Gah, cracked again

The site got compromised yet again, this time through a cross-site exploit. More aggravation follows, along with some more information about what happened.

Has anyone smeared honey all over my site while I wasn’t looking? Once again I find out the Division by Zer0 has been compromised and spam links are being inserted invisibly into my content. And that’s only 10 days after the last time. Argh!

This time I didn’t discover it through a Google search but rather when someone from NoState.com contacted me through IM to let me know. This time the spam links were not hidden from the page source but merely invisible on the rendered page. That at least makes them much easier to find and to confirm they’ve been removed. Nevertheless, this always feels like a very nasty violation every time it happens.

However, the exploit was better hidden this time. It wasn’t just a few files hidden in my subdirectories but rather code inserted into my actual WordPress and theme files. This seems to have been done through some kind of XSS exploit, but I have no idea how it managed it, as I’m running the latest WP version. Fortunately Adrian was good enough to point out a WordPress support thread for my exact issue, which helped me locate and rip out the source of the spam quickly. This is why it pays to microblog your aggravation, I guess 🙂

Btw, I also noticed that the previous malicious cache.php file had reappeared in my wp-content folder. This time I saved a copy before deleting it and now you can all see what kind of crap they put in your server. Notice the quite humorous note telling you that “modified republishing is restricted”. Or what? Are they going to take you to court?

At least this latest crack forced me to finally go ahead and lock down my site even more. Now the site root, wp-content and my theme directory are read-only for my user as well. Let’s hope this doesn’t create any issues. Unfortunately I cannot make the plugin directory read-only, as plugins very often need to write in there too, but I don’t think this was done through a plugin, so I think I’m good. I’ve also finally changed the prefix for all my database tables to avoid any zero-day exploits, which I’ve been meaning to do for a while.

I also tried to install a logging plugin I saw mentioned in the WordPress forum, but unfortunately it didn’t work for me. What would be really great, however, is a way to monitor all your site files for changes, so that whenever any file is modified or added, an email is dispatched to the admin. Sure, you might get notifications when you upload a new plugin or add new images through WordPress’s built-in uploader, but you could easily ignore those. But when you see a change in your index.php that you didn’t initiate, then certainly something needs to be checked.
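A minimal version of the file-change monitor described above, written as an added example for this post (it is not a WordPress plugin or code from the site): it hashes every file under a web root, diffs the result against a saved baseline, and reports what was added, modified or removed. The web root, its files and the tampering in `demo()` are constructed; sending the alert text by e-mail is left to the caller.

```python
"""File-change monitor for a web root: hash every file, compare with a
baseline, and report added/modified/removed paths. Example code written
for this post, not a WordPress plugin; the web root below is constructed."""
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Compare two snapshots; lists are sorted so the output is stable."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def format_alert(report):
    """Plain-text body an admin could be e-mailed; empty string means no change."""
    lines = [f"{kind}: {path}" for kind in ("added", "modified", "removed")
             for path in report[kind]]
    return "\n".join(lines)


def demo():
    """Constructed scenario mirroring the post: index.php edited, cache.php dropped."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php require 'wp-blog-header.php';\n")
        # persist the baseline as JSON, as a cron job would, then reload it
        baseline = json.loads(json.dumps(snapshot(root)))
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("<?php /* constructed tampering */ ?>\n")
        with open(os.path.join(root, "wp-content", "cache.php"), "w") as fh:
            fh.write("<?php // constructed dropped file\n")
        return diff_snapshots(baseline, snapshot(root))
```

Run `snapshot()` once after a clean install to save the baseline, then from cron and mail `format_alert()` whenever it is non-empty; expected churn from uploads can be filtered by path before alerting.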

On a more positive note, I’ve gone ahead and integrated with Google’s Friend Connect. You can probably see it already on my sidebar, where you can add yourself as a “member” of the site, whatever that is. I used to have Facebook, but that requires you to add a FB application, which not everyone cares to do. Everyone and their mother has a Google account by now, however, so hopefully this may give me a better idea of how many people like the site enough to register themselves.

But I swear, if I get compromised again, I’m going for a complete wipe and reinstall. It can only mean that I’ve got a trojan that won’t stop making my life difficult.


15 thoughts on “Gah, cracked again”

  1. Too bad that it's too difficult to figure out how the website is being cracked into. It could be anything from exploits into WordPress itself to password sniffing, and not knowing makes me worry about the security of my own blog without being able to do much. 🙁

    1. I would be really surprised if it was a brute pwd attack to tell the truth and I haven't seen anything to point to that. But you're right, it's very aggravating, especially since most plugins about security don't work on my blog 🙁

  2. I doubt it's a brute force attack on passwords when there's the much easier way of sniffing passwords that are sent over the clear (unless you're also using SSL). Not that it makes it any less aggravating …

    1. That sucks man. Did you clear it already? I checked your site and couldn't see anything in the source.

      1. It may not be the same thing then. In my stats where it says that people clicked on these links it shows 2 or three porn links that I know I haven't put there.


  3. Have you activated Akismet on the Intense Debate side and on your blog? It usually does a good job of catching such spam.

    1. I have now activated Akismet on wordpress and ID as well as ticking the check box for wordpress comments to go through ID spam filter. Thanks for the suggestions

  4. One more thing to anyone running WordPress reading this thread and worried about or suffering from similar attacks: change your WordPress database table prefix to ANYTHING other than the default of "wp_". This will make your blog far less vulnerable to SQL injection attacks, since a successful manipulation of the database via that vector requires the attacker to know the prefix.

    Making this change is not trivial, though. There is a decent set of instructions at http://www.talkincode.com/changing-your-wordpress… If you don't have mysql "alter" permission for whatever reason, you can also do this by taking a dump of the database (install the wp-db-backup plugin), editing the dump with find/replace to replace each of the table names with their replacements with the new prefix. Be sure you don't blindly find/replace wp_ for the new prefix everywhere, though, as this may break things. Do each table separately, and then look at http://wordpress.org/support/topic/156194 for some additional bits that must be updated.

    Good luck.
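The per-table rename on a database dump that the comment above recommends, as an added example written for this thread (not code from the linked instructions): it rewrites only backtick-quoted identifiers for the tables you list, so a blind find/replace of `wp_` cannot touch post text or option values that happen to contain the prefix, and it reports identifiers still carrying the old prefix so plugin tables get a deliberate decision. The dump excerpt is constructed and `np_` is an illustrative new prefix. WordPress also stores the prefix inside data (the option named `wp_user_roles` and the usermeta keys `wp_capabilities` and `wp_user_level`), and those rows must be updated separately.

```python
"""Rename WordPress tables in a SQL dump one table at a time, rewriting only
backtick-quoted identifiers so that text inside post content which happens
to contain "wp_" is left alone. Example written for this thread, not code
from the linked instructions; the dump below is constructed."""
import re

# Core tables of the WordPress versions of that era; the caller owns this list,
# nothing here guesses at extra tables a plugin may have created.
CORE_TABLES = ["posts", "postmeta", "options", "users", "usermeta", "comments",
               "terms", "term_taxonomy", "term_relationships", "links"]


def rename_tables(dump, old_prefix, new_prefix, tables=CORE_TABLES):
    """Return the dump with `old_prefix+t` renamed to `new_prefix+t` for each t
    in tables, only where it appears as a backtick-quoted identifier."""
    out = dump
    for t in tables:
        ident = re.compile("`" + re.escape(old_prefix + t) + "`")
        out = ident.sub("`" + new_prefix + t + "`", out)
    return out


def leftover_identifiers(dump, old_prefix):
    """Backtick-quoted identifiers still carrying the old prefix, e.g. plugin
    tables that were not in the list and need a deliberate decision."""
    return sorted(set(re.findall("`(" + re.escape(old_prefix) + r"\w+)`", dump)))


# Constructed mysqldump-style excerpt: a core table, a post body that mentions
# "wp_posts" in prose, the prefix-dependent option row, and a plugin table.
DUMP = """DROP TABLE IF EXISTS `wp_posts`;
CREATE TABLE `wp_posts` (`ID` bigint(20), `post_content` longtext);
INSERT INTO `wp_posts` VALUES (1,'Back up wp_posts before editing the dump.');
INSERT INTO `wp_options` VALUES (7,'wp_user_roles','a:0:{}','yes');
LOCK TABLES `wp_plugin_cache` WRITE;
"""


def demo():
    """Rename the core tables and report what still carries the old prefix."""
    renamed = rename_tables(DUMP, "wp_", "np_")
    return renamed, leftover_identifiers(renamed, "wp_")
```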
