I don’t know about you but I don’t look at my own websites very often. Create a new page or blog post, check it looks OK and move on.
So imagine my surprise and horror when I was checking all my blogs after updating to the latest version of WordPress and discovered that this blog had been well and truly hacked. What was interesting was what the hack did, which is why I’ve decided to share this with the world rather than bury my head in shame.
When you loaded this site, everything looked normal for about 5 seconds and then you were redirected to another site via what looked like a couple of intermediate/proxy servers. When I first spotted this, I was taken to the listing page for a Chinese TV company which rather shook me as it is not as if my blog is mega popular (I wish!).
Given that in a former life I founded and ran a very large UK-based ISP, I’m used to dealing with hacks such as this. So I fired up an FTP client and logged into my hosting account to see what I could see. I wasn’t expecting to find much, in all honesty, as I reckoned that any halfway decent hacker would make sure that the date and time stamp on any changed files was the same as the original so as not to arouse suspicion. Having said that, I have seen instances of what we called “script kiddies” who changed things for fun and didn’t care what traces they left behind. Anyway, as I suspected, nothing obvious.
So then I logged into WordPress and decided to change from the K2 theme (1.08 RC) I was running to the default to see whether the hack was theme related or WordPress core specific. And the site worked, so the finger was pointing at the K2 theme.
Now that I knew I could stop the hack immediately, I put the K2 theme back and had a play with the site. That was when this hack became interesting. If I clicked on a link within a topic (I have Twitter Tools installed so this was easy to do), I was correctly taken to the linked page. I had just reloaded my blog when the phone rang, and when I looked back, I had been redirected to the link I had just chosen. Further testing showed that this hack always redirected the site to the last clicked link. I’ve not seen this before but I thought/think it was rather neat in a sick kind of way.
Anyway, I’ve now upgraded to the latest version of K2 (which was long overdue) and changed the passwords on all my sites as a precaution.
You have been warned!