Archive for the category ...english, too!

Wordpress Autotest: v1.11 with English translation, too

If you suspect an intrusion into your Wordpress blog, spam link injection, or you feel that your blog is 0wned, you can run this check.

Instructions and results are in English. Some documentation about Wordpress spam injection and redirection is here.


Attention: your Wordpress blog may be compromised.

Post updated after publishing; see the bottom.

If you came to this article because you got an e-mail or a comment on your blog asking you to read it, please do not go away. Read the rest.

I’m an independent information security researcher. I’m investigating an attack on some Wordpress-based blogs that involves spam and exploits Google’s PageRank mechanism.

First of all, check for yourself whether your blog may be compromised. To do that, you need to do two different checks. The first requires a little utility called “wget”, which is widely used on Linux but is available for Windows, too. Use this command:


wget -U googlebot -O home.html http://yourblogurl/

Note that -O and -U are both capital letters, and http://yourblogurl/ is the address of your blog’s homepage.
After the command runs you will get a single file called home.html, which contains the HTML of your blog homepage as it appears to the Google spider. Open it with a text editor, not from a web browser. Examine the code: you may see a <div> block that contains links that don’t belong to your site. Usually it is shortly after the opening <body> tag, or near the end of the page.
These links are about pills, ring tones, loans, and so on, like ordinary spam mail. You can compare with your homepage as it appears in your browser’s source viewer, or you can get another copy with wget, without the -U option, so you get the “regular” homepage.
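The comparison described above, automated as an added example (this is not the post’s own code): it extracts every link from the copy saved with -U googlebot and from the regular copy, and reports the links that only the spider sees and that point to another host. The two HTML strings are constructed samples; on a real blog feed it the two files saved with wget.

```python
# Added example, not the post's code: list links the spider sees but a normal visitor
# does not. The HTML strings are constructed; feed real files saved with wget instead.
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, anchor text) for every <a> tag in the document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def collect_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links

def cloaked_links(bot_html, plain_html, own_host):
    """Links present only in the spider's copy that point to another host."""
    plain = {href for href, _ in collect_links(plain_html)}
    hits = []
    for href, text in collect_links(bot_html):
        host = urlparse(href).netloc.lower()
        if href not in plain and host and not host.endswith(own_host):
            hits.append((href, text))
    return hits

# Constructed samples: the spider copy carries a hidden <div> right after <body>.
PLAIN = "<html><body><a href='/about'>About</a><a href='http://example.org/'>Friend</a></body></html>"
BOT = ("<html><body><div style='display:none'><a href='http://pills.example/'>buy valium</a>"
       "<a href='http://tones.example/'>ring tones</a></div>" + PLAIN[12:])  # same body as PLAIN

if __name__ == "__main__":
    for href, text in cloaked_links(BOT, PLAIN, "yourblogurl"):
        print("spider-only link: %r -> %s" % (text, href))
```

Links that are relative, or that point to your own host, are ignored, so a clean blog produces an empty list.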

For the second check, open your browser and go to Google search. Type this query string:
buy valium inurl:yourblogurl
where yourblogurl is a part of the site name that is unique to your blog. E.g. if I want to check my blog I will type:
buy valium inurl:ismprofessional
Change the text according to your website, and try other well-known drug names, like the “blue pills” named in every spam mail message.

The result of the query can look something like this:


Buy Valium from Sunrise Movies
All the information and advice you'll need to find the best
Buy Valium with the lowest Vicodin price, even if you're a first-time buyer.
www.yourblogurl/?item=137

The query part of the URL can vary. This is an incomplete list:


?google-approved=number
?coupon_number=number
?item=number
?order_id=number
?certified=number
?pharma-certified=number

If you click on the link in the search results, apparently nothing special happens: you land on your blog.

But try this: open the cookie management of your browser, search for all cookies of your site and delete them. Then return to the Google result page and click again on the link to your blog. This time something different happens: your browser is redirected to an online pharmacy.

How is this possible? I don’t know exactly, but I can make some hypotheses: if someone was able to crack something in your Wordpress installation, the index.php file may contain malicious code that checks, through the cookie, whether you have visited the blog in the past. If you have the cookie, the code does not activate itself, so you see your blog. If you have not visited the blog before and you come from a search engine, the malicious code redirects your browser to the pharmacy site.

It is a sort of hiding mechanism that protects the malicious code from being discovered by regular blog visitors, or by the blog owner.
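The doorway URLs from the list above also leave traces in the web server’s access log. The following is an added example (not the post’s own code) that scans log lines in the common “combined” format for requests carrying one of those query parameters, and notes whether the visitor arrived from a search engine and was answered with an HTTP redirect, which is what the cookie test above suggests. The log lines are constructed samples.

```python
# Added example, not the post's code: scan a web-server access log (combined format)
# for the doorway query strings listed above. The log lines are constructed.
import re
from urllib.parse import parse_qs, urlparse

DOORWAY_PARAMS = {"google-approved", "coupon_number", "item", "order_id",
                  "certified", "pharma-certified"}
SEARCH_ENGINES = ("google.", "yahoo.", "live.")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ '
                    r'"([^"]*)" "([^"]*)"')

def parse_line(line):
    """Split one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, when, method, path, status, referer, agent = m.groups()
    return {"ip": ip, "time": when, "method": method, "path": path,
            "status": int(status), "referer": referer, "agent": agent}

def doorway_hits(lines):
    """Requests carrying a doorway parameter, with search-referrer and redirect flags."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        params = set(parse_qs(urlparse(rec["path"]).query, keep_blank_values=True))
        matched = sorted(params & DOORWAY_PARAMS)
        if not matched:
            continue
        ref_host = urlparse(rec["referer"]).netloc.lower()
        rec["param"] = matched[0]
        rec["from_search"] = any(s in ref_host for s in SEARCH_ENGINES)
        rec["redirected"] = 300 <= rec["status"] < 400
        hits.append(rec)
    return hits

SAMPLE_LOG = [  # constructed: search visitor on a doorway URL, normal view, spider on a doorway URL
    '203.0.113.5 - - [10/Apr/2008:10:01:02 +0200] "GET /?item=137 HTTP/1.1" 302 0 '
    '"http://www.google.com/search?q=buy+valium" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Apr/2008:10:02:30 +0200] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2008:10:03:11 +0200] "GET /?coupon_number=88 HTTP/1.1" 200 7300 '
    '"-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
]

if __name__ == "__main__":
    for h in doorway_hits(SAMPLE_LOG):
        print(h["ip"], h["path"], h["param"], "search:%s redirect:%s" % (h["from_search"], h["redirected"]))
```

A redirect done in JavaScript or with a meta refresh shows up as a 200 in the log, so the redirect flag only catches the HTTP variant; the parameter match is the reliable part.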

If you do not understand the terms I used, please ask someone more skilled to explain them in other words.

I wrote this message because I tried to warn blog owners of the problem, but my messages got no replies, and I suspect they got caught by spam filters. It is quite difficult to write about drug spam without using the same terms used by spammers.

If you are persuaded that my warning is true, please DO NOT delete your Wordpress installation files on the server. Save them in a zip file and, if you can, send the zip file to me, so I can figure out how the malicious code was injected into your blog. After that you can delete all the files and reinstall Wordpress. Check the database as well, because some malicious code puts extraneous data in Wordpress tables.

From what I see, upgrading to Wordpress 2.5 DOES NOT solve the problem. Some of the hacked blogs already use version 2.5, but the problem persists.

Why do I do all this work? Because I think that someone is exploiting a bug or a flaw in Wordpress, or in the web server configuration, to do dirty business. These people know perfectly how Google PageRank works, and are able to use it very well.

I earn nothing from this. I do it only for ethical reasons.

So, if you think that I am in error, please accept my apologies, and you can forget any message I sent to you.

Otherwise, you can contact me using this page.

As soon as I get more information, I will update this post, so stay tuned.

First information available

Thanks to Jay, we have the first data about the malicious code. There are some symptoms:

  • An extraneous file uploaded to the /tmp/ directory on the server, added as a WP add-on. Warning: it didn’t show up on the list, so it was only visible by looking at the actual database using phpMyAdmin.
  • A new admin account in WordPress as well, called “WordPress”. Warning: invisible in the administration interface of WordPress.
  • Other PHP scripts placed around in various directories of the server. Jay did not send me a sample, but he looked into the code, and these scripts allow remote shell and command execution.

Note that Wordpress was updated to the latest release, but the redirect code was still in place and active. Only after directly editing the database did the redirect stop working.

A different cracking scheme

During the analysis of a different blog, I found another type of penetration scheme:

  • The cracker targets old Wordpress releases known to be highly vulnerable, i.e. 2.0.3, 2.0.5 and so on.
  • It injects one or two files into unused directories, like wp-content/themes/classic, or into the uploads directory.
  • These files are: a remote shell coded in PHP, and the “spam injector/redirector”.
  • It uses something called “doorgen”, but the name can be different.

So, check your Wordpress installation for modified or extraneous files.
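One way to do that check, as an added example that is not the post’s own code: hash every file of the live installation and of a clean, freshly unpacked copy of the same Wordpress release, then report files that differ and files that exist only on the live site (such as a stray PHP file in wp-content/themes/classic). The demo builds both trees in a temporary directory with constructed contents; the skipped uploads directory is an assumption made so that user content is not reported.

```python
# Added example, not the post's code: compare a live Wordpress tree with a clean
# copy of the same release; the demo builds constructed trees in a temp directory.
import hashlib
import os
import tempfile

def tree_hashes(root):
    """Map relative path (with / separators) -> SHA-256 of every file under root."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return hashes

def compare_trees(clean_root, live_root, skip=("wp-content/uploads/",)):
    """(modified, extraneous): files that differ from the clean copy and files
    only present in the live tree; user content under skip is not reported."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    extraneous = sorted(p for p in live if p not in clean and not p.startswith(skip))
    return modified, extraneous

def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed trees mirroring the second scheme: a touched index.php and a
    stray PHP file dropped into the unused classic theme directory."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        for root in (clean, live):
            write(root, "index.php", "<?php require('./wp-blog-header.php'); ?>")
            write(root, "wp-content/themes/classic/style.css", "body { }")
        write(live, "index.php", "<?php /* changed */ require('./wp-blog-header.php'); ?>")
        write(live, "wp-content/themes/classic/extra.php", "<?php /* placeholder */ ?>")
        write(live, "wp-content/uploads/photo.jpg", "user upload, ignored")
        return compare_trees(clean, live)

if __name__ == "__main__":
    modified, extraneous = demo()
    print("modified:", modified)
    print("extraneous:", extraneous)
```

Anything reported under the uploads directory would need a separate check, since that directory cannot be compared against a clean release.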

Update

I have arranged an automated test to check for this problem. The page is called Wordpress Autotest. Read the instructions carefully.


Mybook: problem with Samba

If you install Samba on the Mybook from the Debian “lenny” repository, you will probably face the following problem:

$ smbclient -L //localhost/
Domain=[NAS] OS=[Unix] Server=[Samba 3.0.26a]

        Sharename       Type      Comment
        ---------       ----      -------
        TTTTTTTTTTTT    Disk
        llllll          Disk
        IIIII           IPC       IIIIIIIIIIIIIIIIIIIIIIIII
Domain=[NAS] OS=[Unix] Server=[Samba 3.0.26a]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP

that is, every “share” appears as the first letter of the share name, repeated as many times as the name length plus one.

This is caused by a bug in the gcc compiler for ARM, which fails at code generation if you use any level of optimization. This bug affects Samba up to release 3.0.28-1, and will be corrected in the 3.0.28-2 release of the Debian package.

Note

The disk I installed in my Mybook (the one I used to make all the tests) failed, without warning, after less than five months. Having smartd installed didn’t help at all…
So I’m currently unable to do more tests, or give any help.
I’m sorry.

Mybook: why disk image backup fails?

I read about making a backup of a Western Digital Mybook World Edition, and how some of these backups fail at the moment of restore.

The main reason is that those backups are made with partition imaging software (like Partition Magic or Partimage), and some guides include instructions to save the partition table and MBR, too. Right, but there is more data on the disk that needs to be saved, and that cannot be recovered in any other way than by taking a raw image of a number of sectors at the start of the disk.

(Figure: Mybook disk configuration)

In the picture you can see a schematic of the typical WD Mybook WE disk. At the start (in absolute sector 0) there are the MBR and the partition table (in blue). The partition table points to the partitions, stored some hundreds of sectors away (in yellow). The original partition table of the Mybook places the start of the first partition on cylinder 4, that is over 48,000 sectors away from the MBR.

Why?

Because in that space there is some software that is vital for the Mybook startup process: the bootloaders (in red in the figure)!

So, if you want a really complete and working backup, you must save all these sectors to a raw file, using the Linux command dd.

A rough procedure can be: use sfdisk to get the exact starting sector of partition sda1:

# sfdisk -d /dev/sda
# partition table of /dev/sda
unit: sectors

/dev/sda1 : start=    48195, size=  5879790, Id=fd
/dev/sda2 : start=  5927985, size=   208845, Id=fd
/dev/sda3 : start=  6136830, size=  1975995, Id=fd

In this example sda1 starts at sector 48195. Well, when we save the MBR we use the command:

# dd if=/dev/sda of=sda-mbr bs=512 count=1

But this saves only the first sector. We need to save all the sectors up to the start of the sda1 partition, so the command must be:

# dd if=/dev/sda of=sda-mbr bs=512 count=48195

Of course, change the number 48195 to match your disk configuration.
Now we have the content of the entire space from the MBR to the start of the sda1 partition, with all the bootloaders included.

Now the backup is really complete.
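To check that a saved image really covers this whole space, the following added example (not the post’s own code) reads the partition table directly from sector 0 of the image, takes the lowest partition start, and compares it with the image length: an image made with count=1 fails the check, one made with count=48195 passes. The MBR bytes are constructed from the sfdisk output quoted above; on a real backup read the file written by dd instead.

```python
# Added example, not the post's code: read the MBR partition table from a raw
# image and check that the image really reaches the first partition, i.e. that
# dd was run with count = start of sda1 rather than count=1. The MBR bytes are
# constructed from the sfdisk output quoted above (sda1 at sector 48195).
import struct

SECTOR = 512
TABLE_OFFSET = 446          # four 16-byte entries, then the 0x55AA signature

def partition_entries(mbr):
    """(type_id, lba_start, sector_count) for each used entry in sector 0."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no valid MBR signature in sector 0")
    entries = []
    for i in range(4):
        raw = mbr[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        _status, type_id, lba, count = struct.unpack("<B3xB3xII", raw)
        if type_id != 0:
            entries.append((type_id, lba, count))
    return entries

def first_partition_start(mbr):
    """Lowest LBA start among the partitions: the sectors before it hold the bootloaders."""
    return min(lba for _, lba, _ in partition_entries(mbr))

def image_covers_bootloaders(image):
    """True when the image spans every sector from the MBR up to the first partition."""
    return len(image) >= first_partition_start(image[:SECTOR]) * SECTOR

def build_mbr(entries):
    """Constructed sector 0 with the given (type_id, lba, count) entries."""
    table = b"".join(struct.pack("<B3xB3xII", 0, t, lba, n) for t, lba, n in entries)
    return bytes(TABLE_OFFSET) + table.ljust(64, b"\x00") + b"\x55\xaa"

# Same layout as the post's sfdisk output: three Id=fd (Linux RAID) partitions
SAMPLE_MBR = build_mbr([(0xfd, 48195, 5879790), (0xfd, 5927985, 208845),
                        (0xfd, 6136830, 1975995)])

if __name__ == "__main__":
    start = first_partition_start(SAMPLE_MBR)
    print("dd if=/dev/sda of=sda-mbr bs=512 count=%d" % start)
    one_sector = SAMPLE_MBR                            # what count=1 saves
    full = SAMPLE_MBR + bytes((start - 1) * SECTOR)    # what count=48195 saves
    print("count=1 complete:", image_covers_bootloaders(one_sector))
    print("count=%d complete:" % start, image_covers_bootloaders(full))
```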

Mybook: peer2peer with mldonkey

(Article in English only. If anyone is interested, let me know and I will translate it into Italian.)

Using mldonkey on the Revived Mybook we have a complete peer-to-peer client with a web interface. It uses the edonkey/emule and bittorrent protocols/networks.

Mybook: Samba

(This article is in English only. If anyone is interested, let me know and I will translate it into Italian.)

How to add Windows™ compatible file sharing in the Revived Mybook.

Mybook: cups print server

(This article is in English only. If anyone is interested, let me know and I will translate it into Italian.)

How to enable the Revived Mybook as a print server for USB or network printers.

Mybook: how to use “fuel gauge” leds

The Western Digital Mybook World Edition has ten LEDs on the front side. This article talks about using them.
(Article in English only. If anyone is interested, let me know and I will translate it into Italian.)

Mybook: the photo album

A photo gallery of the Mybook, during the various stages of the operations described here.

MyBook: syslog

Now we install the log daemons for the Mybook.
(Note: if you installed a root filesystem image release 20070826 or newer, you only need logrotate; the syslog and klog daemons are already installed and operative.)