
Thread: Help find hole

  1. #1
    Rarst, Big Tipper (Join Date: Jul 2009; Posts: 322)

    Help find hole

    Typical worst nightmare of any blog owner. :((( Came home late on Friday evening to discover my Opera flooded with a ddos popup attack... Coming from my own blog.

    Discovered a number of iframes inserted into WP's index.php, so I am completely freaking out about how it got there. :(

    FTP access log completely clean, no one had used it since I moved to the new hosting mid-August except my home IP.

    I think I have found what was probably an intrusion in the HTTP access log: an unknown IP with hits on admin areas while I was happily sleeping yesterday.

    http://dl.getdropbox.com/u/58900/ip.csv

    It had also installed some kind of hidden and encoded plugin (please be careful! do not try to run it just because):

    http://dl.getdropbox.com/u/58900/secutoolvi-en.php

    I have changed account passwords and am trying to make sense of the intrusion log. Will probably overwrite WP with clean install files as well.

    What else should I do and, more importantly, how the hell did the bastard get in?

    Any help very much appreciated!

    [update] it seems that the intrusion originally came with a referer of a service looking for another site on the same server (see log beginning)... Some kind of server vulnerability? Going to drop this all on support as well.

    [update] unwrapped version of the hidden plugin (again, careful with this crap please)
    http://dl.getdropbox.com/u/58900/unwrapped.php

    [update] googled up what seems to be the same attack earlier this month, and the blog is on the same server as me
    http://onlinehomesbuy.com/2009/08/04...rus-attacking/

    Damn server infected or something? :(
    Last edited by Rarst; 08-28-2009 at 03:17 PM.
    Rarst.net - cynical thoughts on software and web (and sometimes WP) | @Rarst | I seem to be non-GPL-compliant person. Beware my poisonous thoughts.
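As an added illustration of the triage Rarst describes (finding an unknown IP hitting admin areas in the HTTP access log), and not code from the thread: the script below parses Apache combined-format lines, lists admin-area requests from any IP outside the owner's allowlist, and flags a POST to wp-login.php answered with a 302, which is what WordPress returns on a successful login. The log lines and the 203.0.113.10 / 198.51.100.7 addresses are constructed samples.

```python
import re
from collections import defaultdict

# Apache "combined" log format (constructed regex; adjust if your host logs a different layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Admin surfaces only the site owner should reach; any other source IP touching them needs a look.
ADMIN_PATHS = ("/wp-admin/", "/wp-login.php")

def parse(lines):
    """Yield one dict per well-formed line; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def admin_hits(lines, known_ips):
    """Map each IP outside known_ips to its admin-area requests as (ts, method, path, status)."""
    hits = defaultdict(list)
    for r in parse(lines):
        if r["ip"] not in known_ips and r["path"].startswith(ADMIN_PATHS):
            hits[r["ip"]].append((r["ts"], r["method"], r["path"], int(r["status"])))
    return dict(hits)

def likely_logins(hits):
    """IPs whose POST to wp-login.php got a 302: WordPress redirects into wp-admin on a successful
    login and re-renders the form (200) on a failed one, so a 302 means valid credentials were used."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(m == "POST" and p.startswith("/wp-login.php") and s == 302 for _, m, p, s in reqs))

# Constructed sample log (RFC 5737 documentation addresses, not real traffic); 203.0.113.10 is the owner.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Aug/2009:01:10:02 +0300] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Opera/9.80"
198.51.100.7 - - [28/Aug/2009:04:02:11 +0300] "GET / HTTP/1.1" 200 9010 "http://scanner.example/hosts?ip=shared-box" "Mozilla/5.0"
198.51.100.7 - - [28/Aug/2009:04:02:15 +0300] "GET /wp-login.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Aug/2009:04:02:17 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Aug/2009:04:02:20 +0300] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
this line is garbage and is skipped by the parser
"""

if __name__ == "__main__":
    hits = admin_hits(SAMPLE_LOG.splitlines(), known_ips={"203.0.113.10"})
    for ip, reqs in hits.items():
        print(ip, *reqs, sep="\n  ")
    print("likely successful logins:", likely_logins(hits))
```

A 302 on the login POST from an unknown IP with no failed attempts before it points at a leaked or guessed password rather than a brute force, which narrows where to look next.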

  2. #2
    Ryan, WPTavern Forum Moderator (Join Date: Jan 2009; Location: New Zealand; Posts: 2,418)

    What WP version and theme were you running and did you have any plugins installed? I got hacked a while ago, but it was due to my own stupidity as I hadn't bothered updating WP itself and a few plugins so was leaving myself open for attack.


    The first thing to do is to wipe everything. Then comb your database backup for any crud that might be in there.

    Overwriting existing files may be useless as there may be a hidden script somewhere which will just hack your blog automatically again. You need to delete the entire folder, lock stock and barrel, including all of your themes, plugins etc., plus any other files which may be floating around on that hosting account. Even a single unchecked file could lead to your site being re-hacked.

    Then reinstall everything from scratch. If there is any chance that your backups are affected, then make sure you scan each file individually to check for infiltrated code.


    Your server shouldn't be infected unless something catastrophic has gone wrong or you have a poorly maintained server (seems to happen to people who try to manage their own servers).

  3. #3
    Ryan, WPTavern Forum Moderator (Join Date: Jan 2009; Location: New Zealand; Posts: 2,418)

    Quote Originally Posted by Rarst View Post
    [update] googled up what seems to be the same attack earlier this month, and the blog is on the same server as me
    http://onlinehomesbuy.com/2009/08/04...rus-attacking/

    Damn server infected or something? :(

    Ohhh, I missed that while replying the first time!

    What web host? What sort of hosting setup?


    And to state the obvious ... tell your host about it so they can fix the problem.

  4. #4
    Rarst, Big Tipper (Join Date: Jul 2009; Posts: 322)

    Quote Originally Posted by Ryan View Post
    What WP version and theme were you running and did you have any plugins installed? I got hacked a while ago, but it was due to my own stupidity as I hadn't bothered updating WP itself and a few plugins so was leaving myself open for attack.

    WP 2.8.4 (naturally), Statement theme (old and heavily modded, I have rewritten almost all of it by now), plenty of plugins but all have been working for a long time, no new plugins in months.

    Quote Originally Posted by Ryan View Post
    Overwriting existing files may be useless as there may be a hidden script somewhere which will just hack your blog automatically again. You need to delete the entire folder, lock stock and barrel, including all of your themes, plugins etc., plus any other files which may be floating around on that hosting account. Even a single unchecked file could lead to your site being re-hacked.

    Then reinstall everything from scratch. If there is any chance that your backups are affected, then make sure you scan each file individually to check for infiltrated code.

    Well, I did find that hidden script. :) I have a backup of everything but am too tired by now for a complete clean reinstall. Damage control complete, will see how it goes tomorrow.

    Quote Originally Posted by Ryan View Post
    Your server shouldn't be infected unless something catastrophic has gone wrong or you have a poorly maintained server (seems to happen to people who try to manage their own servers).

    Ohhh, I missed that while replying the first time!
    What web host? What sort of hosting setup?
    And to state the obvious ... tell your host about it so they can fix the problem.

    WPWebHost, shared. Moved to them (for free, won in a contest) mid-August.

    See also the part about how the hacker came to my blog by looking for blogs on the server. If he had an exploit/pass/whatever for my blog he would come to the blog, right?

    But he was scanning the server instead. Considering the highly WP nature of the hack, he was scanning the server of a company that specializes in WP blogs, for WP blogs.

    I sent details to support. So far they scanned the installation for injects (which I already did) and scanned my account with antivirus (which I already did). Waiting for a reply to my direct question of whether there could be something wrong with the server setup.

    By the way, Google is hardly happy about the zone: ~10% of sites infected with malware
    http://www.google.com/safebrowsing/d...?site=AS:30475

  5. #5
    Ryan, WPTavern Forum Moderator (Join Date: Jan 2009; Location: New Zealand; Posts: 2,418)

    Yuck, sounds like time to ditch your host, even if it is free.

  6. #6
    Rarst, Big Tipper (Join Date: Jul 2009; Posts: 322)

    Quote Originally Posted by Ryan View Post
    Yuck, sounds like time to ditch your host, even if it is free.

    Heh... I'll see how it goes. :) For now I have been informed that the stuff was forwarded to the security department. I will also make a list of sites on the server myself and see if any more got hit.

    Seems the cleanup worked fine, and I put the wp-admin area under an .htaccess lockdown that triggers a 404 and email notifications. Now I need to deal with the details and install a few of those paranoid security plugins.
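An added example of the kind of .htaccess lockdown mentioned above (not Rarst's actual rules, which the thread does not show): in the site-root .htaccess, any request for wp-admin or wp-login.php from an IP other than the owner's gets a plain 404 instead of a login form, so a scanner sees nothing there. 203.0.113.10 is a placeholder for the owner's static IP, and the email notification part is left to a plugin or script, since mod_rewrite cannot send mail.

```apache
# Site-root .htaccess (placed above the "# BEGIN WordPress" block so it is evaluated first).
# 203.0.113.10 is a placeholder (RFC 5737 range): replace it with the owner's static IP.
RewriteEngine On

# Let admin-ajax.php through: public-side themes and plugins call it without being logged in.
RewriteRule ^wp-admin/admin-ajax\.php$ - [L]

# Anyone else asking for the admin area or the login page gets a 404 and no further rewriting.
# The first condition is ANDed with the ORed pair below it.
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REQUEST_URI} ^/wp-admin/ [OR]
RewriteCond %{REQUEST_URI} ^/wp-login\.php
RewriteRule .* - [R=404,L]
```

If your home IP changes you lock yourself out of the dashboard until you edit this file over FTP or SSH, so keep that access handy before enabling it.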

  7. #7
    JohnM, Big Tipper (Join Date: Feb 2009; Location: Norway; Posts: 346)

    Have a look at WP-firewall for monitoring what's going on if they try to hit you again.

    It intelligently whitelists and blacklists pathological-looking phrases based on which field they appear within in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night. Its features include —

    * Detect, intercept, and log suspicious-looking parameters — and prevent them compromising WordPress.
    * Also protect most WordPress plugins from the same attacks.
    * Optionally configure as the first plugin to load for maximum security.
    * Respond with an innocuous-looking 404, or a home page redirect.
    * Optionally send an email to you with a useful dump of information upon blocking a potential attack.
    * Turn on or off directory traversal attack detection.
    * Turn on or off SQL injection attack detection.
    * Turn on or off WordPress-specific SQL injection attack detection.
    * Turn on or off blocking executable file uploads.
    * Turn on or off remote arbitrary code injection detection.
    * Add whitelisted IPs.
    * Add additional whitelisted pages and/or fields within such pages to allow above to get through when desirable.

    Click here for more info on the injection blocker's security filters.
    http://www.seoegghead.com/software/w...s-firewall.seo

  8. #8
    Rarst, Big Tipper (Join Date: Jul 2009; Posts: 322)

    @JohnM

    Thanks, that's one of those I had searched up yesterday. Going to properly sort through them today and decide what I need to install.

    btw there were no weird page requests involved (as far as I can tell from the log).

    Biggest question still stands - how the heck he got in admin area.

  9. #9
    Jeffro, WPTavern Forum Admin (Join Date: Jan 2009; Location: Ohio; Posts: 2,107)

    So what's the status of the problem? Did the webhost get back with you on any reports? I hate these types of attacks as you go to sleep, wake up and find the site gone or all screwed up. Makes you not want to sleep ever again.

    When I asked for feedback regarding WPWebhost as I almost moved WPTavern there, I received quite a few good replies and feedback.

  10. #10
    Rarst, Big Tipper (Join Date: Jul 2009; Posts: 322)

    @Jeffro

    Got an answer this morning from the security department (I think; these help desk systems make it hard to understand who exactly is mailing you).

    Said nothing about the specifics of the hack, the possibility of a hole, or whether they looked into it at all.

    As for my question on recommended security measures, I got some general advice (permissions on wp-config, strong passwords). More importantly, they have enabled SSH for my account; as I understand it, that is not a default feature there. Will play with it this evening.

    By the way, I scanned all sites on my server on Saturday: no obviously infected ones. Either it's my bad luck, or if others were hit they had cleaned up by then.
