This may or may not have anything to do with my website getting cracked into and it may or may not have been a precursor to what followed: 23 July was the last post of last year. Months after that my WordPress/Akismet install received and caught a good amount of spam with a good chunk of them being from September 2009. More than 1½ times the amount recorded from previous years combined. A massive flood in failed spam comments.

I paid no real attention since this was probably due to the July post that helped spam bots know the weblog was alive and kicking, but then again this was happening about two months after the post.

So…come 31 October 2009, I try to SFTP to my server and I couldn’t even log into my server. I forgot what error the WinSCP keep giving me after a while. I think it was something about a timeout but it wasn’t the usual timeout error. I kept getting it so I updated WinSCP just to make sure and it still kept happening. I even tried the Firefox extension FireFTP…no dice. I could get into WordPress and phpMyAdmin fine through my browser but that was not what I was looking to do. Luckily, DreamHost offers a WebFTP login which can be found in the DH panel. It can be used to edit your site pages via a web browser. I guess I should have tried to access my site via command line/shell to see if I could get in that way, but I didn’t feel like it. Decided to try to WebFTP for the time being to do some minor editing.

When I clicked to edit the source of one of my files I noticed that an extra line of code at the top of the pages I brought up. First I thought this was something the web based editor adds onto the files. I don’t want something adding stuff to my code. I have to find a way back into my server that I know works. Further research into what the code added actually was had revealed that I was a victim of the eval(base64_decode()… crack that starts off like
<?php /**/
eval(base64_decode("aWYoZnVuY3R...
....
?>

Oh, crap. That’s when I put my site into maintenance mode until I figured out the extent of the damage and how it happened. As far as not being able to log in, it suddenly came to me what might have been the cause. Not the hack crack but the fact that I changed my router’s firewall setting to test out a more secure setting and left it that way. This turned out to be too much and far more restrictive than what I needed. Since the router’s firewall was boosted up to restrict programs and traffic allowed, I ended up blocking myself out of my server. Aackk! I switched the setting so the information could be sent and received properly with out being partially blocked or ignored. It worked! So folks, if you keep getting timeouts or whatever, try to think back and remember if you changed a setting here or there.

Finally, I checked some more files via WinSCP I found more of the same junk added through out my .php files. It nested itself throughout my WordPress directories. Some files altered, others were not. The files affected were all modified around the 26th and 28th of October 2009.

Decoding the bulk of the crap to make it atleast somewhat human readable showed an “if file exists” clause:
if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1 I have no idea what the global variable “sh_no” is. Elsewhere in the code it had a few gzdecode()s, a bunch of gibberish and something that look like it was to alter something in the <body> tag:

if(preg_match('/\<body/si', ...

Strangely, the function gzdecode() is not introduced until PHP 6. Many servers out there are at PHP 5.x and there are even a few still using PHP 4.x. DreamHost currently has both 4 and 5. Very, very few servers are running the bleeding edge 6 and maybe even less than that for people on shared hosting plans. I wonder if this was to be a platform to a future larger crack once more servers start to switch over to PHP 6?

Anyway, it was the “…wp-includes/js/tinymce/themes/advanced/images/xp/style.css.php…” section in the decryption might be where an old security flaw in the TinyMCE editor cause my site to be exploited. Regular .htm/.html files elsewhere in other directories were fine along with some other .php files. I never use the visual editor to post. Oh, yeah and… holy crap! My WordPress version was ancient! I seriously didn’t realized how old the install really was, version 2.0.4?

I download my theme and other non-WP directories then scanned all my files for viruses. Saved a copy of the database to see exactly how much damage was actually done. Checking the files on my site and my MySQL DB didn’t show any altered links in posts or registered extra users from what I skimmed through. Code was just added and nothing else? I didn’t find any iframes with ads added when I viewed my website then again I didn’t check the source code at the time. Should have saved the WP install directories as well for a closer look.

My site stats show some referring URLs with “…translate.googleusercontent.com/translate_c?hl=zh&ie=…” in it. The “zh” means Chinese. It may be the Google robots indexing (and translating?) my site. Is it related to the crack? Who knows, but 66 requests for only 3 pages? Maybe something was causing the bot to get caught in loop.

Server log showing increased hits from translate.googleusercontent.com

ClustrMaps 2006-2009 archive for this site.

These events along with my attempts to reboot my site have been piling up on my to-do list. At least, finally I got my butt into gear and got my site rebooted despite minor troubles with the fact that around 31 Jan – 1 Feb 2010 somehow the DreamHost server I’m on was about 12 minutes off when accounting for time zone difference (about -3 hours 12 minutes without adjustments to my time zone, they’re PST, I’m EST). Now it’s finally been corrected on their end. Still there are other minor things that I still have to have done like add a page here and there but it’s 99.98% ready. Yippee!

