Anatomy of a blog hack

November 15th, 2009

While WordPress is great software, its ubiquity means that a lot of script-kiddies and general hackers like to attack it. All of the different settings, options, plugins and the rest mean that it takes quite a bit of work to balance letting people participate (through comments, postings) while keeping spammers and hackers out.

About a year and a half ago, my blog was hacked. I was notified of it by Google’s webmaster tools, and it took quite a while to go through all the different files to find the offending code and strip it out. It ended up being located in a number of different places, so it took a few go-throughs re-submitting the site to Google before the hack-detection software declared it clean.

I was always a little worried that I hadn’t gotten it all. Recently, I came across a great couple of blog posts that I highly recommend:

———————-

Files that were uploaded:
fx_akismet.php
fx_blogger.php
fx_I10n.php
fx_menu.php
fx_wp-config.php
fx_wp-db-backup.php
… and a folder of 70 html files and a javascript file meant to steal Google PageRank

All the php files were nearly identical. Here’s the code:

I don’t code in PHP, so I don’t really know what this says, but hopefully it might be useful to anyone afflicted by the same script.

I highly recommend if any of you have WordPress blogs to take these same steps to see if you’ve been hacked.

  • http://www.livemeta.net Errant

    The code does 2 things (just so you know).

    It requires the password the hacker set up to be posted; along with a file – one assumes PHP or Html script.

    Then it will either (depending on the options chosen) save the file to the server. Or execute code in the file (using eval()).

    Then it prints a success / fail.

    From the looks of things it looks tailored for use of some sort of bot – because the save_ok/fail/ok text that gets printed is MD5 hashed.

  • garethdp

    The PHP code shown is used to handle a file upload to the server through an html form.

    The attacking server mimics a form submission to the PHP code shown, and it tests to see if the file is successfully uploaded. If the test is successful the attacking server can then send down more files.

  • Mark

    This allows the person who has the password embedded in this file to upload any file they want.
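As an added example (not code from the post or from its commenters), here is a small Python scanner that walks a WordPress install looking for the indicators the post and Errant's comment describe: fx_-prefixed PHP files, request input feeding eval() or a file write, and md5()-hashed status strings. The indicator patterns and the sample files are my own constructions and are assumptions about how such a script looks, not the real dropped files.

```python
import os
import re
import tempfile

# Indicators from the post and comments: dropped files were named fx_*.php, the script took
# a POSTed password plus a file, saved it or eval()'d it, and printed md5()-hashed statuses.
INDICATORS = {
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    "request_input": re.compile(r"\$_(POST|FILES|REQUEST)\b"),
    "file_write": re.compile(r"\b(move_uploaded_file|fwrite|file_put_contents)\s*\(", re.I),
    "hashed_status": re.compile(r"md5\s*\(\s*['\"](save_ok|ok|fail)['\"]\s*\)", re.I),
}
FX_NAME = re.compile(r"^fx_.*\.php$", re.I)

def score_source(path, source):
    # Return the indicators found in one PHP file plus an overall verdict.
    hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
    if FX_NAME.match(os.path.basename(path)):
        hits.append("fx_prefix_name")
    # A lone eval() or a lone $_FILES is common in legitimate code; require both halves.
    core = "request_input" in hits and ("eval_call" in hits or "file_write" in hits)
    return {"file": path, "hits": hits, "suspicious": core or "fx_prefix_name" in hits}

def scan_tree(root):
    # Walk an install and return only the PHP files judged suspicious.
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in (f for f in files if f.lower().endswith(".php")):
            path = os.path.join(dirpath, fn)
            with open(path, "r", errors="replace") as fh:
                result = score_source(path, fh.read())
            if result["suspicious"]:
                findings.append(result)
    return findings

# Constructed samples (assumptions, not the real files). The first carries the described
# indicators but is deliberately not valid PHP; the other two are benign look-alikes.
SAMPLES = {
    "wp-content/fx_akismet.php": "<?php if ($_POST['pw'] != PW) echo md5('fail');\n"
                                 "$body = ...; eval($body); echo md5('ok');",
    "wp-admin/media-upload.php": "<?php wp_handle_upload($_FILES['file']); // benign",
    "wp-includes/class-foo.php": "<?php eval('return 1;'); // eval without request input",
}

def scan_samples(samples=SAMPLES):
    # Materialise the samples in a temp tree, scan it, return suspicious relative paths.
    with tempfile.TemporaryDirectory() as root:
        for rel, src in samples.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(src)
        return sorted(os.path.relpath(f["file"], root) for f in scan_tree(root))
```

Point scan_tree() at the document root of a real install to list candidate files for manual review; a hit is a lead to inspect, not proof of compromise.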