This hijacking is getting stupid!
April 19th, 2008 by ScottK | Filed in My Life

I want to shout out to Mouseclone for letting me know there was a problem with this site. I was contacted on Friday about an alert that was raised to him that I had a possible iframe hijack on my site. Not really knowing what he was talking about, I quickly scanned my source code for the exact iframe source that he provided. Not finding anything, I dismissed it, as many users of SocialSpark visit me and he possibly confused me with someone else.
I did find today that a database injection had in fact been done and the iframe was there. My mistake was that I only hit the home page, and the iframe was on the previous page. The iframe source refers to 61.155.8.157, and after some examination of the obfuscated JavaScript, redirections were discovered. I’ve contacted the server abuse department and will follow up if these people are not shut down.
Welcome to the interwebs. This is the second time I have been hijacked in the same way. This is a new theme that I have gone through, and I cannot find malicious PHP code, and since it’s in the admin section I can only assume that it’s a Wordpress security problem. This, however, is the second time I’ve found hijacked stuff in my database!
While I have gone through every line of code in both this theme and the access logs for this site, I cannot find how this is happening, which makes me very cranky as it’s happening.
My apologies to anyone who has gotten alerts. Systems are in place to track these and prevent them from happening again. I hate Wordpress 2.5 (I just set up a site using it), but if it’s a 2.3 problem I’ll have to upgrade.
Tags: hijack, JavaScript, SocialSpark

I’m happy that you were able to get this solved. I don’t run a virus scanner at home, so if I had visited your site while at home I would have never found it. The reason I don’t run a scanner at home is because I run Linux and 90% of the viruses out there are written for Windows. Guess I need to get the Linux version of NOD32; it hasn’t let me down yet, as far as I can tell.
Oddly enough, I just now started noticing the same IP address showing up on my statusbar — retrieving data, it seems. Thank you for making a post, it helped me locate the issue.
This is actually the THIRD time I’ve been hacked in such a manner (also using Wordpress, newest version) and I’m getting frustrated enough to move the whole dang thing to Blogspot or something equally as drastic.
Anyway, cheers and thanks again!
Oh, darn, belatedly… I meant to add that I AM using 2.5, and I know that the hijack wasn’t there when I upgraded, so I don’t think the version is so much the culprit THIS time. That said, can’t say 2.3 was any safer, either.
[...] I’ve had to clear out every last post because of yet another ridiculous iframe hack. This isn’t the worst thing in the world, but the hacks are getting ridiculous here. [...]
@Rina, the first time this happened was only a month ago but not with iframe. If you’re on 2.5 and I’m on 2.3 then it appears to be a new security vulnerability in the Wordpress core that has just been discovered.
I would not even know where to begin on something like that! I have heard a lot of people are putting this stuff in themes if you download them from various sites instead of the actual theme creators…I’ve also heard it helps to change your “file attributes” - certain numbers put you at risk somehow? I don’t really understand it and unfortunately can’t find the useful how-to I originally read about it on Codex…I can change mine using Filezilla, not sure if that works for everyone though. Please let us know if you figure it out!!
I am seriously, seriously considering migrating my “mixed bag” blog on blogspot to wordpress and breaking it out into targeted category blogs. However, I’ve heard rumors that 2.5 isn’t entirely secure. This seemed like all they wanted to do was hack some pointers to themselves into your blog, but they could do a lot worse if they can do that. Even Scott Kveton (who is extremely knowledgeable) had his wordpress hacked.
People use words like iframe and injection rather liberally without really knowing what they are. Are you saying you had an iframe in a template which was fed by some external code blurp, and the external code blurp had turned into something bad in the database? Do you know at what level this occurred? Was it a database row containing site blurps?
@CR Dick, here is the listing of events on how I figured it out.
1. Alerted by mouseclone
2. Verified an iframe was within the textual source code of the web page via view source, and not a page debugger.
3. Checked the post in question; I checked it in the Wordpress post editor in the code tab (this is what pissed me off, see below).
4. Having not found the iframe in the code view of the Wordpress editor, I checked the raw database outside of anything web or Wordpress. Sure enough, it was there.
So that means many Wordpress sites can be affected but not detected unless viewing the source, or checking the raw results of the database. This blog is version 2.3 and my newest blog is v 2.5, but not really popular enough to “suffer” the attacks.
Now just for an update to this story. The abuse email is invalid and returns user not found. About the time of the database injection, a major break of Internet Information Servers from China was implemented.
The JavaScript architecture of the attacks smells like what may have happened here. I was not able to find a breached IIS server to verify the JavaScript though.
To answer your question, this was a complete breach of admin security that allowed an existing post to be updated in the database. Not a third party widget or template that manipulated the DOM. I’ve always enjoyed Wordpress but it’s getting to the point that even I am thinking of just writing my own software and locking it down hard.
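A defender-side check for the situation in step 4 above (the injected markup sits in the stored post HTML but is not visible in the editor): the script below scans raw post rows for iframes pointing at IP-literal or non-allow-listed hosts, or sized/styled to be invisible. This is an added example, not code from the post or from Wordpress; the allow-list, the sample rows and the `(ID, post_title, post_content)` column layout are assumptions.

```python
"""Scan stored WordPress post content for injected <iframe> elements.

Assumes rows are (ID, post_title, post_content) tuples as a cursor over
wp_posts would return them; the allow-list below is an assumption.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of embed hosts the site legitimately uses.
ALLOWED_HOSTS = {"www.youtube.com", "player.vimeo.com"}


class IframeFinder(HTMLParser):
    """Collect the attribute dicts of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def is_suspicious(attrs):
    """Return a list of reasons an iframe looks injected (empty = clean)."""
    src = attrs.get("src") or ""
    host = (urlparse(src).hostname or "").lower()
    reasons = []
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("ip-literal host")
    elif host and host not in ALLOWED_HOSTS:
        reasons.append("host not allow-listed")
    # Drive-by frames are typically 0x0/1x1 or hidden via inline style.
    dims = (attrs.get("width") or "", attrs.get("height") or "")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if any(d.strip() in ("0", "1", "0px", "1px") for d in dims) \
            or "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden or zero-size frame")
    return reasons


def scan_posts(rows):
    """Return (post_id, src, reasons) for each suspicious iframe found."""
    findings = []
    for post_id, _title, content in rows:
        finder = IframeFinder()
        finder.feed(content or "")
        for attrs in finder.iframes:
            reasons = is_suspicious(attrs)
            if reasons:
                findings.append((post_id, attrs.get("src"), reasons))
    return findings


# Constructed sample rows; post 2 carries the IP from the post above.
SAMPLE_ROWS = [
    (1, "Clean post", '<p>Hi</p><iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>'),
    (2, "Injected post", '<p>Real text.</p><iframe src="http://61.155.8.157/" width="0" height="0" frameborder="0"></iframe>'),
    (3, "No frames", "<p>Just text</p>"),
]

if __name__ == "__main__":
    for post_id, src, reasons in scan_posts(SAMPLE_ROWS):
        print(f"post {post_id}: {src} -> {', '.join(reasons)}")
```

Run it against a real dump by replacing `SAMPLE_ROWS` with the rows from `SELECT ID, post_title, post_content FROM wp_posts`; the editor's rendering is bypassed entirely, which is the point.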