Recently, my site was hacked. I've found that what hit me hit also hundreds (and very likely many thousands of) sites! The sites affected are running mostly WordPress blogs, but I saw some forums and other CMSes being hacked as well (although a WP installation may exist on those servers and only the malicious code is embedded in other CMSes).
- Moodle: http://www.google.pl/search?sourceid=chrome&ie=UTF-8&q=site:elearning.emate.ucr.ac.cr+loan
- SMF forum: http://www.google.pl/search?sourceid=chrome&ie=UTF-8&q=site:spinnershome.net+loan
I ask you to help me get to the bottom of this and find the bug.
Please note that it is quite hard to notice the hack if you don't look for it. Check Google with the following phrase:
Where "example.com" is your domain (or some affected domain). You'll see a lot of crap that you didn't even know existed.
First, a list of sites that link to my hacked site (so they're also hacked):
NOTE that you will not see the malicious text, it shows up only to crawlers. BUT if you run Google's site: search, you'll notice it.
About 10 of those hundreds of pages are viable links, the rest is due to this hacking going on. And that's only the sites that link to mine after a few days. My address is blogtimes.pl, which occurs a few times as I link to myself obviously.
I was/am running the latest WordPress installation (3.0.1) with some daily updated plugins:
Akismet, All in one SEO Pack, Broken Link Checker, FD Feedburner Plugin, Google Analyticator, Google XML Sitemaps, Move WordPress Comments, No Self Pings, Popularity Contest, Raw HTML Capability, SEO Friendly Images, SEO Smart links, Sociable, Sociable Poland, Subscribe to comments, WordPress Database Backup, WP-PageNavi, WP BlipBot (Polish equivalent of Twitter), WP No Category Base, WP Super Cache, Yet Another Related Posts Plugin.
My hosting provider is DreamHost with shared hosting. My password for WP was quite strong and it doesn't seem like it is the weak link. My username was however "admin". My FTP details were randomly generated.
My CHMODs were as supposed to be (safe). I did not run any other site on this account, nor did I have shell access enabled. The MySQL database doesn't seem to be affected at all. After the attack I ran some plugins to check for vulnerabilities and none found anything.
DreamHost states that my FTP account was not accessed, so the hack occurred through HTTP most likely (or the shared server, which is unlikely judging by the number of sites affected). DreamHost doesn't have logs reaching over a week in the past (...) so I'm not able to check which files were accessed during the hack. I can however do some other sniffing.
This is how the attack progressed in time:
7th Nov. 2010
./wp-config.php was modified at 07:26 (no malicious code there, could be that the attacker just looked at my MySQL DB credentials or changed the unique keys that wp-config.php has)
./wp-admin/includes/version.php was modified at 07:27 (totally changed with heavily encrypted PHP code. The decrypted version can be found at http://pastebin.com/3JWb96z6 This file is basically an admin panel for managing files and running shell commands. You need to provide a variable using POST for the page to show up)
11th Nov. 2010
These files were uploaded: http://pokazywarka.pl/i3r0i6/
They are encrypted and I don't yet know what is their purpose.
Also, the ./wp-includes/post-template.php was modified that day. It had some heavily encrypted PHP code bundled inside. I've decoded it:
The first and second functions are basically wrappers for the content below them. What you can see is that some pages from my blog are changed to malicious ones (probably nested inside the files uploaded the same day), but only if the crawler visits the page. As a result, Google dropped my ranks for the whole domain on 15th Nov. and that rang my bell. You can also see that the script takes a "pw" variable through GET. This way the attacker can run a CURL query (look up another site) and open or write a local file.
19th Nov 2010
./wp-content/languages/mo/index.php was modified (or uploaded for the first time). It probably is a gateway to version.php (I can see there are POST requests executed on it), or it is another way to manage the hacked site. DreamHost reports that in the same dir there are other files which are browsable through HTTP, like:
I however do not see any files in this directory using LIST -al and LIST -alh with many FTP clients. It may be that I have to turn on shell on this account to look them up, which I am not willing to do.
Does anyone know if this is the case? Can you hide files from FTP access without having power over the FTP server?
Finally, 19th and 20th Nov. (newer logs are yet to come from DreamHost I guess), there have been numerous attempts to further compromise my server (and likely access my linux password). I do have access to the HTTP logs for this timeframe, so I was able to review the malicious requests. You can see them here:
Note that 126.96.36.199 is the IP of the attacker. He is the only one who knows that he should access index.php and does so using POST (so he provides his passphrase). You can see that he uses an iPhone and probably some kind of an automated application on a computer (hence the 3 requests per second) to upload files (most likely). This IP belongs to the ISP Optimum Online and is shared from the pool 24.185.x.x in Brooklyn, NYC.
Other IPs are most likely script kiddies and bots, not related to this hack.
I do not see any other malicious requests on the 19th, so either the index.php modified itself (because the modification date = 19th) or it was modified by some other protocol.
This is very weird, as I cannot seem to find how the initial upload was able to take place and how the 19th modification of index.php took place. We can be sure that the issue is large in scale. I still have some files that I can decode (index.php) and if I do so, I'll try to put a trap on the attacker and get to know his passphrase.
Any comments will be appreciated!
Related thread on the WordPress forums:
This makes me wonder how secure DH's shared hosting servers are.
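Two defender-side checks for the compromise described in this post, added here as example code that is neither the poster's nor WordPress's own: a cloaking check that fetches a page with a browser and a crawler User-Agent and reports links served only to the crawler, and a scanner for the obfuscation markers the decoded files showed (eval of decoded blobs, the "pw" trigger parameter, remote fetch, local file write). The fetcher, the sample HTML and the spam.invalid link are constructed so the block runs offline.

```python
import re
from html.parser import HTMLParser
from typing import Callable, List, Set

# Constructed sample responses standing in for the live site: the crawler copy
# carries the injected spam link, the browser copy does not (as the post describes).
SAMPLE_BROWSER = '<html><body><a href="/about">About</a><p>normal post</p></body></html>'
SAMPLE_CRAWLER = SAMPLE_BROWSER.replace("</body>", '<a href="http://spam.invalid/loan">loan</a></body>')

BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/3.6"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def constructed_fetch(url: str, user_agent: str) -> str:
    """Offline stand-in for an HTTP GET; replace with urllib.request plus a User-Agent header."""
    return SAMPLE_CRAWLER if "Googlebot" in user_agent else SAMPLE_BROWSER

class _LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links: Set[str] = set()
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.add(href)

def extract_links(html: str) -> Set[str]:
    parser = _LinkParser()
    parser.feed(html)
    return parser.links

def cloaked_links(url: str, fetch: Callable[[str, str], str] = constructed_fetch) -> Set[str]:
    """hrefs served to the crawler User-Agent but not to a browser: cloaked spam."""
    return extract_links(fetch(url, CRAWLER_UA)) - extract_links(fetch(url, BROWSER_UA))

# Markers typical of injected PHP: eval of decoded blobs, a "pw" trigger parameter,
# remote fetches and local file writes (the behaviours the decoded post-template.php showed).
_SUSPICIOUS = [
    r"\beval\s*\(", r"\bbase64_decode\s*\(", r"\bgzinflate\s*\(", r"\bstr_rot13\s*\(",
    r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]",
    r"\$_(?:GET|POST|REQUEST)\s*\[\s*['\"]pw['\"]\s*\]",
    r"\bcurl_exec\s*\(", r"\bfile_put_contents\s*\(",
]

def suspicious_php(source: str) -> List[str]:
    """Markers found in one PHP file's source; an empty list means nothing was flagged."""
    return [pat for pat in _SUSPICIOUS if re.search(pat, source)]

if __name__ == "__main__":
    print("cloaked:", cloaked_links("http://example.com/"))
    print("flags:", suspicious_php("<?php if($_GET['pw']=='x') eval(base64_decode($c)); ?>"))
```

Run the file scanner over every .php file under the WordPress root (or only those with a recent mtime) and the cloaking check against a handful of ranked pages; either hit is worth a manual look.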
If the issue is truly originating with your WordPress site, I would have to assume it is one of your many plugins. Surely one of them is not doing proper input validation on a GET variable.
Wordpress + shared hosting + load of plugins = hack magnet
I have confirmation that the hack occurred on in-door servers, so it's not DH-related.
I'm investigating the plugins that the hacked sites used.
Anyone else in this situation should immediately disable any plugins you think have a security vulnerability in them, and scan your logs for suspicious activity and ban those IPs at the software firewall level.
Next, upgrade your WordPress / other software.
If you don't do this you WILL be hacked again.