Blog hacked: Phentermine Attack

I’ve not blogged too much lately; however, there were some strange “activities” on my blog…

Today someone warned me in a comment that I have some spam links in the footer, visible only with JavaScript disabled.

I updated WordPress some days ago because I had noticed some spam links in my sidebar, but it seems this wasn’t enough to fix the problem.

Luckily, I’m using Subversion to manage WordPress updates, so I can see what happened to my WordPress install:

? wp-includes/class-mail.php
M 6377 wp-includes/default-filters.php
M 6377 wp-includes/wp-db.php
M 6377 wp-includes/gettext.php
M 6377 wp-includes/pluggable.php
M 6377 xmlrpc.php
M 6377 index.php
M 6377 wp-admin/admin.php
M 6377 wp-admin/index.php

There was a new file, class-mail.php, and the others were modified.
Luckily nothing that a few svn revert commands couldn’t heal 😀

If you want to check whether your blog has the same “guest” links:

  1. disable JavaScript
  2. look at your footer.

If so:

  1. replace those files marked with M
  2. delete class-mail.php
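
The check and cleanup above can be scripted against the Subversion status listing. The following is an added example, not code from the original post: the function name `triage_svn_status` and the REVERT / DELETE? / REVIEW labels are hypothetical, and it assumes that wp-config.php and everything under wp-content/ are legitimate local additions in a WordPress checkout.

```sh
#!/bin/sh
# Added example: triage `svn status` output from a WordPress checkout.
# It reads status lines on stdin, so it also works on saved output.
# Usage from the WordPress root:  svn status | triage_svn_status

triage_svn_status() {
    awk '
    {
        # Column one is the svn item status (M = modified, ? = unversioned).
        # Only that column is examined; other flag columns are assumed blank.
        st = substr($0, 1, 1)
        path = substr($0, 2)
        sub(/^[ \t*]+/, "", path)       # padding / out-of-date marker
        sub(/^[0-9]+[ \t]+/, "", path)  # revision column, as in the listing above
    }
    # Assumption: these are expected local files, not part of the core checkout.
    path == "wp-config.php" || path ~ /^wp-content\// { next }

    # Core file differs from the repository copy: candidate for `svn revert`.
    st == "M" { print "REVERT  " path; found = 1; next }

    # Unversioned PHP file next to core files: core does not ship it,
    # so inspect it and delete it if it is not yours.
    st == "?" && path ~ /\.php$/ { print "DELETE? " path; found = 1; next }

    # Any other unversioned file outside wp-content/ deserves a look.
    st == "?" { print "REVIEW  " path; found = 1; next }

    # Exit status 1 when anything was flagged, so cron or CI can alert on it.
    END { exit found ? 1 : 0 }
    '
}
```

Paths are reported relative to the directory where `svn status` was run, so run it from the WordPress root for the wp-config.php and wp-content/ exclusions to match.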

More info on this exploit: Phentermine attack
This episode shows how useful it is to install/update WordPress with Subversion: Install wordpress with subversion