This Blog Is Not For Reading

A blog, just like any blog, only more so

  • Subscribe

  • Categories

  • RSS Bob Jonkman’s Microblog

    • New note by bobjonkman 26 June 2022
      I've never played #Minecraft - Is this #Federated software? Is it #FreeSoftware? If so, how can Microsoft control what's happening on someone's private server? Even if such code existed in a #FreeSoftware application, I would have thought there'd be a fork that eliminates that external control. It's time for that now. But if #Minecraft isn't […]
    • bobjonkman repeated a notice by lnxw48a1 26 June 2022
      RT @lnxw48a1 Seen via @sullybiker Microsoft bans in #Minecraft will soon carry over to privately run servers as well. One commenter said "Seems like there is a really simple solution here: Don't be a toxic asshole on a public server." But once $CORPORATION starts interfering with privately hosted servers in any way, those servers' […]
    • New note by bobjonkman 27 May 2022
      Mind you, there's something charming and soporific about listening to a professional baseball game with an old-fashioned, laid-back announcer. But most of those have retired... #ASMR
    • New note by bobjonkman 27 May 2022
      Applies to all professional #Sportsball: begging to see overpaid drug-users doing something that the rest of us would gladly do for free. When I walked our dog we'd pass the local baseball field, and we'd stop and watch the game for hours. But the one time I went to a professional baseball match (Toronto Blue […]
    • New note by bobjonkman 19 May 2022
      I've had all my clocks and watches on 24hr time ever since...
    • New note by bobjonkman 19 May 2022
      When I was a young pup, just started my first job. Woke up at 4:30 one day, panicked, "I've slept through the whole day, I'll get fired!!" It was 4:30am, of course. Don't recall if I got back to sleep or not.
    • bobjonkman repeated a notice by lnxw48a1 19 May 2022
      RT @lnxw48a1 I woke up around 02:45, thinking it was 07:45. Before 03:00, I realized it wasn’t time to get up. I still really feel the lack of #sleep 💤.
    • Favorite 19 May 2022
      bobjonkman favorited something by lnxw48a1: I woke up around 02:45, thinking it was 07:45. Before 03:00, I realized it wasn’t time to get up. I still really feel the lack of #sleep 💤.
    • New note by bobjonkman 14 May 2022
      "A Supreme Court that doesn't give a damn what the public wants ... is exactly what a Supreme Court is for, actually." True enough. But elected representatives in government *are* supposed to do what people want, that's why they get elected. If they had fulfilled their obligations to actually represent the citizens' wants then the […]
    • bobjonkman repeated a notice by clacke 14 May 2022
      RT @clacke People, not all people but most people, are angry about the wrong thing. I agree that Roe v Wade being canceled is a bad outcome. I agree that women should have the right to their bodies, but here's my possibly unpopular take: A Supreme Court that doesn't give a damn what the public […]

Recovering from a WordPress hack

Posted by Bob Jonkman on 29th October 2013

WordPress logo cleaved by axe

WordPress Hacked!

Last Friday I was finally getting around to upgrading the WordPress installations on the SOBAC server from v3.6 to v3.6.1. Surprise! WordPress v3.7 had just been released the night before!

WordPress upgrades are famous for their ease of installation. Surprise! After upgrading the first installation most of the plugins were missing, and the theme was broken. A quick look at a directory listing showed that the plugins and themes were still installed. A quick look with a text editor showed some peculiar PHP code at the top of every .php file in the plugins folders. Surprise! This WordPress installation had been hacked! Fortunately, of the five instances of WordPress on this server, only two appeared to be affected. This Blog Is Not For Reading was not one of them.

Each .php file started with something like this:

<?php $zend_framework="\x63\162\x65(…)\x6e"; 
zend_framework("", "\x7d\7(…)

Injected, obfuscated PHP code at the top of every .php file, referencing the zend_framework

Searching the Internet for “wordpress plugin invalid header zend_framework” I found a reference that makes me think this may have been possible because of a flaw in an earlier version of the WordPress code that handles comments. Most likely one of the comment fields (user name, e-mail, web address or the comment text itself) wasn’t properly sanitized, and allowed some kind of code injection (probably PHP injection, not a MySQL injection; the contents of the databases appeared to be untouched).

From the backups of the server it appeared that the breach occurred in or before August — either just before the release of WordPress 3.6 on 1 August 2013 or just before the release of WordPress 3.6.1 on 11 September 2013. If I had not been slack in upgrading to WP v3.6.1 then this breach might have been identified much sooner.

The upgrade to WordPress identified the modified files because the injected code preceded (and corrupted) the WP headers, and so WP v3.7 disabled any affected plugins and themes.

