Gah, cracked again

The site got compromised yet again. This time through a cross-site exploit. More aggravation follows. Some more information about what happened is discussed.

Has anyone smeared honey all over my site while I wasn’t looking? Once again I find out the Division by Zer0 has been compromised and spam links are being inserted invisible into my content. And that’s only 10 days after the last time. Argh!

This time I didn’t discover it through a google search but rather when someone from NoState.com contacted me through IM to let me know. This time the spam links were not hidden from the normal source but rather simply invisible in the normal page. This at least makes them much easier to find out and know when you’ve removed them. Nevertheless, this always feels like a very nasty violation every time it happens.

However the exploit was better hidden this time. It wasn’t just a few files hidden in my subdirectories but rather code inserted in my actual wordpress and theme files. This seemed to have been done through some kind of xss exploit but I have no idea how it managed it as I’m running the lastest WP version. Fortunately Adrian was good enough to point out a wordpress support thread for my exact issue which helped me locate and rip out the source of the spam quickly. This is why it pays to microblog your aggravation I guess 🙂

Btw, I also noticed that the previous malicious cache.php file had reappeared in my wp-content folder. This time I saved a copy before deleting it and now you can all see what kind of crap they put in your server. Notice the quite humorous note telling you that “modified republishing is restricted”. Or what? Are they going to take you to court?

At least this later crack forced me to finally go ahead and lockdown my site even more. Now the site root, wp-content and my theme directory are read-only from my user as well. Let’s hope this doesn’t create any issues. Unfortunately I cannot make the plugin directory read only as very often they need to write in there as well but I don’t think this was done through a plugin so I think I’m good.I’ve also finally changed the prefix for all my database tables to avoid any zero-day exploits which I’ve been meaning to do for a while.

I also tried to install one logging plugin I saw mentioned in the wordpress forum but unfortunately it didn’t work for me. What would be really great however is a way to monitor all your site files for changes and whenever any file is modified or added, an email would be dispatched to the admin. Sure, you might get notifications for when you upload a new plugin or add new images through wordpress’ builtin function but you could easily ignore those. But when you see a change in your index.php that you didn’t initiate, then certainly something needs to be checked.

On a more positive note, I’ve gone ahead and integrated with Google’s Friend Connect. You can probably see it already on my sidebar where you can add yourself as a “member” of the site, whatever that is. I used to have Facebook but that requires you to add a FB application which not everyone cares to do. Everyone and their mother has a a google account by now however so hopefully this may give me a better idea of how many people like the site enough to register themselves.

But I swear, if I get compromised again, I’m going for a complete wipe and reinstall. It can only mean that I’ve got a trojan that won’t stop making my life difficult.

Reblog this post [with Zemanta]

I feel exploited

The Division by Zer0 has been exploited with Spam Keyword injections. Aggravating! This post gives some more information on that.

Goddamnit! Someone, managed somehow to insert malicious php scripts into the site which were injecting invisible spam links to my content. Even more insidiously, those links were not injected to the html source of the page unless the browser user agent reported that it was a googlebot, making them all but impossible to see with a normal browser.

I was lucky to notice this because in the Google Webmaster tools I still had my site address added as www.dbzer0.com which was wrong as I’m not using the www. part anymore. Fortunately however, this allowed the site stats to show the keywords in the content instead of simply how people are linking to it, which made all the spam stand out.

Oh ouch!
WTF?

When I saw that my fist action was to do a search just to see if I was possibly looking at outdated data.  Unfortunately, the results were not uplifting.

Oh shi--
Oh shi--

This was not good. Looking at the cached copies of these pages, it was obvious that these links existed at least since the start of February which means that whatever is causing this, was added after my upgrade to WP2.7 or managed to remain active after it. The source code for the googlebot looked like this, when it should have been looking like this. The links were apparently pointing to redirection scripts in a cracked Movable Type based blog. I’ve fired an email to the author to advise him to take the site down but have heard nothing from him yet.

Take note people: If you’re not going to keep your site updated and patched, either take it down, or export it into pure html and let that stand. Don’t let your obsolete php and mysql setup running as that just invites people to turn your old site into a spam haven.

At this point I started looking around the interwebs in a bit of a panic as hate this kind of shit being associated with me. I couldn’t find anything exactly like what I had unfortunately. The only thing coming close that I found was this post which at least gave me some ideas on where to look.

I was able to discover 2 malicious php scripts residing in my wp-content folder. One was called cache.php and was on directy under /wp-content/ while the other was in the /wp-content/uploads and had a weirder name (can’t remember now). I summarily deleted them (although in retrospect I should have probably saved them for all of you to see) but I did notice the ironic comment inside, warning people not to copy them and pass them around.

I couldn’t find anything else after that but I was still not certain I was rid of the spam. A quick look through the google bot’s eyes showed me that the page didn’t return any spam results but that could also be because the script doing it is smart enough to recognise fake google agents. The only real way to find out if this still happens is to wait until Google indexes one of the spammed posts again and see if the spam links still appear.

As a precautionary measure, I also changed my WP password (as unlikely as it is that it would have been cracked through brute force) and looked around for anything that can help me discover such stuff in the future. I did find a plugin that looks very promising in this regard but unfortunately due to the way it asks for RAM and the setup of my host’s php, I can’t allocate enough memory for it to run. A last precaution was to add a search alert for these keywords appearing on my site which will, if I get cracked in the future again, give me notice within a few days.

On a more positive note, hopefully by removing these huge-ass scripts (many hundreds of line of code each) perhaps the load on my server will be reduced as well. But I’d be happy even if I simply see these keywords disappear from the Webmaster tools soon.

Reblog this post [with Zemanta]

Nothing is safe anymore

Holy shit. Disk Encryption is cracked, and cracked nastily it is. You are not safe if you are using Windows, Mac or linux as all of them basically use the RAM to store the encryption key.

So currently the only way to fix this is to either use a new memory technology where the RAM is instantly lost on boot or use another place, rather than the RAM. Perhaps we could use an external key? Can DM-Crypt be modified to store the key in a usb-stick? Will that help? Techdirt also mentions that this does not work on disks that decrypt on boot but this is not said in the article…

In any case…ouch!