verture.net — left handed typing since 2001


My site got hacked 03.09.2009

That statement is getting more and more common, and it's now the 2nd time my site has been the target of it. The first time was 2 years ago, when the FTP service on the server it was hosted on was breached, and some industrious hacker injected code into a bunch of sites to get links to some other sites. Dreamhost took a good beating on that occasion, and learned some valuable lessons.

Earlier in the week I was checking my Webmaster Tools account and noticed that I had a lot of very strange incoming links all of a sudden.
[screenshot: Webmaster Tools incoming links]

I looked at a site search for my site:
[screenshot: site search results]
Those didn't look like posts I had written; in fact, they were full of gibberish. Here's a screenshot of the cache of one of them.

Here's what I managed to figure out about this case:

  • One file (config.inc.php) was modified to include the path to a file called sessions.inc.php. The file's modification date had not changed, so it didn't look like it had been tampered with
  • sessions.inc.php was created on my server and contained some of the content from my site, base64-encoded
  • Other hacked sites had a bunch of links to my site, with funny strings in the URL
  • The funny strings are also base64-encoded, and they seem to contain the actual content
  • Going directly to the pages won't yield anything, as the content will only show for Googlebot
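The four indicators in that list (an include of a file the CMS never used, base64-wrapped content, a Googlebot-only User-Agent test, and a modification date that looks untouched) can all be checked mechanically. The script below is an added example, not the post's own code or the author's CMS: it builds a constructed stand-in site in a temporary directory, using the file names from the post, and scans it. The allow-list EXPECTED_INCLUDES is an assumption about which includes a clean install uses; the back-dated mtime is caught by comparing it with ctime, which utime(2) cannot set.

```python
"""Static triage for the indicators above: an include of a file the CMS does not
normally use, base64-wrapped payloads, a User-Agent test that serves Googlebot
something else, and a modification time that was set back after the edit.
The sample site is constructed here in a temporary directory (it is not the
author's code base); EXPECTED_INCLUDES is an assumed allow-list."""
import base64
import os
import re
import tempfile
import time
from urllib.parse import parse_qsl, urlsplit

# Assumption: the files this CMS legitimately includes. Anything else is suspect.
EXPECTED_INCLUDES = {"db.inc.php", "functions.inc.php"}

INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]")
B64_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]")
# A User-Agent check within a short distance of "googlebot" is the classic
# cloaking pattern: the spam is only rendered for the crawler.
CLOAK_RE = re.compile(r"HTTP_USER_AGENT.{0,80}?googlebot", re.I | re.S)


def scan_file(path):
    """Return a list of (indicator, detail) tuples for one PHP file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    for m in INCLUDE_RE.finditer(src):
        target = os.path.basename(m.group(1))
        if target not in EXPECTED_INCLUDES:
            findings.append(("unexpected_include", target))
    for m in B64_RE.finditer(src):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            decoded = "<not valid base64>"
        findings.append(("base64_payload", decoded[:80]))
    if CLOAK_RE.search(src):
        findings.append(("ua_cloaking", "content rendered only for a Googlebot User-Agent"))
    st = os.stat(path)
    # touch/utime can rewrite mtime, but the kernel bumps ctime on every change to
    # the inode, including that utime call. ctime well ahead of mtime means the
    # file was modified (or its date reset) after the time it claims.
    if st.st_ctime - st.st_mtime > 60:
        findings.append(("mtime_backdated", f"ctime is {int(st.st_ctime - st.st_mtime)}s newer than mtime"))
    return findings


def scan_tree(root):
    """Map relative path -> findings for every .php file with at least one indicator."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                found = scan_file(path)
                if found:
                    report[os.path.relpath(path, root)] = found
    return report


def decode_spam_params(url):
    """Decode the base64 'funny strings' in inbound spam links: every query value
    that is valid base64 and decodes to printable text is returned decoded."""
    decoded = {}
    for key, value in parse_qsl(urlsplit(url).query):
        try:
            text = base64.b64decode(value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            decoded[key] = text
    return decoded


def build_sample_site():
    """Constructed stand-in for the hacked site: one injected include, one dropped
    cloaking file, and a back-dated mtime on the edited config."""
    root = tempfile.mkdtemp(prefix="hacked-site-")
    spam = base64.b64encode(b"<a href='http://spam.example/'>cheap pills</a>").decode()
    files = {
        "index.php": "<?php require('db.inc.php'); echo 'hello'; ?>",
        "db.inc.php": "<?php $db_host = 'localhost'; ?>",
        "config.inc.php": "<?php $cfg['title'] = 'verture'; include('sessions.inc.php'); ?>",
        "sessions.inc.php": "<?php if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) "
                            "{ echo base64_decode('" + spam + "'); } ?>",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    # the trick from the post: set mtime back a year so the edit is invisible to ls -l
    old = time.time() - 365 * 86400
    os.utime(os.path.join(root, "config.inc.php"), (old, old))
    return root


if __name__ == "__main__":
    for path, found in scan_tree(build_sample_site()).items():
        print(path)
        for kind, detail in found:
            print(f"  {kind}: {detail}")
    print(decode_spam_params("http://verture.net/?p=YnV5IG5vdw=="))
```

Run it against a real document root instead of the sample by calling scan_tree("/path/to/htdocs"); the mtime/ctime comparison only works on the original filesystem, since a copy or restore rewrites both timestamps.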

In most cases, having your site hacked comes from running a standard installation of one of the popular blog tools or CMSes out there (WordPress, I'm looking mainly at you). The recovery method is to clean your site and update to the latest version of that tool, which usually has a security patch to apply. The issue in this case is that I always have the latest version of my blogging tool, since I wrote the damn thing myself.

I'm not saying it's pretty, or a great piece of software, but I wrote it myself hoping that it would help me avoid being a victim of automated hacking attempts. This incident makes me curious, and I see a couple of possibilities as to how this happened: either my attempts at being non-standard are something an automated script looking for vulnerabilities can deal with, or somebody actually did this personally, after having found a possible vulnerability in a script of mine.

Obviously, there's a third option as well, that my homegrown CMS just isn't up to par on the security front. I should probably spend some time securing it after this event.

Comments

Robert Gentel / 22:27 / 3rd of September / 2009

You might want to look at your referrer logs, and see if you were found through a special query in search engines. Often automated exploits (and the kind of hack you outline is usually automated) will target those popular programs by looking for a special string. You might be using one that has overlap with the out-of-box software.

Then again, a lot of those hacks are just looking for a "blog" plus keywords, so it may not help.
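Robert's suggestion, turned into something runnable: the script below (an added example, not his or the site owner's code) parses Apache combined-format lines, pulls the query out of Google, Bing and Yahoo referrers, and flags queries that use search operators or "powered by" footprints, which is what an automated scanner looking for a particular script, or "blog" plus keywords, leaves behind. The log lines in SAMPLE_LOG are constructed for the example and use documentation IP ranges.

```python
"""Pull search-engine queries out of an Apache combined-format referrer field and
flag the ones that look like automated 'dork' searches (inurl:, intitle:,
"powered by" ...). The log lines are constructed for this example; nothing here
is from the site's real logs."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Search operators and footprint strings that a person typing a query rarely uses
# but a scanner looking for a particular script or "blog plus keyword" does.
DORK_RE = re.compile(r'\b(?:inurl|intitle|intext|site|filetype):|"powered by', re.I)

# Constructed sample: two organic searches, one dork-style search, one direct hit,
# and one line that is not in combined format at all.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Sep/2009:10:12:01 +0100] "GET /blog/2009/08/hello HTTP/1.1" 200 5120 "http://www.google.com/search?q=left+handed+typing" "Mozilla/5.0 (X11; Linux) Firefox/3.5"
203.0.113.9 - - [01/Sep/2009:10:15:44 +0100] "GET /blog/ HTTP/1.1" 200 8000 "http://www.google.com/search?hl=en&q=%22powered+by%22+inurl%3Ablog+%22left+handed%22" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [01/Sep/2009:10:16:02 +0100] "GET /blog/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0 (Windows; U) Firefox/3.0"
198.51.100.8 - - [01/Sep/2009:10:17:30 +0100] "GET /blog/ HTTP/1.1" 200 8000 "http://search.yahoo.com/search?p=verture.net+blog" "Mozilla/5.0 (Macintosh) Safari/4.0"
this line is not in combined format and is skipped
"""


def search_query(referrer):
    """Return the query string if the referrer is a search results page, else None."""
    parts = urlsplit(referrer)
    host = parts.netloc.lower()
    if "google." in host or host.endswith("bing.com"):
        key = "q"
    elif "yahoo." in host:
        key = "p"
    else:
        return None
    values = parse_qs(parts.query).get(key)
    return values[0] if values else None


def referrer_queries(lines):
    """One record per request that arrived from a search engine."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = search_query(m.group("ref"))
        if query is None:
            continue
        req = m.group("req").split()
        hits.append({
            "ip": m.group("ip"),
            "path": req[1] if len(req) > 1 else m.group("req"),
            "ua": m.group("ua"),
            "query": query,
            "dork": bool(DORK_RE.search(query)),
        })
    return hits


def suspicious_queries(hits):
    """Dork-style queries, most frequent first, with the paths they led to."""
    counts = Counter(h["query"] for h in hits if h["dork"])
    return [(q, n, sorted({h["path"] for h in hits if h["query"] == q}))
            for q, n in counts.most_common()]


if __name__ == "__main__":
    hits = referrer_queries(SAMPLE_LOG.splitlines())
    for q, n, paths in suspicious_queries(hits):
        print(f"{n:3d}  {q!r}  -> {paths}")
```

Feed it real access logs with referrer_queries(open("access.log")); the paths a dork query lands on tell you which script the scanner was fingerprinting, which is the overlap with out-of-the-box software Robert is talking about.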

Otto / 22:33 / 3rd of September / 2009

In the past few years, I've done post-mortems on a LOT of hacked sites (hundreds). Mostly WordPress based ones. Here's the breakdown I've found:

90% of the time:
- Shared server hosting many sites
- Exploit happened on another site on the server
- Poor intra-user security allowed one user to modify another user's files
- Script ran on the server that looked for stuff like config*.php or index.php and auto inserted its malicious code

6% of the time:
- Server running old version of CMS (or backdoored version, more below)
- Known exploit for that version got exploited
- Automatic scanning script did it
- Backdoor inserted for easy re-exploitation later (in case of sub-par cleanup by admin)

3% of the time:
- Worm or trojan running on users computer got their FTP credentials
- Automatic script process run by somebody autohacked a bunch of sites at once (easy since he had their credentials)
- Backdoors usually inserted at the same time (see above).

0.9% of the time:
- New exploit I have not seen before
- Submit security flaw to whoever needs it

0.1% of the time:
- Real hacker with real skills actually made a real compromise that wasn't a script-kiddie attack of some sort
- Vendetta against site operator/political statement/religion, etc.

Thomas J. Raef / 15:38 / 4th of September / 2009

@Otto, your statistics are interesting because our experience has been that over 90% of the time this year, the site has been hacked via a virus on a PC with FTP access to the site.

We've seen a few cases this year (about 8% out of 4,877 sites) where the blog or forum was hacked due to an old version of the software, and less than 3% were the result of the shared webserver being hacked through someone else's website on the same server. As a matter of fact, we developed our own program to test all websites on a shared server to see if they all have the same infection. This leads us to believe that it's a server compromise rather than a bunch of unrelated websites being hacked.

Oftentimes, the server-level infection only presents its infectious code once every so many visitors. It's random, so we can't pinpoint the exact number of visitors it takes to trigger the infectious code being presented to the current visitor, but it is a binary installed on the server that is intercepting the HTTP request and delivering infectious code instead of the intended webpage.

I'm not disagreeing with your findings, just presenting our experience.
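Both behaviours described in this thread, content that only Googlebot gets to see (the post's last bullet) and an injection that shows up in only some responses (Thomas's server-level interceptor), are invisible to a single fetch from your own browser. The probe below is an added example, not code from the post or any commenter: it fetches the same URL repeatedly under a browser User-Agent and a Googlebot User-Agent and compares response hashes. FakeCompromisedServer is a constructed stand-in that uses a request counter in place of the random trigger so the run is repeatable; http_fetch is the real fetcher you would pass to probe() against a live site.

```python
"""Fetch one URL repeatedly as a browser and as Googlebot and compare what comes
back. Two behaviours from the thread show up as differences: content rendered only
for the crawler's User-Agent (cloaking), and an injection that appears in only
some responses. The compromised server below is a constructed stand-in; http_fetch
is what you would pass in against a real site."""
import hashlib
import urllib.request
from collections import defaultdict

USER_AGENTS = {
    "browser": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20090824 Firefox/3.5",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}


def http_fetch(url, user_agent):
    """Real fetcher for use against a live site (not exercised by the sample run)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def probe(fetch, url, samples=20, agents=USER_AGENTS):
    """Return {agent: {body_hash: count}} after `samples` fetches per User-Agent."""
    seen = {}
    for name, ua in agents.items():
        counts = defaultdict(int)
        for _ in range(samples):
            digest = hashlib.sha256(fetch(url, ua)).hexdigest()[:12]
            counts[digest] += 1
        seen[name] = dict(counts)
    return seen


def verdict(seen):
    """Human-readable problems: more than one body per agent, or a crawler that
    never receives the body a browser receives."""
    problems = []
    for name, counts in seen.items():
        if len(counts) > 1:
            problems.append(f"{name}: {len(counts)} distinct bodies over repeated fetches (intermittent injection)")
    browser_bodies = set(seen.get("browser", {}))
    for name, counts in seen.items():
        if name != "browser" and browser_bodies and not (set(counts) & browser_bodies):
            problems.append(f"{name}: never receives what a browser receives (cloaking)")
    return problems


class FakeCompromisedServer:
    """Constructed stand-in: spam links only for Googlebot, and a script tag injected
    into every `every`-th response to anyone. A counter replaces the random trigger
    the comment describes so the sample run is repeatable."""
    CLEAN = b"<html><body><h1>verture.net</h1><p>left handed typing</p></body></html>"

    def __init__(self, every=5):
        self.every = every
        self.requests = 0

    def fetch(self, url, user_agent):
        self.requests += 1
        body = self.CLEAN
        if "googlebot" in user_agent.lower():
            body = body.replace(b"</body>", b"<a href='http://spam.example/'>cheap pills</a></body>")
        if self.requests % self.every == 0:
            body = body.replace(b"</body>", b"<script src='http://evil.example/x.js'></script></body>")
        return body


def clean_fetch(url, user_agent):
    """A healthy server: same body for everyone, every time."""
    return FakeCompromisedServer.CLEAN


if __name__ == "__main__":
    seen = probe(FakeCompromisedServer().fetch, "http://verture.net/")
    for line in verdict(seen) or ["no differences observed"]:
        print(line)
```

Against a real site, pass http_fetch and raise samples well above the suspected trigger interval; a page with a legitimately changing element (a date, a random quote) will also show more than one hash, so diff the bodies before calling it an injection.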

› Bio (sort of)

verture.net is the personal website of me, Jonas Voss, and this is my blog. I lived in Dublin, Ireland from 2005-10, currently live in London, and was born and fully customized in Copenhagen, Denmark. I write about anything that comes to mind. Really.
You can send me an email if that's how you roll.

Disclaimer: I speak for myself, not my employer. srsly. || This work is licensed under a Creative Commons by-nc-sa License.