Comments on: More on the evil in the woodshed http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/ bubbling enthusiasm for $arbitrary_topic Thu, 09 Feb 2012 03:57:48 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Suw http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/comment-page-1/#comment-31770 Suw Fri, 11 Sep 2009 16:36:42 +0000 http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/#comment-31770 Carl, I've signed up with Google's Webmaster tools and submitted CnV for reconsideration so hopefully that will do the trick. Will replace the footer.php file on CnV. It probably just got borked in my attempted clean up. Carl, I’ve signed up with Google’s Webmaster tools and submitted CnV for reconsideration so hopefully that will do the trick. Will replace the footer.php file on CnV. It probably just got borked in my attempted clean up.

]]> By: Carl Morris http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/comment-page-1/#comment-31769 Carl Morris Fri, 11 Sep 2009 14:56:03 +0000 http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/#comment-31769 Suw, this <a href="http://www.mattcutts.com/blog/reinclusion-request-howto/" rel="nofollow">Matt Cutts post</a> about reconsideration on Google might help. BTW, I'm getting a PHP error in your footer.php now, it might be related to this problem or the fix. Suw, this Matt Cutts post about reconsideration on Google might help.

BTW, I’m getting a PHP error in your footer.php now, it might be related to this problem or the fix.

]]> By: Suw http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/comment-page-1/#comment-31579 Suw Mon, 07 Sep 2009 17:14:25 +0000 http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/#comment-31579 I'm pretty sure that the attack vector was Wordpress and that my upgrade to WP and Thesis and my cleaning-up attempts simply failed to remove all the malicious code. It then re-inserted it's spam again. Mike did an amazing job of cleaning things up. I have more details from him that I need to post, just to round up the story. But thanks for the offer of help! It's much appreciated. The only thing that's left to do now is to re-establish my non-spammy credentials with Google, which has dropped my blogs from its search results. :( I’m pretty sure that the attack vector was WordPress and that my upgrade to WP and Thesis and my cleaning-up attempts simply failed to remove all the malicious code. It then re-inserted it’s spam again.

Mike did an amazing job of cleaning things up. I have more details from him that I need to post, just to round up the story. But thanks for the offer of help! It’s much appreciated. The only thing that’s left to do now is to re-establish my non-spammy credentials with Google, which has dropped my blogs from its search results. :(

]]> By: Matt http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/comment-page-1/#comment-31578 Matt Mon, 07 Sep 2009 16:06:47 +0000 http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/#comment-31578 It is painful to clean up after a hack, it sounds like their attack vector isn't WordPress anymore. (It could even be another user on the same server.) Sounds like you're in good hands with Mike Little (one of the top WP people in the world) but if you run into any more roadblocks don't be shy about dropping me a line and we'll try to help you. It is painful to clean up after a hack, it sounds like their attack vector isn’t WordPress anymore. (It could even be another user on the same server.) Sounds like you’re in good hands with Mike Little (one of the top WP people in the world) but if you run into any more roadblocks don’t be shy about dropping me a line and we’ll try to help you.

]]> By: Matt Wardman http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/comment-page-1/#comment-31539 Matt Wardman Tue, 01 Sep 2009 09:29:55 +0000 http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/#comment-31539 Ouch. I had a couple of exploits last year. I ended up starting for scratch in a new server account. That is now my standard approach. Create new account -> reinstall -> redirect domain. Painful but it does not need repeating. Best of luck. Matt Ouch.

I had a couple of exploits last year. I ended up starting for scratch in a new server account. That is now my standard approach. Create new account -> reinstall -> redirect domain. Painful but it does not need repeating.

Best of luck.

