hacked!

January 2, 2012

in Meta, Tech

(I am getting a lot of hits on this post from google. If you came here because you think your wordpress install has been hacked as well, make sure you also read Hacked, Again! and Hacked, the Followup)

So, I had a fun afternoon, how about you?

A week or so ago, I noticed an odd thing: Google Reader had stopped updating my blog feeds. Around that time I had been mucking with the blog feeds (see Housekeeping) so I figured maybe I had confused Google Reader, and if I ignored it, maybe it would go away.

Hint: if Google gets annoyed at your web site, perhaps there is something wrong with your web site.

Then yesterday I noticed that if I unsubscribed to my blog feed in Google Reader and resubscribed to it, the title to my blog would not come up. Instead Google Reader decided the title was “Personal Creations Elmo, Consumer Payday Loans – $300 – $2500.”

I became indignant. My blog looked fine to me. It looked fine from a variety of other locations. The code looked fine if I grabbed it with curl. Something was wrong with Google.

Hint: It’s unlikely something is wrong with Google. Something might be wrong with your site.

Then it got worse and it spread to my search results:

Googlesearch

At the same time a friend sent me a screen shot of my web site as he saw it:

Screenshot 5 1

Yeah, I got hacked. But it was a selective hack; only the google and yahoo crawlers and referers from google and yahoo saw it. (no one actually uses the Yahoo search engine.)

I spent the day cleaning up from this hack, including doing it twice because it came back. I still don’t know where it came from or if its going to come back again. This was not a lot of fun.

I googled what I found and turned almost no information at all; no exploits, no descriptions, no patches, nothing. I don’t know if what I had was new, or if it was obscure, or what. Technical details in the More part of this post.The changes I found affected three sites on my web host: one wordpress site (this blog) and, more worrisome, my www and work sites, which are entirely static HTML files — no PHP, no databases, just flat HTML.

On all three sites the hack added or modified an .htaccess file, adding rewrite rules. The modification dates of the files were not recent; they seemed to have picked a date and time that would not stand out (eg if every other file in the directory was modified on April 23, 2010, that was the modified date the .htaccess had). It also added a PHP file to the top level of the domain. For wordpress, that file was wp-stat.php (NOT wp-stats.php); for the static sites it was common.php. The rewrite rules in htaccess were similar for both versions:

# WordPress search queries statistic module

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (shtml|html|htm|php|xml|phtml|asp|aspx)$ [NC] 
RewriteCond %{REQUEST_FILENAME} !wp-stat.php
RewriteCond %{DOCUMENT_ROOT}/wp-stat.php -f
RewriteRule ^.*$    /wp-stat.php [L]

The wp-stat file is a base64 encoded PHP file. (hint: random files with base 64 encoding are probably up to no good). I ran it through a base 64 decoder and got a self-decrypting JavaScript file (hint: ditto). There were only a few readable strings in that file, most obviously the string “VASH NE PODDERZHIVAET ETO.” Googling that turned up only two references. This is one. That is the same script.

I deleted the file and fixed my .htaccess files. Because this hack crossed all the boundaries of my web sites and because the modification dates were in the past, I suspected a worse break-in than just a wordpress hack. I changed every password on everything — my shell account, my mySQL database account, all my wordpress accounts.

While I was poking around looking for other suspicious things that might be going on, the hack put itself back: it remodified all my .htaccess files and reinstalled the wp-stats and common.php files. Dammit.

Finally, suspicious of wordpress altogether, I also blew away my database, went back to an earlier backup, and reconstructed the more recent posts via wordpress import/export.

I removed write access to the .htaccess files (chmod 0444) and either that, blowing away the wordpress database, or changing all my passwords), seems to have stopped it for now — at least it hasn’t come back in the last few hours. We’ll see what happens overnight.

If anyone has any other ideas I’d love to hear them.

Google Reader seems to have rediscovered my feeds. Google search is still a bit behind.

I have no information on consumer payday loans.

{ 9 comments }

1 Enno Rehling January 2, 2012 at 10:51 pm

Having been similarly hacked before myself, I would recommend re-imaging the entire machine. You cannot trust any part of it. I thought I was clever and got it removed, but the truth was I still did not know enough about how it had nested inside my system in the first place and how deeply rooted it was, and in the end, I ended up on every blacklist on the internet for being a spam hoster because I was too lazy to nuke everything including the OS from orbit. It really *is* the only way to be sure.

2 Matt Rose January 4, 2012 at 6:45 pm

Also, get rid of wordpress. It’s secure for a few days, until somebody finds a way to hack it, then you have to upgrade it. Seriously, google wordpress 0day exploit. For my blog I use tumblr, but a static site generator like blosxom might be good too.

Also, Enno probably has the right idea. At least get Eric to look it over

3 Matt Andrews January 18, 2012 at 5:16 pm

This exact same thing has been happening to me the past few weeks. I’ve tried everything. My webhost ran a scan and found a suspicious PHP file which I removed. I deleted all Wordpress installs and even databases from the server. Nuked any files with 777 permissions. Deleted the common.php file. It keeps coming back. Despairing! I just tried setting .htaccess to 444 and will see if that does anything. Makes me feel slightly better than it’s not just me, though…

4 FPMurphy February 21, 2012 at 6:21 am

Are you hosted on Dreamhost?

5 Mike March 9, 2012 at 5:52 am

I have this same situation. Dreamhost hosted.

6 Mike March 9, 2012 at 5:54 am

FPMurphy, I take it you are on Dreamhost as well. Did you get this resolved?

7 laura March 9, 2012 at 3:16 pm

Copying over my comment from hacked, the followup:

@Dmitry, FPMurphy: I am indeed on Dreamhost, but I have heard from a LOT of people who have this same breakin who are on other hosting providers. The problem is definitely in WordPress. The issue with Dreamhost specifically is that they give you easy access to a WordPress installation but then zero guidance at all toward securing it, or any sort of hint that the wordpress install you have might be compromised. I like Dreamhost a lot but I think they could do a lot better than “here is this inherently insecure software, and you’re on your own.”

8 The Doctor March 28, 2012 at 3:51 pm

It may not necessarily be the CMS you have installed. I’m helping to troubleshoot the same kind of compromise on a website that’s all static HTML right now. I think a few groups have latched onto the same idea only they’re pulling it off in different ways.

Change your passwords from a workstation that you trust before cleaning up the mess. Also, check your ~/.ssh/authorized_keys files in your Dreamhost shell account – if you don’t remember setting one up but you have one now, it may have been created by the attacker. If you did set up SSH public key authentication, make sure that an attacker didn’t add their own SSH public key to the authorized_keys file.

9 John May 11, 2012 at 10:38 am

Hate to burst the bubble – I just found the same hack, and I don’t use Wordpress at all.

John

Comments on this entry are closed.

Previous post:

Next post: