Instructions and results are in English language. Some documentation about WordPress spam injection and redirection is here.

If you came to this article because you got an e-mail or a comment in your blog that ask to read it, please do not go away. Read the rest.

I’m an independent Information Security researcher. I’m investigating about an attack to some WordPress based blogs that involves spam and exploiting Google pagerank mechanism.

First of all, check yourself that your blog may be compromised. To do that, you need to do two different checks. First requires a little utility called “wget”, that is widely used in Linux, but it is available for Windows, too. Use this command:

wget -U googlebot -O home.html http://yourblogurl/

Note that -O and -U are both capital, and http://yourblogurl/ is the address of your blog homepage.
After command execution you will get a single file called home.html, that contains the HTML of your blog homepage. This is how your blog appears to the Google spider. Open it with a text editor, not from web browser. Examine the code, and you can see a block of code in a <div> block, that contains links that don’t belongs to your site. Usually it is shortly after the opening <body> tag, or near the end of page.
These links are about pills, ring tones, loan, and so on, like normal spam mails. You can compare with your homepage as appears on your browser source viewer, or you can get another copy with wget, without the -U option, so you get the “regular” homepage.

For the second check, open your browser and go to Google search. Type this query string:
buy valium inurl:yourblogurl
where yourblogurl is a part of the site name that is unique for your blog. I.e. if I want to check my blog I will type:
buy valium inurl:ismprofessional
Change text according to your website, and try other well-known drugs name, like the “blue pills”, named in every mail spam message.

The result of the query can be something like this:

Buy Valium from Sunrise Movies
All the information and advice you'll need to find the best
Buy Valium with the lowest Vicodin price, even if you're a first-time buyer.
www.yourblogurl/?item=137

The query part of the url string can change. This is an incomplete list:

?google-approved=number
?coupon_number=number
?item=number
?order_id=number
?certified=number
?pharma-certified=number

If you click on the link in the search results, apparently nothing special happens: you will go in your blog.

But try this: open cookie management of your browser, search for all cookies of your site and delete them. Then return to Google result page and click again on the link with your blog. This time something different happens: your browser will redirected to an online pharmacy.

How this is possible? I don’t know exactly, but I can do some hypotheses: If someone was able to crack something in your WordPress installation, the index.php file may contain malicious code that checks if you visited the blog in the past, through the cookie. If you have the cookie, the code do not activate itself, so you see your blog. If you do not visited blog before, and you come from a search engine, the malicious code redirect your browser to pharmacy site.

It is a sort of hiding mechanism to protect malicious code being discovered by regular blog visitor, or by blog owner.

If you do not understand terms I used, please ask to someone more skilled to explain in other words.

I wrote this message because I tried to warn blog owners of the problem, but my message got no replies, and I suspect that gets catch by spam filters. It is quite difficult to write about drugs spam without use same terms used by spammers.

If you get persuaded that my warning is true, please DO NOT delete your WordPress installation files on server. Save them on a zip file and, if you can, send the zipfile to me, so I can figure how malicious code was injected in your blog. After that you can delete all the file and reinstall WordPress. Check also the database, because some malicious code put extraneous data in WordPress tables.

For what I see, upgrading to WordPress 2.5 DO NOT solve the problem. Some of the hacked blogs already use version 2.5, but the problem persist.

Why I do all this work? Because I think that someone exploiting a bug or a flaw in WordPress, or in the web server configuration, to do dirty business. These people knows perfectly how Google Pagerank works, and are able to use it very well.

I earn nothing from that. I do only for ethical reason.

So, if you think that I am in error, please apologize, and you can forget any message I send to you.

In other case, you can contact me using this page.

At the moment I get more information, I will update this post, so stay tuned.

First information available

Thanks to Jay, we have first data about malicious code. There are some symptoms:

• An extraneous file uploaded to the /tmp/ directory on the server, added as a WP add-on. Warning: It didn’t show up on the list, so it was only visible by looking at the actual database using phpMyAdmin.
• New admin account in WordPress as well, called “WordPress”. Warning: invisible in the administration interface of WordPress.
• Other PHP scripts placed around in various directory of server. Jay do not send me a sample, but he looked into the code, and these scripts allow remote shell and command execution.

Note that: WordPress was updated to last release, but the redirect code were still in place and active. Only after direct database editing the redirect stops working.

A different cracking scheme

During the analysis of a different blog, I found another type of penetration scheme:

• The cracker targets old WordPress releases, known to be highly vulnerable, i.e. 2.0.3, 2.0.5 and so on.
• It inject one or two files in unused directories, like wp-content/themes/classic, or in uploads directory.
• These files are: a remote shell coded in PHP, and the “spam injector/redirector”.
• It uses something called “doorgen”, but the name can be other

So, checks your WordPress installation for modified or extraneous files.