Matt

]]> By: nicholas butler http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/comment-page-1/#comment-31538 nicholas butler Tue, 01 Sep 2009 06:43:04 +0000 http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/#comment-31538 Suw I sorted this out for Mike last year. There will be a compromised theme file and very likely a compromised theme file in the wp-admin directory. The file contains a script that acts like an FTP server presenting the user with a form that allows them to send and recieve files from your site. In turn this gives them the access they are looking for. What I did was the following. 1. Get a clean copy of my theme, note I double checked the theme looking for the string of text called uuencode, or gzip or base_decode64 because the secret rubbish string for the file was hidden in that long strong of giberrish. 2. copy down the wp-config and wp-content files 3. test wp-content directory for the above 4. login to wp-admin and remove unwanted users, remove unwanted posts and unwanted pages and remove the user admin in favour of another user account. 5. On my Webghost control panel set the path to your website to a new path and install wordpress there then copy up wp-config and wp-content 6. Add some security plugins notably, admin IP Watch, wordpress-security If your having any trouble with any of these steps then let me know. Nik Suw

I sorted this out for Mike last year. There will be a compromised theme file and very likely a compromised theme file in the wp-admin directory. The file contains a script that acts like an FTP server presenting the user with a form that allows them to send and recieve files from your site. In turn this gives them the access they are looking for.

What I did was the following.

1. Get a clean copy of my theme, note I double checked the theme looking for the string of text called uuencode, or gzip or base_decode64 because the secret rubbish string for the file was hidden in that long strong of giberrish.

2. copy down the wp-config and wp-content files

3. test wp-content directory for the above

4. login to wp-admin and remove unwanted users, remove unwanted posts and unwanted pages and remove the user admin in favour of another user account.

5. On my Webghost control panel set the path to your website to a new path and install wordpress there then copy up wp-config and wp-content

6. Add some security plugins notably, admin IP Watch, wordpress-security

If your having any trouble with any of these steps then let me know.

Nik

]]> By: ManxStef http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/comment-page-1/#comment-31534 ManxStef Mon, 31 Aug 2009 21:47:50 +0000 http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/#comment-31534 Ah, gotcha. Yeah, good idea to nuke all the users that aren't yours, if only 'cause there were some privilege-escalation exploits previously that allowed a standard user to get admin access. I'd be happy to take a look through the DB if you can export it? (wp-db-backup may be the easiest way, though through a MySQL tool such as Sequel Pro or a web-based app like phpMyAdmin will do it, too.) Might also be an idea to diff it all against the latest WordPress source, though if you upgraded and overwrote everything then it should be fine. It's somewhat reassuring that it happened to an older version of WordPress rather than the latest, as that would've pointed at a potential new exploit – not that this helps with your cleanup! Perms shouldn't be too much of an issue if everything's read-only by default (with the exception of wp-content/cache and wp-content/uploads, I'm guessing). Oh yeah, if you can change the password of the MySQL database user (as per the Twitter mention) that'd be an idea. If it's an automated hack it's possible they've not got it, but they'll have had access to it so it's better to be safe. Ah, gotcha. Yeah, good idea to nuke all the users that aren’t yours, if only ’cause there were some privilege-escalation exploits previously that allowed a standard user to get admin access.

I’d be happy to take a look through the DB if you can export it? (wp-db-backup may be the easiest way, though through a MySQL tool such as Sequel Pro or a web-based app like phpMyAdmin will do it, too.) Might also be an idea to diff it all against the latest WordPress source, though if you upgraded and overwrote everything then it should be fine.

It’s somewhat reassuring that it happened to an older version of WordPress rather than the latest, as that would’ve pointed at a potential new exploit – not that this helps with your cleanup! Perms shouldn’t be too much of an issue if everything’s read-only by default (with the exception of wp-content/cache and wp-content/uploads, I’m guessing).

Oh yeah, if you can change the password of the MySQL database user (as per the Twitter mention) that’d be an idea. If it’s an automated hack it’s possible they’ve not got it, but they’ll have had access to it so it’s better to be safe.

