Page 1 of 3 (posts 1 to 10 of 26)

Thread: The Pharma Hack

#1 WPblogger

    Since the 0-day thread sort of morphed into a thread about all sorts of hacks I thought I'd try to start a fresh discussion on just the "pharma hack".

    Chris Pearson published a guide on how to find & fix the hack today, but as far as I know, no one knows where the vulnerability is.

And what's worse is that it's still spreading. I've found a few Google queries that are bringing up results that are almost completely full of WP sites that have been hit, and unfortunately the number of results for these queries is growing rapidly.

    There's this one (that's grown over 200k since yesterday): http://kl.am/aFY8

    This one that I just found today: http://kl.am/aFXS

    This one (that's quite a bit smaller than the other two): http://kl.am/aFYl

    And I'm still looking for more. Obviously whatever the vulnerability is, this is a major deal for a LOT of WP users, many of whom are probably clueless that they've been hit.

    I haven't found any common threads among the sites in terms of hosting providers, themes, or plugins. I've passed along log files to Mark J & a couple of others but so far, still no smoking gun on how they got in.

    I'm no security expert but it seems like with this many data points to work with, we'd be able to find something.

#2 Ipstenu

    The Chris Pearson article in question: http://www.pearsonified.com/2010/04/...harma-hack.php

Having read that now, he's wrong about 'ftp_credentials' being 'rogue database entries'. If you've ever entered your server info in the upgrade panel, you probably have it saved - mine has my server ftp.ipstenu.org and ID ipstenu but no passwords... which I think you could have guessed were my server and ID anyway ;)

    Given the nature of the hack (files added etc) it looks to me like a clear-cut case of someone scoping out server credentials and using a rather brilliant way of screwing your site up. And yeah, I totally think this hack is brilliant. It's wrong and evil, but totally genius in a way that 0-Day (or maybe we should call that 0-NetSol?) wasn't.
    Last edited by Ipstenu; 04-15-2010 at 08:32 PM.

#3 andrea_r

He's badly worded the post about the rogue database entries. While the fields are legit, they *did* have hacked data in them.

    The way he wrote it in the post wasn't exactly clear. (I checked with him directly.)

And I'm betting his ftp credentials were lifted. Not within WP, but he said it happened when he ftp'ed his stuff to a new site. Other people who have had similar hacks (though not as brilliant as this one) also had their ftp passwords lifted.

#4 Ipstenu

    Other than the rss ones (well and the ftp_credentials) I don't even see anything with those other db entries.

    But to get DB access implies they have your server login/password OR your wp-config.php info which brings us back to 0-NetSol, doesn't it? Or am I just not caffeinated enough?

#5 andrea_r

#6 WPblogger

Quote Originally Posted by Ipstenu:
> Other than the rss ones (well and the ftp_credentials) I don't even see anything with those other db entries.
>
> But to get DB access implies they have your server login/password OR your wp-config.php info which brings us back to 0-NetSol, doesn't it? Or am I just not caffeinated enough?
    I'm sorry to be dense but I'm fairly ignorant on security issues so I'll probably be asking a lot of stupid questions like this.

When you say it brings us back to 0-NetSol, are you saying it's the same root vulnerability as the NetSol hack?

    As a disclaimer, I'm a NetSol employee but I do SEO for the company and have no knowledge of what the issues were etc.

    In looking at these sites that have been hit with the pharma hack, they're hosted across a wide array of web hosts and servers. They're most definitely not all NetSol hosted.

    As far as I can tell, they're not even all on shared hosts.

#7 Ipstenu

    WPblogger, no worries

    I'm saying that the vulnerabilities we presumed to be the root cause for the Network Solutions fiasco would be the same to cause this hack. Basically, both this hack and the one that nailed your employer can really only be performed if your server is insecure.

    Server security is a tripod.

1. The ISP is responsible for making sure the server itself is up to date with the latest patches etc, and that the server is configured in a safe way.
2. Web-apps are responsible for not unleashing needless insecurities to the system.
3. The end-user: we pray to the Flying Spaghetti Monster that they've not done something to violate security out of ignorance.


    The 'flaw' in WordPress is an accepted inherent risk of most PHP/SQL webapps, in that for the SQL DB to be read, the password to that database must be kept in clear text (i.e. not encrypted). This is in the wp-config.php file.

The users can run into problems with this by having their wp-config.php file set so that anyone can read it (bad permissions - 777 for example). This IS NOT a flaw in the web-app or the ISP, it's just ... well, ignorant (unless the ISP is forcing the file to be 777 to run WordPress, at which point it's their fault, and yes, there's an ISP that does that!). In addition, I know a lot of people who, instead of making a DB user for their blog, will put their server ID and password in that file, which means once it's been read, ANYONE can log into that server as them. I suspect this is done from ignorance as well.

The ISP is responsible for making sure that if Joe User sets his WP config file to 777 and puts his server ID/password in there, the worst he can do is shoot himself in the foot, by preventing him from reading anyone else's user directory. Limit the destruction on a per-user basis. There are a lot of shared hosts out there with lax security policies, which makes this more prevalent than I'd like.

    Hopefully that made sense.

    The Pharma hack seems to be looking for people with wp-config files that can be read, logging into the account as the User, and either adding files that edit the database, or both editing the database and adding the fake plugin files.

    IF you were vulnerable to the 0-Day/NetSol hack (and I'm only using that term because y'all were the big daddy name related to the hack) and you have not fixed the security issues with your wp-config.php file, you're probably at the same risk for this hack.
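The two user-side mistakes the post above describes (a wp-config.php that other accounts on the box can read, and a DB_USER that is really the shell/FTP login) can be checked from the account's own shell. The script below is an added example written for this page, not code from the thread or from WordPress; it assumes a POSIX sh with `ls`, `sed` and `cut`, takes the path to wp-config.php as its first argument, and compares DB_USER against a login name given as the second argument (defaulting to $USER). The file contents in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit one wp-config.php for the two mistakes discussed above.
# Assumptions (mine, not from the original post): POSIX sh; the group/other
# read bits are read from the `ls -ld` mode string so the check is portable
# across GNU and BSD userlands.

# Returns 0 if the file is readable by group or others, 1 if only the owner
# can read it. Position 5 of the mode string is the group read bit,
# position 8 the "other" read bit, e.g. "-rw-r--r--".
wpconfig_world_readable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ????r*|???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the value of define('DB_USER', '...') from the file (first match).
wpconfig_db_user() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]DB_USER['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Runs both checks; prints a WARN line per finding and returns 1 if any fired.
wpconfig_audit() {
    f="$1"; login="${2:-$USER}"; rc=0
    if wpconfig_world_readable "$f"; then
        echo "WARN: $f is readable by other accounts on this host (use chmod 600, or 640 if the web server needs group read)"
        rc=1
    fi
    dbuser=$(wpconfig_db_user "$f")
    if [ -n "$dbuser" ] && [ "$dbuser" = "$login" ]; then
        echo "WARN: DB_USER '$dbuser' is your server login; create a dedicated database user for the blog"
        rc=1
    fi
    return $rc
}

# Usage: sh wpconfig_audit.sh /path/to/wp-config.php [login-name]
if [ $# -gt 0 ]; then
    wpconfig_audit "$@"
fi
```

The permission check only tells you whether other local accounts can read the file; on a shared host whether that actually matters depends on the isolation the provider enforces, which is the "tripod" point made above.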

#8 andrea_r

    ... and a lot of other hacks were going around where really the root cause was someone lifted their FTP passwords.

If I can get in and craftily replace your files via ftp (cuz, well, YOU can, right?) then I can also do all other kinds of things.

    Hmmm, I wonder if Chris decrypted that code and figured out what it did.

#9 WPblogger

If a site being hit with the pharma hack implies that its web host has security issues, it would implicate several web hosting companies including:

    • Media Temple (mentioned in the previous thread)
    • GoDaddy
    • 1 & 1
    • Dream Host
    • NLISP Internet
    • pair Networks
    • In2Net Network
    • HostWay
    • Local Launch
    • 2N+1
    • ServerBeach

And those are just from a few of the sites that I pulled up and verified...

#10 Ipstenu

    Not always.

    A single user on a site being hit by the pharma (or 0-day), does not mean the server is insecure. It means the user account has been compromised.

    An entire shared server being hit by any of those hacks probably is insecure.

    It's a bit of hair splitting, but basically if it's just one person on a server, then they probably screwed up their own security settings and shot themselves in the foot. Get them to change passwords and check file security per http://codex.wordpress.org/Hardening_WordPress STAT! If everyone on the box is getting hit, then something's not right on the server itself, and your security team should stock up on Red Bull.

And in case this got missed, in no way whatsoever am I EVER even considering blaming Network Solutions for ANYTHING (except their initial misrepresentation of the hack being a WordPress-only thing). Like I said, security's a tripod. If the web host did its job, the damage will be limited on a per-user basis.
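The post above says to change passwords and check file security per the Hardening_WordPress page; the earlier description of the hack says the attacker drops fake plugin files or files that edit the database. Below is an added example, not code from the thread or from WordPress, of the file-side part of that check as a single account would run it. My assumptions: POSIX sh and find; the WordPress root is the first argument; "recent" means modified within the last N days (second argument, default 7); and PHP files under wp-content/uploads are treated as findings because that directory should hold media only.

```shell
#!/bin/sh
# Added example: quick per-account audit of a WordPress tree.
# Assumptions (mine): POSIX sh/find; $1 is the WordPress root; $2 is the
# lookback window in days for "recently modified".

# Files and directories any account on the box can write to (o+w, octal 002).
wp_world_writable() {
    find "$1" ! -type l -perm -002 -print 2>/dev/null
}

# PHP files modified within the last N days. With a known compromise window
# this is the fastest way to surface dropped "plugin" files.
wp_recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-7}" -print 2>/dev/null
}

# PHP files under the uploads directory, which should contain media only.
wp_php_in_uploads() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f -name '*.php' -print 2>/dev/null
}

# Runs all three checks, prints findings grouped by check, returns 1 if any
# check produced output so the script can gate a cron job or a deploy.
wp_audit() {
    root="$1"; days="${2:-7}"; found=0
    for check in wp_world_writable wp_recent_php wp_php_in_uploads; do
        out=$($check "$root" "$days")
        if [ -n "$out" ]; then
            echo "== $check =="
            echo "$out"
            found=1
        fi
    done
    return $found
}

# Usage: sh wp_audit.sh /home/joe/public_html [days]
if [ $# -gt 0 ]; then
    wp_audit "$@"
fi
```

A recently modified PHP file is not proof of compromise on its own (a legitimate upgrade touches many files), so compare the list against the date of your last upgrade or plugin install; the world-writable and uploads findings should normally be empty.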