Update

I arranged an automated test to check for this problem. The page is called WordPress Autotest. Read instructions carefully.

$ smbclient -L //localhost/
Domain=[NAS] OS=[Unix] Server=[Samba 3.0.26a]

        Sharename       Type      Comment
        ---------       ----      -------
        TTTTTTTTTTTT    Disk
        llllll          Disk
        IIIII           IPC       IIIIIIIIIIIIIIIIIIIIIIIII
Domain=[NAS] OS=[Unix] Server=[Samba 3.0.26a]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP

that is every “share” appears with first letter of share name, repeated length+1 chars of the name length.

This is caused by a bug of gcc compiler for ARM, that fails code generation if you use any level of optimization. This bug affect Samba up to release 3.0.28-1, and will be corrected in the 3.0.28-2 release of the Debian package.

References:

• Debian bug report #445566
• Honza Stastny website, that talk about this bug, and the battle to bring Samba to life on his Mybook

Note

The disk I installed on my Mybook (the one I use to made all the tests) fails, without warning, after less than five months. Having smartd installed not helped at all…
So I’m currently unable to do more tests, or give any help.
I’m sorry.

The main reason is those backups are made with partition imaging software (like Partition Magic or Partimage), and some guide includes instruction to save partition table and MBR, too. Right, but there are more data on disk that needs to be saved, and that cannot be recovered in any other way that do a raw image of a number of sector at the start of the disk.

Mybook disk configuration

In picture you can see schematic of the typical WD Mybook WE disk. At the start (in absolute sector 0) there are MBR and partition table (in blue). The partition table point to partitions, stored after some hundred of sector away (in yellow). The original partition table of Mybook place the first partition start on cylinder 4, that is over 48,000 sectors far away from MBR.

Why?

Because in that space there is some software that is vital for Mybook startup process: the bootloaders (in red in figure)!

So, if you want a really complete and working backup, you must save all this sectors in a raw file, using Linux command dd.

A rough procedure can be: use sfdisk to get the exact sector of start of partition sda1:

# sfdisk -d /dev/sda
# partition table of /dev/sda
unit: sectors

/dev/sda1 : start=    48195, size=  5879790, Id=fd
/dev/sda2 : start=  5927985, size=   208845, Id=fd
/dev/sda3 : start=  6136830, size=  1975995, Id=fd

In this example sda1 starts at sector 48195. Well, when we save the MBR we use the command:

# dd if=/dev/sda of=sda-mbr bs=512 count=1

But this save only first sector. We need to save all the sector up to start of sda1 partition, so the command must be:

# dd if=/dev/sda of=sda-mbr bs=512 count=48195

Of course, change the number 48195 to match your disk configuration.
So, now we have the content of the entire space from MBR to start of sda1 partition, with all the bootloaders included.

Now the backup is really complete.

Using mldonkey on the Revived Mybook we have a complete peer to peer client with web interface. It uses edonkey/emule and bittorrent protocols/networks.

As usual, first step is installing mldonkey:

# apt-get install mldonkey-server
. . .

During installation, apt asks for automatically launch mldonkey on system startup. We can reply affirmatively.
As the installation end, we have mldonkey up and running, but we have two problems:

• mldonkey places all working and temp files in /var/lib/mldonkey. If we use a partitioning scheme with root filesystem and home filesystem this lead to fill root partition and cause malfunctions on Mybook.
• mldonkey web interface is accessible only from 127.0.0.1, that is useless.

So, we stop mldonkey server:

# /etc/init.d/mldonkey-server stop

then move the working directory in the /home partition:

# mv /var/lib/mldonkey /home

and set the new working dir in file /etc/default/mldonkey-server that is:

# MLDonkey configuration file
# This file is loaded by /etc/init.d/mldonkey-server.
# This file is managed using ucf(1).

MLDONKEY_DIR=/var/lib/mldonkey
MLDONKEY_USER=mldonkey
MLDONKEY_GROUP=mldonkey
MLDONKEY_UMASK=0022
LAUNCH_AT_STARTUP=true
MLDONKEY_NICENESS=0

in that way:

# MLDonkey configuration file
# This file is loaded by /etc/init.d/mldonkey-server.
# This file is managed using ucf(1).

MLDONKEY_DIR=/home/mldonkey
MLDONKEY_USER=mldonkey
MLDONKEY_GROUP=mldonkey
MLDONKEY_UMASK=0022
LAUNCH_AT_STARTUP=true
MLDONKEY_NICENESS=0

