MMM Has Been Hacked… and Fixed!
Evening Update by Mrs. MM: It’s been a long day of researching and looking through everything, but I believe I finally found the culprit hiding in pluggable.php, which was mysteriously updated on Aug 20. Upon viewing the file, it contained a crazy long string of nonsensical garbage, so I updated it with a brand new pluggable.php. This seems to be the only file affected, so hopefully we got the whole thing. Plan B is to do a fresh re-install of WordPress, which might be wise to do anyway. To double check the fix, I ran the site through a fun little utility called Rex Swain’s HTTP Viewer which shows that all looks good and that Google will soon catch on and fix its cache. Luckily both MMM and I are former software developers… Phewf!

Well, Shitty McPants. It looks like some virusy script out on the Internet has hacked into the WordPress system which runs this blog and changed a bunch of obscure php files within.
We looked it up and it’s a common WordPress exploit called the Pharma hack. What happens is that when you look up “mr money mustache” and many other things in the search engines, you will now see a bunch of bullshitty spam stuff about fake pharmaceutical products. The actual site is unaffected for readers – this exploit only changes the results that your website delivers to search engines, as a way of manipulating search engine results in favor of the spammers.
Repairing this damage is not as easy as I had hoped. I changed the passwords for the site and the web server, but there are an infinite number of little files that could contain the fake code that needs to be removed.
If you know any other WordPress bloggers who have found and fixed this problem, please let me know. Meanwhile we will just keep fiddling around here. If I can’t fix it eventually, I may have to take down the whole site, since there’s no sense continuing to use a zombie infected pharmaceutical advertising machine as an ongoing blog platform!
Thanks to reader zero3blur for pointing this out to me this morning.



Mr. Money Mustache is a family man living in the United States who retired from work, relatively wealthy, at about age 30. After several years of retirement, he noticed that his still-working peers were envious of his lifestyle. They were making more money than he ever had, yet they were somehow still broke. So he decided to write this blog to educate the world on how it is done.
I’ve had to clean up a hacked WordPress site before. It can be done. Google “cleaning up WordPress pharma hack” for help. There are some plugins that can help you find the affected files. There may be a lot of them, but not an infinite number. :)
Good luck!
If you need someone to take a look and do some of the cleaning, I’d be game. Shoot me an email.
One of Terry Pratchett’s best characters, Sam Vimes, once noted that “if they’re trying to kill you, you must be doing something right.” The same principle applies here – if they’re trying to hack your site, you must have annoyed some powerful (or just very insecure) people. Keep up the good work. ;)
Thanks for the help everyone – especially Mrs. M. All is well.
Might be a good idea to MD5 hash all the files on the web server. Then if anything comes up again you can just hash them again and compare the hashes. File times can be touch matched so just looking at the date is unreliable.
@DTOM: Unfortunately you cannot trust the hashing function of the website if it has been compromised. Usually the hacker is not smart enough to replace the hash function though.
Personally I use rsync to take a copy of my servers, well aware that rsync on the compromised server might not be the rsync I trust. After taking the backup I use rkhunter, chkrootkit and clamscan to scan the backup for intrusions. So far it has been catching stuff on servers I back up, not administrate.