked and infected with malware or other unsavory software.
I also encourage you to go read Hardening WordPress, whether you’ve been hacked or not. An ounce of prevention, and all that.