Next, we open file /home/mldonkey/downloads.ini, and we locate the line with:

 allowed_ips = [
  "127.0.0.1";]

This is the list of IP address enabled to access mldonkey web interface. We can modify it as explained here. I.e. to enable access from all PC in the network 192.168.1.x we can change in:

 allowed_ips = [ "192.168.1.0/24";
  "127.0.0.1";]

Make sure that mldonkey is stopped when modify this file: in the shutdown mldonkey writes down current configuration and overwrites all our changes.
Next we can start again mldonkey, and point our browser to: http://mybook-ip-address:4080/.
Note that mldonkey requires about a minute to start, and is a memory eater, so there will be some problems if your Mybook is loaded with Samba and CUPS.
That’s all.

How to add Windows™ compatible file sharing in the Revived Mybook.

Before installing Samba, it is suitable to install CUPS, too.
To install Samba and the web administration tool, SWAT, we use this command:

root@mybook:~# apt-get install swat
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  openbsd-inetd samba samba-common samba-doc tcpd update-inetd
Suggested packages:
  samba-doc-pdf
Recommended packages:
  smbldap-tools
The following NEW packages will be installed:
  openbsd-inetd samba samba-common samba-doc swat tcpd update-inetd
0 upgraded, 7 newly installed, 0 to remove and 19 not upgraded.
Need to get 14.4MB of archives.
After unpacking 32.3MB of additional disk space will be used.
. . .

During the installation, installer ask for:

• Workgroup/Domain
• If you want to use WINS coming from DHCP

As the installation ends, you have Samba ready to work. If you haven’t SWAT running, use this command:

dpkg-reconfigure openbsd-inetd

that reads /etc/inetd.conf file and set inetd to automatically start at system boot.

Now you can start managing shares and users, pointing your browser to: http://ip-of-your-mybook:901/. You asked for login/password (that is root/root password).
Remember that Samba requires that Unix user must exist before you can add it to Samba users.
To create Unix user you can use:

# useradd -m username

that adds user “username” to Unix users and create (with -m switch) the home directory.
In this case you can assign users to private directories, and every user can manage his files, accessing with Samba password.
You can refer to immense documentation in the Samba website.

That’s all.

How to enable the Revived Mybook as a print server for USB or network printers.

First of all, we install CUPS print server:

root@mybook:~# apt-get install cupsys
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  cupsys-common defoma file fontconfig-config gs-common gs-esp gsfonts
  libcairo2 libcupsimage2 libcupsys2 libdbus-1-3 libexpat1 libfontconfig1
. . .
. . .
Need to get 24.9MB of archives.
After unpacking 76.0MB of additional disk space will be used.
Do you want to continue [Y/n]? y

as you can see this will install a lot of packages… so please be patient.
As the installation ends, open the file /etc/cups/cupsd.conf and locate the line with:

Listen localhost:631

change in:

Listen *:631

and restart CUPS:

# /etc/init.d/cupsys restart

This will enable CUPS to listen on external interface eth0.
Locate the line with:

DefaultAuthType Basic

and add immediately after this line:

DefaultEncryption Never

Locate the section:

<Location />
  Order allow,deny
  Allow localhost
  Allow @LOCAL
</Location>

and change in:

<Location />
  Order allow,deny
  Allow localhost
  Allow all
</Location>

This will allow access to any computer in the network.
You can also use:

Allow 192.168.x.y/255.255.255.0
Allow @LOCAL
Allow *.mydomain

Refer to CUPS documentation included in CUPS administration web pages.
Locate the section:

<Location /admin>
  Order allow,deny
  Allow localhost
</Location>

and change in:

<Location /admin>
  AuthType Basic
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
  Allow all
</Location>

This will allow access to remote administration, but requires user/password (i.e. user root and the same password of the root user in the Mybook)
The same you must do in:

<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  Order allow,deny
  Allow localhost
  Allow all
</Location>

Restart cupsys:

# /etc/init.d/cupsys restart

Now you can add printers.
For best use, I advise to use only “raw” printers in Mybook CUPS server, and use the driver of the printing computer, this is the best situation.
If you have HP Jetdirect network printer, when adding printer, in the Device you must choose “AppSocket/HP JetDirect”, and in URI you must insert the string:

socket://hostname:9100

where “hostname” is the IP address of the printer, or the name if resolved from your DNS.
If you have USB printer first connect the printer to the Mybook, next go in “Add printer” from the administration web. In the Device page you should see your printer listed in the combo box. In some cases CUPS doesn’t allow you to define printer as “raw” in this step, but if you select any driver and install the printer, next you can go in Printers and change the configuration of the printer to “raw”.
That’s all.

