#StandWithUkraine
Andrey “Rarst” Savchenko —  — WordPress — blog, log, php, security

Blog (briefly) hacked

It was one of those awful Fridays yesterday – I had work and then work after work and after even more work I had to attend family event. And when I came home at last my own blog DOSed my browser with endless pop-ups.

I am extremely sorry if you got hit with same yesterday. I do not have exact time frame when it started, but since it was slowed by caching and I don’t see impact on yesterday’s stats I think it was relatively short (hours).

On to boring details.

How he got in

I have no freaking idea. My computers are safe (you can gauge my paranoia by amount of antivirus tools I post about). FTP access is safe, access log clean.

I had found intrusion details in HTTP logs. They show that hacker came from service that lists sites on same server (totally legit, YouGetSignal can do that just as well). And then he simply typed in login URL and logged in. It could believe that my password compromised in some way, but why he came from such service? Why no prior visits or suspicious activity? Why earlier this month another blog at same server was attacked in exactly same way?

Seriously, when initial freaking out period had passed I am still worried about not knowing where was the hole. And even more worried that new server might have it, I had zero security issues in a year on previous hosting.

Damage

Hacker had inserted malicious code in index.php, luckily I use static cache so it takes some time for such thing to spread through site.

He had also installed obscured code in plugins folder secutoolvi-en.php – some kind of PHP backdoor.

Walling up

Malicious iframes were obvious and easy to remove. Luckily I was thorough enough to trace everything step by step with help of LogLady (via gHacks) – turned out to be major help when dealing with 93MB of logs. So I got rogue plugin as well.

Best policy in such cases is complete wipe of everything and restore from backup. Was too exhausted for that so settled for overwriting WP with clean install, changing passwords and numerous security and antivirus scans:

As initial measure I had locked down admin area to only allow access from my home IP, going to look into further hardening:

Also see WordPress Firewall Plugin, recommended by John Myrstad in discussion at WP Tavern Forum.

Overall

Pro – I was ready for anything up to nuked data center. :) Backup of everything, anything and in different places.

Con – I still have no victim to blame. No security screw ups (I am aware of) from myself, doesn’t seem to be [known] WP exploit, hosting security department is looking into it (or will be on Monday… I hope).

Conclusion – I need to tighten control over admin area of my blog, it turned out to be weak spot. And default security measures can fall short of expectations.

Related Posts

17 Comments

  • Miles #

    "FTP access is safe ... It could believe that my password compromised in some way" If you are using FTP instead of SFTP or some other secure protocol, your password could have been sniffed very easily.

  • Rarst #

    @Miles I meant in this specific case, poorly worded it. Host keeps separate and thorough FTP log - so I know I was only person to access it. On previous host I had FTP access locked to my IP, need to check up with new host if they have that.

  • Miles #

    Does your host not support SFTP? Most file transfer clients (WinSCP, FileZilla, etc) support it. No reason to send your login credentials in the clear, even with some sort of restriction based on IP (which could be spoofed: http://en.wikipedia.org/wiki/IP_address_spoofing )

  • Rarst #

    @Miles Doesn't seem like it. It does have WebDAV with SSL, I probably need to look if I can switch to that.

  • digitx #

    In one of your previous posts you mentioned that: "Rarst.net is more or less settled in new place by now, courtesy of WPWebHost and my WordPress story that landed me in winners of their recent contest. [...] Maybe freebie is not a good choice.

  • Rarst #

    @digitx Maybe, but what is a good choice then? :) This blog generates neither traffic or revenue to justify mid to high hosting plans. Previous host was hardly a bliss even if I paid for it. One doesn't expect great things for several bucks a month. So between cheap and free with comparable service I'd prefer free - it is less hassle with finances.

  • digitx #

    I personally do not mind paying a fee for your great blog. If others will, we should work together to find a safe hosting (paid). I will be the first to contribute. Keep this offer in mind and I you want I can research some hosting sites where what happened to you will never happen again. Cheers.

  • Rarst #

    @digitx Thank you, this is great praise. :) It's not strictly financial issue (I make enough to pay for hosting out of my pocket if needed). This blog was started with few rough internal guidelines and one of those is keeping it self-sustained. At moment my priority is to finish up new theme, because that will be major time saver and better platform for monetizing. After it goes live it will be much easier for me to get on with rest of issues and decisions.

  • Donace #

    Oddly my site(s) was hacked as well on Friday; they had injected some type of shell program via a vulnerability in a theme file on an other site and got in that way. Luckily all they did was muck about with index files and luckily for me I was working on the main sites earlier that day and had recent backups. Still a pain up the ass; also the quick thinking by hostgator security tech minimised the down time also.

  • Rarst #

    @Donace Maybe someone was doing mass scanning for exploits... You mean that vulnerability was actually on site other than yours, but on same server? Do you know what vulnerability exactly that was? By the way I had scanned my server for other hacked sites yesterday and everything seems clean. So can't say if more sites were hit, they could cleanup as fast as I did.

  • Donace #

    I am not quite sure how they did it though what I did find was a shell script installed which gave them access to the server without going through cpanel or leaving an IP log trail. Security said there was minimal fall out so wasn't to bad.

  • Rarst #

    @Donace Doesn't seem to be same case then, no need to go through WP admin if you have access to file system. Still waiting for something from security department.

  • Explore yummy cache of Opera alternate download | Rarst.net #

    [...] millions (two) of people enjoyed final release of Opera yesterday, I spent evening in new round of getting hacked and bookmarking WordPress security [...]

  • kelltic #

    FYI: No new articles from 08/27/09 until today (09/03/09). That is not a new problem for me; there are always many days in a row that no article or comments show up. I've mentioned that issue before. But, during this last long run, every time I opened the site it hung up, leaving the hour glass running and notices in the status bar about what was trying to load. I wondered what was going on. Glad to see everything up and running normally (sort of) again.

  • Rarst #

    @kelltic Ok... actually not ok. :) There is something seriously wrong with this blog, you and weekends. There was some problems on Friday and outage (blank page with brief explanation text) on Monday... Rest of time it worked. I know it worked - it worked for me at home, for me at work, and for some hundreds of subscribers and visitors. Cache plugin got recently updated with some new options and that should fix most of issues with comments not showing up. Are you subscribed to feed? If not could you please try that? Are you on any instant messenger so I could quickly get back to you next time it happens? I would really like to properly troubleshoot this.

  • Rarst #

    Little update for those who interested. Hacker wrecked so much (and gave me more trouble on Monday) because he had earlier hacked another site on server via outdated WP. And as I was consulted by http://sucuri.net/ that if hacker has one site then he can screw rest of server really good. Downsides of shared. Issue should be closed, at least support reported they sent hacker's ass flying off server. They also enabled/provided details for SFTP access, that should be little safer for me now.

  • LogLady – rough but useful log viewer | Rarst.net #

    [...] am stuck with it.LogLady is such kind of an app. It isn’t fancy or snappy but it is there for me when it really matters and that is what logs viewer application should be about.What it doesApp opens text file (or [...]