Hashemian Blog
Web, Finance, Technology, Running

Wordpress Base64 Hack or PHP-CGI Hack?

by @ 10:57 pm
Filed under: hacking, web

A couple of months ago I started noticing that this blog's RSS feed, which is served via Feedburner, wasn't coming through on some RSS readers. After some tests I discovered that the feed actually contained a malicious JavaScript block at the top. That was breaking the XML format, causing the RSS readers to fail. Turns out it was my own site that was hacked, and the injected content was replicating over to Feedburner.

After a bit of investigating I found a number of files, especially those named index.php, that had been modified with a code block at the top that started with something like "eval(base64_decode(…" followed by a long string of hex numbers. I decoded the hex string and ended up with a PHP code block that looked pretty devious, with references to Chinese sites.

This is what was happening. A user requests a blog page. Since nearly every WordPress request is routed through index.php, the injected code at the top of that file runs before WordPress itself does. After a couple of decode-and-eval iterations it emits a JavaScript block, which is sent to the browser along with the normal page output, and, since the feed is generated through the same entry point, ends up in the RSS output as well. No idea what the JavaScript code was doing, but it is safe to assume its goal was to infect visitors with malware, steal data and eventually turn their machines into zombies in some botnet.
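The injected prologue the post describes, eval(base64_decode("…")), is easy to find and to peel apart mechanically, and peeling it layer by layer is what reveals the "couple of iterations" before the final code. The scanner below is an added example, not the author's cleanup script: it walks a document root, flags every PHP file whose source carries the wrapper, and decodes the nested stages until it reaches the code that actually runs. The sample index.php contents and the inner payload are constructed stand-ins (the post does not reproduce the real one); base64.b64encode is used only to build that sample.

```python
import base64
import binascii
import os
import re

# The injected prologue the post describes: eval(base64_decode("...")).
# The capture accepts only the base64 alphabet (plus whitespace), so it
# stops at the closing quote no matter how long the blob is.
INJECT_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)""",
    re.IGNORECASE,
)


def unwrap_eval_base64(php_source, max_layers=10):
    """Peel eval(base64_decode(...)) wrappers off PHP source, layer by layer.

    Returns (layers, payload): layers holds each decoded stage, outermost
    first; payload is the innermost stage, i.e. the code that actually runs.
    A clean file yields ([], None). max_layers bounds the loop so a
    self-referential blob cannot spin forever.
    """
    layers = []
    current = php_source
    for _ in range(max_layers):
        m = INJECT_RE.search(current)
        if m is None:
            break
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except binascii.Error:
            break  # not valid base64 after all; stop at this layer
        layers.append(decoded)
        current = decoded
    return layers, (layers[-1] if layers else None)


def scan_tree(root, suffix=".php"):
    """Walk a document root and yield (path, layers) for every infected file.

    Files are read as bytes and decoded leniently so a stray non-UTF-8 byte
    in a theme file does not abort the scan.
    """
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                source = fh.read().decode("utf-8", "replace")
            layers, _ = unwrap_eval_base64(source)
            if layers:
                yield path, layers


# --- constructed sample, not the real payload from the post ---------------
# Innermost stage: a stand-in for the JavaScript-emitting code.
_INNER = '<?php echo "<script>/* constructed stand-in */</script>"; ?>'
# Middle stage: the "couple of iterations" the post mentions.
_MIDDLE = 'eval(base64_decode("%s"));' % base64.b64encode(_INNER.encode()).decode()
# A clean index.php stub, and the same stub with the wrapper bolted on top.
CLEAN_INDEX_PHP = (
    "<?php\n/** constructed stand-in for WordPress index.php */\n"
    "require 'wp-blog-header.php';\n"
)
INFECTED_INDEX_PHP = (
    '<?php eval(base64_decode("%s")); ?>' % base64.b64encode(_MIDDLE.encode()).decode()
) + CLEAN_INDEX_PHP


if __name__ == "__main__":
    layers, payload = unwrap_eval_base64(INFECTED_INDEX_PHP)
    print("layers peeled:", len(layers))
    print("final payload:", payload)
```

Run scan_tree("/var/www/html") (path assumed) to list infected files; the decoded layers are what you read to learn what the injection actually did, and the list of paths is what you restore from a known-good copy. Attackers also hide the wrapper behind gzinflate, str_rot13 or hex-escaped function names, so treat a clean result from this regex as "not this particular variant", not as a clean site.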

Do a search for "Wordpress base64 hack" and you'll find thousands of sites addressing this issue. WordPress doesn't exactly have a good security reputation, but its latest versions were thought to be more secure. In this case, though, WordPress wasn't at fault. Turns out the real culprit was php-cgi 5.3.5 and a nasty security hole stretching back 8 years: php-cgi treated a query string with no "=" in it as its own command-line switches, so a crafted URL could make it dump a page's source code, run arbitrary code, and generally be a pain in the a$$.

I suspect in some cases where WordPress (or Joomla or Drupal or phpMyAdmin) has been hacked, the true culprit has been php-cgi. The reason these popular programs are targets is that their structures and operations are well known to everyone, including the hackers. All it takes to exploit vulnerable sites is a simple script that targets the known pages, let loose on the internet. The bot crawls around infecting sites as it finds them, and those infected sites then infect their visitors by extension. An old concept, but pretty neat in a distorted sort of way.

There are some questions to be answered here. Why was such a gaping hole allowed to remain in PHP for 8 years? Why was it publicized before it could be plugged? Why do some sites still run PHP as CGI? After all, this vulnerability didn't affect PHP run as an Apache module (mod_php), only the php-cgi binary. Those are good questions and there are plenty of discussions about them online, so no need to rehash them here.
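The hole the post pins on php-cgi comes from a CGI convention: a query string that contains no literal "=" is not form data, so the web server splits it on "+", percent-decodes the pieces and hands them to the script as command-line arguments. php-cgi then honored those arguments as its own switches, and "-s" prints the script's source instead of running it while "-d" sets any php.ini directive. The check below is an added example, not the author's fix: it applies that exact rule to web-server access logs so you can tell whether anyone knocked on the door. The log lines are constructed, the parser assumes Apache combined-log format, and the detector deliberately does not restrict itself to .php paths, since any URL that reaches php-cgi is exposed.

```python
import re
from urllib.parse import unquote

# Apache combined-log prefix; only client, target and status are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)


def cgi_argv_from_query(query):
    """Reproduce the CGI rule that php-cgi tripped over.

    A query string with no literal '=' is split on '+', percent-decoded and
    passed to the script as argv. Returns that argv, or [] when the query is
    ordinary form data. An encoded '=' (%3d) does not count: the rule looks
    at the raw query, which is what makes the trick work.
    """
    if "=" in query:
        return []
    return [unquote(part) for part in query.split("+") if part]


def is_php_cgi_switch_injection(target):
    """True when the request target would reach php-cgi as a switch."""
    _, sep, query = target.partition("?")
    if not sep:
        return False
    return any(arg.startswith("-") for arg in cgi_argv_from_query(query))


def flag_requests(log_lines):
    """Return [(client_ip, target)] for every line that smells like switch injection."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_php_cgi_switch_injection(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


# Constructed log lines, not taken from the author's server.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2012:03:14:07 +0000] "GET /index.php?-s HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/May/2012:03:14:20 +0000] "GET /?p=123 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/May/2012:03:14:31 +0000] "GET /?s=foo-bar HTTP/1.1" 200 7700 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/May/2012:03:15:02 +0000] "GET /index.php?%2dd+display_errors%3dOn HTTP/1.1" 200 5120 "-" "curl/7.21"',
    '192.0.2.12 - - [10/May/2012:03:15:40 +0000] "GET /feed/ HTTP/1.1" 200 16000 "-" "FeedBurner/1.0"',
    '192.0.2.13 - - [10/May/2012:03:16:05 +0000] "GET /index.php?2012-05-10 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, target in flag_requests(SAMPLE_LOG):
        print(f"{ip} -> {target}")
```

Two details matter for false positives: a search like ?s=foo-bar is form data because of the literal "=", and a bare ?2012-05-10 becomes an argument but not a switch, so neither is flagged. Only an argument that begins with "-" after percent-decoding, such as -s or %2dd, trips the check. A 200 on a flagged "-s" request is the one to worry about, since it means the source (and any database credentials in it) went out the door.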

What might be useful is explaining what I did to plug this hole on my site. Stay tuned …

Gawker's Hack, Spammers' Treasure

by @ 11:40 pm
Filed under: hacking

Today, out of curiosity, I downloaded the hacked Gawker files from The Pirate Bay. I'm not sure if I broke any laws by doing that, but I was only interested in checking out their PHP source files. You can learn a lot by looking at production code other than your own.

While my intentions were harmless, I'm sure many others downloaded the files for more sinister purposes. I was blown away by the size and scope of the membership file dumps. There are thousands and thousands of records of login names, passwords and emails. One of the first things the bad guys will do is try to break into the members' bank accounts, email accounts, and Facebook, Twitter, Amazon, and eBay accounts, since many people tend to use the same password everywhere online.

I hope people change their passwords quickly enough to mitigate the damage from the criminals, but there is one kind of damage that will be hard to contain, and that is the sheer number of valid emails that spammers will promptly exploit.

Granted, most emails appear to mysteriously land in spammers' databases almost as soon as they're created. Nevertheless, even those users who guard their emails tooth and nail had better be ready. If they had a Gawker account, they will be getting "valuable offers" from a number of spammers real soon.

© 2001-2021 Robert Hashemian   Powered by Hashemian.com