Website bombardment and crack of 2009

Now it's time for a seriously long-winded story, my little kitties. It has its beginnings, middles, and endings. It's about how I realized my decrepit WordPress install was not so secure.

Akismet Stats 2008-2009
This may or may not have anything to do with my website getting cracked into, and it may or may not have been a precursor to what followed: 23 July was the last post of last year. Months after that my WordPress/Akismet install received and caught a good amount of spam, with a good chunk of it being from September 2009. More than 1½ times the amount recorded from previous years combined. A massive flood of failed spam comments.

I paid no real attention, since this was probably due to the July post that let spam bots know the weblog was alive and kicking, but then again this was happening about two months after the post.

So…come 31 October 2009, I try to SFTP to my server and I couldn't even log in. I forget what error WinSCP kept giving me after a while. I think it was something about a timeout, but it wasn't the usual timeout error. I kept getting it, so I updated WinSCP just to make sure, and it still kept happening. I even tried the Firefox extension FireFTP…no dice. I could get into WordPress and phpMyAdmin fine through my browser, but that was not what I was looking to do. Luckily, DreamHost offers a WebFTP login which can be found in the DH panel. It can be used to edit your site pages via a web browser. I guess I should have tried to access my site via command line/shell to see if I could get in that way, but I didn't feel like it. I decided to try WebFTP for the time being to do some minor editing.

When I clicked to edit the source of one of my files, I noticed an extra line of code at the top of the pages I brought up. At first I thought this was something the web-based editor adds onto the files. I don't want something adding stuff to my code; I have to find a way back into my server that I know works. Further research into what the added code actually was revealed that I was a victim of the eval(base64_decode()… crack, which starts off like:
<?php /**/
eval(base64_decode("aWYoZnVuY3R...
....
?>

Oh, crap. That's when I put my site into maintenance mode until I figured out the extent of the damage and how it happened. As for not being able to log in, it suddenly came to me what might have been the cause. Not the hack crack, but the fact that I had changed my router's firewall setting to test out a more secure setting and left it that way. This turned out to be too much and far more restrictive than what I needed. Since the router's firewall was boosted up to restrict the programs and traffic allowed, I ended up blocking myself out of my server. Aackk! I switched the setting so the information could be sent and received properly without being partially blocked or ignored. It worked! So folks, if you keep getting timeouts or whatever, try to think back and remember if you changed a setting here or there.

Finally, checking some more files via WinSCP, I found more of the same junk added throughout my .php files. It nested itself throughout my WordPress directories. Some files were altered, others were not. The files affected were all modified around the 26th and 28th of October 2009.

Decoding the bulk of the crap to make it at least somewhat human readable showed an "if function exists" clause:
if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1

I have no idea what the global variable "sh_no" is. Elsewhere in the code it had a few gzdecode()s, a bunch of gibberish, and something that looked like it was meant to alter something in the <body> tag:

if(preg_match('/\<body/si', ...
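As an added example (not the author's code), here is a small Python scanner that walks a PHP tree, flags every eval(base64_decode("…")) call, base64-decodes the blob for reading only (it is never executed), and reports which of the fragments quoted above (the sh_no global, gzdecode(), the <body> preg_match) show up in it. The sample file built inside the script is constructed to resemble the snippets shown here and is not a real payload.

```python
import base64
import binascii
import re
from pathlib import Path

# The injection seen on the page opens with eval(base64_decode("...")); capture the blob.
INJECT_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)", re.S)

# Fragments the decoded payload on the page contained; matched as text, never executed.
INDICATORS = ("$GLOBALS['sh_no']", "gzdecode(", "preg_match('/\\<body/si'")


def decode_payload(blob):
    """Base64-decode the eval() argument for reading only; returns '' on bad base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return ""


def scan_source(src):
    """Return one finding per eval(base64_decode()) call in a PHP source string."""
    findings = []
    for m in INJECT_RE.finditer(src):
        decoded = decode_payload(m.group(1))
        findings.append({
            "offset": m.start(),
            "decoded_prefix": decoded[:60],
            "indicators": [i for i in INDICATORS if i in decoded],
        })
    return findings


def scan_tree(root, suffixes=(".php",)):
    """Walk an install directory (e.g. a WordPress root) and map file -> findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hits = scan_source(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


# Constructed sample modelled on the page's decoded snippet (not a real payload).
SAMPLE_PAYLOAD = ("if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;"
                  "$d=gzdecode($x);if(preg_match('/\\<body/si',$d)){/* ... */}}")
SAMPLE_PHP = ("<?php /**/\neval(base64_decode(\""
              + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode() + "\"));\n?>\n"
              "<?php echo 'untouched page code'; ?>\n")

if __name__ == "__main__":
    for f in scan_source(SAMPLE_PHP):
        print(f["offset"], f["indicators"], f["decoded_prefix"])
```

Run scan_tree() against a copy of the install to list the affected files; pairing the report with each file's modification time narrows the window the post describes (the 26th to 28th of October).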

Strangely, the function gzdecode() is not introduced until PHP 6. Many servers out there are at PHP 5.x, and there are even a few still using PHP 4.x. DreamHost currently has both 4 and 5. Very, very few servers are running the bleeding-edge 6, and maybe even fewer than that for people on shared hosting plans. I wonder if this was to be a platform for a future larger crack once more servers start to switch over to PHP 6?

Anyway, the "…wp-includes/js/tinymce/themes/advanced/images/xp/style.css.php…" section in the decoded code might be where an old security flaw in the TinyMCE editor caused my site to be exploited. Regular .htm/.html files elsewhere in other directories were fine, along with some other .php files. I never use the visual editor to post. Oh, yeah and… holy crap! My WordPress version was ancient! I seriously didn't realize how old the install really was, version 2.0.4?

I downloaded my theme and other non-WP directories, then scanned all my files for viruses. I saved a copy of the database to see exactly how much damage was actually done. Checking the files on my site and my MySQL DB didn't show any altered links in posts or extra registered users from what I skimmed through. Code was just added and nothing else? I didn't find any iframes with ads added when I viewed my website, but then again I didn't check the source code at the time. I should have saved the WP install directories as well for a closer look.

My site stats show some referring URLs with "…translate.googleusercontent.com/translate_c?hl=zh&ie=…" in them. The "zh" means Chinese. It may be the Google robots indexing (and translating?) my site. Is it related to the crack? Who knows, but 66 requests for only 3 pages? Maybe something was causing the bot to get caught in a loop.

Server log showing increased hits from translate.googleusercontent.com

I decided to check my server stats and my Clustrmaps page, and then noticed an increase in visits to my site from China. Maybe a googlebot in China? A better robots.txt file should handle some of these bots.
ClustrMaps 2006-2009 archive for this site.

These events, along with my attempts to reboot my site, have been piling up on my to-do list. At least I finally got my butt into gear and got my site rebooted, despite minor troubles with the fact that around 31 Jan – 1 Feb 2010 the DreamHost server I'm on was somehow about 12 minutes off when accounting for the time zone difference (about -3 hours 12 minutes without adjustments to my time zone; they're PST, I'm EST). Now it's finally been corrected on their end. There are still other minor things I have to do, like add a page here and there, but it's 99.98% ready. Yippee!

Coming soon: the details on my 2010 design reboot and what happened to my original "steampunk" look idea that I previously tweeted about, which, as you can see, is not currently gracing the face of my site.