<h1>The Infection</h1>
<p>Posted 2014-12-14 in &#8220;notices&#8221;. Permalink: <a href="https://www.shamusyoung.com/twentysidedtale/?p=25353">https://www.shamusyoung.com/twentysidedtale/?p=25353</a></p>
<p>As I mentioned last Friday, <a href="?p=25340" title="Haq?">this site was compromised</a>. A friend (thank you so much Peter!) jumped in and we tried to unravel the mess. And when I say &#8220;we&#8221; I mean, &#8220;Peter did most of the heavy lifting and my job consisted mostly of remembering things.&#8221; Since I know some of you will be curious about it, I thought I&#8217;d share the results.</p>
<p>In looking at the problem, we had several goals and questions:</p>
<ol>
<li>Is the machine actually infected? If so, with what?</li>
<li>Remove the infection.</li>
<li>Figure out how the infection occurred.</li>
<li>Secure the machine to prevent future infections.</li>
</ol>
<p>Let&#8217;s look at the results:</p>
<h3>Is the machine actually infected? If so, with what?</h3>
<p>Yes, it was infected with <a href="https://blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/">Flash &#8216;EITest&#8217;</a>, which seeks to spread by infecting reputable sites. (According to that website, it&#8217;s also infected sites like The Department of Statistics at Carnegie Mellon University.)</p>
<p>It presents a Flash file to visitors and exploits some weakness in Flash + Internet Explorer + Windows 7 to get some sort of malware onto the user&#8217;s machine.</p>
<p>I must say that infections are getting more <strong>socially</strong> clever. Sure, a lot of them had <strong>technological</strong> cleverness to spare. A hacker would find and exploit any number of obscure weaknesses, and write sophisticated code to accomplish amazing wonders on the victim&#8217;s machine. But they were always so brute-force and idiotic when it came to the human element. Infections were brazen, aggressive, and obvious. You could often see right away that you were infected. Yes, a few people were oblivious enough that they didn&#8217;t realize all those porn popups from CNN.com meant their computer was hacked, but those people are not the norm. The malicious programs would attack early, attack often, and would make themselves very obvious. It&#8217;s like a guy in a ski mask walking down the street in broad daylight and attempting to mug every single person he passes, even if it&#8217;s a kid, a hobo, or a policeman. That crime spree isn&#8217;t going to last long.</p>
<p>This particular devil was a little smarter. It wouldn&#8217;t present itself unless you were running Windows 7 and using Internet Explorer, since you needed both of those to be vulnerable. It kept a record of visitors, and would never attack the same person (IP address) twice. After all, after the first attack you&#8217;re either infected or immune, so why bother attacking again?</p>
<p>This made the thing tough to track down.</p>
<h3>Remove the infection.</h3>
<p>The infection was focused on two main files. The first was templater.php, which resided in the root of the blog directory. Templater.php isn&#8217;t a normal part of WordPress, but that directory is full of PHP files. There were two clues that this file didn&#8217;t belong: 1) Apart from index.php and xmlrpc.php, every PHP file WordPress itself puts in that directory is named &#8220;wp-<em>something</em>&#8221;, so a legitimate file would have been called &#8220;wp-templater.php&#8221;. 2) The file was frigging huge. Most of the PHP files in that directory are tiny, a few hundred bytes to a few kilobytes. This thing was 38 kilobytes. The text of the file was mostly gibberish like this:</p>
<pre lang="php">
&lt;?php $ttbfckdqfa = '5c%x78256&lt;pd%x5c%x7825w6Z6...
(continues for a hundred pages)
.../epreg_replaceefqvzwsatb'; $nbwiiqbipb = 
explode(chr((155-111)),'5322,50,8008,29,6622,67,4334,20,9933,52,3670,59,6882,...
(another page of crap)
...,5987,20,6371,46'); $ibhulntvxz=substr($fnfnheabvb&lt;(
sizeof($grsaktoxtd)/2);$fnfnheabvb++) { $szifljfgnf .= 
substr($zxtzeeqjap, $grsaktoxtd[($fnfnheabvb*2)],
$grsaktoxtd[($fnfnheabvb*2)+1]); } return $szifljfgnf; };} 
$jwwectgvwb="\x20\...
(You get the idea.)
</pre>
<p>We figured it's probably binary data, encoded into a string, and then unpacked when needed. The visible fragment fits that guess: the long quoted string is a haystack, the comma-separated list (the comma is written as chr((155-111)) so that the separator is not a literal) is a table of (offset, length) pairs, and the loop at the end pulls those slices out with substr() and concatenates them to rebuild the real code, which then carries a further layer of escaping (the %x5c%x7825 runs) on top of that. The sad thing is that that isn't even the most unreadable PHP file I've ever seen, and this one was obfuscated <em>on purpose</em>.</p>
<p>The other troublesome file was "error_log", which looked like an error log and contained stuff you would expect to find in an error log, but is not part of WordPress proper.</p>
<p>Both of these files had promiscuous file permissions set and were owned by "nobody" instead of being properly owned by my hosting account, as would be normal for files on my website. They were both created on August 4, which suggests that this is when the infection took place. (At the time, I was busy dealing with <a href="?p=24604" title="Something in the Water, Part 3">this</a>.) No other WordPress files (or any files) were created on or around that date.</p>
<p>We checked for other files created after August 4th. Nothing had been touched outside of the WordPress folder.</p>
<p>It seemed pretty easy to remove these offending files, but in the end this "surgical strike" approach seemed too risky. What if this thing had inserted bits of itself into other parts of WordPress? WordPress is huge. It has hundreds of files spread out over dozens of nested directories. Properly inspecting them all by hand would be impractical.</p>
<p>So we did a complete re-install of WordPress. This is why some site features vanished. Those were plugins that need to be re-installed. Over the next couple of days I'll restore comment editing and "check here if you're not a spammer".</p>
<h3>Figure out how the infection occurred.</h3>
<p>My FTP site was using a password that's as old as this blog. However, I don't think that was the attack vector. If the FTP had been used, the attacker would have been able to hide things much better. (The infected files would have been owned by me.)</p>
<p>Several file permissions were far too permissive, and I think that was the opening that let the attacker in. The WordPress folder was set so that anyone on the machine could write to that directory. So if stupidcrap.com and shamusyoung.com are hosted on the same machine, and if stupidcrap.com got hacked, the hacker would also be able to put files in my WordPress directory.</p>
<p>This vulnerability has probably been around for AGES. Back in the early days of this site, I was pretty careless. I didn't know the danger, I didn't quite get how permissions worked, I didn't envision this blog as something that needed to be built to last, and I didn't care what happened to it. If Linux file permissions gave me trouble, I just added permissions until it stopped. I figure I was probably working on one of the early plugins or the theme that now drives the site and wanted to do something fancy. I changed permissions while I was working, and then neglected to change them back when I was done.</p>
<div class="dmnotes">I've always had trouble CREATING files in PHP. If the file exists, then you can just mark the file as write-able and your code will run. But if the file doesn't exist for some reason, then you need to make the <em>directory itself</em> write-able, which is a much larger hole. If I want my script to be able to create one particular file (say, an error log) then I need to make it so that any other script can create ANY file. (Say, another script, or even a binary!) If there's a proper way to handle this in PHP, I've never found it.</div>
<p>So it was probably my fault. The other possibility - that the machine itself was compromised - is technically possible but far less likely. I'm willing to bet this was a mistake I made ages ago.</p>
<h3>Secure the machine to prevent future infections.</h3>
<p>We cleansed the filesystem of all files not owned by me. (Those two were the only troublemakers.) Directory permissions were locked down again. Passwords were changed.</p>
<h3>Wrapping up.</h3>
<p>Remember that you're only at risk if you're on Windows 7 and using unpatched Internet Explorer 11 with Flash enabled. I imagine if you're using Internet Explorer then it's because you have to and not because you want to. Do make sure to keep it up to date. Attacks like this can come from anywhere, so sticking to "safe" sites isn't enough.</p>
<p>Hopefully you didn't catch anything on account of me. Everything should be solid now. Thanks for your patience.</p>
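The templater.php fragment quoted in the &#8220;Remove the infection&#8221; section uses a trick that turns up in a lot of PHP webshells: the real code is scattered through a haystack string, and a flat table of (offset, length) pairs tells a substr() loop how to stitch it back together. The script below is an added example, not code from the post or from the malware. It does two things a responder wants: recognise that shape in a PHP file, and rebuild the hidden payload once the haystack and table have been pulled out. The PHP text, haystack and offset table are constructed samples modelled on the fragment above (the real values were not reproduced on the page), and the regexes are written to match that one fragment, so variants that spell the loop differently will need them widened. The extra %x escaping layer the fragment shows is not decoded here.

```python
import re

# Constructed sample haystack and offset table (not the real templater.php).
# Only the slices named in the table are payload; the rest is filler.
SAMPLE_HAYSTACK = "##eval(######base64_decode(###$_POST['c']####));##"
SAMPLE_TABLE = "2,5,13,14,30,11,45,3"

# Constructed PHP with the same shape as the quoted fragment: separator
# spelled chr((155-111)), an explode()d table, and the substr() loop.
SAMPLE_PHP = r"""<?php $hay = '...haystack elided...';
$tbl = explode(chr((155-111)),'2,5,13,14,30,11,45,3');
function stitch($hay, $tbl) { $out = '';
for ($i = 0; $i < (sizeof($tbl)/2); $i++) {
  $out .= substr($hay, $tbl[($i*2)],
  $tbl[($i*2)+1]); }
return $out; }
eval(stitch($hay, $tbl));"""

# explode(chr((a-b)), ...) : the separator hidden behind integer arithmetic.
SEP_RE = re.compile(r"explode\(\s*chr\(\(\s*(\d+)\s*([-+])\s*(\d+)\s*\)\)")
# substr($hay, $t[($i*2)], $t[($i*2)+1]) : the pairwise slice loop body.
LOOP_RE = re.compile(
    r"substr\(\s*\$\w+\s*,\s*\$\w+\[\(\$\w+\*2\)\]\s*,\s*\$\w+\[\(\$\w+\*2\)\+1\]\s*\)"
)


def table_separator(php_source):
    """Separator the offset table is split on, evaluating the chr((a-b))
    arithmetic; None when the pattern is absent."""
    m = SEP_RE.search(php_source)
    if not m:
        return None
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    return chr(a - b if op == "-" else a + b)


def looks_obfuscated(php_source):
    """True when both halves of the trick are present: the arithmetic
    separator feeding explode(), and a substr() loop indexed in pairs."""
    return table_separator(php_source) is not None and LOOP_RE.search(php_source) is not None


def reassemble(haystack, table, sep=","):
    """Do what the PHP loop does: for i < len(table)/2, append
    haystack[start:start+length] for each (start, length) pair.  A trailing
    odd element is ignored, exactly as sizeof()/2 with '<' ignores it."""
    nums = [int(x) for x in table.split(sep)]
    out = []
    for i in range(len(nums) // 2):
        start, length = nums[2 * i], nums[2 * i + 1]
        out.append(haystack[start:start + length])
    return "".join(out)


if __name__ == "__main__":
    sep = table_separator(SAMPLE_PHP)
    print("obfuscated:", looks_obfuscated(SAMPLE_PHP), "separator:", repr(sep))
    print("payload:", reassemble(SAMPLE_HAYSTACK, SAMPLE_TABLE, sep))
```

Run it against a suspect file by reading the file into `looks_obfuscated()`; on a hit, copy the haystack literal and the table literal out of the file (never execute it) and feed them to `reassemble()` to see what the loop would have produced.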
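The clean-up and the "how did it get in" sections come down to three filesystem checks: which entries are owned by someone other than the hosting account (here, "nobody", the web server's user), which are writable by everyone on the box, and which were changed on or after the suspected infection date; the fix was then to put directory and file permissions back to a restrictive baseline. The script below is an added example, not the author's or Peter's tooling, that performs that audit and lock-down on a constructed sample tree: two untouched legitimate files, the two intruders with loose permissions and post-cutoff mtimes, and a world-writable directory like the one the post blames. One caveat for the aside about PHP creating files: a directory PHP must write into needs write access for the account the web server runs as (or a group it belongs to), not for everyone, which is what `lock_down()` preserves by never granting write to others. Ownership cannot be changed without root, so that check is present but does not fire in the demo.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone

# The infection date from the post; anything modified on or after it is suspect.
CUTOFF = datetime(2014, 8, 4, tzinfo=timezone.utc).timestamp()


def audit_tree(root, expected_uid, not_before):
    """Return sorted (relative_path, [reasons]) for every entry under root
    owned by a uid other than expected_uid, world-writable, or with an mtime
    at or after not_before (epoch seconds).  Symlinks are inspected with
    lstat and never followed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            reasons = []
            if st.st_uid != expected_uid:
                reasons.append("owner uid %d is not %d" % (st.st_uid, expected_uid))
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if st.st_mtime >= not_before:
                reasons.append("modified on/after cutoff")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def lock_down(root, dir_mode=0o755, file_mode=0o644):
    """Reset the usual WordPress baseline: directories rwxr-xr-x, files
    rw-r--r--.  Nothing becomes writable by group or others.  Returns the
    number of entries whose mode was changed."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        targets = [(d, dir_mode) for d in dirnames] + [(f, file_mode) for f in filenames]
        for name, mode in targets:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # chmod would follow the link; leave links alone
            if stat.S_IMODE(os.lstat(path).st_mode) != mode:
                os.chmod(path, mode)
                changed += 1
    return changed


def make_demo_tree(root):
    """Constructed sample tree (not the author's real site)."""
    old = CUTOFF - 30 * 86400   # long before the infection
    new = CUTOFF + 3600         # shortly after it
    os.mkdir(os.path.join(root, "wp-content"))
    entries = {
        "index.php": (0o644, old),
        "wp-config.php": (0o644, old),
        "wp-content/index.php": (0o644, old),
        "templater.php": (0o666, new),   # the intruder, world-writable
        "error_log": (0o666, new),       # its companion
    }
    for rel, (mode, _) in entries.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
        os.chmod(os.path.join(root, rel), mode)
    # The directory everyone could write to; set its mode and mtime last,
    # because creating the files above just touched it.
    entries["wp-content"] = (0o777, old)
    os.chmod(os.path.join(root, "wp-content"), 0o777)
    for rel, (_, mtime) in entries.items():
        os.utime(os.path.join(root, rel), (mtime, mtime))


def run_demo():
    """Build the sample tree in a temp dir, audit, lock down, audit again.
    Returns (findings_before, entries_changed, findings_after)."""
    with tempfile.TemporaryDirectory() as root:
        make_demo_tree(root)
        before = audit_tree(root, os.getuid(), CUTOFF)
        changed = lock_down(root)
        after = audit_tree(root, os.getuid(), CUTOFF)
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = run_demo()
    for label, findings in (("before", before), ("after", after)):
        print(label)
        for path, reasons in findings:
            print("  %-22s %s" % (path, "; ".join(reasons)))
    print("entries changed:", changed)
```

The post-cutoff mtime flags survive the lock-down on purpose: permissions can be reset, but a file that appeared after the infection date still needs a human to decide whether it belongs, which is why a full reinstall from a known-good copy was the safer call.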