Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday 14 October 2009

WordPress users: UPDATE! UPDATE! UPDATE!

I've just spent the last couple of hours or there abouts (wouldn't normally take that long, but I'm a sadist, so spent time analyzing each file), downloading/analyzing, more downloading, then uploading/re-setting-up and re-configuring a friends site, after his WordPress installation got hacked and a malicious script installed on ALL PHP pages, with a simple script format, placed in all of the .html files.

I cannot stress enough, how important it is to ensure that you;

1. Periodically backup your sites files (seperate dated backups if possible)
2. Periodically backup your sites databases (i.e. daily, if you update your site each day, or however often you update your site)
3. Periodically change your FTP/CMS*/cPanel etc passwords (at least monthly)
4. Keep ALL of your CMS sites (including any plugins they use) UPDATED!!!!!

* CMS = WordPress, phpBB, phpNuke etc etc etc

If your site does get infected, first and foremost, having a backup will make it MUCH easier to restore.

If you are using WordPress, phpBB, SMF, or any of the CMS solutions available (PHP, ASP or otherwise), make sure you REPLACE ALL OF THE FILES on your server, with a fresh copy downloaded directly from the CMS solutions developers, this is much easier and much quicker, than going through the files one by one, and cleaning the infection, and helps prevent your missing a file and causing the entire thing to re-infect your site (which by the by, is also why you shouldn't let anyone that doesn't know what they're doing, anywhere near your site. Sadly, my friend made this mistake, and the person that he paid to clean it up, hadn't done it properly, so the infection just re-infected all of the files again, and stopping his sites loading to boot).

If you are using a password that contains full words - STOP!. Your password, especially those used for MySQL, WordPress etc etc etc, should be mixed case, contain special characters, numbers, and be a minimum of 8 characters. This doesn't guarantee they won't be able to brute force (or "guess") your password, but will make it 10 times harder than it is if you use a full word.

The malicious script in this case, pointed to;

URL: ajkcas.com/_vti_cnf/ad.php
IP: 174.123.201.2 (2.c9.7bae.static.theplanet.com)
AS: 21844 (174.120.0.0/14 THEPLANET-AS - ThePlanet.com Internet Services, Inc.)

I decoded the script quite easily in Malzilla, but for some reason, none of the payload URL's are working (and this isn't the first incarnation of this particular script that has refused to give me the payload, had the same problem yesterday with a different site (vogelvry.com.au, 117.55.236.212 - jupiter.fastwebservers.com.au) that had an identical infection). I ran it through Wepawet and JSUnpack in the hopes of their being able to give me a copy of the payload but alas, they couldn't get it either (URL's are producing what appear to be fake 404's).

Wepawet Analysis:
http://wepawet.cs.ucsb.edu/view.php?hash=6c6e67ae54f4b89ce70b26c1b387558b&t=1255550668&type=js

Google Diagnostics:
http://www.google.com/safebrowsing/diagnostic?site=http://ajkcas.com&hl=en

References:

[INFO] My website has been hacked, what do I do?
http://www.malwaredomainlist.com/forums/index.php?topic=3122.0

No comments: