Tag: hacking

  • Our Investigation of the Hack of One Website (OR: How We Investigated a Hack of One Website)

    Our Investigation of the Hack of One Website (OR: How We Investigated a Hack of One Website)

    We were contacted by one WordPress website owner with the issue of a website hack. Consequences of the hack were that their whole website content was deleted, meaning articles, pictures, plugins and themes were gone and visiting the website displayed a blank page. What was left in the folder «wp-content» was a single folder «uploads», new files in the root directory and many custom files «.htaccess» in other folders.

    What measures were taken in the first place before restoring the website. To avoid future successful connections from the hacker, all passwords were changed, including database ones, authorization over HTTP was enabled, installation of any files and themes were allowed only over FTP.

    What Has Been Done to Find Out the Source of the Hack

    The main task was gathering information about how the hacker managed to get access to the website and delete all of its content.

    The first step was saving the entire file system in a way where the files can not be created anew but to be saved in their current state (It’s important to know for identifying the creation time of the malicious files).

    • saving nginx «access.log» on the date of the detected hack
    • saving nginx «error.log» on the date of the detected hack
    • saving nginx «syslog» on the date of the detected hack

    Input data:

    • logs «access.log» (200 MB) «error.log» (47 MB)
    • website files

    The local repository of Splunk was chosen for the log analysis, data sources were the files «access.log» and «error.log».

    To determine the time when the website infection happened, the creation time of the suspicious files in the website folder was inputted.

    The next step was selecting a set of lines from the log files within a certain time period and the server response 200, while requests from «admin_ajax» and «wp_cron» were excluded.

    Thus, we found the hacker’s IP address that was able to get a response 200 for its POST request to this address: /wp-content/themes/seotheme/db.php?

    Next, we analyzed every line of activity of this IP address within the same time period. Based on this data, we see that someone created this folder: /wp-content/themes/seotheme

    Furthermore,

    • the cybercriminal from the IP address 43.153.77.57 was able to get a response 200 to their POST request while forcing /wp-content/themes/seotheme/db.php?u and in the end a number of malicious files was created which were started being called; 
    • a set of files «.htaccess» was created and modified specifically for the Apache-like webserver to allow executing files; 
    • the file «index.php» was modified, added obfuscated malicious code;
    • the file «plugins.php» was modified, added obfuscated malicious code;
    • the file «pluggable.php» was modified, added obfuscated malicious code; 
    • there were some eval constructions in the files, and parsing them was impossible.
    • It’s also impossible to know the origin of the folder /wp-content/themes/seotheme and the files in it, the reason is self-deletion of the malware results.

    How to prevent future hacks:

    1. constant monitoring of the website files for any new unknown files in the system,
    2. aggressive response to status changes of the «.htaccess» files if you use an Apache web-server
    3. force to implement any filesystem actions with a protected FTP account only, you can edit your wp-config.php by adding the code below:
    define( 'FS_METHOD', 'ftpext' );
    
    define( 'FTP_BASE', '/yoursitepath' );
  • Best practices to protect e-commerce sites

    Best practices to protect e-commerce sites

    Online shopping has always attracted intruders: it is a source of credit card data (now almost irrelevant); user data; data about orders and market trends (consumer demand); a traffic source; manipulation with the discount coupons, etc. An e-commerce site may be attacked as intruders in “free hunting” (non-targeted attack) and by the request of unfair competition. Recently are popular different kinds of DoS/DDoS attacks, as to disable a competitor and as a tool for blackmail.

    In this topic, I will describe best practices for the protection of e-commerce sites.

    (more…)