]]> By: Suw http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/comment-page-1/#comment-31532 Suw Mon, 31 Aug 2009 21:35:53 +0000 http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/#comment-31532 Hi ManxStef! Thank you so much for the advice and the links. I did indeed have a compromised admin account on CnV, which is now gone, along with *all* subscribers. There was no compromised admin account on Blogiculum Vitae. Regarding the versions, the compromise of CnV was done before I upgraded it to the newest version, so after the upgrade I would imagine the continued compromises were just extensions of the first. The permissions thing was not that I couldn't access them, but that they didn't have the right permissions. I've gone though every Wordpress folder and checked for suspicious looking stuff, but to be honest I'm not familiar enough with Wordpress to know necessarily at a glance what I'm looking for. And finally, I have no idea how to inspect the database, so if it comes to that I'm going to have to export my content and do a fresh installation. Hi ManxStef! Thank you so much for the advice and the links. I did indeed have a compromised admin account on CnV, which is now gone, along with *all* subscribers. There was no compromised admin account on Blogiculum Vitae.

Regarding the versions, the compromise of CnV was done before I upgraded it to the newest version, so after the upgrade I would imagine the continued compromises were just extensions of the first.

The permissions thing was not that I couldn’t access them, but that they didn’t have the right permissions. I’ve gone though every WordPress folder and checked for suspicious looking stuff, but to be honest I’m not familiar enough with WordPress to know necessarily at a glance what I’m looking for.

And finally, I have no idea how to inspect the database, so if it comes to that I’m going to have to export my content and do a fresh installation.

]]> By: ManxStef http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/comment-page-1/#comment-31531 ManxStef Mon, 31 Aug 2009 21:10:35 +0000 http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/#comment-31531 Oh, forgot to mention, if you've not signed up for the Google Webmaster Tools it's a good way of getting a warning that your site's been compromised: https://www.google.com/webmasters/tools/ Make sure you add your e-mail address to the panel and it should notify you of anything untoward. Oh, forgot to mention, if you’ve not signed up for the Google Webmaster Tools it’s a good way of getting a warning that your site’s been compromised:
https://www.google.com/webmasters/tools/

Make sure you add your e-mail address to the panel and it should notify you of anything untoward.

]]> By: ManxStef http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/comment-page-1/#comment-31530 ManxStef Mon, 31 Aug 2009 21:08:11 +0000 http://chocolateandvodka.com/2009/08/31/more-on-the-evil-in-the-woodshed/#comment-31530 I've seen a few exploits like this before, though with earlier versions. (Wasn't Magic Include Shell, was it?) The attack vector can be multiple routes: WordPress itself (though if you were already on 2.8.4 this suggests otherwise), a vulnerable theme (usually functions.php) or plugin, another web app such as a forum, etc. If they've compromised things to the point of changing permissions of directories so you can no longer access them then you'll most-likely need root on the webserver to clean this up, otherwise they may have code in these directories to re-infect whatever you upload. If not, do make sure whatever you upload isn't world-writable, i.e. the 'other' permissions, and ideally remove group write from all the files you don't need to edit, too. It's also possible that they've created entries in the database itself, so do go through that and check if you can – they may have at the very least created a new admin account to get back in. There's some good advice on the WordPress Codex about hardening, once you've secured it again: http://codex.wordpress.org/Hardening_WordPress and BlogSecurity.net: http://blogsecurity.net/wordpress/wordpress-security-whitepaper I’ve seen a few exploits like this before, though with earlier versions. (Wasn’t Magic Include Shell, was it?) The attack vector can be multiple routes: WordPress itself (though if you were already on 2.8.4 this suggests otherwise), a vulnerable theme (usually functions.php) or plugin, another web app such as a forum, etc.

If they’ve compromised things to the point of changing permissions of directories so you can no longer access them then you’ll most-likely need root on the webserver to clean this up, otherwise they may have code in these directories to re-infect whatever you upload. If not, do make sure whatever you upload isn’t world-writable, i.e. the ‘other’ permissions, and ideally remove group write from all the files you don’t need to edit, too.

It’s also possible that they’ve created entries in the database itself, so do go through that and check if you can – they may have at the very least created a new admin account to get back in.

There’s some good advice on the WordPress Codex about hardening, once you’ve secured it again:
http://codex.wordpress.org/Hardening_WordPress

and BlogSecurity.net:
http://blogsecurity.net/wordpress/wordpress-security-whitepaper

]]>