Discussion: Pharma hack
Steve Taylor
2013-09-28 08:09:51 UTC
A site I run just got hit by the "pharma hack". There was a common.php and
a /coockies/ directory in the root, and a modification to .htaccess
rerouting all search bots to common.php - encoded but obviously stuffed
with spam keywords, which were appearing in Google's index.

I've cleaned up and all seems fine now, but obviously it'd be good to
identify the point of entry and be sure.

The site has always had an up-to-date core, with minor delays (I think a
week passed before upgrading to 3.6.1). A few plugins needed upgrading, but
as far as I could tell none of the upgrades involved serious security
patches.

The guy who hosts the site (not my choice) says he's 99% certain WP was the
issue, but this seems unlikely to me. He doesn't seem terribly
knowledgeable about security. I can't be 100% there wasn't some odd hole in
my WP installation, but obviously I suspect a server vulnerability -
leaving us pointing the finger at each other.

Personally I would move hosts, but this isn't my decision. Just wondering
what people here thought, and if anyone heard of recent vulnerabilities to
this hack in relatively up-to-date WP installations. Also, what concrete
analysis of the situation should be the bare minimum expected of a host?

Cheers,

Steve
Simon Vart
2013-09-28 09:53:22 UTC
Did you check webserver logs? You will see pages accessed.
Check creation date of common.php and /cookies/ directory and it will tell
you when to look around.
Post by Steve Taylor
A site I run just got hit by the "pharma hack". There was a common.php and
a /coockies/ directory in the root, and a modification to .htaccess
rerouting all search bots to common.php - encoded but obviously stuffed
with spam keywords, which were appearing in Google's index.
I've cleaned up and all seems fine now, but obviously it'd be good to
identify the point of entry and be sure.
The site has always had an up-to-date core, with minor delays (I think a
week passed before upgrading to 3.6.1). A few plugins needed upgrading, but
as far as I could tell none of the upgrades involved serious security
patches.
The guy who hosts the site (not my choice) says he's 99% certain WP was the
issue, but this seems unlikely to me. He doesn't seem terribly
knowledgeable about security. I can't be 100% there wasn't some odd hole in
my WP installation, but obviously I suspect a server vulnerability -
leaving us pointing the finger at each other.
Personally I would move hosts, but this isn't my decision. Just wondering
what people here thought, and if anyone heard of recent vulnerabilities to
this hack in relatively up-to-date WP installations. Also, what concrete
analysis of the situation should be the bare minimum expected of a host?
Cheers,
Steve
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
J.D. Grimes
2013-09-28 12:36:31 UTC
Simon is right - check the server access logs (if you can). That may tell you how they got in.

J.D.
Post by Simon Vart
Did you check webserver logs? You will see pages accessed.
Check creation date of common.php and /cookies/ directory and it will tell
you when to look around.
Post by Steve Taylor
A site I run just got hit by the "pharma hack". There was a common.php and
a /coockies/ directory in the root, and a modification to .htaccess
rerouting all search bots to common.php - encoded but obviously stuffed
with spam keywords, which were appearing in Google's index.
I've cleaned up and all seems fine now, but obviously it'd be good to
identify the point of entry and be sure.
The site has always had an up-to-date core, with minor delays (I think a
week passed before upgrading to 3.6.1). A few plugins needed upgrading, but
as far as I could tell none of the upgrades involved serious security
patches.
The guy who hosts the site (not my choice) says he's 99% certain WP was the
issue, but this seems unlikely to me. He doesn't seem terribly
knowledgeable about security. I can't be 100% there wasn't some odd hole in
my WP installation, but obviously I suspect a server vulnerability -
leaving us pointing the finger at each other.
Personally I would move hosts, but this isn't my decision. Just wondering
what people here thought, and if anyone heard of recent vulnerabilities to
this hack in relatively up-to-date WP installations. Also, what concrete
analysis of the situation should be the bare minimum expected of a host?
Cheers,
Steve
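Putting Simon's and J.D.'s advice into a script (added here, not from the thread): take the window around the dropped file's timestamp (`stat` on common.php gives it) and pull the access-log requests in that window, then list the ones worth reading first. Assumes an Apache combined-format log; the log lines, plugin path and addresses below are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: narrow an Apache combined-format
# access log to the window around a dropped file's mtime and list the
# requests most worth looking at. Log path, window and file name are
# placeholders; the sample log below is constructed for the demo.
set -eu

# Print log lines whose timestamp falls within [from, to]; bounds are
# YYYY-MM-DDThh:mm:ss so they compare correctly as plain strings.
log_window() {
  awk -v from="$2" -v to="$3" '
    BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = sprintf("%02d", i) }
    {
      # Apache stamps look like [28/Sep/2013:08:09:51 +0000]
      if (match($0, /\[[0-9]+\/[A-Za-z]+\/[0-9]+:[0-9]+:[0-9]+:[0-9]+/)) {
        split(substr($0, RSTART + 1, RLENGTH - 1), p, /[\/:]/)
        iso = p[3] "-" mon[p[2]] "-" sprintf("%02d", p[1]) "T" p[4] ":" p[5] ":" p[6]
        if (iso >= from && iso <= to) print
      }
    }' "$1"
}

# From (windowed) log lines print "client method path" for the requests
# that usually matter: POSTs to PHP files and every hit on the dropped
# file itself. The earliest POST in the window is where to start reading.
entry_candidates() {
  awk -v dropped="$2" '
    { method = $6; sub(/^"/, "", method); path = $7
      if ((method == "POST" && path ~ /\.php/) || index(path, dropped))
        print $1, method, path }' "$1" | sort -u
}

# Constructed sample log (addresses from documentation ranges).
sample_log() {
  local f; f=$(mktemp)
  cat > "$f" <<'EOF'
203.0.113.5 - - [27/Sep/2013:22:14:03 +0000] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Sep/2013:03:41:10 +0000] "POST /wp-content/plugins/example/upload.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Sep/2013:03:42:31 +0000] "GET /common.php HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
192.0.2.77 - - [28/Sep/2013:06:10:44 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
EOF
  echo "$f"
}

log=$(sample_log)
log_window "$log" 2013-09-28T03:00:00 2013-09-28T04:00:00 > "$log.window"
entry_candidates "$log.window" common.php
```

On a real box, replace the sample with the host's access log and set the window from the mtime of the dropped file and of the modified .htaccess.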
Hal Burgiss
2013-09-28 14:37:21 UTC
Post by Steve Taylor
A site I run just got hit by the "pharma hack". There was a common.php and
a /coockies/ directory in the root, and a modification to .htaccess
rerouting all search bots to common.php - encoded but obviously stuffed
with spam keywords, which were appearing in Google's index.
I've cleaned up and all seems fine now, but obviously it'd be good to
identify the point of entry and be sure.
Definitely. But why is .htaccess writable in the first place? Root
directory? From a systems administration standpoint, the only directory in
a default installation that should be writable is the uploads folder. That
by itself doesn't stop everything, but it stops a helluva lot of stuff.
--
Hal
Abdussamad Abdurrazzaq
2013-09-28 15:39:50 UTC
Most shared hosts use php fastcgi and they configure it so that the
entire directory is writeable. This can make it easier for users to
update WP and allows WP core devs to boast that more WP installations
are up to date compared to other major CMS.

But yeah it isn't ideal from a security point of view.
Post by Hal Burgiss
Post by Steve Taylor
A site I run just got hit by the "pharma hack". There was a common.php and
a /coockies/ directory in the root, and a modification to .htaccess
rerouting all search bots to common.php - encoded but obviously stuffed
with spam keywords, which were appearing in Google's index.
I've cleaned up and all seems fine now, but obviously it'd be good to
identify the point of entry and be sure.
Definitely. But why is .htaccess writable in the first place? Root
directory? From a systems administration standpoint, the only directory in
a default installation that should be writable is the uploads folder. That
by itself doesn't stop everything, but it stops a helluva lot of stuff.
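A check for Hal's point (added here, not from the thread): run as the user PHP executes as, it lists everything under the WordPress root that the process could write outside wp-content/uploads, which is the list to take back to the host. The user name and path are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: list what the PHP process can write
# outside wp-content/uploads. Run it as the PHP user, e.g.
#   sudo -u www-data bash writable_audit.sh /var/www/site
# (user and path are placeholders); find's -writable tests the invoking user.
set -eu

writable_outside_uploads() {
  local root=${1%/}
  find "$root" -path "$root/wp-content/uploads" -prune -o \
       \( -type f -o -type d \) -writable -print | sort
}

# Exit 1 when anything outside uploads is writable, printing the list;
# .htaccess and wp-config.php showing up here is the case Hal describes.
audit() {
  local hits; hits=$(writable_outside_uploads "$1")
  if [ -n "$hits" ]; then printf '%s\n' "$hits"; return 1; fi
  echo "nothing writable outside wp-content/uploads"
}

if [ $# -eq 1 ]; then audit "$1"; fi
```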