O Canada! – or – frgdr.com Just Got Base64’ed, Again!

Warning: This post is quite technical and might only be interesting to true geeks.

[singlepic id=313 w=320 h=240 float=right]Yesterday I found out frgdr.com was injected with malicious code which redirected some visitors to discount-canadian-medshop.com, an e-commerce website selling pharmaceutical drugs (read: Cialis). This was a particularly conniving hack as only some posts were affected, making it harder to detect anything was wrong. If you are interested in such details, after the jump is a summary of the incident.

How did I find out?

So about two weeks I started noticing the visiting stats for my website had significantly declined, and that I was getting about a third of the traffic I was used to getting. I attributed this to my lack of new posts during recent weeks and figured Google recalculated my rank and decided to demote me. Fine, I said, so be it.
[singlepic id=314 w=525 h=100 float=center]

Then, yesterday I was ego searching and discovered something strange: some of my links shown by Google had Cialis-related titles. At first I thought my personal computer had some sort of virus that was making these link changes just on my own PC, but soon I realized this was not the case. In fact, I now know my website has been hacked for so long, Google and other search engines had already indexed the hacked posts and they were appearing for anyone searching for such products.
[singlepic id=315 w=320 h=240 float=right]What made this hack particularly smart is the fact that only a third of the posts were hacked (242 out of 692 indexed results), which meant that many people visiting the homepage and other popular posts, did not even notice anything was wrong, hence could not alert me to that fact. During that time I also checked daily that everything is on the up and up, as I always do, visiting my website from different computers and using two separate website monitoring services. I figured if anything shady was going on, I will quickly find out about it. I was wrong.

What actually happened?

Reverse engineering the hacking, I now know that about two weeks ago, an eval (gzinflate(base64_decode( code was added to the end of my WordPress wp-config.php file, instructing WP to require_once a PHP file that was uploaded to a folder that was scheduled to be deleted for a while now. The uploaded PHP file named 2tre8e3e4r56e3f6ba4c5721d403e.php was apparently in charge of what posts were left unchanged, and what posts were showing the pharma site. Bear in mind, visitors were not redirected to that site but were actually shown an html file from my root directory, the second one to be uploaded to the server, named whois.dat. Yeah, that filename made me smile too… :)

What did I do wrong?

While I do believe this hacking was done manually by a pretty skillful hax0r, as always, leaving old folders is a bad idea. In my case, that folder included an outdated YOURLS installation, and leaving old PHP files around is a no-no.

What did I do right?

Following is a list of precautions I took before being hacked including WordPress plugins I use to make my website secure. This might be useful for people who self-host WordPress as vigilance is a constant battle. Bare in mind that with everything mentioned here I still got base64’d:
– passwords: I use strong passwords, up to 20 characters in length, and a different one for every service. Using RoboForm2Go to remember my passwords for me, I can be this restrict.
– file backup: The actual files are backed up daily by my hosting provider.
– database backup: Using WP plugin WP-DB-Backup to automatically backup and email me the MySQL database every hour.
– malware notification: Using WP plugin WP AntiVirus to monitor malicious injections and send an email warning of possible attacks.
– unauthorized logins: Using WP plugin Login LockDown to prevent brute force attacks.
– corrective measures: Using WP plugin WP Security Scan to detect novice-level vulnerabilities.

The battle continues…

One thought on “O Canada! – or – frgdr.com Just Got Base64’ed, Again!”

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>