Some weeks ago, I received a message telling me that my website had been hacked, with a link to PHP script that was indeed stored in my server. The email was quite polite, trying to fake a real warning from a benevolent user:
It appears your server has been hacked. the following link, for example, used to redirect to rogue antispyware: [LINK REMOVED] don't click on the link unless you're on Linux or you really know what you're doing, because it may redirect to a malicious site. right now it's just redirecting to CNN's web site. you probably want to get rid of this page and get your server cleaned up ASAP. just giving you a heads up. thanks.
I reviewed all the contents in my server, and I found several other
PHP scripts, that were different, and several subdirectories named
.files that contained HTML pages with links to similar PHP scripts
stored in other sites.
The script was a base-64 encoded. I decoded it using a Python script,
and the decoded script was encoded using a naive encrypting algorithm
that shifts the positions of the characters. I again decoded that
using another Python script, and I finally obtained what the malicious script did. It turns out that the script randomly crawled the URLs of
other attacked sites connecting to the machine at 22.214.171.124,, and
it generated all the files that were stored in the
The IP belonged to an ISP called The Planet.com. The site hosted there seems to belong to a Russian guy. I reported the incident to the abuse contact address of the ISP, but I never got a reply.
I also noted that all the lines ended in
\r\n, so the attacker is a
Mac Windows user. I gathered some other scripts randomly, and the scripts gave
the attacker control to upload and modify files in the hosted
machine. It could also query Wordpress databases in the host, what
gave me a hint about how the attacker managed to upload files to my
I had an old Wordpress installation, and it seems that there is a bug that let anyone from the web to register and inject shell script code. I removed a couple of users from all the Wordpress installations that I had, and disabled the possibility of registering new users. Actually I have dropped Wordpress and I using Jekyll and Emacs Org-Mode for this blog.
From my site, I have recovered a list of 53 sites that have been also
attacked, and that have probably not yet cleaned. I am also publishing
here a list of the addresses of these sites, together with the name of
the malicious PHP script (without the
.php extension) that is stored
in the site (first and second columns of the text file,
respectively). If your site is included in the previous listings,
check that the scripts included in the second listing exist, and if
they do, remove all the PHP scripts that you are sure you did not
upload (you can also check that the suspicious scripts are encoded),
and look for directories named
.files; remove all those directories.
And finally, keep your Wordpress always up to date; or even better, drop it and change to another solution. It seems that Wordpress is pretty much a Gruyère cheese.