Anatomy of a blog hack
November 15th, 2009

While WordPress is great software, its ubiquity means that a lot of script-kiddies and general hackers like to attack it. All of the different settings, options, plugins and the rest mean that it takes quite a bit of work to balance letting people participate (through comments, postings) while keeping spammers and hackers out.
About a year and a half ago, my blog was hacked. I was notified of it by Google’s webmaster tools, and it took quite a while to go through all the different files to find the offending code and strip it out. It ended up being located in a number of different places, so it took a few go-throughs re-submitting the site to Google before the hack-detection software declared it clean.
I was always a little worried that I hadn’t gotten it all. Recently, I came across a great couple of blog posts that I highly recommend:
- This is a good general description of why you need to be worried and links to a couple of tools you can use.
- This is a link to a WordPress plugin called “Exploit Scanner.” I uploaded it to this blog and found a number of files that were clearly hacker-installed. I’ve since un-installed them, but want to post some things to help anyone else that might face the same situation in the future.
———————-
Files that were uploaded:
fx_akismet.php
fx_blogger.php
fx_I10n.php
fx_menu.php
fx_wp-config.php
fx_wp-db-backup.php
… and a folder of 70 html files and a javascript file meant to steal Google PageRank
All the php files were nearly identical. Here’s the code:
I don’t code in php, so I don’t really know what this says, but hopefully it might be useful to anyone afflicted by the same script.
I highly recommend if any of you have WordPress blogs to take these same steps to see if you’ve been hacked.
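As an added example (not code from the original post and not the Exploit Scanner plugin’s own rules), here is a small Python script that walks a WordPress install and flags the two things the post and its commenters describe: copies of core file names carrying the fx_ prefix, and PHP that eval()s posted data, saves an uploaded file outside the WordPress API, or echoes MD5-hashed status tokens. The indicator regexes are my assumptions about what such code looks like, and the sample directory tree it builds is constructed for the demonstration; a real run would point it at the site’s document root.

```python
"""Heuristic scan of a WordPress tree for uploader/eval backdoor files.

Added example for the post above; the indicator patterns are assumptions,
not rules taken from the Exploit Scanner plugin.
"""
import os
import re
import tempfile

# Content indicators, following the commenters' description of the dropped
# scripts: a posted password, a file that is saved or eval()'d, and an
# MD5-hashed success/fail token echoed back for a bot to read.
INDICATORS = {
    "eval_of_request_data": re.compile(r"eval\s*\([^;]*\$_(POST|GET|REQUEST|FILES)"),
    "raw_file_upload": re.compile(r"move_uploaded_file\s*\("),
    "decoded_eval": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    "md5_status_token": re.compile(r"echo\s+md5\s*\("),
}

# File-name pattern seen in the post: core file names prefixed with fx_.
SUSPICIOUS_NAME = re.compile(r"^fx_.*\.php$")


def scan_file(path):
    """Return the list of indicator labels that match one file (empty if clean)."""
    reasons = []
    name = os.path.basename(path)
    if SUSPICIOUS_NAME.match(name):
        reasons.append("suspicious_fx_prefix")
    if name.endswith(".php"):
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for label, pattern in INDICATORS.items():
            if pattern.search(text):
                reasons.append(label)
    return reasons


def scan_tree(root):
    """Walk root and return sorted (relative_path, [reasons]) for flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            reasons = scan_file(path)
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


# Constructed sample content. The "backdoor" file is a non-runnable fragment
# with placeholders; it only carries the strings the scanner looks for.
_CLEAN_PLUGIN = "<?php\nfunction akismet_init() {\n    add_action('init', 'akismet_setup');\n}\n"
_CLEAN_CORE = "<?php\nfunction __($text, $domain = 'default') {\n    return translate($text, $domain);\n}\n"
_BACKDOOR_FRAGMENT = (
    "<?php\n"
    "// constructed indicator-bearing fragment for the scanner demo; not a working script\n"
    "if (isset($_POST['pw'])) {\n"
    "    move_uploaded_file(PLACEHOLDER_SRC, PLACEHOLDER_DST);\n"
    "    eval($_POST['code']);\n"
    "    echo md5('save_ok');\n"
    "}\n"
)


def build_sample_tree():
    """Create a throwaway WordPress-like tree with one planted file; return its root."""
    root = tempfile.mkdtemp(prefix="wp_scan_demo_")
    layout = {
        "wp-content/plugins/akismet/akismet.php": _CLEAN_PLUGIN,
        "wp-includes/l10n.php": _CLEAN_CORE,
        "wp-includes/fx_menu.php": _BACKDOOR_FRAGMENT,
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Usage: python scan.py  (demo tree), or call scan_tree("/var/www/html") on a real site.
    for rel, reasons in scan_tree(build_sample_tree()):
        print(f"{rel}: {', '.join(reasons)}")
```

The scan is deliberately a coarse first pass: a hit means “read this file by hand”, and a clean result does not prove the site is clean, since obfuscated droppers can avoid every string listed here. Comparing the tree against a fresh copy of the same WordPress version (any extra or changed file is suspect) is the complementary check.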
November 24th, 2009 at 3:04 am
The code does 2 things (just so you know).
It requires the password the hacker set up to be posted; along with a file – one assumes PHP or Html script.
Then it will either (depending on the options chosen) save the file to the server, or execute code in the file (using eval()).
Then it prints a success / fail.
From the looks of things it looks tailored for use of some sort of bot – because the save_ok/fail/ok text that gets printed is MD5 hashed.
November 24th, 2009 at 4:05 am
The PHP code shown is used to handle a file upload to the server through an html form.
The attacking server mimics a form submission to the PHP code shown, and it tests to see if the file is successfully uploaded. If the test is successful the attacking server can then send down more files.
November 24th, 2009 at 5:56 am
This allows the person who has the password embedded in this file to upload any file they want.