October 2009

I found the hacker… and I’m wondering where else he might be

So finally I had to take Stefan’s advice. Having upgraded to WordPress 2.8.5 over at the Free Our Data blog (where I’ve been having problems with a hacker who’s been inserting spam links invisibly into the end of the page), I …

Oh. And while I was writing that, I noticed – from the FTP transfer that was going on to do a second comparison – that there are a ton of spam pages in the site. Sodding hackers.

Anyway. I downloaded the entire blog content, and then ran a diff – that is, FileMerge (which comes with the Apple Developer Tools, free on your OS X install disk). It compares the content of any set of files, or directories.

Of course the site I’d downloaded was pretty old, and had been upgraded loads of times, so there were loads of files that were on the left (old) and not on the right (new). They just hadn’t been deleted.

Slogging on… I came across a WordPress page which explains which files have been deleted in the move up from 2.7 to 2.8. It’s a useful list and I was working my way through it. Slowly.

By now I’d got to blog/wp-includes/js/tinymce/themes/advanced/skins/o2k7/ and was starting to marvel at how deep WordPress is. When I came across a rather odd one – ui.php – which had the interesting opening:

Codz by angel(4ngel)

Make in China

Web: http://www.4ngel.net

Hmm, is it very likely that a valid WordPress file would really have that sort of comment? And more telling was that when you loaded it in a PHP editor with live PHP generation, you get this:

Yup, it's a hacker's login

Which in essence says: oh, lordy, you’ve been hacked.

Much digging around followed. It’s a fascinating file: it allows the hacker to download your database, and possibly upload chunks as well. I’m going to have to do an SQL dump now to see whether the content of older posts has been hacked (a favourite trick, apparently).

I also discovered a slew of website pages hidden in a directory called “Online” in the “Default” theme folder – which of course every WordPress install will generally have, so that’s a smart place to put it. (That also makes it a good one to delete.)

But as far as I can tell, the site is clean now. My best guess for how they did this is that it was one of the WordPress weaknesses via user registration – this one? This one? There are so many to choose from – and that it’s been sitting there for an age, just waiting to be exploited, or perhaps being exploited and I didn’t spot it. (Certainly neither Google’s indexing nor I discovered the hack of the /default/images folder – which is intriguing. Have you checked that folder lately?)

I hope this is the end of the tale. I’m not pinning everything on it though.

One other point: thanks again to Stefan Pause, who has helped a lot on this (what’s your site, Stefan?). I’m now alerted to the WordPress Exploit Scanner plugin, which will look through your site and find any suspicious CSS, HTML or similar. It reckons that there’s nothing suspicious in the older posts. Good-o, though I’d like to (and will) make sure myself.

Endnote: interestingly, Google won’t allow the ui.php file to be emailed, even in zip form. (I wanted to send it to my web host to explain what I’d found and tell them to search for it.) So obviously Google Mail’s already got some sort of hashing going on to detect malware being passed around. Impressive.

The hackers? Boring, really, that this sort of endless diversion from site to site is how they make their money. All that enthusiasm and knowledge and ability, turned to trying to persuade people lacking self-esteem to buy pills of unknown quality from sites of extremely dubious status. Isn’t there something better we could do with all our time here?

Super-endnote: And then I find another file – this one at /wp-includes/Text/Renderer/Diff/ where there was one called online.php (a bit of a clue by now, because it’s all about “online” crap these guys are selling.)

The WP Exploit Scanner tipped me off – it notes that it’s a base_64 command, which usually means “something to hide”.

And so it proves: here’s the picture you get
Hacker control interface dropped inside WordPress

(You can see the full-size thing at Flickr.) And hey – what is it about hackers and the black backgrounds? Too much watching the Matrix, I think. Forget it, guys – you’re not The One, you’re pushing junk pills.

The hacker leaves more footprints… but how many sites have this problem?

Another day, another little hack on freeourdata.org.uk’s front page – once more adding spam links to it in invisible links (using the stylesheet command div style="display:none").

What’s interesting this time though is that the person doing it has decided to be a bit more subtle. Rather than doing it all by hand, he’s clearly decided that automation is the thing.

And so the inserted spam-generating code is just one line of PHP. One line!

Ah, but it’s clever – it’s a base64_decode (i.e., a string of encoded stuff) which is then enclosed in an eval() statement.

So PHP decodes the base_64 stuff and then does what it’s told by that statement.

And what it’s told to evaluate is to get the content of a URL: http://weberneedle.com/pictures/header/h/freeourdata.org.uk.html.
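The eval(base64_decode(...)) one-liner and the display:none link blocks described above are both easy to spot without running anything. Below is an added example (not code from the post, nor the Exploit Scanner plugin) that decodes such strings offline, reports the URLs and PHP functions the payload reaches for, and counts hidden divs; the embedded sample file and its example.invalid host are constructed for the demonstration.

```python
import base64
import re
from pathlib import Path

# Constructed sample: a theme file carrying the kind of one-liner the post describes.
# The payload only references a placeholder host and is never executed by this script.
SAMPLE_PAYLOAD = "echo file_get_contents('http://example.invalid/freeourdata.org.uk.html');"
SAMPLE_FILE = "<?php get_header(); ?>\n<?php eval(base64_decode('%s')); ?>\n" % (
    base64.b64encode(SAMPLE_PAYLOAD.encode()).decode())

EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")
HIDDEN_DIV = re.compile(r'<div[^>]*style\s*=\s*"[^"]*display\s*:\s*none[^"]*"', re.I)
# Functions an injected payload typically uses to pull remote content or run commands.
SUSPECT_CALLS = ("file_get_contents", "curl_exec", "fopen", "system", "shell_exec")

def decode_eval_b64(source: str) -> list[dict]:
    """Decode every eval(base64_decode('...')) string found in source, without executing it."""
    findings = []
    for m in EVAL_B64.finditer(source):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            decoded = "<not valid base64>"
        findings.append({
            "offset": m.start(),
            "decoded": decoded,
            "calls": [c for c in SUSPECT_CALLS if c in decoded],
            "urls": re.findall(r"https?://[^\s'\"]+", decoded),
        })
    return findings

def scan_source(source: str) -> dict:
    """Return the decoded eval payloads and the number of display:none divs in one file."""
    return {"eval_b64": decode_eval_b64(source),
            "hidden_divs": len(HIDDEN_DIV.findall(source))}

def scan_tree(root: str) -> dict[str, dict]:
    """Scan every .php/.html file under root (e.g. a downloaded wp-content) and keep only hits."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".php", ".html", ".htm") and path.is_file():
            r = scan_source(path.read_text(errors="replace"))
            if r["eval_b64"] or r["hidden_divs"]:
                results[str(path)] = r
    return results

if __name__ == "__main__":
    for f in scan_source(SAMPLE_FILE)["eval_b64"]:
        print(f"offset {f['offset']}: calls={f['calls']} urls={f['urls']}")
```

Run scan_tree() over a local copy of the site rather than on the server itself; the URLs it reports are the remote hosts the payload would fetch from, which is what you want to block and report, not visit.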

Weberneedle, in case you’re wondering, is part of Weber Medical. Obviously, it’s been hacked.

The spam is pointing to two directories – http://sportsnation.espn.go.com/fans/Thomas9385 and http://www.anats.org.au/statechapters/act/images/online/canadian/. They’ve been hacked too. (Oh, Anats – the Australian National Association of Teachers of Singing. You’re offering links to a lot more than singing, I’m afraid.)

But it would be interesting to know how many more sites weberneedle’s hacked directory is pointing to.

And the bigger question is: how many sites out there have been hacked? In the course of my experiences alone I’ve come across half a dozen. (And I’m still trying to locate and close the hole in our server that makes this possible, of course. It’s annoying, but not disastrously so.) How many millions (and yes, I mean millions) of sites are there out there which have been exploited in this way, and which are therefore pointing to stuff they never realised?

At some stage there’s going to have to be a massive clearup – but I can’t imagine it happening. You’d pretty much have to turn the web off and on again.