WordPress Authentication Issue – Or Magic Hack?

Update 081509: The  “Magic” hack had a sleeper cell. See comments below from Xavier and Nichele. I think I fixed the residual problem, and I will write a detailed post documenting what I did. For now, if you’re curious, leave a comment below, and I’ll let you know when documentation is posted.

Update 073109 at 4:30 p.m.: After breathing into a paper bag and learning about the vars.php file, I’m halfway back after my “Magic” hack attack. See the WordPress support forum for details. Yokima rocks!

Original post 073109I have a problem with authentication in one of my WordPress sites. I can log into the dashboard. I can save a post once. But when I try to save the post again or publish it, I get the authentication window seen in the screenshot below. My admin username and password do not work in this window. When I cancel the window, I get a page that says “Access Denied.” So now I cannot publish posts on this WordPress site.

This is the first time I’ve encountered this authentication window in 2 years of managing the site with WordPress. I have not encountered it yet on my other WordPress sites on the same web host.

Is this an issue with WordPress or with the web host, Bluehost?

The authentication window below states: The site says: “Magic” — What does that mean?

Any solutions or suggestions?

This entry was posted in Meta-blog and tagged , , , . Bookmark the permalink.

15 Responses to WordPress Authentication Issue – Or Magic Hack?

  1. Mark Jaquith says:

    It looks like you’re running an older version of WordPress (2.6 or so, judging from the screenshot). To prevent this sort of thing in the future, you should upgrade to the latest version (2.8.2 as of this writing).

  2. Mark Willis says:

    Thanks, Mark. Updating WP is in my future across all my sites. Has anyone identified the point of entry for this hack? A plugin?

  3. Pingback: a blind flaneur » Playing by Ear: John Cage & Marcel Duchamp

  4. rob elamb says:

    (Mark)^2,
    I was on version 2.8.2 and that the injection as well. Looks like it may have come through spam. Luckily, I was paranoid enough to NOT give my username password. I upgraded (which purged all the infected code) and everything is fine. Still need a solution to make it NOT happen again. In the mean time we’ve got to get the word out.

  5. Mark Willis says:

    Thanks, Rob. Any idea how widespread this attack is among WP sites?

  6. Xavier says:

    I encountered this issue and updated to v2.82, the blog seems fine but actually not, there are 500+ outgoing links added at the end of my page, they are invisible but googlebot can see them.

  7. Mark Willis says:

    Thanks for the heads-up, Xavier. I’ll check out Googlebot tools
    http://en.wikipedia.org/wiki/Googlebot

  8. Nichelle says:

    I encountered the issue and all seemed fine after upgrading and removing code from my plugins. However, I discovered additional code added to my footer, deleted it, and more was inserted later. I believe that this is perhaps what Xavier is mentioning?? The added code seems like additional spam-type links. Is this going to affect my google ranking somehow? If you find out how to get rid of this problem, I’d love to know.

    By the way, my vars.php file seemed okay. I also use bluehost. And, I encountered a similar authentication box (which I managed to cancel without entering anything) when using their webmail program. Coincidence? Unsure. Anyway, thanks for posting on this issue!!

  9. Mark Willis says:

    Nichelle,

    I had the same problem with invisible links inserted into the footer. I deleted them from footer.php, and with your warning, I’ll watch to see if they return. I haven’t read the WordPress support forum referenced above in about a week, so I need to get back to it to see what folks are doing now. It’s been the best source of trouble-shooting ideas that I’ve found on this problem.

    Thanks for the tip[ about Bluehost webmail. I don’t use it, butt need to. You might try calling Bluehost support about it, although I;ve had mixed results trying to talk to them.

    I visited your site briefly. Looks great! What is the theme?

    Fight the good fight,
    Mark

  10. Nichelle says:

    Thanks Mark! I did check with Bluehost and was initially told it may be spyware on my computer (but I have a Mac and did a MacScan – nope!) When I responded, I was told that the first technician was incorrect, that the authentication from WebMail was valid – not sure why I could cancel and still reset my password then, however… But anyway, that’s the story. I have been following the thread on wp.org and I think you’ll find my desperate pleas ;) are the last comments at the moment.

    Anyway, thanks for the kind words on the site. The theme is StudioPress’s Church theme (with only cosmetic changes, really) — highly recommend!

    Cheers!
    Nichelle

  11. Almog Koren says:

    Hi I just got this issues I can’t upgrade at this point does anyone know how to solve this also how do I check for hidden links?

    If some can email it would really help out.

    Thanks
    Almog

  12. Nico says:

    I noticed my URL structure has changed also from long file names to page numbers which is crap for SEO.

  13. Pingback: Looking Back (Demurely) Over A Quarter Million Page Views « a blind flaneur

  14. jack says:

    This is a great post. I just enjoyed reading it a lot. Its really interesting and contains a lot of information. Thank you for posting.Please keep up the good work.

  15. hack says:

    thank you very much…

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>