As quite a few of you already know (because you emailed to tell me, thanks!) Cipher Mysteries’ WordPress hosting got hacked again. Unfortunately by the time I’d downloaded the access logs from the server (the next day), all the nasty activity was too far back in the buffer to see exactly where it came from. Next time I’ll try to remember to be quicker!
I first had a look around with the Cpanel File Manager, as I initially expected the attack to have originated from a compromised file in the file system. I did find a backdoor php file inserted into ./wp-content/uploads, which from the file date was probably left there by the previous (Bangladeshi) hacker: but nothing else, which was a bit strange. So I reinstalled WordPress 3.5.1, fired it up, and… it was still hacked.
Appallingly, it turned out that the hacker had managed – despite my firewall & security plugins – to change some fields in the local database itself. Basically, he (I’ll call him “him”, for I’ve read that hacking is a largely male subculture) changed three entries in the WordPress wp_options table:-
1. blog_charset (which he changed from “UTF-8″ to “UTF-7″)
2. blogname (which he overwrote with a load of script kiddie stuff)
3. widget_text (which was filled with a load of escaped script kiddie stuff)
The most interesting hack was #1, because it wasn’t at all obvious to me why changing the charset to UTF-7 would be of benefit. But it turns out that this is a longstanding way of attacking databases (which expect UTF-8, and can be vulnerable to carefully crafted UTF-7 strings causing mySQL to do unexpected things). Here’s a page mentioning this weakness. Just so you know, IE9 doesn’t seem to support UTF-7 satisfactorily, which also had me confused for a while. *sigh*
The hacker may also have made other changes to the database, but I don’t know of any way to see a history of recent mySQL accesses from within WordPress… now there’s an idea for a forensic plugin that would be really useful. Or a Cpanel add-on. Or something.
How did the hacker get in? My guess is by exploiting a just-after-zero-day vulnerability in WordPress 3.5.0, as I hadn’t quite got round to upgrading to 3.5.1, what with work and real life inevitably getting in the way.
Unfortunately, I have no real faith that I’ve solved the problem. Chances are another vulnerability will open up before very long and we’ll go through the same rubbishy process all over again. C’est la vie (du blogging).