A Cracking Week Off?
I had a week’s holiday of sorts last week. On returning I found that this website had been cracked. (I already had intimations that something was wrong because of site stat failures and an email from @Justin Asking, sometime commenter to this website and others). Anyway, so it was. Unfortunately, I didn’t have good web access so was unable to correct things properly.
The main screen, viewable on zone-h here, was replaced by this,
Site Hack Aug 2011
A neat little JavaScript mouse trailer was part of the package!
The cause was my own – a wide-open directory made so as part of an image upload plugin for my WordPress installation. This plugin makes it easy and neat for any commenter to add material to the website……unfortunately for me, it allowed any file, with active content or not, to be uploaded.
Needless to say, the plugin is now disabled and the directory is locked down to the specific file types that I’ll accept. No more active content allowed there matey!
Unwanted Extras
Once the nasty files were uploaded, the internal site privileges allowed the install of a swathe of .htm files to the site root and uploads folder. These had various names like f.htm, g.htm etc. Index.htm was the file on show.
Alongside these, apart from files needed to run the previously mentioned JavaScript, were another swathe of .phtml files, such as joker.phtml, which are actually php code shining as html. A couple of plain text files had also been uploaded. These had lists of files, sites and persons.
All .htaccess files were okay as well as the WordPress installation files. To be sure, I redid the WordPress install from scratch with fresh downloaded files..
Finale
All told, about fifty files were dumped on my website. I’ve hopefully removed the lot and have them downloaded for analysis at a later date. The screen content and internal code all points to Turkish or S.E. Asian (Vietnam or Indonesia) Muslim crackers (I refuse to use the hacker term except to clarify the cracking of security by it’s now-common usage). Saying this, the culprits (the code points to several authors who used freely downloadable files from cracking websites and then proudly expected a pat on the back for their extreme skill at doing a download…like….der….), the culprits could have come from anywhere.
Fifth columnists and agent-provocateurs are nothing new.
Interestingly, being cracked puts me in the same company as at least 186 well-known multinational businesses, such as Acer, Vodaphone, BetFair, The Daily Telegraph, The Register, Spam.Org, Victoria Beckham and Destiny’s Child.
Even System of a Down dot com, was down!
Zone-h’s full list is here. The Register reports it here, The Guardian here.
The Guardian interview with the crackers notes that the culprits had been planning the attack for some time which obviously includes the time when my site was compromised. I don’t know if my website was actually used as part of the above DNS server attack but it’s usual for an attack like a DDOS to use several vectors and simultaneous attack points in order to force a server to fail and dump code. This dump then reveals passwords and the like for later use.
Addendum
WordPress.Org’s forum has a posting about this crack from last week. A Google search in the comment by RedNeckTexan shows the attack on this website to be far from unique….! The links I’ve followed go right to the heart of the crack and the people doing the cracking.
This is the Google Search on the “Easy Comment Uploader” plugin. Like me, RedNeckTexan has pulled the plugin for now, which can be found in the WordPress repository here.