The Fix Is In

I renamed the directory containing the WordPress code, installed a fresh copy of WP3.7, cleaned and copied the wp-config.php and .htaccess files, uploaded a small image to create the wp-content/uploads hierarchy, then copied the upload folder (which didn’t contain any .php files), and then re-installed and re-configured the themes and plugins directly from the WordPress site.

Aside from the additional PHP code, there didn’t appear to be any other damage to the system. So I used the original wp-config.php (but cleaned, and with the “Authentication Unique Keys and Salts” section refreshed), and the new installation just used the existing databases. If there’s any malcode in the databases then that could re-infect the system, so I’m keeping an eye on it.

I have no idea what the malcode was intended to do. It didn’t corrupt the databases or anything else, but it’s possible it was acting as a keylogger or phoning home some other way. If I feel inclined I might try to de-obfuscate the injected code, but right now I don’t really feel like doing forensics.

Someone suggested using AppArmor to make the WordPress directories read-only. I’m not sure that locking down the WP directory is a good idea. The big new feature in WordPress 3.7 is its automatic update feature. If the WordPress directories are locked down then future security updates won’t be applied automatically. If there is an exploit and WordPress issues a new release to fix it, then a locked-down site will experience a delay in upgrading until the SysAdmin notices and upgrades manually (which is what used to happen before v3.7, but it seems a bad idea to delay upgrades when that’s no longer necessary). Also, the plugin and themes directories would be locked down, and they still require fairly frequent manual upgrades.

I sent the users on the affected sites this message:

While doing upgrades on WordPress yesterday I saw that your blog had been hacked sometime during or before August. I’ve fixed it (re-installed the code, copied your media library, re-installed themes and plugins). I don’t think any damage was done beyond the insertion of malicious code in some of the WordPress files. I don’t know what the action of that code was intended to be, but you should change your WordPress password just in case the bad guys captured it. You can change your password on the “Users, Your Profile page” once you’ve logged in.

After spending some time on Saturday fixing the two hacked WordPress sites I’m a little paranoid, and making sure to implement updates quickly. But a little paranoia is good — it’ll ensure I won’t become complacent again.


WordPress Hacks by Rafael Poveda is used under a CC BY-NC-SACreative Commons — Attribution-NonCommercial-ShareAlike — CC BY-NC-SA license.

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in code, How To, security, System Administration | Comments Off on Recovering from a WordPress hack

What to do about compromised Hotmail passwords

Posted by Bob Jonkman on 18th November 2010

autoroute à emails

autoroute à emails by Biscarotte

I administer a number of e-mail systems, and I’ve been seeing a lot of spam coming from Hotmail accounts recently. And both friends and clients have been telling me that it’s not them who are sending spam from Hotmail (and ending up in my e-mail systems), their accounts have been hacked. One person asked me:

Is it just Hotmail? What else could I use? Can’t I just change my password?

Changing passwords is only an effective solution if the account was compromised by social engineering, eg. the legitimate user giving out the password in a phishing attempt or other direct means, or if a simple password was guessed or cracked.

There is evidence that Hotmail and Yahoo’s password recovery mechanism is flawed (eg. the Sarah Palin breach), so that malusers can acquire a new password for an account. I don’t think this is happening, because victims are not reporting being locked out of their accounts. Of course, if the service merely sends out the current password then this may be what is happening, and no amount of password complexity will protect the account.

If the passwords were compromised by an automated password cracker then I would expect only simple passwords to be breached, and accounts with strong passwords would be safe. I do not know what kind of passwords were in use by the people who have compromised accounts, but it is likely they were simple passwords.

While I have no evidence, I think the current rash of breaches is due to a more systematic attack by URL munging, or fuzzing the inputs on a POST request, or some other attack vector. These attacks do not require an authenticated login, and in that case no amount of password complexity will provide security either.

I haven’t heard of similar compromised accounts in Gmail, so that may be a suitable alternative for now. I’ve been recommending that people use the mail accounts provided by their ISPs, largely so that they can make use of the ISP’s technical support if their accounts do get compromised. And, of course, if they’re paying their ISP for a mail account then there may be immunity from liability (“My mail account was compromised and I was paying my ISP for security, so all this spam is their fault”).


Update 5 Feb 2012: I retract the first sentence in the last paragraph. E-mail Administrator friends have been telling me that Google Mail is just as vulnerable as Hotmail and Yahoo. Having just read “Hacked!” in The Atlantic I’m convinced the problem of compromised mail accounts is worse than I thought, and that no online providers (especially the “free” ones) adequately protect the e-mail of their users.

autoroute à emails by Biscarotte is used under a Creative Commons by-sa-v2.0 license.

Tags: , , , , , , , , , , , ,
Posted in email, Internet, spam | 1 Comment »

Better Tag Cloud