Being Defaced and cleaning up

Posted on by

One of the wonderful pieces of IT security defense is planning for when you get your arse handed to you. The more technical term is incident response, but it’s not as much fun to say to your mates at the pub.

Being attacked and having to recover is sadly part of IT life these days, but the more practice, the better you get at it. I’m oddly indebted to this particular attacker as it meant I’ve had to spend time understanding how the hosting company works, how this site is put together and the glaring shortfalls of outsourcing management and security to a third party.

On the 31st of May this blog was defaced and had a number of files uploaded to it.

The defacement was of a political, religious statement nature, which I’d suggest defacing web sites is a bit of a waste of time. Given the attacker lives in a democracy, whether he believes it is or not, I’d recommend he’d spend the time working in worth while, legal groups to express his views or simply help out the local community. If you have a voice and a vote use it, people change the world by words and deed, not by petty vandalism or criminal Paypal pharming schemes to steal money from your fellow man.  I’ll get off my soap box now.

On the 7th of June, I actually noticed the defacement. Oops.

Note to self – be more narcissistic and look at my own blog more often.

In under a minute, I went from shock to annoyance to curiosity. How did this guy get in, what was he actually doing and would I be able to work out how to stop it again?

I wasn’t able to log on to the cpanel to control the site, the wacky security of putting it on a random port over https does not work for locked down corporate environments.

So the first step was to call the hosting company and ask if this was a mass defacement or just me. A number of hosting companies hosting word press site had be compromised due to their bad practices, so best to check. Fortunately for  me I go the support “consultant” that struggled with English. After a painful twenty minutes, the best I got out of the conversation was for him to reset a password and mine was the only site hacked. More on this later. He did offer the gems of: Change your password every couple of weeks and don’t set stuff to 755. Magic. If I was a normal human being 755 would mean the world to me. Thank you!

This is now a great time to bring up the SANS six step incident response steps process. These steps help work through how to deal with this mess:

1. Preparation 2. Identification 3. Containment 4. Eradication 5. Recovery 6. Lessons learned

Identification

After  finish work, I finally got on to the site control panel via cpanel and kicked off a backup of the site just to examine off line what had happened.

The defacement was a simple replacement of the index.php file, which contained a lot of meta data. This meta data confirmed the OS, who had customized the OS and where to get a copy of it, what version of Word the defacement page had been made with and a few other pieces of helpful data. What was really interesting was the uploaded fake PayPal.fr payment page sub-directories and file in the public_html folder. The blog’s site logs also contained entries like this:

/~silkhous/PayPaI.Com/confirmmation4548664512884645384534/B!M@R/ProfileCCAdd.js

The /~silkhous refers to another home directory on the same hosted server as my blog. Looks like the other site was suffering the same problem, so much for me with the only site being attacked. Nice work hosting provider!

This caused an instant road block. Alerting Paypal that people are being pharmed out weighted my curious and recover process. As there’s no clear, direct way to contact Paypal’s security team, I had to go through customer service. The very nice lady somewhat taken back that someone might do this and asked me to submit my findings to an email address. When I asked to speak to someone directly, I was told the security team was a back office group and couldn’t be directly contacted. Oh well, the Paypal rep was helpful and was pretty excited, so I sent the details off and went back to the clean up.

Containment, Eradication and Recovery

What I’d found didn’t give me any real clear indications of how the attacker got in. I knew what he’d done to the site, and as he’d kindly defaced the site and tagged it with his email address, I was able to out a fair bit of information on him just from search engines. Still, no clear method of how he got in.

The common options to break in to a WordPress/web site are

1) The hosting provide is vulnerable to attacks and then control the entire server*

2) Bad passwords – allowing brute force attacks (password guessing)

3) Poorly written plug-ins allow attackers to execute code and commands on the site

4) Old version of Word Press allow attackers to execute code through know vulnerabilities

I can safely rule out 2 and 4 as entry points, which leaves only 3 something I can do about now.

Since I make backups of the site every after x number of blog pieces I upload, I decided to delete the entire site and upload a fresh copy of WordPress. Using a couple good articles from WordPress, I picked the parts that worked for me from them to add additional security.

http://codex.wordpress.org/FAQ_My_site_was_hacked

http://codex.wordpress.org/Hardening_WordPress

I then move back old versions of the content to the blog, tested, made a few more changes, took a back up again and then reset the passwords again and ran one final check.

*Should this happen again, time to move web site providers to someone who keeps their OS and software up to date…

Lessons Learned

  • RTFM WordPress’ security guides
  • Avoid having gadgets and plugins just because the look pretty
  • Understand the structure and layout of WordPress and the web site
  • More regular backups
  • Rotate the access logs off the server

So am I safe now?

Possibly, possibly not.

I can say I’ve improved the security of the site and cleaned up some crap. As I still don’t know how he got in, he may just read this, get annoyed and deface the site again using the same hole he did last time. As I think he just ran an automated scanner to find “x” problem then automatically exploit it, he probably won’t read this or even visit the site. Saying that, only a very small number of sites got exploited, so he might come back to visit. :-)

If so and that’s you Mr Attacker- Bonjour là, signalent un commentaire et me font savoir vous êtes entré la première fois. Merci !

I would have used Arabic, but I don’t really trust the translation software. I’ve seen what it does to English.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>