Cracked by WordPress 18.104.22.168
From the 12th of August I was on holiday around and about Australia.
My Wordpress blog 22.214.171.124 hosted at DreamHost doesn’t use my Wordpress Debian package so I had to upgrade Wordpress by hand. Sigh. So I didn’t get around to upgrading to 1.5.2, until yesterday.
Yesterday I spotted a .cron directory in natalian.org and raptor_chown which seems to be something for grabbing user processes, a httpd and some files that looked like they were for IRC dcc transfers. I’ve since put the files in quarantine for you to study. I changed my passwords and checked for any running processes. The “trojan” didn’t seem to be running and after checking my bandwidth graphs, it looks like everything was normal and my account wasn’t abused.
I wrote to DreamHost support about the break in:
> I am not sure if someone sniffed my password or because there was a
> security issue with Wordpress:
>
> pico:331$ cat natalian.org/wp-includes/version.php | grep version
> $wp_version = '126.96.36.199';
>
> Latest version is 1.5.2 and I am only getting around to upgrading it.
>
> The suspect files are in /home/hendry/quarantine.tar
>
> I am changing my passwords and updating Wordpress by hand. I will be
> also studying the files in quarantine.tar
>
> Have you considered using the Debian packages of Wordpress for sarge?
> http://people.debian.org/~dilinger/backports/wordpress/
We have to have a different mechanism than that for installing per user
on the shared machines. We upgrade the one-click installs when there are
security updates, but after that one-click install is completed, you need
to keep on top of the security updates.
Wordpress’s xmlrpc.php was vulnerable, so upgrading is a great idea. I
would also evaluate the other applications running under any of your
websites if there are any – you never know what could be vulnerable!
securityfocus.com is a great website for finding what applications are
vulnerable. They have a huge vulnerability database that is updated
Please let me know if you have any further questions.
> So that was the cause for the break in you expect? Could any further
> information be gleaned from logs? I’ve been away for almost a month
> before this.
I suspect that it is. If you’ve been away for a month, I don’t think I
could really dig into the logs that far back because we only keep Apache
access logs for about five days maximum.
Again, the best way to prevent break-ins is to keep your applications up
to date, although evaluating your passwords and changing them now and
again isn’t a bad idea. Make sure you don’t use any dictionary terms or
names of pets, relatives, etc. Nonsense words that easily stick in your
mind with a number or two thrown in are best.
I am a bit disappointed that I got cracked. This has happened to more people than people like to admit. :( I am eager to point fingers, but I guess ultimately I have myself to blame.
I wish the Web or Wordpress or PHP wasn’t riddled with security problems. Though in the last month, it has stabilised…
I wish DreamHost took care of updating Wordpress. DreamHost could have flagged this trojan by running chkrootkit and rkhunter periodically, but then again I don’t want them scanning my files tbh.
I am not too sure about the extent of the crack. All files look ok, but are they? I did run some greps and finds for obvious things. I do have copies of everything which are pretty much all in source control.
This cracker is probably a warez script kiddie who wants my account to help distribute something illegal. Hopefully not intent on destroying my data. The attack could have been reduced by not having unzip on the system. ;)
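The checks described above were done by hand: grepping the version out of wp-includes/version.php, then looking for odd directories and binaries in the account. The script below is an added example that does the same thing over a web root; it is not code from this post or from DreamHost, and the web root path and the "current" version it compares against are assumptions the caller supplies.

```shell
# Added example, not code from the original post or from DreamHost.
# Paths and the "current" version are placeholders the caller supplies.

# Print the $wp_version string from a WordPress tree (as the post's grep did).
wp_version_of() {
    f="$1/wp-includes/version.php"
    [ -f "$f" ] || { echo unknown; return 1; }
    # version.php contains a line like:  $wp_version = '1.5.2';
    grep 'wp_version *=' "$f" | head -n 1 | cut -d"'" -f2
}

# Succeed (0) if dotted version $1 is older than $2; non-digits are ignored.
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=$(printf %s "${a%%.*}" | tr -cd 0-9); a="${a#*.}"
        y=$(printf %s "${b%%.*}" | tr -cd 0-9); b="${b#*.}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# List what the post found by hand: hidden directories (e.g. ".cron") and
# executable non-PHP files (a dropped "httpd") anywhere under the web root.
find_suspect_files() {
    root="$1"
    {
        find "$root" -type d -name '.*' ! -path "$root" 2>/dev/null
        find "$root" -type f -perm -100 ! -name '*.php' 2>/dev/null
    } | sort -u
}

# Report on one web root; return 1 if WordPress is behind $2 or suspects exist.
wp_audit() {
    root="$1" current="$2" rc=0
    ver=$(wp_version_of "$root") || ver=unknown
    if version_lt "$ver" "$current"; then   # "unknown" counts as outdated
        echo "OUTDATED: $root runs WordPress $ver, current is $current"; rc=1
    else
        echo "ok: $root runs WordPress $ver"
    fi
    suspects=$(find_suspect_files "$root")
    if [ -n "$suspects" ]; then
        echo "SUSPECT FILES under $root:"; echo "$suspects"; rc=1
    fi
    return $rc
}
```

Run it as `wp_audit /path/to/webroot 1.5.2` from cron; a non-zero exit is the signal to go and look, the same way the .cron directory was the signal here.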