WordPress PHP injection?

I just found a creepy case of injection in my index.php file. I noticed this morning that my homepage was throwing a “headers already sent” message pointing to index.php, line 10 when it wasn’t cached by Supercache. A reload of the page cleaned it up. But my RSS feed (which currently goes through Feedburner) was also trashed, and /feed wasn’t redirecting. All with the same error. Disabling Supercache fixed the homepage warning, but not the feed.

Being PHP awesome, I checked index.php for trailing whitespace, and found this snippet of code above the standard WordPress code:


That’s a problem. That forum file is, as you might expect, a crap ton of links and some JavaScript.

A few things to note:

  1. My SSH/bash history is complete and untouched. That is, I can see back for weeks, and all the commands are mine. So it doesn’t seem to be that sort of break-in.
  2. I just upgraded to WP 2.9.2 yesterday through the admin console. Likely culprit? Probably.

Can’t say for sure what it was, since I didn’t do more than a cursory check after I upgraded. The homepage would have been cached, so I wouldn’t have seen the warning there.

I suppose I should report this.

  • This is why I’m not migrating to WordPress or MovableType: they’re just huge targets and neither has a great security track record…

    You might try chmodding the various “core” WordPress files as non-writable. I suspect that the mode of attack was via an injection somewhere and that would require that they at least change it to be writable first (which may be outside their ability to do). The best thing would be to have all of the files owned by someone other than the webserver user, but I suspect that might make the various dynamic editing features not work.

    • Yeah, I’m going to start looking for an alternative, especially if I can get away from an older PHP-based system into something with a cleaner codebase.
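
The permission advice in the comment above, as an added example that is not part of the original post or comments: bash functions that list PHP files that group or other users can write to, list PHP files owned by a given account, and strip the write bits. The function names, the web root path and the web server account passed in are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Function names are hypothetical;
# pass your own web root, e.g. ~/example.com (assumed path).

# Print PHP files under $1 that group or other users can write to.
list_loose_php() {
    find "$1" -type f -name '*.php' \( -perm -020 -o -perm -002 \) -print | sort
}

# Print PHP files under $1 owned by user $2 (name or numeric uid).
# If $2 is the account PHP runs as, injected code can chmod the files
# writable again, so removing write bits alone only slows it down.
list_owned_by() {
    find "$1" -type f -name '*.php' -user "$2" -print | sort
}

# Print PHP files under $1 modified within the last $2 days, to see what
# else changed around the time index.php did.
list_recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" -print | sort
}

# Remove write permission for owner, group and others on every PHP file
# under $1. Updates and theme editing through the admin console will fail
# until write access is restored.
lock_php() {
    find "$1" -type f -name '*.php' -exec chmod a-w {} +
}
```

Run `list_owned_by` with the account your host executes PHP as; on shared hosting that is often your own login, which is the case the comment warns about.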

  • Andrew C

    We just found the same PHP injection in our Joomla site, along with a couple other injections.

    • Are you on Dreamhost? I now suspect the problem is with them, but I’m still gathering evidence for that. Greg (who’s been hit 3 times) and I have done a big cleanup of our accounts to make sure that there aren’t any old versions of software hanging around, or unknown scripts.

      If it happens again, it’ll be pretty clear the issue isn’t on our end.

  • Andrew C

    Nope, we’re not on Dreamhost. We are on a small ISP, but we have upgraded Joomla several times, so we are going to delete all our files and start over with a fresh install of Joomla, plus change all passwords.

    • Andrew, make sure to check your database for injections, too, just in case. If a backdoor is left open, it’ll just keep happening.

  • Kamal

    Same code was injected in my index.php I coded myself; I’m not using WP, but I’m on Dreamhost too!!
    Any ideas?

    • Kamal, definitely make sure you’ve changed all your SSH passwords, disabled FTP (only allow SFTP), and enabled the enhanced security. Check your Bash history and see if someone’s been running commands.

      If it happens again, contact support and let them know when the first one happened and when the second one happened. It could be that they had a leak on their end.