Oct 28 2010

When You Are 64

Category: WordPressChrisM @ 1:36 am

A little over six months ago the server that this site is hosted on was hacked. I still don’t know how they got in (it is likely that someone else on the same server had an outdated version of some software installed, and once in the hacker somehow gained root access), but once a friend alerted me to the presence of malware links, the fingerprints of the hack were clearly traceable on almost all the PHP files in use across all my sites.
One of the tricks such hacks use is to encode their urls in Base64, hiding in the theme files for your WordPress installation, meaning a simple text search for the url won’t work. Go and google or wiki for more info on Base64, but King Of Flibbles could be encoded to c3RlaW5lciBiaW5vY3VsYXJz … not very easy to read, nor to pick up with a cursory scan of the source code.
This is where you either need to learn to read Base64, if you have shell access you can grep the files for Base64 references, or simply install something like the TAC (Theme Authenticity Checker) plug-in. Whether you are installing a new theme for the first time, and therefore want to check it before activating, or suspect you may have been hacked and want to check all the theme files are still OK, the plug-in will do all the hard work for you. It also lets you know just how many (normally formed) static links there are in the theme, you can easily tell if it has been stuffed full of SEO sapping links.

Tags: ,