Update 081509: The “Magic” hack had a sleeper cell. See comments below from Xavier and Nichele. I think I fixed the residual problem, and I will write a detailed post documenting what I did. For now, if you’re curious, leave a comment below, and I’ll let you know when documentation is posted.
Update 073109 at 4:30 p.m.: After breathing into a paper bag and learning about the vars.php file, I’m halfway back after my “Magic” hack attack. See the WordPress support forum for details. Yokima rocks!
Original post 073109: I have a problem with authentication in one of my WordPress sites. I can log into the dashboard. I can save a post once. But when I try to save the post again or publish it, I get the authentication window seen in the screenshot below. My admin username and password do not work in this window. When I cancel the window, I get a page that says “Access Denied.” So now I cannot publish posts on this WordPress site.
This is the first time I’ve encountered this authentication window in 2 years of managing the site with WordPress. I have not encountered it yet on my other WordPress sites on the same web host.
Is this an issue with WordPress or with the web host, Bluehost?
The authentication window below states: The site says: “Magic” — What does that mean?
Any solutions or suggestions?

It looks like you’re running an older version of WordPress (2.6 or so, judging from the screenshot). To prevent this sort of thing in the future, you should upgrade to the latest version (2.8.2 as of this writing).
Thanks, Mark. Updating WP is in my future across all my sites. Has anyone identified the point of entry for this hack? A plugin?
(Mark)^2,
I was on version 2.8.2 and had the injection as well. Looks like it may have come through spam. Luckily, I was paranoid enough to NOT give my username and password. I upgraded (which purged all the infected code) and everything is fine. Still need a solution to make it NOT happen again. In the meantime we’ve got to get the word out.
Thanks, Rob. Any idea how widespread this attack is among WP sites?
I encountered this issue and updated to v2.82, the blog seems fine but actually not, there are 500+ outgoing links added at the end of my page, they are invisible but googlebot can see them.
Thanks for the heads-up, Xavier. I’ll check out Googlebot tools
http://en.wikipedia.org/wiki/Googlebot
I encountered the issue and all seemed fine after upgrading and removing code from my plugins. However, I discovered additional code added to my footer, deleted it, and more was inserted later. I believe that this is perhaps what Xavier is mentioning?? The added code seems like additional spam-type links. Is this going to affect my google ranking somehow? If you find out how to get rid of this problem, I’d love to know.
By the way, my vars.php file seemed okay. I also use bluehost. And, I encountered a similar authentication box (which I managed to cancel without entering anything) when using their webmail program. Coincidence? Unsure. Anyway, thanks for posting on this issue!!
Nichelle,
I had the same problem with invisible links inserted into the footer. I deleted them from footer.php, and with your warning, I’ll watch to see if they return. I haven’t read the WordPress support forum referenced above in about a week, so I need to get back to it to see what folks are doing now. It’s been the best source of trouble-shooting ideas that I’ve found on this problem.
Thanks for the tip about Bluehost webmail. I don’t use it, but need to. You might try calling Bluehost support about it, although I’ve had mixed results trying to talk to them.
I visited your site briefly. Looks great! What is the theme?
Fight the good fight,
Mark
Thanks Mark! I did check with Bluehost and was initially told it may be spyware on my computer (but I have a Mac and did a MacScan – nope!) When I responded, I was told that the first technician was incorrect, that the authentication from WebMail was valid – not sure why I could cancel and still reset my password then, however… But anyway, that’s the story. I have been following the thread on wp.org and I think you’ll find my desperate pleas are the last comments at the moment.
Anyway, thanks for the kind words on the site. The theme is StudioPress’s Church theme (with only cosmetic changes, really) — highly recommend!
Cheers!
Nichelle
Hi, I just got this issue. I can’t upgrade at this point. Does anyone know how to solve this? Also, how do I check for hidden links?
If someone can email, it would really help out.
Thanks
Almog
I noticed my URL structure has changed also from long file names to page numbers which is crap for SEO.
This is a great post. I just enjoyed reading it a lot. It’s really interesting and contains a lot of information. Thank you for posting. Please keep up the good work.
thank you very much…