Another day, another WordPress hacker *sigh*… :-(

As quite a few of you already know (because you emailed to tell me, thanks!) Cipher Mysteries’ WordPress hosting got hacked again. Unfortunately by the time I’d downloaded the access logs from the server (the next day), all the nasty activity was too far back in the buffer to see exactly where it came from. Next time I’ll try to remember to be quicker!

I first had a look around with the Cpanel File Manager, as I initially expected the attack to have originated from a compromised file in the file system. I did find a backdoor php file inserted into ./wp-content/uploads, which from the file date was probably left there by the previous (Bangladeshi) hacker: but nothing else, which was a bit strange. So I reinstalled WordPress 3.5.1, fired it up, and… it was still hacked.

Appallingly, it turned out that the hacker had managed – despite my firewall & security plugins – to change some fields in the local database itself. Basically, he (I’ll call him “him”, for I’ve read that hacking is a largely male subculture) changed three entries in the WordPress wp_options table:-

1. blog_charset (which he changed from “UTF-8″ to “UTF-7″)
2. blogname (which he overwrote with a load of script kiddie stuff)
3. widget_text (which was filled with a load of escaped script kiddie stuff)

The most irritating hack was #3, as I could tell it was in JavaScript (hint: disable JavaScript and the problem disappeared) but couldn’t see what file had been changed. And in fact none had, because the script was inserted into a field in the database.

The most interesting hack was #1, because it wasn’t at all obvious to me why changing the charset to UTF-7 would be of benefit. But it turns out that this is a longstanding way of attacking databases (which expect UTF-8, and can be vulnerable to carefully crafted UTF-7 strings causing mySQL to do unexpected things). Here’s a page mentioning this weakness. Just so you know, IE9 doesn’t seem to support UTF-7 satisfactorily, which also had me confused for a while. *sigh*

The hacker may also have made other changes to the database, but I don’t know of any way to see a history of recent mySQL accesses from within WordPress… now there’s an idea for a forensic plugin that would be really useful. Or a Cpanel add-on. Or something.

How did the hacker get in? My guess is by exploiting a just-after-zero-day vulnerability in WordPress 3.5.0, as I hadn’t quite got round to upgrading to 3.5.1, what with work and real life inevitably getting in the way.

Unfortunately, I have no real faith that I’ve solved the problem. Chances are another vulnerability will open up before very long and we’ll go through the same rubbishy process all over again. C’est la vie (du blogging).

6 Comments

  1. avatar Dave February 15, 2013 6:54 pm

    WordPress now has an auto-update feature. I’ve got it enabled on my site so I don’t have to think about it. I like having the updates, despite the risk of compatibility issues or other unexpected changes.

    More info on automatic update

    http://zodiackillerciphers.com

  2. avatar Neville February 15, 2013 11:20 pm

    Backup?

  3. avatar nickpelling February 16, 2013 8:43 am

    Dave: thanks for the tip, will enable this ASAP. ;-)

    Neville: I do back Cipher Mysteries up fairly regularly, but certainly not after every post. And after 800+ posts (and lots of uploads), a full site backup gzip is 217MB!

    http://www.nickpelling.com/

  4. avatar Ellie February 17, 2013 8:23 pm
  5. avatar Edwin Lynch March 19, 2014 9:13 am

    Hm. I was hacked and yet all my themes, plugs and WP was right up to date. UTF 8 too. Re-installing WP I hope will solve the issue. They locked me out and so I had to bust my way back in.

    http://www.geoffreymultimedia.com

Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>