Being hacked
WordPress security issue
Yesterday a friend of mine emailed me about my site showing odd numbers in the footer.
After contacting my hosting provider and checking my WordPress files, it turned out that my site had been hacked, exploiting a WordPress breach.
My index.php file had been modified, adding the following malicious PHP code:
    function security_update($buffer)
    {
        $update = '18446744073709551615';
        if (stristr($buffer, '</html') !== FALSE)
        {
            return eregi_replace('</html', $update.'<html', $buffer);
        }
        else
        {
            return $buffer.$update;
        }
    }
This code simply output the string “18446744073709551615” in the site’s footer – I didn’t even notice it.
Removing this code from index.php fixed the problem. Fortunately this didn’t cause any harm to the site’s visitors or to the site itself.
I’ve googled around for some more info and found this forum post, reporting the same issue. The odd thing is this issue is reported to affect WordPress < 2.6.5, while I’m using WordPress 2.7 on my site, which is supposed to fix this security vulnerability.
If you have experienced a similar issue and need help, or if you can share more detailed information, please leave a comment to this post.
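Added example (not part of the original post and not the author's code): a small scanner that walks a WordPress directory and flags PHP files containing the indicators visible in the injected function above. The indicator names, the SAMPLE_INJECTED constant and the function names scan_file and scan_tree are assumptions made for this illustration.

```python
import os
import re
import sys

# Indicators taken from the injected code shown in the post (names are illustrative).
INDICATORS = {
    "function_name": re.compile(r"function\s+security_update\s*\(", re.I),
    "marker_value": re.compile(r"18446744073709551615"),
    "html_close_rewrite": re.compile(r"eregi_replace\s*\(\s*['\"]</html", re.I),
}

# Constructed sample: the injected function from the post, used only for testing the scanner.
SAMPLE_INJECTED = """<?php
function security_update($buffer)
{
$update = '18446744073709551615';
if (stristr($buffer, '</html') !== FALSE)
{
return eregi_replace('</html', $update.'<html', $buffer);
}
}
"""

def scan_file(path):
    """Return [(line_number, indicator_name), ...] for one PHP file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            for name, pattern in INDICATORS.items():
                if pattern.search(line):
                    hits.append((lineno, name))
    return hits

def scan_tree(root):
    """Walk root and map each flagged .php file (path relative to root) to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".php"):
                continue  # the post's injection lived in a PHP file
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report

if __name__ == "__main__":
    for path, hits in sorted(scan_tree(sys.argv[1]).items()):
        print(path, hits)
```

A hit is a lead for manual review, not proof; comparing each core file against a clean copy of the same WordPress release also catches modifications that use different names or values.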
About this entry
You’re currently reading “Being hacked,” an entry on jek2kdotcom
- Posted on: 26.01.2009 @ 1pm
- Categories: WordPress