Hey everyone – did you get any kind of malware warning when visiting my site anytime over the last month or so? I’m curious to see how many people have proper malware detection in their browsers.
Here’s what happened:
- My WordPress installations have all been hacked. I have several running on this hosting account.
- The most likely source of infection was an older version of TimThumb.php, which is part of the WP theme.
- The attacker comes in and drops in some kind of PHP code to attack your files even after you fix the original exploit.
- The main effect for visitors is the execution of some base64-encoded JavaScript code that sits inside certain index.php files, and this JS code is executed on a visitor’s machine. I think it’s intended to grab passwords stored on your (reader’s) machine.
- I’ve never seen the warning on my end at all, but I use a Mac and the code may be targeting IE specifically. I’m not sure yet because I haven’t bothered to decode it yet.
- If I clean up the infected index files, my site shows as being clean when scanned at Sucuri.net – but a few hours later the hack returns, and the base64 encoded stuff is back. So it’s being re-written by other bad files on my server.
- I’ve seen these hacks before, and can usually find modified files by looking at server file timestamps. But this time the bugger is modifying the timestamps so files don’t appear to have been changed.
- For now, my band-aid solution (thanks Val) was to change permissions to read only on the affected files. It seems to have worked, but it’s by no means foolproof. The hacker has my MySQL passwords (which I’ll change), and may still have access to my SSH password (although I don’t think so, already changed).
This particular hack had no visible external indicators to me. So I don’t actually know how long it’s been in place on my server … which is why I’m curious if you’ve seen any malware warnings from your browser / AV software.
It’s a royal pain in the ass, although the silver lining is that I’ve cleaned up a lot of crap on my server that I really didn’t need anymore. Sorta like losing your car keys in a messy room and being forced to clean house to find them.
The only “real” solution to this kind of hack is to completely wipe out all of my files and upload new, clean versions of WordPress and other scripts that I’m running. Then I have to scrub my databases to make sure there weren’t any iframe injections or other crap.
I tell ya … I never thought I’d need to learn about this stuff.
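The re-infection and forged-timestamp behaviour described above is the sort of thing a small scan script can surface. As an added example (not the post's or anyone else's tool), this hypothetical Python scanner flags PHP/JS files that contain an eval(base64_decode(...)) style injection and files whose mtime was rolled back: touch can forge mtime, but ctime is set by the kernel, so a large ctime-minus-mtime gap betrays the tampering. The signature names, the SLACK threshold and the two sample index.php files are constructed for the example.

```python
"""Hypothetical scanner for a WordPress tree: flags files carrying an
eval(base64_decode(...)) style injection and files whose mtime was reset.
touch forges atime/mtime, but ctime is set by the kernel on every write or
inode change, so an mtime far older than ctime means the file was back-dated."""
import os
import re
import tempfile
import time
from pathlib import Path

SIGNATURES = {
    "eval(base64_decode(": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    "eval(gzinflate(": re.compile(rb"eval\s*\(\s*gzinflate\s*\("),
    "long base64 blob": re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}"),
}
SLACK = 3600  # seconds of mtime/ctime skew tolerated for ordinary edits

def scan_content(data: bytes) -> list:
    """Names of the signatures that match one file's bytes."""
    return [name for name, pat in SIGNATURES.items() if pat.search(data)]
def backdated(st: os.stat_result, slack: int = SLACK) -> bool:
    """True when the modification time sits well behind the inode change time."""
    return st.st_ctime - st.st_mtime > slack
def scan_tree(root: str, exts=(".php", ".js", ".html")) -> list:
    """Walk root; return [(path, [findings])] for files worth a manual look."""
    findings = []
    for path in Path(root).rglob("*"):
        if not (path.is_file() and path.suffix.lower() in exts):
            continue
        hits = scan_content(path.read_bytes())
        if backdated(path.stat()):
            hits.append("mtime older than ctime")
        if hits:
            findings.append((path, hits))
    return findings

# Constructed samples, not real payloads: a stock index.php and one with an injected eval line.
CLEAN_INDEX = b"<?php\ndefine('WP_USE_THEMES', true);\nrequire './wp-blog-header.php';\n"
INFECTED_INDEX = b"<?php eval(base64_decode('Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXI='));\n" + CLEAN_INDEX
def demo() -> dict:
    """Write the constructed tree, back-date the infected file, return findings by relative path."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.php").write_bytes(CLEAN_INDEX)
        bad = Path(root, "wp-content", "index.php")
        bad.parent.mkdir()
        bad.write_bytes(INFECTED_INDEX)
        old = time.time() - 90 * 86400
        os.utime(bad, (old, old))  # the forgery: mtime rolled back, ctime still jumps to now
        return {p.relative_to(root).as_posix(): h for p, h in scan_tree(root)}
```

Note that chmod (the read-only band-aid above) also bumps ctime, so run the timestamp check before changing permissions; treat every hit as a candidate to diff against a fresh WordPress download rather than as proof on its own.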
Hi, I'm Chris Umiastowski. I'm a 10-year veteran of sell side equity research and this is where I come to connect with friends on all things related to tech investing.
Yes, I did get a warning message 2 days ago.
Warning yesterday. If they got your ssh password, make sure you clean out authorized_keys (obvious but have to mention it).
No issues on my end from across the pond. Did notice that the layout of your website was a tad bit different, but back to normal today. Beyond that, just great posts! Keep it up.
I got no warning that I remember when visiting your site. I am using Chrome but not sure if this makes a difference.
Is there a likelihood that there could be an infection on our computers?
I did a virus scan not long ago (probably 2 weeks) and it didn’t come up with anything, but that doesn’t always mean a whole lot.
You sent out two posts on April 8th and I think that it was about then that I got a warning from Avast. I’m using IE.
Hi Chris
Sorry to hear you got hacked. That’s never a pleasant feeling.
The TimThumb.php hack has been around for a while and it is unlikely that it obtained your ssh password and it doesn’t care which browser you are using and it probably didn’t get your ssh password. Getting the root or user password is quite difficult to pull off unless you used a really weak password. Always better safe than sorry, so it doesn’t hurt to change your ssh password of course.
The script may not even have hacked your mysql database password but I wouldn’t risk that one either.
The script that we encountered with one of our clients set up a bunch of phishing pages and that’s probably what it has done on your site.
Make sure timthumb is up to date and scour your site for pages that shouldn’t be there.
We can clean it up in an hour or two at most but we’ll charge you for it.
PS. WordPress has lots of potential vulnerabilities, mostly from plugins and poorly written themes. You really have to stay on top of WP and plugin/theme updates.