Details of Hack

One of the problems that you inherit from running your own blog instead of paying someone else to maintain a blogging platform is that you occasionally come under attack from a hacker. There’s no telling whether this will be successful for them or not until it happens. The overall question is one of time, resources, skill and luck. Given that I didn’t think I’d be a high value target, I did what I could and hoped it would be enough. It was not.

To be honest, I’m still not sure if I’m in the clear. I deleted the compromised account, searched the files for the key phrases and am about to do the same for the database, but unless I want to make time to go character by character through all my files and data, or do a full reinstall from known-good data (from prior to the attack, losing everything up to my last full data backup – and still not being sure), I can’t really have full assurance that I’m safe from having this blog compromised again.

The details so far are:

  • Someone changed my admin account’s password.
  • Someone put the hack defacement in three of my WordPress theme’s files.
  • I was left a message to close the blog (as administrator) and an e-mail address.

The hacker was: KareemSQL

Remediation:

  • Took control of the blog software via another admin account.
  • Deleted the admin account entirely (don’t need it).
  • Changed my other admin account’s password (to something deep and gnarly).
  • Changed theme.
  • Deleted compromised theme (atahualpa 3.6.7 – don’t know if this was the entry point or just the defacement target).
  • Backed up WordPress data in a well-labeled backup set so I know it’s post-hack.
  • Upgraded WordPress.
  • Upgraded all other plugins as needed.
  • Sent a query to hacker’s e-mail account to see if they’ll tell me how they got in.
  • Considering disabling all plugins.
  • Did same with my msblog site, which the hacker revealed was also compromised.

The primary reason I’m considering disabling plugins is that they’re the prime suspects for this hack. It looks like the hacker first tried “forgot password” type password hacking for the admin account around 11 p.m. last night. It’s certain that the hacker changed the admin account’s password, but I don’t know how. The password was what I consider strong – random, high entropy, not dictionary-guessable. The most likely explanation is an exploit in one of my plugins. Less likely but still possible is an exploit in WordPress itself.

Given that I am running a default install with no self-provided customizations, I’m at a loss to figure out what went wrong and I don’t really have the time to do a complete forensics pass to try to vet the software.

Another option that’s open to me is to import my blog to a paid-for service and let them take the brunt of the costs (time, energy) of another attack. Or I could just carry on like before and hope it’s enough.

A final option which appeals to the luddite in me is to convert the blog to HTML and just publish via HTML. But I like the features in management that WordPress brings.

Email with hacker so far:

To: mshacker1@hotmail.fr
From: malcolm.gin@gmail.com
Subj: http://www.malcolmgin.com/blog/ hack

Hey there.

Thanks for the hack. Can you tell me which flaw you exploited so I can try to fix it or just stop using that plugin? Or do you recommend I stop using WordPress?

I’m just trying to blog about my daily life – so I hope you didn’t hack me because of objectionable content.

Regards,
M


Malcolm GIN
malcolm.gin@gmail.com

Replies 1 & 2:

From: kareemSQL HaCkEr
To:
Subject: RE: http://www.malcolmgin.com/blog/ hack

I am sorry for hack and for the gap leading to the hack is in the database And I advise you to change this version of WordPress the new version Thank you and sorry again

From: kareemSQL HaCkEr
To:
Subject: RE: http://www.malcolmgin.com/blog/ hack

Forgot inform you modify the index.php file from this folder http://www.malcolmgin.com/msblog/ Sorry I accept my apologies

Another reply from me:

Subject: Re: http://www.malcolmgin.com/blog/ hack
From: Malcolm Gin
To: kareemSQL HaCkEr

If you are doing this as a white hat or a grey hat, it would be useful to
the hacked owner to know what you exploited. Would it be possible to adjust
your script or whatever outputs the hacked page notification so that you
called out the exploit?

Thanks,
M

Other related news:

UPDATE with more stuff I have done:

  • Changed all my passwords (hosting password, FTP passwords, e-mail passwords, etc.). The assumption here is that in order to do a thorough job you have to be paranoid. Even though I think I have a good idea of how the hacker’s script got in (not, I note, by actually getting my password, but by finding a way in that reset the password to whatever they wanted it to be), I still need to be as careful as possible.
  • Went through and recorded plugin settings then deactivated them and then deleted them and reinstalled from the WordPress Codex (the codex serves as a known-good source). I lost some plugins that have since disappeared. I dealt with it by either just losing them entirely or finding adequate replacements.
  • Installed Exploit Scanner plugin, ran it and deleted all implicated themes. If you want a “hardened” WordPress install you should delete all the themes you’re not planning to use. Via Exploit Scanner I found another malicious file. Am at this point considering backing up the database and reinstalling WordPress from scratch.
  • Installed Antivirus plugin, ran it and deleted implicated objects. Deactivated and uninstalled that plugin.
  • Have been looking at the affected filesystem area for more malware with an FTP client. Found and deleted a couple of wayward malware directories. One was harder to delete than usual because it had a symlink in it.
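A small scan in the spirit of the clean-up steps above (searching files for the defacement phrase, spotting symlinks like the one that hid a malware directory, listing recently modified files). This is an added example, not code from the post or from the Exploit Scanner plugin; the marker strings, the constructed demo directory layout and the modified-since window are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumed markers: the handle quoted in the post plus a generic defacement string.
MARKERS = ("kareemsql", "hacked by")
TEXT_SUFFIXES = {".php", ".html", ".htm", ".js", ".css", ".txt"}

def scan_wordpress_tree(root, markers=MARKERS, modified_since=None):
    """Walk a WordPress install and return (kind, path) findings:
    'marker'  - text file containing a defacement marker,
    'symlink' - any symlink (os.walk does not follow them; the post's
                malware dir hid behind one), 'recent' - mtime >= modified_since."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                findings.append(("symlink", str(p)))
                continue  # never open or recurse through a link
            if not p.is_file():
                continue
            if modified_since is not None and p.stat().st_mtime >= modified_since:
                findings.append(("recent", str(p)))
            if p.suffix.lower() in TEXT_SUFFIXES:
                text = p.read_text(errors="ignore").lower()
                if any(m in text for m in markers):
                    findings.append(("marker", str(p)))
    return findings

def build_demo_tree(base):
    """Constructed sample install: a clean stylesheet, a defaced index.php and a symlink."""
    theme = Path(base) / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (theme / "style.css").write_text("/* clean theme file */")
    (theme / "index.php").write_text("<?php /* Hacked By KareemSQL */ ?>")
    os.symlink(theme / "style.css", Path(base) / "wp-content" / "uploads-link")

def run_demo():
    """Build the constructed tree in a temp dir and scan it; returns the findings."""
    base = tempfile.mkdtemp()
    build_demo_tree(base)
    return scan_wordpress_tree(base, modified_since=time.time() - 60)

if __name__ == "__main__":
    for kind, path in sorted(run_demo()):
        print(f"{kind:8s} {path}")
```

Run it against a real install as `scan_wordpress_tree("/path/to/wordpress", modified_since=<epoch of last known-good backup>)`; anything it lists is a candidate for comparison against a fresh download, not proof of compromise.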
