
Thread: Webhosting Companies And Security Related Attacks

#41 jakebarnes (Hello World; joined Aug 2009; 27 posts)

    Hey, folks, our blog keeps getting hacked every single day:

    http://blog.wpquestions.com/

    We are not on Media Temple. We have a dedicated server from Hostway. We have the newest version of WordPress installed. However, every day, I log into the database and, sure enough, there are new admin-level users, created by some attacker. Sometimes there is only one new admin account, sometimes there are 2. If I log into the WordPress dashboard, then the admin accounts are invisible. I need to log into the database itself, via phpMyAdmin, to see the new admin accounts. I delete them every day, and then the next day there are new ones.

    Any ideas about what is allowing this attack? It is a serious security flaw for WordPress.

    Search for "WPQuestions" on Google and you'll see that the site is full of ads for Cialis:

    http://www.google.com/search?sourcei...pquestions.com


    The attack is similar to what has been described in this thread. If you point your browser at our site, then the site looks normal. It is only the Google bot that sees the ads for Cialis.

#42 jakebarnes (Hello World; joined Aug 2009; 27 posts)

    We have 3 plugins installed:

    Akismet

    FD Feedburner Plugin

    Twitter Tools

#43 jakebarnes (Hello World; joined Aug 2009; 27 posts)

    Quote, originally posted by Otto:
        When you can show that it's a WordPress problem, fine. If not, there's no reason to get people worked up over nothing.

    I can assure you that we are facing a WordPress attack. We have about 20 different websites running on our server, which we rent from Hostway. It is the WordPress sites that are getting hacked. The non-WordPress sites are not being hacked.

#44 jakebarnes (Hello World; joined Aug 2009; 27 posts)

    I ran this:

    Code:
    find -name '*.php' | xargs fgrep -i 'eval(base64_decode'

    Got this:

    Code:
    fgrep: ./wp-admin/includes/arCio: No such file or directory
    fgrep: admin.php: No such file or directory
    fgrep: ./wp-content/themes/classic/ObGMlej: No such file or directory
    fgrep: comments-popupNu.php: No such file or directory
    fgrep: ./wp-includes/js/codepress/languages/arCio: No such file or directory
    fgrep: asp_old.php: No such file or directory
    fgrep: ./wp-includes/js/jcrop/ObGMlej: No such file or directory
    fgrep: Jcrop_bak.php: No such file or directory
    fgrep: ./wp-includes/js/jcrop/UdtWTSH: No such file or directory
    fgrep: JcropDA.php: No such file or directory
    fgrep: ./wp-includes/js/tinymce/plugins/spellchecker/includes/ycGqh: No such file or directory
    fgrep: general.php: No such file or directory
    fgrep: ./wp-includes/js/tinymce/plugins/wpeditimage/ycGqh: No such file or directory
    fgrep: editimage_bak.php: No such file or directory
    fgrep: ./wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/IEqnZz: No such file or directory
    fgrep: butt2_bak.php: No such file or directory
    fgrep: ./wp-includes/js/tinymce/themes/advanced/UdtWTSH: No such file or directory
    fgrep: about_bak.php: No such file or directory

#45 andrea_r (WPTavern Forum Moderator; Eastern Canada; joined Jan 2009; 1,279 posts)

    Quote:
        /wp-content/themes/classic/ObGMlej

    Why is it returning results for all those weird directories?

#46 Jeffro (WPTavern Forum Admin; Ohio; joined Jan 2009; 2,107 posts)

    Ouch. Looks like you're going to have to salvage what you can that is hack free and nuke the sites, then start over.

#47 kgraeme (Hello World; joined Jan 2010; 22 posts)

    The poisoned Google search results, as well as the attack on WordPress files, make me think it may be a variant of Gumblar.

    Gumblar works by infecting your desktop PC, often through PDF and Flash exploits*, scanning for known web files (including WordPress files) and modifying them by inserting its payload; you then inadvertently upload the corrupted files to your own server.

    http://www.pcantivirusreviews.com/up...rculating.html
    http://blog.unmaskparasites.com/2009...lex-php-sites/
    http://blog.unmaskparasites.com/2009...jected-script/
    http://blog.unmaskparasites.com/2009...mblar-zombies/

    Remember that even though some of the specifics may not match up with your case exactly, the authors of these attacks are constantly updating their code to avoid easy identification and detection. For instance, they have switched from using gumblar.cn as the botnet host to martuz.cn.
    http://news.cnet.com/8301-1009_3-10244529-83.html

    http://www.kaspersky.com/news?id=207576044

    * I had a system get a different exploit delivered by an exploited Flash ad on an otherwise reputable site.

#48 jakebarnes (Hello World; joined Aug 2009; 27 posts)

    Quote, originally posted by kgraeme:
        Gumblar works by infecting your desktop PC, often through PDF and Flash exploits*, scanning for known web files (including WordPress files) and modifying them by inserting its payload; you then inadvertently upload the corrupted files to your own server.

        * I had a system get a different exploit delivered by an exploited Flash ad on an otherwise reputable site.

    That is interesting and I will look into it. But I am not sure that applies to us. I work on a Linux machine and Darren works on a Mac. We rarely use Windows machines. But I will look into it.

#49 jakebarnes (Hello World; joined Aug 2009; 27 posts)

    Quote, originally posted by andrea_r:
        Why is it returning results for all those weird directories?

    Andrea, I think that is the big question.
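The "weird directories" in post #44 and the question in #45 and #49 have a mundane explanation that is worth seeing run: `xargs` splits the output of `find` on whitespace, so a file called `ObGMlej comments-popupNu.php` arrives at `fgrep` as two separate arguments, `.../ObGMlej` and `comments-popupNu.php`, neither of which exists. That is exactly the paired error lines in the thread, and it means the files that were planted with a space in their name were never scanned at all. The script below is an added example, not code from the thread or from WordPress: it builds a throwaway tree with two constructed files of that shape (the directory names and the base64 strings are made up), reproduces the failure, and shows the null-delimited scan that finds them, plus a separate listing of whitespace-containing names, which a stock WordPress core tree does not have.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the fgrep errors shown
# in post #44 on a constructed directory tree and shows the scan that does not
# have the problem. Every path and file body below is made up for the demo;
# none of it is from the original server.

set -u

# Build a throwaway tree shaped like a WordPress install. Two planted files
# carry a space in their name (random-looking token + space + .php name, the
# same shape as the errors in the thread); one file is clean.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/classic" "$root/wp-includes/js/jcrop"
    printf '<?php eval(base64_decode("aGVsbG8="));\n' \
        > "$root/wp-content/themes/classic/ObGMlej comments-popupNu.php"
    printf '<?php eval(base64_decode("d29ybGQ="));\n' \
        > "$root/wp-includes/js/jcrop/UdtWTSH JcropDA.php"
    printf '<?php echo "ok";\n' > "$root/wp-includes/js/jcrop/index.php"
    printf '%s\n' "$root"
}

# The pipeline from the thread (grep -F is fgrep). xargs splits its input on
# whitespace, so "ObGMlej comments-popupNu.php" reaches grep as two arguments,
# neither of which exists: grep reports "No such file or directory" for each
# half and the infected file is never read. Prints the number of matching
# files, which is 0 here; the errors go to stderr and are discarded.
naive_scan() {
    ( cd "$1" && find . -name '*.php' | xargs grep -Fil 'eval(base64_decode' 2>/dev/null ) \
        | wc -l | tr -d ' '
}

# Null-delimited version: every path is one argument, whatever it contains.
# POSIX alternative without xargs: find . -name '*.php' -exec grep -Fil PATTERN {} +
# Prints the number of matching files, 2 here.
safe_scan() {
    ( cd "$1" && find . -name '*.php' -print0 | xargs -0 grep -Fil 'eval(base64_decode' ) \
        | wc -l | tr -d ' '
}

# Separate triage: count paths whose names contain whitespace. A stock
# WordPress core tree has none, so the "weird directories" in the errors are
# a lead on their own, independent of what the files contain.
odd_names() {
    ( cd "$1" && find . -name '* *' ) | wc -l | tr -d ' '
}

# Stand-alone run: build the tree, compare the two scans, clean up.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_fixture)
    echo "naive_scan found:      $(naive_scan "$tree")"
    echo "safe_scan found:       $(safe_scan "$tree")"
    echo "names with whitespace: $(odd_names "$tree")"
    ( cd "$tree" && find . -name '* *' )
    rm -rf "$tree"
fi
```

Run it as `sh scan_demo.sh --demo` (file name is arbitrary). On the real server, `find . -name '* *'` under the document root gives the list of planted files directly from the names alone, and `find . -name '*.php' -print0 | xargs -0 grep -Fil 'eval(base64_decode'` is the scan that actually reads them. Either way, an error from `fgrep` about a path is not evidence that the path was scanned; it is evidence that it was not.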

#50 jakebarnes (Hello World; joined Aug 2009; 27 posts)

    Quote, originally posted by Jeffro:
        Ouch. Looks like you're going to have to salvage what you can that is hack free and nuke the sites, then start over.

    Yes, but where is the patch? I do not mind deleting all files, and re-installing WordPress, plus Darren's theme, but since I do not know the attack vector, it seems to me the attacker could just break into the site again.

    We had version 2.9.1 of WordPress installed. I just upgraded to 2.9.2. Does anyone know what that upgrade was for? Did it fix security flaws?

    I am sort of waiting for Automattic to say "There was a new attack going around but now we have fixed it."