Coming soon: The details on my 2010 design reboot later and what happened to my original “steampunk” look idea that I previously tweeted about. Of which, you can see, is not currently gracing the face of my site.

Actually this was more of a crack than a hack since it fudged up the creator Erik Benson’s servers. Thus mucking up other peoples’ sites and I’m not talking about just a handful of people here.

15 more between the 18th of June till now. All with the “wanadoo.fr” in the headers. Someone on there is infected and it sends itself to people with different “sender” emails. I’ve got 3 different “senders” so far. The IP numbers are different for the most part but the numbers belong to the same block… “wanadoo.fr”, as in the headers.

I started to keep a little OpenOffice spreadsheet on the attachment names, dates, IP info, subject titles, and sizes of the zombie emails I’m getting (mainly because it finally gives me a reason to start learning the ins-and-outs of OpenOffice). Plus, I figured it wouldn’t be wise to bounce the emails since that might cause more trouble in cyberspace so it’s…

delete, delete, delete!

This time attachments with file the names:

• Manufacture.zlv
• Alive_condom.com
• Counter_strike.vbs
• bateaqxiqy.jpeg
• Message.zip

The last two were sent together, how nice. Taking a closer look at the email headers (The same French header info as the emails I talked about a few days ago on the 15th.) and the common sender name this time, I realized this joker has emailed me before (Re: Past entry titled “Dig this…” from 28 October 03). I can’t really tell if this actual person deliberately sent these to me or not but it’s getting annoying. Luckily my email program has now trained itself to automatically mark it as junk mail.

Of course the recent four were sent with a “latinmail.com” email suffix. A popular spammer domain.

Ha! The Eklectik.com team?! Gee, what a minute, That’s me! Funny I don’t remember doing any “unauthorized access” on my account and sending myself and email to that affect preventing me from accessing my own email. Bad me. For shame! Go figure.

An attached file you say? Obvious ploy to get me to open an attachment in an email from a sender who is unknown—but in the case of the one from The Eklectik.com team, well there is no “The Eklectik.com team” Thank You, but no. Try again.

Who ever this asshole is (whether human or machine) they sent me some other emails too but with the sender email address changed. Apparently with a different attachment with them with names like: MoreInfo.pif, Toy.com, the_message.com and Info.scr. All of which to me spell out trouble (i.e. virus, trojan, phishing).

Some of the emails didn’t even have any regular plain text in the body of the message. Except one that only stated “I love you answer me please” and gave a website address. My sarcastic answer: “Oh, O.K. Uuh, I think it’s time we started seeing other people. Really, it’s been great, but I feel we’ve grown distant. We can still be friends alright?” I really didn’t respond to the email.

Most likely a phishing scam on that one. From the headers I think I’ve narrowed it down to it being supposedly sent from a French domain and an IP based in the Netherlands (Amsterdam).

Hey? I’m in Pittsburgh and never been to Texas. It’s almost like the time when one day I logged into my Amazon.com and found that my birthday info stored and displayed for my wishlist had been changed to October 8 instead of remaining at the correct December 23. I had found out about the change in birthdate some time in November 2002 and who knows how long it was like that. May be I should log into my accounts more often to make sure info doesn’t change for no reason. Once I input info (especially info that should not change a lot or at all) it would be nice if it would stay put.

Damn trolls!

Yep…
…yer browser’s been hijacked!

I was wondering, “Is this a new css or dhtml effect that makes your navigation look like a toolbar? Can’t be, I’ve been on the website before”. I right clicked the toolbar and noticed that it had a new menu item checked: Xupiter. Uuh? One thing I can’t stand is a another toolbar taking up valuable space. I only have 5 other small buttons other than the forward and back buttons with address bar. I don’t need a toolbar I’ll never use—especially a toolbar I didn’t ask for.

I did a Google search and Lockergnome search. The SpywareInfo website was very useful as well. It turns out that it secretly installed itself using Active-X and the “<OBJECT>” tag embedding on a webpage or pop-up… or pop-under for that matter. Oh, well. To combat this I downloaded and used Spybot S&D by PepiMK Software that handled the browser hijacker Xupiter well after a reboot. (You can find the download at various places like ZDNet or at http://security.kolla.de/). My Tempory Internet Files folder still had some bits and pieces of Xupiter that I had to take care of. Now I’ll have a look at my Registry to see if any other bits and pieces were left there.

Nothing like wasting your time and money trying to regain your browser and computer.