I found the hacker… and I’m wondering where else he might be

So finally I had to take Stefan’s advice. Having upgraded to WordPress 2.8.5 over at the Free Our Data blog (where I’ve been having problems with a hacker who’s been inserting spam links invisibly into the end of the page), I …

Oh. And while I was writing that, I noticed – from the FTP transfer that was going on to do a second comparison – that there are a ton of spam pages in the site. Sodding hackers.

Anyway. I downloaded the entire blog content, and then ran a diff – that is, Filemerge (which comes with the Apple Developer Tools, free on your OSX install disk). It compares the content of any set of files, or directories.

Of course the site I’d downloaded was pretty old, and had been upgraded loads of times, so there were loads of files that were on the left (old) and not on the right (new). They just hadn’t been deleted.

Slogging on… I came across a WordPress page which explains which files have been deleted in the move up from 2.7 to 2.8. It’s a useful list and I was working my way through it. Slowly.
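The comparison described above, done by hand in FileMerge, is easy to script: hash every file in a pristine copy of the release and in the tree downloaded from the host, then sort the differences into files only on the host (the interesting ones), files the upgrade notes say were deleted (harmless leftovers), files whose content differs, and files missing from the host. This is an added example, not the author’s procedure or a WordPress tool; the two sample trees it builds are constructed here (not real WordPress files), and the `known_removed` set stands in for the list of deleted files the post refers to.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example: compare a pristine release tree ("clean") against the tree pulled from the
# live host ("live") and sort the differences the way the post's FileMerge pass did by hand.

def hash_tree(root):
    """Map each relative file path under root to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }

def compare_trees(clean_root, live_root, known_removed=frozenset()):
    """known_removed: paths the release notes say were deleted by the upgrade, so their
    presence on the host is a leftover rather than a drop-in."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    only_live = [p for p in live if p not in clean]
    return {
        "unexpected": sorted(p for p in only_live if p not in known_removed),  # investigate these
        "leftover": sorted(p for p in only_live if p in known_removed),        # safe to delete
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "missing": sorted(p for p in clean if p not in live),
    }

def build_demo():
    """Constructed sample trees so the script runs offline; contents are placeholders."""
    base = Path(tempfile.mkdtemp(prefix="wpdiff-"))
    clean, live = base / "clean", base / "live"
    shared = {
        "wp-settings.php": "<?php // settings\n",
        "wp-includes/js/tinymce/themes/advanced/skins/o2k7/ui.css": ".mce { }\n",
        "wp-content/themes/default/index.php": "<?php get_header();\n",
    }
    for rel, body in shared.items():
        for root in (clean, live):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    # The live copy carries a tampered core file, a dropped file in a skins directory
    # (the location the post found ui.php in) and a leftover from an older release;
    # the clean copy has one file the host never received.
    (live / "wp-settings.php").write_text("<?php // settings\n// tampered: extra line appended\n")
    (live / "wp-includes/js/tinymce/themes/advanced/skins/o2k7/ui.php").write_text("<?php /* Codz by angel(4ngel) */\n")
    (live / "wp-includes/js/old-script.js").write_text("// removed in 2.8\n")
    (clean / "wp-includes/new-file.php").write_text("<?php // shipped with 2.8.5\n")
    return clean, live

if __name__ == "__main__":
    clean, live = build_demo()
    report = compare_trees(clean, live, known_removed={"wp-includes/js/old-script.js"})
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
```

Run it against a real host by pointing `compare_trees` at an unpacked release tarball and the FTP download; everything under `unexpected` that is not a plugin, theme or upload you recognise deserves a look, and `modified` core files are as important as new ones, since a backdoor appended to an existing file will not show up as an extra file at all.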

By now I’d got to blog/wp-includes/js/tinymce/themes/advanced/skins/o2k7/ and was starting to marvel at how deep WordPress is, when I came across a rather odd one – ui.php – which had the interesting opening:

Codz by angel(4ngel)

Make in China

Web: http://www.4ngel.net

Hmm, is it very likely that a valid WordPress file would really have that sort of comment? More telling still was that when you loaded it into a PHP editor with live PHP preview, you got this:

Yup, it's a hacker's login

Which in essence says: oh, lordy, you’ve been hacked.

Much digging around followed. It’s a fascinating file: it allows the hacker to download your database, and possibly upload chunks as well. I’m going to have to do an SQL dump now to see whether the content of older posts has been hacked (a favourite trick, apparently).

I also discovered a slew of website pages hidden in a directory called “Online” in the “Default” theme folder – which of course every WordPress install will generally have, so that’s a smart place to put it. (That also makes it a good one to delete.)

But as far as I can tell, the site is clean now. My best guess for how they did this is that it was one of the WordPress weaknesses via user registration – this one? This one? There are so many to choose from – and that it’s been sitting there for an age, just waiting to be exploited, or perhaps being exploited and I didn’t spot it. (Certainly neither Google’s indexing nor I discovered the hack of the /default/images folder – which is intriguing. Have you checked that folder lately?)

I hope this is the end of the tale. I’m not pinning everything on it though.

One other point: thanks again to Stefan Pause, who has helped a lot on this (what’s your site, Stefan?) I’m now alerted to the WordPress Exploit Scanner plugin, which will look through your site and find any suspicious CSS, HTML or similar. It reckons that there’s nothing suspicious in the older posts. Good-o, though I’d like to (and will) make sure myself.

Endnote: interestingly, Google won’t allow the ui.php file to be emailed, even in zip form. (I wanted to send it to my web host to explain what I’d found and tell them to search for it.) So obviously Google Mail’s already got some sort of hashing going on to detect malware being passed around. Impressive.

The hackers? Boring, really, that this sort of endless diversion from site to site is how they make their money. All that enthusiasm and knowledge and ability, turned to trying to persuade people lacking self-esteem to buy pills of unknown quality from sites of extremely dubious status. Isn’t there something better we could do with all our time here?

Super-endnote: And then I find another file – this one at /wp-includes/Text/Renderer/Diff/ where there was one called online.php (a bit of a clue by now, because it’s all about “online” crap these guys are selling.)

The WP Exploit Scanner tipped me off – it notes that the file contains a base64-encoded command, which usually means “something to hide”.

And so it proves: here’s the picture you get
Hacker control interface dropped inside WordPress

(You can see the full-size thing at Flickr.) And hey – what is it about hackers and the black backgrounds? Too much watching the Matrix, I think. Forget it, guys – you’re not The One, you’re pushing junk pills.
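The Exploit Scanner’s tip-off (base64 where none is needed) and the two finds in this post (a PHP file in a TinyMCE skins directory, another under Text/Renderer/Diff) suggest a simple scoring scan: weight the constructs a dropped shell relies on, add a penalty for PHP files sitting in directories that should only hold assets, and list whatever scores above a threshold. This is an added example, not the Exploit Scanner plugin’s code; the weights, the threshold and the sample files it builds are constructed here, and the “4ngel” string is used only because the post quotes it from the file header.

```python
import re
import tempfile
from pathlib import Path

# Added example: heuristic indicators of a dropped PHP shell, each with a constructed weight.
# "4ngel" is the author string quoted in the post; the rest are constructs a skins or
# diff-renderer directory never needs. A file's score is the sum of the weights it matches.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\beval\s*\("), 3, "eval()"),
    (re.compile(r"\bbase64_decode\s*\("), 3, "base64_decode()"),
    (re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("), 2, "decoder chain"),
    (re.compile(r"\b(shell_exec|passthru|system|proc_open|popen)\s*\("), 3, "command execution"),
    (re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 2, "long base64 blob"),
    (re.compile(r"4ngel", re.IGNORECASE), 5, "known shell author string"),
]

# Directories that should contain only static assets; any .php file there is wrong on sight.
ASSET_ONLY_DIRS = ("/images/", "/skins/", "/css/", "/fonts/", "/uploads/")

def scan_file(path, root):
    """Score one PHP file; returns (relative path, score, list of matched indicators)."""
    rel = "/" + path.relative_to(root).as_posix()
    text = path.read_text(errors="replace")
    score, findings = 0, []
    for pattern, weight, label in SUSPICIOUS_PATTERNS:
        if pattern.search(text):
            score += weight
            findings.append(label)
    if any(d in rel for d in ASSET_ONLY_DIRS):
        score += 3
        findings.append("php file in asset-only directory")
    return rel, score, findings

def scan_tree(root, threshold=4):
    """Scan every .php file under root; return hits at or above threshold, highest first.
    A lone base64_decode() scores 3, under the default threshold, because WordPress core
    uses it legitimately; such files are better checked against a pristine copy."""
    root = Path(root)
    hits = [scan_file(p, root) for p in root.rglob("*.php")]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: (-h[1], h[0]))

def build_demo():
    """Constructed sample tree: two clean files and two look-alikes of the post's finds."""
    root = Path(tempfile.mkdtemp(prefix="wpscan-"))
    samples = {
        "wp-content/themes/default/index.php": "<?php get_header(); get_footer();\n",
        "wp-includes/class-legit.php": "<?php $raw = base64_decode($cookie_value);\n",
        "wp-includes/js/tinymce/themes/advanced/skins/o2k7/ui.php":
            "<?php /* Codz by angel(4ngel) */ eval(base64_decode($payload));\n",
        "wp-includes/Text/Renderer/Diff/online.php":
            "<?php eval(gzinflate(base64_decode('" + "A" * 240 + "')));\n",
    }
    for rel, body in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root

if __name__ == "__main__":
    for rel, score, findings in scan_tree(build_demo()):
        print(f"{score:3d}  {rel}  {', '.join(findings)}")
```

The weights are deliberately crude: the point is ranking, not a verdict. Anything the scan lists still needs a human to open the file, and a file that scores zero is not cleared, since a shell can be hidden in plain-looking code; the tree comparison against a pristine release catches what the content heuristics miss.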

8 Comments

  1. Charles

    My blog was hacked in December 2007 and I had a similar experience unravelling it. I made a few changes to lock it down a little, the main one being disallowing write permissions for the Apache user throughout the blog folder. Normally some parts are read-write to allow WordPress to upload images, amend templates etc; but it’s a trade-off I’m happy to make. When I get a moment I may loosen it slightly, eg allowing write access to a folder that can only serve images.

    Tim

  2. Charles: Are you ill? Mentally, that is. You write about having been hacked, yet then, on your Grauniad blog, encourage others to hack a political website.

    You have almost certainly both committed and incited crime.

    I knew The Grauniad was crap, but employing an inciter of crime?

    You deserve to be both sacked and prosecuted.

  3. Charles

    Sunday 25 October 2009 at 12:34 pm

    @Nigel I’ll assume you’re not being ironic, as you’ve left none of the clues that indicate that sort of grasp of context.
    Yes – Free Our Data was hacked. It is unpleasant and annoying; sort of like finding a burglar has been living in your loft.
    The blog post on the Guardian Tech blog (http://www.guardian.co.uk/technology/blog/2009/oct/23/you-decide-hacking-political-website) poses a hypothetical situation that some people – young people, I’d suggest – might find themselves in. It can’t be construed as an incitement because I don’t tell people to do it: I ask “what do you do?”
    It is not the committal of a crime for the same reason – no incitement.
    For the record, I dislike hacking (as I see its effects every day in the mountain of spam emails) and, in that situation, I’d recommend people not to do anything. Far better, if it were possible, to do the “retrovirus” tactic: stuff the party with thousands of your mates and change its constitution so that it reverses its views by 180°.

  4. Well, after your tweet (http://twitter.com/charlesarthur/status/5101572415) curiosity got the better of me. Gosh, you *ARE* distracting :)

    I managed to find the files based on your comments and spent a few minutes to decipher them. The one created by “4ngel” does a few things. It acts as a file manager, allowing the script kiddie (not a true hacker) to browse the files on the server and download / upload files as desired. It also has a database manager, which pretty much allows the script kiddie to view and download accessible portions of your database (even make an exact replica of your database).

    Furthermore, there are a few functions to allow it to execute PHP code directly on the server (without the need to upload a file) and contains base64 encoded content. This encoded content are two different versions of the same thing: a method for establishing connections to other ports on your or a remote server by use of a perl script or by compiling a C-source application.

    The other file you’ve posted a screenshot of (the “Server security information”) script does some extra things that the code from “4ngel” does not, mainly scanning the server for usable hacks.

    So now, what does this all mean to you? First of all, the fact that these files ended up on your server to begin with means that one or more directories had public write access. Most WordPress users will allow quite a few directories to be writeable, because it makes things easier for them. But it also makes it easier for script kiddies, obviously.

    So limit the directories that have public write access. In WordPress, the only directory that would really need this is the /wp-content/uploads directory, and ideally you should also disable the ability to execute anything from this directory. Everything else should be read-only (especially the /wp-include directory). It’s at the cost of upgrading WordPress or installing plugins, but this can be solved by specifying an FTP or SSH account in the “wp-config.php” file.

    Speaking of the “wp-config.php” file, this should be located outside of any publicly accessible directory. For example, if WordPress is installed in “var/www/mysite/public/” then the “wp-config.php” file should be located in “/var/www/mysite/”.

    Some other pointers to secure the blog site is to require authentication to access the file “wp-login.php” and the directory “/wp-admin”. You may also want to deny any particular request methods that do *not* use the HTTP “GET”, “HEAD” or “POST”. For example, there’s no need to allow “CONNECT” or “PUT” requests (the latter being dangerous).

    Also, that screenshot on Flickr gave away some interesting security issues with your site as well. It shows that PHP allows the execution of some potentially dangerous commands such as phpinfo, eval, shell_exec, apache_setenv, etc. These and others can all be used to exploit the server. Furthermore, the /etc/passwd file was accessible apparently — this can give complete access to the *entire* server, not just the website portion. This does not need to be accessible from PHP.

    I’ve read that Mr. Pause has helped you fix the security issues and I’m sure he knows what he’s doing, but this is just as a little insight as to what went wrong. It wasn’t particularly WordPress’ fault, and as with all things popular: the bigger they are, the harder they fall.

    PS.: You did reset all the passwords on the server, right?
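Both Tim’s comment (no write access for the Apache user across the blog folder) and Myatu’s (only /wp-content/uploads writable, nothing executable in it, wp-config.php outside the public directory) describe a state that can be audited rather than assumed. The script below is an added example, not code from either commenter or from WordPress: it walks a document root and reports directories or files writable by group or others outside the uploads tree, PHP files inside uploads, and a wp-config.php sitting in the public directory. It assumes the web server runs as a user other than the file owner (so owner-only write is the safe state) and builds its own constructed sample tree so it runs offline; the request-method and `disable_functions` points in Myatu’s comment are web-server and PHP configuration and are not checked here.

```python
import stat
import tempfile
from pathlib import Path

# Added example: the one subtree WordPress genuinely needs to write into (Myatu's comment).
WRITABLE_OK = ("wp-content/uploads",)
PHP_SUFFIXES = (".php", ".phtml", ".php5")

def audit_install(docroot):
    """Return sorted (relative path, issue) findings for a WordPress document root."""
    docroot = Path(docroot)
    findings = []
    for path in docroot.rglob("*"):
        rel = path.relative_to(docroot).as_posix()
        mode = path.stat().st_mode
        in_uploads = any(rel == ok or rel.startswith(ok + "/") for ok in WRITABLE_OK)
        # Group- or world-writable outside uploads: the web server user (assumed to be
        # different from the owner) or anyone else can drop or alter files here.
        if mode & (stat.S_IWGRP | stat.S_IWOTH) and not in_uploads:
            findings.append((rel, "writable by group/others"))
        # Executable PHP inside the upload tree is exactly what a dropped shell looks like.
        if in_uploads and path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            findings.append((rel, "php file inside uploads"))
    if (docroot / "wp-config.php").exists():
        findings.append(("wp-config.php", "inside the public directory; move one level up"))
    return sorted(findings)

def build_demo():
    """Constructed sample install with a few deliberate mistakes; contents are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="wpperm-"))
    for rel in ("wp-includes/functions.php",
                "wp-content/themes/default/index.php",
                "wp-content/uploads/2009/10/photo.jpg",
                "wp-content/uploads/2009/10/online.php",
                "wp-config.php"):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample\n")
    for path in root.rglob("*"):                      # normalise first, independent of umask
        path.chmod(0o755 if path.is_dir() else 0o644)
    (root / "wp-includes").chmod(0o777)               # world-writable core directory
    (root / "wp-content/themes/default/index.php").chmod(0o666)
    (root / "wp-content/uploads").chmod(0o775)        # the sanctioned exception
    return root

if __name__ == "__main__":
    for rel, issue in audit_install(build_demo()):
        print(f"{rel}: {issue}")
```

Run `audit_install` against the real document root after an upgrade or plugin install as well as after a clean-up, since those are the moments when permissions get loosened “just for a minute” and stay that way.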

  5. Charles, whilst Nigel’s rant does seem to indicate he knows bugger all about the law (like me) I do think he rightly points to a degree of double standards. I think your piece in the Guardian would have been fine without the “television programme” reference but that made it rather less ‘academic’. I think as a journalist you are unlikely to face prosecution but you may have pushed the “facilitate” provisions of the Act. Let’s assume there is an attackable flaw in the ‘PNB’ website that you know about. At that point the ‘nod and a wink’ takes on a new meaning.

  6. Charles

    Monday 26 October 2009 at 12:23 am

    @Myatu don’t worry about the PHP and other commands that are executable – that was running for testing purposes on my own machine, to see what it did. (Cautiously.) Those vulnerabilities don’t exist on the Free Our Data site where I found the file.

    And yes, I did reset the passwords. All of them, everywhere. And salted the cookies.

    @EMComments – there’s no facilitation. I’m giving nobody the tools to carry out a hack, and I’m not encouraging it. I’m positing a situation where two people have gained the expertise, and asking if you were one of them, what you would do. I have never visited the BNP website, have no knowledge of its setup and personally would discourage anyone from attempting a hack under any circumstances. (Though you could posit the situation where it’s needed: to save a life – say if the data is on a website and you can save someone from a death sentence? On some rather different site, to save a life/prevent a killing? There could be endless justifications if you pick the right set of situations. This one, I think not – but people are a bit ready to overreact in all sorts of ways.)

  7. Hi Charles I know there’s no facilitation – unless you are unlucky enough that the site gets hacked in the next few days, then expect a visit from Inspector Knacker ;-0

    “I’m giving nobody the tools to carry out a hack, and I’m not encouraging it.” That would be Conspiracy I think. Facilitation is about the old squatters situation where “someone” forces open the door but does not enter the house. Other people then just “happen” to see the unlocked premises.

    The “Greenpeace” defence might run but your friend would still be hanged because the data obtained couldn’t be trusted as it would be coming from a hacked site.

    Essentially I think the “BNP hack” pricked our Gurdianista consciences. On the one hand we despise those scum and on the other how do we protect our own freedoms if we don’t defend those of other people, even those we despise? Oh, the liberal dilemma!

  8. Hi Charles

    OT This comment system encourages double posting (I know it blocks it) because there is no immediate feedback from the “Say It!” button and quite a delay before the comment appears.

Comments are closed.