Hello, it's been almost half a year that I've had a recurring security problem, and I really don't understand where it may be coming from.
Could I ask for your opinion, please?
Since I'm trying to give all the details, I'm sorry that this is a wall of text, but I'll be VERY grateful if you can bear with it and tell me if you have an idea about how my security has been breached repeatedly :)
In short, my visitors sometimes report that every page of my blog is trying to inject them a malware-ish URL.
- Once, around half a year ago, I had my footer edited with a call for a malware URL.
-> I cleaned my template from all junk, reinstalled a clean copy of my blog template (one of Andreas Viklund's templates, it should be trustworthy), and changed every single password related to my account, FTP, email, phpmyadmin, hosting, etc.
I also CHMODed my template's files so that they are impossible to edit by anyone, the admin/owner included.
- More attacks followed, and the following times, the URL wasn't present in the source code of my website when I loaded it. My visitors and I had it loaded (quickly appearing in the "loading" part of the browser's status bar, and also noticed among the loaded and blockable elements by the AdblockPlus plugin).
- The first two times, it appeared that deactivating LesterChan's wp-postratings plugin stopped the URL injection. I also noted that saving my blog's public HTML output source code to my disk, into an HTML file, and cropping everything but wp-postratings' call, was enough to trigger a virus alert warning when I opened the resulting HTML file in a browser.
- The 4 following times, it was LesterChan's wp-polls plugin that had to be deactivated to stop the injection.
- Every time with LesterChan's plugins, I deactivated the plugin, deleted it by FTP, and reuploaded a fresh copy grabbed from wordpress.org, and when I reactivated it, the malware injection didn't come back.
- However, using a file comparison utility (Beyond Compare), I found that my "compromised" versions of LesterChan's plugins and the originals as served by wordpress.org or by lesterchan.net were, bit for bit, character by character (binary and text comparison): strictly identical.
- I'll insist again, I have changed ALL my passwords even remotely related to my website. FTP accounts, admin, users, main hosting account, database, phpmyadmin, email accounts.
Even if one password had been compromised once, no library attack, personal knowledge of who I am, or pattern guessing could have allowed someone to learn my passwords another time.
- LesterChan himself, when asked if he had an idea, simply suggested reuploading a fresh copy of the plugin, and had no other insight.
- Talking about LesterChan, he also had a possible security breach; it may have allowed someone to take a first step into my blog: http://lesterchan.net/wordpress/2011/02/17/code-injection-follow-up/
- But since then, his plugins have been cleaned of this.
- I searched my whole blog and my blog's database for occurrences of base64 encoding, of reverse (from left to right) base64 encoding, and of rot13-converted base64 encoding, and found nothing.
- I also deleted all of (root)/wp-admin, root/wp-includes, root/wp-content/, and reinstalled the plugins and the blog template.
The attack still came back another time.
-> I'm on shared hosting; however, my web host (OVH) is rather professional at doing its job, and I doubt they'd have left open the risk of being compromised by other websites on the same cluster.
-> The Exploit Scanner plugin is also useless: for reasons unknown to mankind, it's unable to scan files larger than 10 or 15 KB in size. At least at that size, it doesn't notice illegitimate stuff.
-> Regrettably, my web logs are useless. There's more than 1 GB of text every day, and my text editors die before they manage to open the files.
-> Could it be that some form of backdoor may have been left behind, in order to be able to use a plugin's legitimate code to inject nasty stuff?
And there I am, clueless.
Please, would you have an idea, an opinion, a thought about it?
Thank you VERY MUCH if you can help me! :)
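The post says the daily access logs are over 1 GB and cannot be opened in an editor. A log of that size does not need an editor: it can be streamed one line at a time. The script below is an added example written for this thread, not code from the poster or from any plugin mentioned. It assumes the host writes Apache/nginx "combined" format (an assumption; adjust LOG_RE if OVH's layout differs) and applies three triage rules that a defender would check first on a WordPress site: PHP being executed out of wp-content/uploads, POST requests aimed directly at a plugin's own .php file instead of going through admin-ajax.php or index.php, and IPs hammering wp-login.php. The sample log lines are constructed for the demo, and the IP addresses are documentation ranges, not real visitors.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format. Assumption: the shared-hosting logs use
# this layout; if not, only this regex needs to change.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real traffic) that exercise every rule below.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2011:12:00:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2011:12:00:02 +0100] "GET /wp-content/plugins/wp-polls/polls-css.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2011:12:00:03 +0100] "POST /wp-content/plugins/wp-polls/wp-polls.php HTTP/1.1" 200 35 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Mar/2011:12:00:04 +0100] "GET /wp-content/uploads/2011/03/image.php?c=id HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.77 - - [10/Mar/2011:12:00:05 +0100] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/0.8"
192.0.2.77 - - [10/Mar/2011:12:00:06 +0100] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/0.8"
203.0.113.5 - - [10/Mar/2011:12:00:07 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.org/" "Mozilla/5.0"
this line is garbage and must not crash the parser
"""


def parse_line(line):
    """Return the field dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a short tag for a request worth a closer look, or None for ordinary traffic."""
    path = entry["path"].split("?", 1)[0].lower()
    if path.startswith("/wp-content/uploads/") and path.endswith(".php"):
        # The uploads tree holds media; a .php file being served from it is a red flag.
        return "php-executed-from-uploads"
    if entry["method"] == "POST" and path.startswith("/wp-content/") and path.endswith(".php"):
        # Legitimate plugin traffic normally flows through admin-ajax.php or index.php,
        # so a POST straight at a plugin file deserves a look at that file.
        return "post-direct-to-plugin-file"
    return None


def triage_lines(lines, login_threshold=20):
    """Stream over log lines (any iterable of str) and collect findings.

    Only one line is in memory at a time, so a multi-GB file is fine.
    """
    findings = []
    login_posts = Counter()
    unparsed = 0
    for line in lines:
        entry = parse_line(line.rstrip("\n"))
        if entry is None:
            unparsed += 1          # count, don't crash, on lines we cannot parse
            continue
        if entry["method"] == "POST" and entry["path"].split("?", 1)[0] == "/wp-login.php":
            login_posts[entry["ip"]] += 1
        tag = classify(entry)
        if tag:
            findings.append((tag, entry["ip"], entry["ts"], entry["method"], entry["path"]))
    noisy_logins = {ip: n for ip, n in login_posts.items() if n >= login_threshold}
    return {"findings": findings, "noisy_logins": noisy_logins, "unparsed": unparsed}


def triage_file(path, **kwargs):
    """Open a large log lazily; iterating the file handle yields one line at a time."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage_lines(fh, **kwargs)


if __name__ == "__main__":
    report = triage_lines(SAMPLE_LOG.splitlines(), login_threshold=2)
    for finding in report["findings"]:
        print(*finding)
    print("noisy logins:", report["noisy_logins"], "unparsed lines:", report["unparsed"])
```

Run it against a real file with triage_file("/path/to/access.log") and raise login_threshold to something sensible for your traffic. Timestamps of the flagged requests are the thing to correlate with the moments visitors reported the injected URL; the IP that first touched a flagged file is where the timeline of the compromise usually starts.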
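The poster searched the files and database for base64 strings, reversed base64 and rot13-encoded base64, and found nothing. A complementary check is to look for the decoding calls rather than the encoded payload: whatever encoding a hidden file uses, PHP can only run it after a cleartext call such as eval(), gzinflate() or base64_decode() unwraps it, and a /e modifier on preg_replace() evaluates its replacement as code. The scanner below is an added example written for this thread, not the poster's code and not part of any plugin named here; the signature list is a generic set of obfuscation indicators (an assumption about what is worth flagging, not a statement about this particular incident), and both PHP fixtures are constructed for the demo, with a harmless "hello world" base64 literal standing in for a payload. It also flags any .php file under wp-content/uploads regardless of content, since that directory should contain only media.

```python
import os
import re
import shutil
import tempfile

# Generic obfuscation indicators. Assumption: this list is illustrative triage
# criteria, not a complete signature set; every hit needs a human look.
RULES = {
    "eval-call": re.compile(r"(?<![\w$>])eval\s*\("),
    "dynamic-code": re.compile(r"(?<![\w$>])(?:create_function|assert)\s*\("),
    # two decoders nested in one expression, e.g. gzinflate(base64_decode(...))
    "decode-chain": re.compile(
        r"(?<![\w$>])(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev|urldecode)\s*\(\s*"
        r"(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev|urldecode)\s*\("),
    # preg_replace with the /e modifier evaluates the replacement string as PHP
    "preg-replace-e": re.compile(r"preg_replace\s*\(\s*(['\"])/.*?/[imsxu]*e[imsxu]*\1"),
    "shell-exec": re.compile(r"(?<![\w$>])(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\("),
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
    "hex-escaped-string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}

# Constructed fixtures: an ordinary-looking plugin file and one that trips several rules.
CLEAN_SAMPLE = """<?php
// ordinary plugin code: one JSON decode, no eval, no nested decoders
$opts = json_decode(get_option('wp_polls_opts'), true);
echo esc_html($opts['title']);
"""

SUSPECT_SAMPLE = """<?php
/* constructed fixture; the literal is base64 for "hello world", nothing more */
$p = "aGVsbG8gd29ybGQ=";
eval(gzinflate(base64_decode($p)));
preg_replace("/.*/e", $p, "");
"""


def scan_source(text):
    """Return [(rule, line_number, excerpt)] for every rule hit in one file's text."""
    hits = []
    for rule, rx in RULES.items():
        for m in rx.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            excerpt = text[m.start():m.start() + 60].replace("\n", " ")
            hits.append((rule, line_no, excerpt))
    return sorted(hits, key=lambda h: h[1])   # stable sort keeps rule order within a line


def scan_tree(root, uploads_dir="wp-content/uploads"):
    """Walk a WordPress install; return {relative_path: hits} for files that need a look."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hits = []
            if rel.startswith(uploads_dir + "/"):
                hits.append(("php-in-uploads", 0, rel))   # code under uploads is suspect by location alone
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_source(fh.read()))
            except OSError as exc:
                hits.append(("unreadable", 0, str(exc)))
            if hits:
                report[rel] = hits
    return report


def run_demo():
    """Build a throwaway tree with both fixtures, scan it, and return the report."""
    root = tempfile.mkdtemp(prefix="wpscan-demo-")
    try:
        clean = os.path.join(root, "wp-content", "plugins", "wp-polls", "wp-polls.php")
        suspect = os.path.join(root, "wp-content", "uploads", "2011", "03", "image.php")
        for path, body in ((clean, CLEAN_SAMPLE), (suspect, SUSPECT_SAMPLE)):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, hits in run_demo().items():
        print(rel)
        for rule, line_no, excerpt in hits:
            print(f"  line {line_no:>4}  {rule:<22} {excerpt}")
```

Point scan_tree at the document root of the blog (including the theme directory and wp-config.php's parent) and read every hit in context. Because the poster's plugin files compared identical to the originals from wordpress.org, the interesting output is whatever turns up outside those plugins: under uploads, in the theme, or in a file that is not part of any package at all.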