Leds are placed in two “rings”, outer and inner. Outer ring use four leds, and kernel uses it to shows general activity, with effect like a rotating lamp (clockwise), and can be used to notify some special conditions. Inner ring uses six leds, and can be used as a “fuel gauge”. I.e. it can be lit progressively like an empty/full indicator.
To lit it, we use a special file in /sys directory, available only when kernel module wdc-leds is loaded (should be loaded at system boot if you use my root filesystem).
File is: /sys/devices/platform/wdc-leds/leds:wdc-leds:fuel-gauge/brightness and accept a value from 0 to 255. To write a value in it we use the command:

# echo 50 > "/sys/devices/platform/wdc-leds/leds:wdc-leds:fuel-gauge/brightness"

This will lit three leds of the inner ring (at 5, 7 and 9 o’clock).
Equivalence between value and leds is:

• value from 0 to 32: lits one led (5 o’clock)
• value from 33 to 49: lits two leds (5 and 7 o’clock)
• value from 50 to 66: lits three leds (5, 7 and 9 o’clock)
• value from 67 to 82: lits four leds (5, 7, 9 and 11 o’clock)
• value from 83 to 96: lits five leds (5, 7, 9, 11 and 1 o’clock)
• value from 97 and upper: lits all leds.

In this picture you can see how leds are lit.

There is no value to put off all leds, even with 0 the first led lits (only unloading module).
Known that is really simple to arrange a “space meter” using leds, or a visual progress bar.

A photo gallery of Mybook, during operations described here.

Il connettore usato per la console seriale.
Serial console connector.

Lo stesso connettore visto dall’esterno.
Same connector, external view.

Altra vista dall’esterno.
Another external view.

La posizione del connettore sullo stampato del Mybook.
Serial connector position in Mybook PCB.

Il Mybook riassemblato con il connettore della console seriale in alto a sinistra.
Reassembled Mybook, with serial connector on the upper left.

Un dettaglio del connettore dopo il riassemblaggio del Mybook.
Connector detail after assembling Mybook.

Now we install log daemons for Mybook.
(Note: if you install a root filesystem image release 20070826 or newer, you need only logrotate, syslog and klog daemons are already installed and operative)

Come primo servizio, dato che l’immagine del filesystem è realmente ridotta, ci occorre il log di sistema e del kernel, dato che saranno i primi posti dove andremo a guardare in presenza di problemi. Il primo passo è l’installazione dei demoni di log:

root@mybook:~# apt-get install sysklogd
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  klogd
The following NEW packages will be installed:
  klogd sysklogd
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 104kB of archives.
After unpacking 194kB of additional disk space will be used.
Do you want to continue [Y/n]? y
...
Setting up klogd (1.5-1) ...
Starting kernel log daemon....

Setting up sysklogd (1.5-1) ...
Starting system log daemon....

Poi installiamo anche il pacchetto logrotate, che impedisce ai file di log di diventare troppo grandi, creandone di nuovi ed archiviando i vecchi periodicamente:

root@mybook:~# apt-get install logrotate
Reading package lists... Done
Building dependency tree
Reading state information... Done
Recommended packages:
  mailx
The following NEW packages will be installed:
  logrotate
0 upgraded, 1 newly installed, 0 to remove and 19 not upgraded.
...
Setting up logrotate (3.7.1-3) ...

E’ tutto. I file di log saranno nella directory /var/log e periodicamente verranno ruotati e cancellati i più vecchi.

As first service, we need system and kernel logs, the first places where to look when in troubles, so we going to install log daemons:

root@mybook:~# apt-get install sysklogd
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  klogd
The following NEW packages will be installed:
  klogd sysklogd
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 104kB of archives.
After unpacking 194kB of additional disk space will be used.
Do you want to continue [Y/n]? y
...
Setting up klogd (1.5-1) ...
Starting kernel log daemon....

Setting up sysklogd (1.5-1) ...
Starting system log daemon....

Next, we install the logrotate package, to avoid excessive grow of log files:

root@mybook:~# apt-get install logrotate
Reading package lists... Done
Building dependency tree
Reading state information... Done
Recommended packages:
  mailx
The following NEW packages will be installed:
  logrotate
0 upgraded, 1 newly installed, 0 to remove and 19 not upgraded.
...
Setting up logrotate (3.7.1-3) ...

That’s all. Log files are in the /var/log directory, and will be rotated periodically, deleting oldest.