ABOUT THE LATEST WORM ATTACK AND WHAT TO DO ABOUT IT – In the last few months a worm has been sneaking its way into older versions of WordPress.
I have read other reports that say it is even more widespread than that too.
It then makes itself an admin and uses JavaScript to hide itself when you look at the users page. It cleverly cleans up after itself and usually goes unnoticed while it apparently inserts hidden spam and malware into your old posts.
http://wordpress.org/development/2009/09/keep-wordpress-secure/
I noticed some alerts about website security and website hacking coming in through various places in the WordPress network over the last couple of months.
I’d recently had a bad experience trying to upgrade the software on my large photography website and had to revert to a previous version because I lost significant functionality after that particular upgrade. So when I saw that a new version had been released, I foolishly avoided doing it!
DECLINING WEBSITE TRAFFIC STATS – Around the same time I remember noticing that my website traffic had declined on my major South Gippsland Website and one other, and when I say declined, I mean 50% less traffic than normal. I put that down to the recession!!! Silly me.
CHECKING YOUR ADSENSE EARNINGS REPORT – My Adsense earnings have actually increased significantly over the last 6 months. But when I checked my reports, I noticed that the earnings were really only coming from 2 of the 9 or so websites I use for this purpose, and only a few cents from each of the others. Ridiculous!
I checked the content on some of these websites at the time to make sure I wasn’t rendering duplicate content or breaching any of Google’s policies (which I wasn’t) and fixed up a few things that needed improving, just to make sure I was doing everything I could do.
I then put the problem (which was more of an annoyance than anything) at the back of my mind and focused on the wins with the other 2 websites.
RSS FEEDS OR EMAIL ALERTS NOT GETTING THROUGH – Over the last several months I’ve noticed my new posts are NOT being sent to me in email feeds even though I can receive them in my browser. I also noticed that posts that would normally show in Google Alerts completely stopped and have only just started happening again after I cleaned the websites.
UNUSUALLY LONG TIMES OF NETWORK DOWNTIME – I found that in the latter weeks of the worm attack, often when I’d go to publish a post or change content, the network would suddenly drop out. I made numerous support desk enquiries with my web host and the service would then be restored. In hindsight, I realised this was yet another symptom of a cracked or hacked website.
STRANGE NEW FILES OR IMAGES – Something like shortcodes.old.php or fotter.php (instead of footer.php) needs to be deleted immediately. I am still in the process of compiling a list of some of the ones that have been used already, but the fix is to overwrite your WordPress installation, plugins and themes as recommended below.
FINDING MALICIOUS CODE – The WordPress dashboard always notifies us of the latest developments through the development blog, and after reading yet another security bulletin…
I still didn’t upgrade – UNTIL
…all of a sudden, when I was trying to edit one of my template pages (404.php) I discovered some very disturbing code which I know hadn’t been there before. It contained ‘md5 {eval (base64_decode’. Now that’s NOT good.
WHAT TO DO WHEN YOU FIND MALICIOUS CODE – Contact your system administrator, software developer, php coding professional or web designer if you don’t think you can handle the problem yourself. Your website hosting provider will probably suggest you do that anyway…it’s not their responsibility and they aren’t usually familiar with the working of your website. However, my hosting company were very useful in helping me restore backups from the previous week in case the bad php code was only recently implanted. That didn’t work so I had to delve deeper.
USE A GOOD SUPPORT FORUM – I went to the WordPress support forum and left numerous posts both requesting help and helping others with the solutions I had already found. You always get a better response if you ‘give’ before you ‘take’. True in all areas of life, right!
TRY GOOGLE SEARCHES – Put the main part of the code string into a Google search box and find out what other people are saying about it. You can really learn a lot this way: find out how other people fix their problems, how widespread the issue is, what damage it has done and what damage it has the potential of doing.
Honestly, when I realized the level of destruction that this worm could cause, I was overwhelmed with a calm sense of terror (if that’s possible).
CHECK GOOGLE WEBMASTER TOOLS – I read of one guy who discovered the worm by noticing his most searched terms were Viagra-related. His site had definitely been affected by spam-generating hacks. Check in Google Webmaster Tools (if you are registered there) to make sure your search terms relate to the KEYWORDS you want.
WEBSITE ERROR LOGS – The error logs give a great indication of where the problems might lie – obviously. Sometimes you aren’t even aware there’s been a problem until you check your logs.
TRAFFIC STATISTICS – Check what your visitors are searching for to find you. This is something you should be doing as a matter of good business practice anyway. Check IP addresses too (though the clever hackers don’t usually reveal themselves too easily), as I found a possible entry point for the problem from checking one of my StatCounter logs installed in my dashboard.
GET ERROR 404 ALERTS – Over the past few months I’d been getting a ridiculous amount of Error 404 alerts requesting the strangest file extensions. The latest one that’s still coming in is ‘mirserver.rar’.
After checking through Google searches, I found this post that explained it might be searching for security vulnerabilities, and at the very least is using up your resources and bandwidth, so should be stopped.
I’m still unsure how I will deal with that but will continue to monitor my Error 404 reports with even more scrutiny.
I’m now receiving errors and redirections like this…
‘south-gippsland.net/protection.php?action=logout&siteurl=www.gokartsrus.com/images/info.txt?’ (some code removed)
…so I suspect redirections had previously been implanted but are no longer valid since the cleaning process.
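To show what checking the logs for these two symptoms looks like in practice, here is an added example script. It is not part of the original post and not WordPress code; the log lines are constructed (documentation IP addresses, made-up timestamps) and the "own host" name is an assumption. It parses Apache-style access log lines, flags 404s for archive or backup file types (the mirserver.rar kind of request) and flags requests carrying a siteurl parameter that points at another host (the protection.php kind of redirect), then counts both per client address.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Added example (not the post's own code): pick the two patterns described above
# out of an Apache-style access log, repeated 404s for archive or backup files
# and requests carrying an off-site "siteurl" redirect parameter, and count
# them per client address.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# File types a legitimate visitor of a blog never asks for; a 404 burst on these
# is someone looking for left-behind backups, not a broken link.
PROBE_EXTENSIONS = (".rar", ".zip", ".sql", ".bak", ".tar", ".gz", ".old")

# Constructed sample lines (RFC 5737 documentation addresses, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2009:10:01:02 +1100] "GET /mirserver.rar HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Oct/2009:10:01:03 +1100] "GET /backup.zip HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Oct/2009:10:01:04 +1100] "GET /wp-config.php.bak HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.20 - - [12/Oct/2009:10:05:00 +1100] "GET /2009/10/spring-photos/ HTTP/1.1" 200 8143 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Oct/2009:10:05:01 +1100] "GET /wp-content/themes/demo/style.css HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Oct/2009:10:07:30 +1100] "GET /protection.php?action=logout&siteurl=www.example.net/images/info.txt HTTP/1.1" 404 512 "-" "-"
198.51.100.20 - - [12/Oct/2009:10:08:00 +1100] "GET /feed/ HTTP/1.1" 200 5012 "-" "FeedBurner/1.0"
"""


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry, own_host):
    """Return a short reason if the request matches a pattern we care about, else None."""
    parts = urlsplit(entry["target"])
    path = parts.path.lower()
    if entry["status"] == "404" and path.endswith(PROBE_EXTENSIONS):
        return "404 probe for archive or backup file"
    siteurl = parse_qs(parts.query).get("siteurl")
    if siteurl:
        # The parameter names a host (the part before the first slash);
        # flag it when that host is not our own site.
        host = siteurl[0].split("/", 1)[0].lower()
        if host and host != own_host.lower():
            return "off-site siteurl redirect parameter"
    return None


def analyse(log_text, own_host):
    """Map client IP -> {reason: count} for every flagged line in `log_text`."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry, own_host)
        if reason:
            report[entry["ip"]][reason] += 1
    return {ip: dict(reasons) for ip, reasons in report.items()}


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG, "www.example.com").items():
        for reason, count in reasons.items():
            print(f"{ip}: {count} x {reason}")
```

Run it against a real access log by reading the file into `analyse` with your own hostname; ordinary visitors (the 198.51.100.20 lines above) produce no entries at all, so anything in the report is worth a closer look.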
CHECK THAT YOUR PERMALINK STRUCTURE IS CORRECT – Many people reported that their permalinks were suddenly broken and had strange code attached to them. Go to Settings >> Permalinks, and check what it says. Make sure it looks like one of the example structures. The one I prefer to use, which is SEO friendly, is /%postname%/.
MAKE SURE YOUR RSS FEED IS WORKING – Do that by going to ‘http://yourwebsiteurl/feed’. I have all my feeds run through FeedBurner anyway, so I can check my subscriber stats, resync my feed at any time and check for error reports.
Through this epidemic, many people have noticed problems with their feeds. One of the websites I checked had a problem with its permalinks which stopped the feed from being read properly. I might not have even noticed it had been infected with ‘the worm’ if this issue hadn’t occurred.
CHECKING IP ADDRESSES – After noticing some reports of other people checking the IP addresses of the offending robot attackers, I checked my own StatCounter logs and found an unusual IP from Saudi Arabia that had Googled ‘wordpress blogs’ multiple times to get to my website. It is interesting to note that I ONLY found this IP address registering in one of the two statistic trackers I use…so it seems to have effectively hidden itself in one of them as well.
BACKUP YOUR WEBSITE – I’m lucky with this one. I learned from other people’s mistakes to back up both the data on my computer and my websites.
But, I had always been deleting the old backups when a new one was done…not such a good idea now this has happened! Keep all your backups if you can, just in case something gets in and it takes a while to realise the problem…like this quiet and sneaky WordPress worm has done.
Importantly you should run the backup website copy through a virus scan. As it turns out, I found one of mine was infected with a PHP Remote Admin Application which I found in the theme folder listed as remv.php.
UPGRADE YOUR WEBSITE, OVER-WRITE YOUR PLUGINS AND THEME – In many cases the worm adds code or a strange file to one or more of your plugin folders or themes. In my case it had attacked my images slideshow gallery plugin and category order plugin and created unusual files.
Anything like wp-inclodes.php instead of wp-includes.php or fotter.php instead of footer.php needs to be deleted immediately. Delete ALL unused plugins and themes too as a precaution.
Please make sure you know what you are doing before you start deleting files and folders, though.
Doing a manual upgrade of your WordPress install by completely deleting wp-admin and wp-includes and then uploading the new versions is a MUCH safer way of upgrading. Same goes for plugins and themes. Don’t just over-write the files and folders; delete them completely (saving a backup copy of course) and then upload the new versions.
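Here is an added example script for the file checks described above (the ‘eval (base64_decode’ code in 404.php, the remv.php found in a backup, and the fotter.php / wp-inclodes / shortcodes.old.php style names). It is not part of the original post and not WordPress code. It walks a site folder (or an unpacked backup) and reports PHP files containing an eval(base64_decode( chain, names that are within two edits of a real WordPress file or folder name, and renamed copies like *.old.php. The list of known-good names is an assumption; the demo tree it scans is constructed.

```python
import os
import re
import tempfile

# Added example (not the post's own code): scan a WordPress tree for the two kinds
# of artefact described above, injected eval(base64_decode(...)) and files or
# folders whose names imitate real ones (fotter.php, wp-inclodes, *.old.php).

SUSPICIOUS_CODE = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
RENAMED_COPY = re.compile(r"\.(old|bak|orig)\.php$", re.IGNORECASE)

# Assumed list of legitimate names to compare against; extend it with your own
# theme and plugin files (a fresh download of the same versions is the reference).
KNOWN_GOOD = {
    "footer.php", "header.php", "index.php", "functions.php", "404.php",
    "wp-includes", "wp-admin", "wp-content", "wp-config.php", "wp-login.php",
}


def edit_distance(a, b):
    """Levenshtein distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the legitimate name that `name` imitates (within two edits), else None."""
    lowered = name.lower()
    if lowered in KNOWN_GOOD:
        return None
    for good in sorted(KNOWN_GOOD):
        if edit_distance(lowered, good) <= 2:
            return good
    return None


def scan_tree(root):
    """Walk `root`; return a sorted list of (path relative to root, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            good = lookalike_of(name)
            if good:
                findings.append((rel, f"name imitates {good}"))
            if RENAMED_COPY.search(name):
                findings.append((rel, "renamed copy of a PHP file"))
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                if SUSPICIOUS_CODE.search(fh.read()):
                    findings.append((os.path.relpath(full, root), "eval(base64_decode( in source"))
    return sorted(findings)


def build_demo_site():
    """Create a throwaway WordPress-like tree with constructed files: some clean, some planted."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    os.makedirs(os.path.join(root, "wp-includes"))
    os.makedirs(os.path.join(root, "wp-inclodes"))  # planted look-alike folder
    files = {
        os.path.join(theme, "footer.php"): b"<?php wp_footer(); ?>",
        os.path.join(theme, "index.php"): b"<?php get_header(); ?>",
        os.path.join(theme, "fotter.php"): b"<?php /* planted look-alike file */ ?>",
        # planted: the base64 here is just "echo 1;", a harmless constructed payload
        os.path.join(theme, "404.php"): b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        os.path.join(theme, "shortcodes.old.php"): b"<?php // stale copy left behind ?>",
    }
    for path, body in files.items():
        with open(path, "wb") as fh:
            fh.write(body)
    return root


def demo_findings():
    """Scan the demo tree and return {(basename, reason)} for easy checking."""
    return {(os.path.basename(p), r) for p, r in scan_tree(build_demo_site())}


if __name__ == "__main__":
    for name, reason in sorted(demo_findings()):
        print(f"{name}: {reason}")
```

Point `scan_tree` at your real site folder instead of the demo tree; the findings are a review list, not a delete list, so compare each one against a fresh copy of the same WordPress, theme and plugin versions before removing anything.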
CREATE A NEW ADMIN IDENTITY AND CHANGE YOUR PASSWORDS – I went into my dashboard and created a new user (myself), with a new name, new email address and password and made sure to give my new identity admin privileges.
I then used phpMyAdmin and deleted the old identity, as the worm had duplicated variations of my name and email address on the bogus admin users it had created earlier.
Not only that, I also noticed my passwords had been reset when I tried to access the websites through ftp. This happened several times so I advise you change your FTP passwords as well.
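Because the worm hides its admin accounts with JavaScript on the users page, the reliable place to look is the database itself, which is what the phpMyAdmin step above amounts to. Here is an added example (not part of the original post, not WordPress code) that runs the standard WordPress admin query against an in-memory copy of the wp_users and wp_usermeta tables with constructed rows, and lists any administrator whose login is not on your expected list, together with the real login it most resembles. It assumes the default wp_ table prefix (the role is stored under the meta key wp_capabilities as a serialized PHP array); the SELECT is what you would paste into phpMyAdmin.

```python
import sqlite3
from difflib import SequenceMatcher

# Added example (not the post's own code): list administrator accounts straight
# from the database tables, which the worm's JavaScript on the users page cannot
# hide, and flag any admin that is not one you created yourself.

# Standard WordPress layout, default "wp_" prefix assumed; paste into phpMyAdmin as-is.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID
"""


def build_demo_db():
    """In-memory stand-in for the two WordPress tables, filled with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    # WordPress stores a user's roles as a serialized PHP array in wp_capabilities.
    admin = 'a:1:{s:13:"administrator";b:1;}'
    subscriber = 'a:1:{s:10:"subscriber";b:1;}'
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", [
        (1, "owner", "owner@example.com", "2008-03-01 09:00:00"),
        (2, "reader", "reader@example.org", "2009-01-15 12:00:00"),
        (3, "owner ", "owner@example.com", "2009-09-20 03:14:07"),   # planted: near-copy of the real login
        (4, "0wner", "0wner@example.com", "2009-09-20 03:14:09"),    # planted: variation of name and email
    ])
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?, ?)", [
        (1, 1, "wp_capabilities", admin),
        (2, 2, "wp_capabilities", subscriber),
        (3, 3, "wp_capabilities", admin),
        (4, 4, "wp_capabilities", admin),
    ])
    return db


def list_admins(db):
    """Every account holding the administrator role, as (ID, user_login, user_email)."""
    return [tuple(row) for row in db.execute(ADMIN_QUERY)]


def suspicious_admins(db, expected_logins):
    """Admins whose login is not in `expected_logins`, each paired with the
    expected login it most resembles (so copy-cat names stand out)."""
    flagged = []
    for user_id, login, email in list_admins(db):
        if login in expected_logins:
            continue
        closest = max(
            expected_logins,
            key=lambda e: SequenceMatcher(None, login.strip().lower(), e.lower()).ratio(),
        )
        flagged.append((user_id, login, email, closest))
    return flagged


if __name__ == "__main__":
    db = build_demo_db()
    for user_id, login, email, closest in suspicious_admins(db, {"owner"}):
        print(f"ID {user_id}: {login!r} <{email}> looks like {closest!r}")
```

On a live site, run the SELECT in phpMyAdmin (adjusting the prefix if yours is not wp_) and compare the result with the users page in the dashboard; any row that appears in the query but not on the page is exactly the hidden account the post describes.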
OTHER SECURITY MEASURES – This post about how to secure your WordPress blog contains a whole host of useful tips to protect your website from the more common hacking attempts.
ONE MORE THING – Over the last few weeks I noticed my laptop signal dropping out a few times every day and after trying numerous methods to reconnect, the ONLY way I could restore it was to restart the computer completely.
I am NOT sure if this is part of the worm’s activity expanding on to my computer as well, but since I’ve cleaned all the websites I’ve been monitoring, the dropping out has stopped…interesting and scary at the same time!
We’ve been lucky here. We caught this outbreak before it had the chance to expand and do even more damage. But I suspect most people are completely oblivious to its activity.
NEW INFORMATION – we were hacked again over the weekend of October 25th and 26th 2009. You can read more about it here.
This provides us with another great opportunity to ramp up our security procedures, skills and knowledge.
Here is some more VERY USEFUL INFORMATION about how to handle a hacking attack…
TURN THE PROBLEM INTO A BENEFIT – Use the problems as a springboard to help you learn more about internet security procedures.
There’s no benefit in going after the ‘bad guys’, they probably thrive on knowing they’ve made us annoyed or angry anyway.
My clients have been tremendously supportive. I’m also really grateful for the opportunity to gain more experience that can ONLY help me provide a more secure level of web services.
