It was one of those awful Fridays yesterday – I had work and then work after work and after even more work I had to attend family event. And when I came home at last my own blog DOSed my browser with endless pop-ups.
I am extremely sorry if you got hit with same yesterday. I do not have exact time frame when it started, but since it was slowed by caching and I don’t see impact on yesterday’s stats I think it was relatively short (hours).
On to boring details.
How he got in
I had found intrusion details in HTTP logs. They show that hacker came from service that lists sites on same server (totally legit, YouGetSignal can do that just as well). And then he simply typed in login URL and logged in. It could believe that my password compromised in some way, but why he came from such service? Why no prior visits or suspicious activity? Why earlier this month another blog at same server was attacked in exactly same way?
Seriously, when initial freaking out period had passed I am still worried about not knowing where was the hole. And even more worried that new server might have it, I had zero security issues in a year on previous hosting.
Hacker had inserted malicious code in index.php, luckily I use static cache so it takes some time for such thing to spread through site.
He had also installed obscured code in plugins folder secutoolvi-en.php – some kind of PHP backdoor.
Malicious iframes were obvious and easy to remove. Luckily I was thorough enough to trace everything step by step with help of LogLady (via gHacks) – turned out to be major help when dealing with 93MB of logs. So I got rogue plugin as well.
Best policy in such cases is complete wipe of everything and restore from backup. Was too exhausted for that so settled for overwriting WP with clean install, changing passwords and numerous security and antivirus scans:
- WordPress FAQ on cleaning up hacked site;
- WordPress Exploit Scanner plugin (slightly outdated);
- Theme Authenticity Checker plugin;
- WP Security Scan plugin;
- Unmask Parasites online service;
As initial measure I had locked down admin area to only allow access from my home IP, going to look into further hardening:
- Password Protection and Authentication Locking down Apache with .htaccess;
- AskApache Password Protect plugin;
- Chap Secure Login plugin;
- Limit Login Attempts plugin;
- Hardening WordPress.
Pro – I was ready for anything up to nuked data center. :) Backup of everything, anything and in different places.
Con – I still have no victim to blame. No security screw ups (I am aware of) from myself, doesn’t seem to be [known] WP exploit, hosting security department is looking into it (or will be on Monday… I hope).
Conclusion – I need to tighten control over admin area of my blog, it turned out to be weak spot. And default security measures can fall short of expectations.