I got hacked – TWICE

Woke up the other day to find that all the WordPress blogs on one of my hosting accounts had been hacked. So this post is about how I fixed the security problem and how to protect your blog.

Usually the first thing I do in the mornings is walk around the top of the mountain, but I’d been a bit freaked out by a big brown snake the day before, so I decided to give walking a miss.


I don’t know what type of snake it was because quite a few are brown, but I do know that some of the snakes around here always make World’s Top 10 Deadliest Snake lists. So if I see one I’m off in the other direction. Which in this case was straight back home. Yep I’m a coward.

And I’m scared of really rich beautiful women too. And mayonnaise :)

Don’t ask about the mayonnaise. It’s a long story involving spiteful aunts, priests, and choirboys and I’m not about to tell it here. Well not today anyhow :)

So back to the hacking, and WordPress security and what to do about it.

I took a pot of coffee downstairs to my office, scanned Google News to check out the sadness of the world, then logged in to my Gmail account.

And the very top email smacked me between the eyes.

Dusty here. I got your information through the Cash Flow Marketing. FYI I was trying to access your mini site profits on several of your pages and my software detected a virus. I was unable to access it. Just wanted to let you know.
Dusty – DBar Safety Technologies

Quickly checking it out I found that all the sites redirected to a site that tried to install rogue anti-virus software. So I put in an urgent support request to the hosting company, then discovered that cPanel still worked and didn’t redirect me, so I started to investigate and found the problem within 10 minutes.

Somehow a Permanent 301 redirect had been set up.


So all I had to do was remove the redirect and the problem was fixed.

But how did the hacker get in? I’d no idea.

Support got back to me after about 25 mins, and we emailed back and forth for a while. They suggested making sure that all my WordPress installations were up to date, including the plugins. All the blogs (about 10 of them) were on 2.7 except one, which was running 2.6.1. That site still had a few major problems even after I’d fixed the redirect, so I tried to re-upload the backup database but failed, and after a few attempts I decided to leave it for another day.

Bad mistake!

Went away for the weekend and my brother Ric from HighDensityGardening.com emailed to let me know his site was hacked again (I host it for him). And this time I’d no idea how to fix it. Here’s a screen grab of part of the front page.

Maybe my old mate Andy Henry did it.

Nope, only kidding Andy :)

Right, Support got back to me and said it was an outdated WordPress issue. Outdated? The blog in question was running WordPress 2.6.5 (I’d updated all the other blogs on this host to 2.7 and just hadn’t got around to this one yet).

“It appears that the account was attacked using a vulnerability in an outdated version of WordPress on one of the sites. Using this vulnerability, PHP shell scripts were uploaded onto the account, which were then further used to deface the site. At this time, I have removed the malicious files, however, you will need to update any and all scripts on the account to prevent further attack. Unfortunately, since the attack occurred before our weekly backups were taken, we do not have a clean copy of the files affected. You will need to replace these with clean copies from your own backups.”

Luckily I do a daily backup of all my WordPress databases, so it was a simple matter of deleting the existing databases and re-uploading a backup version. Playing safe, I skipped a day: logging in to phpMyAdmin, I restored the databases from 2 days earlier.

The last step was to make sure that WordPress and all the plugins were on current, up-to-date versions on all the sites on the account.
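The two symptoms above, the 301 redirect that appeared in the account and the PHP shells support found uploaded onto it, are both things you can check for yourself from a shell on the hosting account. The script below is an added example, not code from the post or the hosting company: it flags off-site Redirect/RewriteRule lines in .htaccess, lists PHP files under wp-content/uploads (WordPress never writes PHP there), and reads the installed version string. The sample site it builds in a temp directory is constructed for the demo; the file name shell.php is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: post-incident checks for the
# symptoms the post describes, a redirect injected into .htaccess and PHP
# files dropped into wp-content/uploads, plus the installed version string.

# Print Redirect/RedirectMatch/RewriteRule lines whose target is an absolute
# URL (i.e. sends visitors off-site). Returns 0 if none, 1 if any were found.
check_htaccess() {
  f="$1"
  [ -f "$f" ] || return 0
  hits=$(grep -Ei '^[[:space:]]*(Redirect(Match|Permanent)?|RewriteRule)[[:space:]].*https?://' "$f" || true)
  [ -z "$hits" ] && return 0
  printf 'Off-site redirect in %s:\n%s\n' "$f" "$hits"
  return 1
}

# WordPress never stores PHP under wp-content/uploads, so any PHP file there is
# a candidate uploaded shell. Prints them; returns 1 if any were found.
check_uploads() {
  d="$1"
  [ -d "$d" ] || return 0
  found=$(find "$d" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \))
  [ -z "$found" ] && return 0
  printf 'PHP files under uploads:\n%s\n' "$found"
  return 1
}

# Read the installed version from wp-includes/version.php (compare it to the current release).
wp_version() {
  awk -F"'" '/^[$]wp_version =/ { print $2 }' "$1/wp-includes/version.php"
}

# Constructed sample site: outdated install, 301 redirect in .htaccess, PHP file in uploads.
build_sample_site() {
  s=$(mktemp -d)
  mkdir -p "$s/wp-includes" "$s/wp-content/uploads/2009/01"
  printf "<?php\n\$wp_version = '2.6.5';\n" > "$s/wp-includes/version.php"
  printf 'RewriteEngine On\nRedirect 301 / http://example.invalid/\n' > "$s/.htaccess"
  : > "$s/wp-content/uploads/2009/01/photo.jpg"
  : > "$s/wp-content/uploads/2009/01/shell.php"   # placeholder for a dropped shell
  printf '%s\n' "$s"
}

SITE=$(build_sample_site)
echo "Installed WordPress: $(wp_version "$SITE")"
check_htaccess "$SITE/.htaccess" || FOUND=1
check_uploads "$SITE/wp-content/uploads" || FOUND=1
[ -n "$FOUND" ] && echo "Clean up, upgrade, then restore from a known-good backup."
rm -rf "$SITE"
```

Point the three functions at each site's real document root instead of the sample; a restored database alone does not remove files left in the web root, so the uploads check matters even after the restore.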

Update: 31st Jan

I just came across a WordPress security plugin, or WordPress firewall which investigates web requests with simple WordPress-specific heuristics to identify and stop most obvious attacks.


It intelligently whitelists and blacklists pathological-looking phrases based on which field they appear within in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night. Its features include —

* Detect, intercept, and log suspicious-looking parameters — and prevent them compromising WordPress.
* Also protect most WordPress plugins from the same attacks.
* Optionally configure as the first plugin to load for maximum security.
* Respond with an innocuous-looking 404, or a home page redirect.
* Optionally send an email to you with a useful dump of information upon blocking a potential attack.
* Turn on or off directory traversal attack detection.
* Turn on or off SQL injection attack detection.
* Turn on or off WordPress-specific SQL injection attack detection.
* Turn on or off blocking executable file uploads.
* Turn on or off remote arbitrary code injection detection.
* Add whitelisted IPs.
* Add additional whitelisted pages and/or fields within such pages to allow above to get through when desirable.

You can download the WordPress Firewall Plugin here.

So far I’ve only installed it on one blog as a test, so assuming it works I’ve still got lots more to add it to. But unless my blogs are attacked again how will I know it’s working? :)

For now – job finished.

Comments

  1. Nice to see someone using the plugin, and that I might have helped. Make sure to leave feedback if it bungles anything up.

    I’m anxious to polish this little plugin up, as it seems to be useful to people ;)

  2. Hi Phil

    How’s it going? Hope you’re nowhere near those bushfires. This is an excellent post, thanks, am downloading that plugin right now!!

    Jerry

    • Jerry

      I’m at least 2 days drive from the bush fires. Floods are more of a problem here – it’s been raining for 3 weeks.

      So far the plugin has worked well, notifying me of several failed attacks.