Sorry for the downtime – we got hacked
My apologies that the blog has been down for the last few days. Some hackers got into my PHP and inserted some malware onto the blog. A helpful reader alerted me to the problem within hours of it happening, and I quickly turned the whole site off to prevent spreading malware. It took me a few days to find the time to gain enough confidence that I understood what happened so that I could safely turn the site back on. I won’t detail everything I did to lock the server down, but I’m pretty sure it’s safe now. But if you see anything amiss, please contact me right away!
In the interest of keeping the internet safe, I’ll share what I found. Dan Hill has a pretty good description of the problem on his blog, or at least a very similar one. I know another friend who got hit in a similar manner. They all have their sites hosted on dreamhost, as I do. So it certainly could have been a result of the recent hacking there, but from what I saw, there are hints it is just an exploit of an insecure wordpress plugin. In particular, the attack came in through Google Analytics for WordPress by joostdevalk (v 3.2.5). Somehow the plugin directory had global-write (x777) permissions on it, and a couple rogue files were there including one called ainslieturing.php which is pure virus (as opposed to a modified file that was originally there and useful) and apparently the code which attaches the virus to all the other PHP files in the site. The virus was triggered by a POST to the ainslieturing.php page from IP 184.108.40.206, which might be somewhere in Germany. Curiously, at the time of this writing, the exact phrase “ainslieturing.php” does not appear anywhere on the web, which is part of my motivation for documenting what happened.
Dissecting the ainslieturing file took a bit more work. It was extra-obfuscated. The code does the same thing of eval’ing a base64_decode’d string, but it does it in a way where the string “base64_decode” never shows up in the source (example source). Presumably this is to make it harder to detect when somebody is trying to clean up the mess. For example, this avoids the simple sed fix posted on Dan Hill’s blog. Additionally, the base64 encoded code appears written to avoid simple virus filters, because it is shuffled before evaluation by a key (143 in my case) which can be easily modified (example source). The inner code is a PHP script which lets the attacker run arbitrary code on the server, or upload arbitrary files. Interestingly, the whole thing is password protected, requiring the attacker to present a password with MD5 signature “ca3f717a5e53f4ce47b9062cfbfb2458″. (Anybody feel like reversing that?) If you want to check your files to see if any of them have the double-obfuscated code, this will find them (and perhaps some false positives too):
grep ".x62.x61.x73.x65" * -R -l 2> /dev/null
Once ainslieturing was triggered, the rough symptoms were that a bunch of code got inserted at the top of many of wordpress’s PHP files which is lightly obfuscated through eval-base64-decode. The virus code when de-obfuscated looks like this. I haven’t bothered to fully understand it, but similar code has infected other people’s servers, with minor variations. In particular, the code fetches some instructions from URLs which are doubly-obfuscated, but resolve to domains in Poland or Russia. Many *.rr.nu domains with hoperjoper.ru as the nameserver and and in particular the throw-away domain ens122zzzddazz.com. (Please be careful with these URLs — DO NOT JUST TYPE THEM INTO YOUR BROWSER. Use wget and look at the files that come back.) If you operate any blacklists, feel free to add these domains to them.
The …dazz domain in particular has a whois record which is not private:
Registrant: Dan Brown [email protected] +022.824460528 +022.824460528 ENO Aleje Ujazdowskie 20-44 Warszawa,Warszawa,AF 00540
So, Dan, if you actually exist, you either have some explaining to do, or your domain has been completely taken over. If any of my readers are traveling to Warsaw, Poland and feeling intrepid, feel free to drop by Dan’s office and let me know what you find.
That’s all for now. If you have anything relevant to add to the situation, please leave a comment.