April 8th, 2009 14 Comments

Maliciousness

Sorry for the silent treatment this week but I’ve been having some behind-the-scenes issues lately. Seems like my blog has hit the “big time” because my site’s been under attack from hackers for the past few weeks. Yesterday we found “obfuscated” code embedded, but we are having a bitch of a time reverse-engineering it. And last week we found a SQL injection that pointed to a fake Google Analytics page.

I know, it’s sort of over the top geek speak (and I thank GOODNESS that my husband is a nerd) that even I don’t understand sometimes! So, we’ve been busy scrubbing some of the code over here.

If anybody has any suggestions for stricter WordPress security please drop me a line!

Anyway, how are you guys?


14 Responses

  1. KT Did says:

    There are always those jerks out there. Glad you are getting the bugs out. Listened to your podcast and think you did a great job. Plugged it off of my podcast too. Hope it all works out with the bugs.

  2. chessie says:

    Arghhh… you’re lucky to have a loving geek within arm’s reach! Nasty people… (not the loving geek)

    Glad things are working out for you.

  3. Torch says:

    Why are they always trying to ruin a good thing? Must be jealousy! You guys will get it all worked out.

    Ride on,
    Torch

  4. Congrats on the site traffic, and page rank. Damn spammers and hackers. Ya would think they could find better things to do with their spare time, like ride a motorcycle!
    Have you been using WP Security Scan?

  5. I am curious how you found your bugs? I run WordPress on Linux. I have taken precautions, but there is always the possibility that I am vulnerable on some issues.

    I don’t get much traffic, so maybe I am just lucky that no one has turned their evil eye on me.

  6. Janet says:

    Lizzie, so sorry this is going on – do you use the Akismet plug-in for WordPress spam-comment control? Was this something other than spam comments causing the problem? Drop me an email if you like, I use WP also and maybe can be helpful. Take care!!

  7. iamshimone says:

    Sorry for your woes.

    First suggestion, get off DreamHost. Yes they are cheap but you get what you pay for. Personally I spent years dealing with my sites getting hacked and I traced it all to DreamHost’s lax policies and virtual host setup.

    Second, upgrade all your plugins and related scripts including, contact form, wp-polls, jquery, prototype, etc. From a cursory glance it looks like a few of these are out of date. Updates often contain security patches.

    Third, remove anything that accepts a POST e.g. index.php?ak_action=hackmysite

    Fourth, disable access to the server using Apache rules (assuming you’re on UNIX box).

    Lastly, Google search tips for securing PHP and/or a WordPress install.

    Hope this helps and good luck! Love the blog :)

  8. Scott Walker says:

    Ouch. That’s never fun. Care to share the injected code? I wouldn’t mind taking a look at it. Have had some success in the past.

  9. Lizzie says:

    Thanks for all the helpful comments!

    I am pretty fastidious about keeping my plug-ins up to date and have a few WP security/database monitoring plug-ins that I use.

    I am using Akismet for spam, so no real concerns there.

    I had considered switching my hosting to Media Temple, but have heard that they’re not as good as once thought so I’m sticking with Dreamhost until a better host is available.

    I found the bugs a few different ways: one was during a code validation; another was a weird 1-pixel shift in the design, and when we ran the site through Firebug it referenced a piece of JavaScript that we were not familiar with.

    And a few times I’ve had incredible spikes in traffic, with people staying on the site for under 20 seconds, which leads me to believe that someone was hammering on the site to get in.

    Scott, if you’d like to check out the obfuscated code I can email it to you separately.

    Thanks again anyone and if you have anything else to share please send it my way!

  10. Lizzie says:

    I just did a bit more digging and found that all the traffic came from Kintiskton LLC in Montara, CA. After doing a bit of research I found some interesting info. Looks like someone has a spider bot hammering sites, specifically looking at images. Still not sure how they were able to leave code on the site, but now I know who did it and that I’m not alone.
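The traffic spikes described in comments 9 and 10 (many hits in a short time, visits under 20 seconds, a bot pulling images) are the kind of thing an access log shows directly. The script below is an added example written for this page, not code from the blog or from any WordPress plugin: it parses Apache combined-format log lines, counts each client's peak requests inside a sliding 60-second window, and reports any client over a threshold along with how much of its traffic was image files and which User-Agent strings it sent. The log lines, the 203.0.113.x addresses (a reserved documentation range) and the "ExampleCrawler" agent are constructed for the example; the threshold of 30 requests per minute is an arbitrary starting point to tune against your own normal traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_bursts(lines, window_seconds=60, threshold=30):
    """Flag client IPs whose peak request count in any window reaches threshold."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        times = [r["ts"] for r in recs]
        # Two-pointer sliding window over sorted timestamps: O(n) per client.
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            images = sum(1 for r in recs if r["path"].lower().endswith(IMAGE_EXT))
            flagged[ip] = {
                "peak_requests_per_window": peak,
                "image_fraction": round(images / len(recs), 2),
                "user_agents": sorted({r["ua"] for r in recs}),
            }
    return flagged


def constructed_log():
    """Constructed sample: one crawler hammering images, two ordinary visitors."""
    base = datetime(2009, 4, 8, 10, 15, 0, tzinfo=timezone(timedelta(hours=-7)))
    fmt = "%d/%b/%Y:%H:%M:%S %z"

    def line(ip, offset, path, ua):
        ts = (base + timedelta(seconds=offset)).strftime(fmt)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 51234 "-" "{ua}"'

    crawler_ua = "Mozilla/5.0 (compatible; ExampleCrawler/1.0)"
    browser_ua = "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.8"
    lines = [line("203.0.113.77", i, f"/wp-content/uploads/photo{i}.jpg", crawler_ua)
             for i in range(40)]  # 40 image hits inside 40 seconds
    lines += [line("203.0.113.10", 0, "/", browser_ua),
              line("203.0.113.10", 90, "/about/", browser_ua),
              line("203.0.113.10", 400, "/wp-content/themes/demo/style.css", browser_ua),
              line("203.0.113.11", 30, "/", browser_ua),
              line("203.0.113.11", 75, "/wp-content/uploads/header.png", browser_ua)]
    return lines


if __name__ == "__main__":
    for ip, info in find_bursts(constructed_log()).items():
        print(ip, info)
```

To use this against a real site, replace `constructed_log()` with the lines of the web server's access log. Note that the two-pointer loop assumes the log is in time order after sorting per client; on a busy host you would stream the file rather than hold every record in memory, but the window logic is the same.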

  11. Caleb says:

    Lizzie,

    Found your post through your link-back to my site. Are you saying that your site has logfile records of a user-agent modifying things on your server, taking injection attacks, etc… and the IP’s source to Kintiskton?

    Best,

    -Caleb

    • Lizzie says:

      Caleb, the files that were modified did not have updated modification dates. However, what I can tell you is that on the 2 occasions that Kintiskton spider bot hammered on my site, we found malicious code dropped on there at the same time. Whether it’s a freaky coincidence or something that they did, I am not sure. But we have read reports of similar experiences from other blog sites.
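Two points in this thread suggest the same check: in comment 9 the injected code was only noticed because a design glitch led to an unfamiliar script, and in the reply above the modified files had unchanged modification dates, so sorting by mtime would not have found them. A hash baseline does not depend on timestamps. The script below is an added example written for this page, not code from the blog or from WordPress itself: it records a SHA-256 per file under the site root, reports anything changed, added or removed against that baseline, and separately scans PHP/JS/HTML files for a few indicator strings typical of obfuscated injections (`eval(base64_decode(`, `eval(gzinflate(`, `document.write(unescape(`, very long base64-looking blobs). The `demo()` function builds a throwaway directory, injects a line into a constructed `footer.php` and restores the original mtime to reproduce the situation described in the reply; the indicator list is a constructed starting point, not an exhaustive signature set.

```python
import hashlib
import os
import re
import tempfile

# Constructed indicator list for this example; extend it for your own site.
OBFUSCATION_PATTERNS = [
    re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    re.compile(rb"eval\s*\(\s*gzinflate\s*\("),
    re.compile(rb"eval\s*\(\s*str_rot13\s*\("),
    re.compile(rb"document\.write\s*\(\s*unescape\s*\("),
    re.compile(rb"[A-Za-z0-9+/=]{200,}"),  # long base64-looking blob
]
SCAN_SUFFIXES = (".php", ".js", ".html", ".htm")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _relpath(full, root):
    return os.path.relpath(full, root).replace(os.sep, "/")


def build_baseline(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[_relpath(full, root)] = sha256_of(full)
    return baseline


def compare_to_baseline(root, baseline):
    """Diff the tree against a stored baseline; mtimes play no part."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def find_obfuscation_indicators(root):
    """Return {relative path: [matched pattern, ...]} for script-like files."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCAN_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                data = f.read()
            matched = [p.pattern.decode() for p in OBFUSCATION_PATTERNS if p.search(data)]
            if matched:
                hits[_relpath(full, root)] = matched
    return hits


def demo():
    """Constructed scenario: code appended to a theme file with its mtime put back."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "wp-content", "themes", "demo", "footer.php")
    os.makedirs(os.path.dirname(target))
    with open(target, "wb") as f:
        f.write(b"<?php wp_footer(); ?>\n")
    before = os.stat(target)
    baseline = build_baseline(root)

    # Simulated injection: append an eval(base64_decode(...)) line, then
    # restore the original timestamps so an mtime-based check sees nothing.
    with open(target, "ab") as f:
        f.write(b"<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n")
    os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))

    mtime_unchanged = os.stat(target).st_mtime_ns == before.st_mtime_ns
    return mtime_unchanged, compare_to_baseline(root, baseline), find_obfuscation_indicators(root)


if __name__ == "__main__":
    print(demo())
```

In practice you would take the baseline right after a clean install or upgrade, store it somewhere the web server cannot write, and re-run the comparison on a schedule; the indicator scan is a coarse second opinion for the files the hash diff flags, since it will also fire on legitimately minified or base64-heavy assets.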

  12. Magnus says:

    I hope you crush your enemies, see them driven before you, and hear the lamentation of their women.
