herraiz.org | Blog

Main | Blog | Research papers | PhD thesis | GnuPG (PGP)

 Subscribe to this blog in a reader

Under attack

Some weeks ago, I received a message telling me that my website had been hacked, with a link to PHP script that was indeed stored in my server. The email was quite polite, trying to fake a real warning from a benevolent user:

It appears your server has been hacked. the following link, for
example, used to redirect to rogue antispyware:

[LINK REMOVED]

don't click on the link unless you're on Linux or you really know
what you're doing, because it may redirect to a malicious
site. right now it's just redirecting to CNN's web site. you
probably want to get rid of this page and get your server cleaned up
ASAP. just giving you a heads up.  
thanks.

I reviewed all the contents in my server, and I found several other PHP scripts, that were different, and several subdirectories named .files that contained HTML pages with links to similar PHP scripts stored in other sites.

The script was a base-64 encoded. I decoded it using a Python script, and the decoded script was encoded using a naive encrypting algorithm that shifts the positions of the characters. I again decoded that using another Python script, and I finally obtained what the malicious script did. It turns out that the script randomly crawled the URLs of other attacked sites connecting to the machine at 77.55.31.116,, and it generated all the files that were stored in the .files directory.

The IP belonged to an ISP called The Planet.com. The site hosted there seems to belong to a Russian guy. I reported the incident to the abuse contact address of the ISP, but I never got a reply.

I also noted that all the lines ended in \r\n, so the attacker is a Mac Windows user. I gathered some other scripts randomly, and the scripts gave the attacker control to upload and modify files in the hosted machine. It could also query Wordpress databases in the host, what gave me a hint about how the attacker managed to upload files to my server.

I had an old Wordpress installation, and it seems that there is a bug that let anyone from the web to register and inject shell script code. I removed a couple of users from all the Wordpress installations that I had, and disabled the possibility of registering new users. Actually I have dropped Wordpress and I using Jekyll and Emacs Org-Mode for this blog.

From my site, I have recovered a list of 53 sites that have been also attacked, and that have probably not yet cleaned. I am also publishing here a list of the addresses of these sites, together with the name of the malicious PHP script (without the .php extension) that is stored in the site (first and second columns of the text file, respectively). If your site is included in the previous listings, check that the scripts included in the second listing exist, and if they do, remove all the PHP scripts that you are sure you did not upload (you can also check that the suspicious scripts are encoded), and look for directories named .files; remove all those directories.

And finally, keep your Wordpress always up to date; or even better, drop it and change to another solution. It seems that Wordpress is pretty much a Gruyère cheese.

Written on Jan 19 2010 | Tags: #wordpress, #attack, #php
blog comments powered by Disqus