malicious code


eval(base64_decode & eval(unescape Hack in WordPress


Well, my day ended yesterday with a shock, and the whole day today was spent getting back to normal. Yes, SEO-Mind.com was hacked. I am not sure how it was hacked, but a whole bunch of code was injected at the top of each and every file on my server. That would be 6000+!!! Yes, the number is right!

When I opened any PHP file, I found code like the one below at the top of the source:

This in turn loaded an iframe, which would get added to the footer of every page and download malware to visitors' local computers. On decoding the Base64, I found that it had another encrypted piece of code using eval(unescape in it. This created an iframe as follows:

document.write('');

Now, the problem was, "How do I remove this from the 6000-odd pages on the server?" Not just WordPress, the Joomla site residing on the same server location was also infected. This means the malware code was injected into every PHP file on the server. It had not left a single PHP file uninfected.

After breaking my head on different things, finally, here is what I did:
1. Took a backup of the database
2. Backup of the wp-content/upload folder
3. Downloaded the plugins folder and themes into Dreamweaver and removed the malicious code using find and replace. This was around 1500 files. I had to do this because I had customized most of the plugins and themes and I hate doing that to the dozen plugins and themes that reside on my WordPress again. In fact, I have forgotten what I did as it was years earlier.
4. Installed a fresh pack of WordPress
5. Linked the database to it [Please be aware that some WordPress users have mentioned even their database being hacked. Thank God, it did not happen to me!]
6. Dropped the upload folder back into place, as it's only images; it's not prone to hacks or malicious code
7. Dropped the cleaned plugins and themes folders into their respective locations
8. Hurray! It started working fine without the code. I am yet to clean up the other sites, but WordPress is working great and faster too!!
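Step 3 above was done by hand in an editor. The script below is an added example (not the author's own tooling) that automates the same clean-up from a defender's side: it walks a copy of the web root, finds PHP files whose first bytes are an injected eval(base64_decode("...")) prologue, decodes the payload for inspection only, keeps a quarantine copy, and strips the prologue. The exact prologue shape, the .infected suffix and the demo file tree are assumptions; the sample payload is a constructed, benign marker string, not the real second stage.

```python
import base64
import pathlib
import re
import tempfile

# Prologue that only evals a base64 string, e.g. <?php eval(base64_decode("...")); ?>
INJECT_RE = re.compile(
    r'<\?php\s*eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;\s*\?>\s*')
# Markers of the second stage described in the post: eval(unescape(...)) writing an iframe
SECOND_STAGE_RE = re.compile(r'eval\s*\(\s*unescape|<iframe', re.IGNORECASE)

def find_injection(source):
    """Return (decoded_payload, cleaned_source) if the file starts with the prologue, else None."""
    m = INJECT_RE.match(source)  # the code was prepended, so it must sit at offset 0
    if not m:
        return None
    # Decoded for inspection only; nothing here is ever executed
    payload = base64.b64decode(m.group(1)).decode("utf-8", errors="replace")
    return payload, source[m.end():]

def clean_tree(root, write=False):
    """Walk root for *.php files; return {relative path: decoded payload} for infected ones."""
    root = pathlib.Path(root)
    hits = {}
    for path in sorted(root.rglob("*.php")):
        src = path.read_text(encoding="utf-8", errors="replace")
        found = find_injection(src)
        if found is None:
            continue
        payload, cleaned = found
        hits[path.relative_to(root).as_posix()] = payload
        if write:  # keep a quarantine copy for forensics, then strip the prologue in place
            path.with_name(path.name + ".infected").write_text(src, encoding="utf-8")
            path.write_text(cleaned, encoding="utf-8")
    return hits

def demo():
    """Constructed sample tree: one infected and one clean file (benign stand-in payload)."""
    stage2 = 'echo "constructed second stage: eval(unescape(...))";'  # constructed marker
    b64 = base64.b64encode(stage2.encode()).decode()
    original = "<?php\n// original plugin code\necho 'hello';\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "wp-content").mkdir()
        (root / "wp-content" / "bad.php").write_text(
            f'<?php eval(base64_decode("{b64}")); ?>{original}', encoding="utf-8")
        (root / "index.php").write_text(original, encoding="utf-8")
        hits = clean_tree(root, write=True)
        restored = (root / "wp-content" / "bad.php").read_text(encoding="utf-8")
        flagged = {p: bool(SECOND_STAGE_RE.search(v)) for p, v in hits.items()}
        return hits, flagged, restored == original
```

Run it against a backup copy first and diff the result against the live tree; a file whose decoded payload does not match SECOND_STAGE_RE still deserves a manual look, since a reinfection may use a different second stage.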

The next immediate step I took was to increase my WordPress Security.

Though a hack can happen through various channels, the majority of hacks can be avoided through easy precautions. I am writing an article on how a hack like this can be avoided by following some simple procedures. I will post about this soon. Anyone who had a bad day or a week due to this hack can comment on how you solved it!! I should be getting a peaceful sleep tonight!!

Posted in Tricks and Tweaks | Comments (1)


Internet Explorer Unsafe for 284 days in 2006


Maybe I should have posted this a year ago.

A report by Brian Krebs in the Washington Post shows that Internet Explorer was unsafe and prone to security issues for 284 days in 2006. Surprisingly, Mozilla Firefox was under a security threat for just nine days in the year.

The huge difference shows that Internet Explorer still cannot be regarded as reliable, even though it has the largest market share, at 80 percent.

The detailed report by Brian Krebs was started in 2005. Krebs contacted nearly all the researchers who had reported critical flaws in Microsoft products. He also examined the dates on which these flaws were found and reported. He found that Internet fraudsters had exploited Microsoft's security flaws for their own benefit all year round.

KEY: browser vulnerability publicly disclosed / browser vulnerability actively exploited

December 2005
  Dec. 27: MS06-001 (CVE-2005-4560) – 0day in Windows Metafile Format (WMF). Patch issued Jan. 5.
January 2006
  Jan. 7: MS06-004 (CVE-2006-0020) – Proof of concept for Windows Metafile Format flaw. Patch issued Feb. 14.
February 2006
March 2006
  Mar. 16: MS06-013 (CVE-2006-1245) – Proof of concept exploit for IE Microsoft Internet Explorer 6.0.2900.2180 (mshtml.dll). Patch issued Apr. 11.
  Mar. 22: MS06-013 (CVE-2006-1359) – Proof of concept exploit for Microsoft Internet Explorer 6 and 7 Beta 2. Patch issued Apr. 11.
April 2006
May 2006
  May 31: MS06-043 (CVE-2006-2766) – Proof of concept exploit for MHTML Parsing Vulnerability in IE. Patch issued Aug. 8.
June 2006
July 2006
  July 18: MS06-043 (CVE-2006-2766) – Proof of concept code for Microsoft Internet Explorer 6 on Windows XP SP2 (setslice).
August 2006
  Aug. 27: MS06-067 (CVE-2006-4446) – Proof of Concept exploit for Microsoft Internet Explorer 6.0 SP1 (DIRECT ANIMATION). Patch issued Nov. 14.
September 2006
  Sept. 13: MS06-067 (CVE-2006-4777) – 0day flaw in Internet Explorer 6.0 SP1 (daxctle.ocx). Patch issued Nov. 14.
  Sept. 18: MS06-057 (CVE-2006-3730) – IE 0day Vector Graphics Rendering engine (vgx.dll), as used in Microsoft Outlook and Internet Explorer 6.0. Patch issued Sept. 26.
  Sept. 26: Exploited in the wild. Patch issued Oct. 10.
October 2006
  Oct. 24: CVE-2006-5559 – ADODB.Connection 2.7 and 2.8 ActiveX control objects in Internet Explorer 6.0. Unpatched.
November 2006
  Nov. 3: MS06-071 (CVE-2006-5745) – 0day: IE-related (not installed by default on Windows). Patched Dec. 14.
December 2006

Compiled by Brian Krebs, washingtonpost.com – January 4, 2007

The first major attack was carried out by organized criminals who hacked sites and placed code that could steal passwords using spyware on systems running Internet Explorer. Microsoft did not take this attack seriously, and within a few days thousands of customers had already been hit by this spyware. Since Microsoft was stubborn, a third-party patch was created by security experts to fix the bug until Microsoft finally developed the fix.

Again in September, hackers used an unpatched flaw in non-Microsoft web server software and installed malicious code on a huge number of legitimate websites. Websites carrying this malicious code could infect Windows systems if a user simply opened them in the browser. Again Microsoft was slow to take this huge threat seriously, and third-party patches were the saviour until Microsoft issued an official update many days later.

With many more browsers coming onto the market, it is time Microsoft realized the importance of security, stayed alert and responded more promptly than ever before.

Posted in IE | Comments (0)

