<p><b>Under attack</b> (Israel Herraiz, <i>Born to be geek!</i>, 2010-01-19, <a href="http://herraiz.org/blog/2010/01/19/under-attack">http://herraiz.org/blog/2010/01/19/under-attack</a>)</p>
<p>
Some weeks ago, I received a message telling me that my website had
been <i>hacked</i>, with a link to PHP script that was indeed stored in my
server. The email was quite polite, trying to fake a real warning from
a benevolent user:
</p>
<pre class="example">
It appears your server has been hacked. the following link, for
example, used to redirect to rogue antispyware:
[LINK REMOVED]
don't click on the link unless you're on Linux or you really know
what you're doing, because it may redirect to a malicious
site. right now it's just redirecting to CNN's web site. you
probably want to get rid of this page and get your server cleaned up
ASAP. just giving you a heads up.
thanks.
</pre>
<p>
I reviewed all the contents in my server, and I found several other
PHP scripts, that were different, and several subdirectories named
<code>.files</code> that contained HTML pages with links to similar PHP scripts
stored in other sites.
</p>
<p>
<a href="http://herraiz.org/blog/files/2010-01-19/tsd.phpremovethis">The script</a> was base64-encoded. I decoded it using a Python script,
and the decoded script was in turn obfuscated with a naive encryption algorithm
that shifts the positions of the characters. I decoded that layer
using another Python script, and <a href="http://herraiz.org/blog/files/2010-01-19/decoded.txt">I finally obtained what the malicious
script did</a>. It turns out that the script randomly crawled the URLs of
other attacked sites, connecting to the machine at 77.55.31.116, and
it generated all the files that were stored in the <code>.files</code> directory.
</p>
<p>
The IP belonged to an ISP called The Planet.com. The site hosted there
seems to belong to a Russian guy. I reported the incident to the abuse
contact address of the ISP, but I never got a reply.
</p>
<p>
I also noted that all the lines ended in <code>\r\n</code>, so the attacker is a
<del>Mac</del> Windows user. <a href="http://herraiz.org/blog/files/2010-01-19/decoded2.txt">I gathered some other scripts randomly</a>, and the scripts gave
the attacker control to upload and modify files on the hosted
machine. They could also query Wordpress databases on the host, which
gave me a hint about how the attacker managed to upload files to my
server.
</p>
<p>
I had an old Wordpress installation, and it seems that there is a bug
that let anyone on the web register and inject shell script
code. I removed a couple of users from all the Wordpress installations
that I had, and disabled the possibility of registering new
users. In fact, I have dropped Wordpress altogether and am now using Jekyll and Emacs
Org-Mode for this blog.
</p>
<p>
From my site, I have recovered a list of <a href="http://herraiz.org/blog/files/2010-01-19/sites.txt">53 sites</a> that have also been
attacked, and that have probably not yet been cleaned. <a href="http://herraiz.org/blog/files/2010-01-19/address_scripts.txt">I am also publishing</a>
here a list of the addresses of these sites, together with the name of
the malicious PHP script (without the <code>.php</code> extension) that is stored
in the site (first and second columns of the text file,
respectively). If your site is included in the previous listings,
check that the scripts included in the second listing exist, and if
they do, remove all the PHP scripts that you are sure you did not
upload (you can also check that the suspicious scripts are encoded),
and look for directories named <code>.files</code>; remove all those directories.
</p>
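<p>
The checks described above can be automated. The following Python script is an added example, not one of the author's own decoding scripts: it walks a web root and flags <code>.files</code> directories, PHP files that <code>eval()</code> a decoded payload or embed a long base64-like blob, and PHP files with <code>\r\n</code> line endings. The sample web root it builds in a temporary directory (including the <code>tsd.php</code> contents) is constructed for the example.
</p>

```python
import os
import re
import tempfile

# Constructed sample web root for this example: one clean script, one
# obfuscated backdoor with CRLF endings, and a hidden ".files" directory.
SAMPLE_TREE = {
    "index.php": "<?php\necho 'hello';\n",
    "wp-content/tsd.php": "<?php\r\neval(base64_decode('" + "QUFB" * 20 + "'));\r\n",
    "wp-content/.files/page1.html": "<a href='http://example.invalid/x.php'>x</a>\n",
}

# eval() fed by a decoding function is the classic shape of an obfuscated shell.
EVAL_RE = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I)
# A quoted run of 60+ base64-alphabet characters is a likely encoded payload.
BLOB_RE = re.compile(r"['\"][A-Za-z0-9+/=]{60,}['\"]")


def scan_webroot(root):
    """Return sorted (kind, relative_path) findings for a web root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for d in dirnames:
            if d == ".files":
                rel = os.path.normpath(os.path.join(rel_dir, d)).replace(os.sep, "/")
                findings.append(("hidden_files_dir", rel))
        for name in filenames:
            if not name.endswith(".php"):
                continue
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            with open(os.path.join(dirpath, name), "rb") as fh:
                data = fh.read()
            text = data.decode("latin-1")  # never fails, keeps byte positions
            if EVAL_RE.search(text):
                findings.append(("eval_decode", rel))
            if BLOB_RE.search(text):
                findings.append(("encoded_blob", rel))
            if b"\r\n" in data:
                findings.append(("crlf_endings", rel))
    return sorted(findings)


def build_sample_tree():
    """Write SAMPLE_TREE into a fresh temp directory, preserving CRLF bytes."""
    root = tempfile.mkdtemp()
    for rel, content in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", newline="") as fh:
            fh.write(content)
    return root


def scan_sample():
    return scan_webroot(build_sample_tree())


if __name__ == "__main__":
    for kind, path in scan_sample():
        print(f"{kind:17} {path}")
```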
<p>
And finally, keep your Wordpress always up to date; or even better,
drop it and change to another solution. It seems that Wordpress is
pretty much a Gruyère cheese.
</p>