Remove ‘thepinktheme.org’ / ‘rozekleur.com’ from your wordpress blog?

So you’ve been breaking your head why multiple posts on your blog contain a hidden (javascript) link to the domain www.thepinktheme.org?

Example:

<script type="text/javascript" src="http://thepinktheme.info/dfi823hs.js?0.048378094101036107"></script>

You removed all references in your database, and searched your entire wordpress installation, themes and plugins for infected files? Even searched for PHP eval(); functions etc…

And still it’s returning? Look no further, here’s the solution. You or one of the people who has been using your computer, or who has access to your blog and post rights, installed an extension in Mozilla Firefox called ‘pink theme’ (‘roze kleur thema’). It got installed by clicking on malicious Facebook posts.

This extension is adding url’s linking back to the pinktheme.org (and other associated) domains when you add new posts on WordPress.

Remove the extension in Firefox. Remove all references in your WordPress database and start hunting down that user who’s been clicking on obscure Facebook links.

WordPress 3.x

Bij het vernieuwen van mijn hosting en domeinnaam, heb ik mijn WordPress even aangepast naar versie 3. Ook de website van de dochter is bij deze weer up to date. Voor beveiligde fotopagina’s waren er problemen met sommige browsers. Hopelijk zijn deze nu verholpen.

Vanaf WordPress 3.0 is er ook de mogelijkheid om netwerken op te stellen voor multi-user blog. Helaas staat dit nog niet volledig op punt, dus wacht ik nog even af om beide blogs te integreren in dezelfde WordPress-installatie.

Ere wie ere toekomt: WordPress met theme Atahualpa. De header-image is van eigen makelij.

WordPress hacked…

The past three weeks my WordPress blog got hacked two times. As a regular visitor nothing seemed out of the ordinary, but if you searched Google my blog seemed as a the best drugstore in town (Generic cialis – We Always Have The Cheapest Offers In Our Online-Drugstore). Each and everyone of my blog-pages had corrupted html-title tags or title-id’s (only when viewed through search engines!). Thanks to Google Alerts I found out there was something strange going on.

After a lot of searching (nothing mentioned on the web), finally found the problem. Seemed like my WordPress plugins got edited without my knowledge into base64_encoded hidden code which was then parsed with the php eval() function.

This is what it looks like…

@eval(base64_decode("JGFjdD0iaW1nIjsgZ2xvYmFsICRhcnJfdG...")); ?>

I found different entries in the following plugins: wp-spamfree / rss-import / syntaxhighlighter and so on. I changed all passwords to my site (webspace and databases) and deleted the infected files. Many of those files had changed permissions! I found unknown references to *.bak.php files inside the wp_options database table autoloading various scripts.

Fingers crossed that this won’t happen again. I will keep my eyes on Google / Bing and other search engines to see if my site keeps attracting unwanted visitors.

Google Labs was the only place giving me on the fly information of my cleanup-progress. Unfortunately Google Labs has a request limit on a week to week basis. I haven’t found a similar functionality in BING. So if you reach the request limit, you’re out for the next 7 days…

To give your wordpress some additional security you can password protect the wp-admin directory with .htaccess and .passwd.

If your WordPress gets hacked too, leave me a message if you encounter similar problems. I still don’t know how these files got changed in the first place.