Hacker or Loser?

by Brad Isaac on May 6, 2008

The past four days I’ve been fighting off and recovering from a hack attack on Persistence Unlimited. 

I noticed a week ago that Windows Live Writer wasn’t connecting to the blog and letting me post anymore. WLW was throwing "parse errors" in the connection string as it tried to post, so I had to use the web interface.

I figured it was because I had started increasing the size of the excerpt fields for the social search engines. But when I looked under the hood, I found something far worse.

Someone used a WordPress exploit to inject some nasty code into my site configuration. 

I commenced a clean-up effort where I went through and picked out all of the references to the hack. By downloading all of the site configurations, I could search them quickly on my desktop and re-upload them.

Once I was sure I had cleaned everything up, I popped in a movie and took a break. It wasn’t until Sunday morning that my friend Itzy hit me with the news that we were down.

I must have missed some of this jackass’s code, because it looks like he came in and wrecked the place.

The payload of the hack

Google referrals down – wayyy down - I noticed a dramatic drop in traffic a few weeks ago and couldn’t figure out what happened. Did I offend you? Maybe a Google algorithm change? Perhaps, but my traffic was cut by over 60%!

Meanwhile, newsletter and RSS subscriptions were going up. 

Hmm…

In retrospect, I think Google had pegged the blog as a splog and was punishing me.

Stolen Adsense revenue – Here’s where script kiddies cross over into more serious crimes. Their script replaced my Adsense client id with a different one – purportedly their own. 

In my mind, this is the equivalent of breaking into someone’s place of business and stealing money from a cash register. It’s no longer a prank: the individual has justified the act of stealing in their mind, and not just stealing once, but stealing repeatedly, for long periods of time.

Numerous prescription drug links - Curiously, these pointed back to another blog where full pages were full of prescription information. I like to use a "safe" browser when I click links like this, so I whipped out my Pocket PC and clicked the link. There were drug order links, etc., but it froze my device. So apparently, not only does this person want to sell prescriptions to whoever lands on their site, they have some dangerous scripts running that will damage a computer.

What I’ve learned about this particular WP-Footer exploit

  • Dumps usernames/passwords
  • The code is obfuscated - I followed the variables and methods into dead end after dead end. Eventually, I just said I’d trace it back later and do a restore from backup.
  • It shows itself to search engine spiders - not typical web browsers. This is likely some blackhat SEO technique: get 1000 blogs to link back and your site’s search rating goes up. Strangely enough, when I looked at the site’s search result in Google, they had 2, count them TWO, incoming links, none of which were from Persistence Unlimited. Gee, seems like this hack is really taking them places…
  • The code hides HTML - If you view the source code of a compromised site in IE7 you cannot see the <_wp-footer reference, but in Firefox it shows in the source.
  • The actual hack links are viewable through the Opera browser – If you are seeing some of the same symptoms as me, download Opera and take a look at your site.
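The crawler-only and hidden-link behaviour described in the bullets above can be checked without installing a second browser. The script below is an added example (not code from the original post): it fetches a page once with an ordinary browser User-Agent and once with a crawler User-Agent, lists the links that only the crawler view receives, and separately flags links parked inside CSS-hidden containers, which is where injected SEO links usually sit. The two sample pages, the User-Agent strings and the pharmacy.example domain are constructed placeholders; `fetch()` is the only part that touches the network.

```python
"""Check a page for crawler-only (cloaked) and CSS-hidden links.

Added example; the sample pages, User-Agent strings and domains are constructed."""
from html.parser import HTMLParser
from urllib.request import Request, urlopen

# Placeholder User-Agent strings (assumption: any ordinary browser UA vs. any crawler UA)
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.0; rv:3.0) Gecko/20080501 Firefox/3.0"
SPIDER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Elements that never get a closing tag, so they must not affect nesting depth
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


class LinkExtractor(HTMLParser):
    """Collect (href, hidden) pairs; hidden is True inside a display:none /
    visibility:hidden ancestor, the usual place injected SEO links are parked."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.depth = 0           # current nesting depth of non-void elements
        self.hidden_from = None  # depth at which the enclosing hidden element opened

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], self.hidden_from is not None))
        if tag in VOID_TAGS:
            return
        self.depth += 1
        style = (a.get("style") or "").replace(" ", "").lower()
        if self.hidden_from is None and ("display:none" in style or "visibility:hidden" in style):
            self.hidden_from = self.depth

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.hidden_from == self.depth:
            self.hidden_from = None
        self.depth -= 1


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return parser.links


def hidden_links(html):
    """Links that a normal browser renders invisibly."""
    return [href for href, hidden in extract_links(html) if hidden]


def spider_only_links(browser_html, spider_html):
    """Links served to the crawler UA but absent from the browser UA response."""
    browser_seen = {href for href, _ in extract_links(browser_html)}
    return sorted({href for href, _ in extract_links(spider_html)} - browser_seen)


def fetch(url, user_agent):
    """Network path: fetch url as the given User-Agent (not exercised by the sample run)."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_site(url):
    """Fetch a page twice and report cloaked links; run it against your own site."""
    return spider_only_links(fetch(url, BROWSER_UA), fetch(url, SPIDER_UA))


# Constructed sample responses, not captured from any real site
BROWSER_VIEW = """<html><body><p>Welcome</p><a href="/about">About</a>
<div id="footer">&copy; 2008</div></body></html>"""
SPIDER_VIEW = """<html><body><p>Welcome</p><a href="/about">About</a>
<div id="footer">&copy; 2008<div style="display:none">
<a href="http://pharmacy.example/order">cheap pills</a>
<a href="http://pharmacy.example/rx">rx online</a></div></div></body></html>"""

if __name__ == "__main__":
    for href in spider_only_links(BROWSER_VIEW, SPIDER_VIEW):
        print("crawler-only link:", href)
    for href in hidden_links(SPIDER_VIEW):
        print("CSS-hidden link:", href)
```

A clean site returns an empty list from both checks. Note that this only catches server-side cloaking keyed on the User-Agent header; an injection that keys on the crawler's IP range would look identical from both requests, so an empty result is evidence, not proof.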


Cleanup Progress

I am taking my time in cleaning up the mess.  I don’t want to be rash in restoring stuff and letting it back in.  Here are the steps I’ve taken so far.  Yes, there is more to clean up including comments and some images.

1.  Backed up the site

2.  Deleted all files from the Server

3.  Backed up the SQL database

5.  Reinstalled WordPress fresh

5.  Re-uploaded my theme

6.  Tested everything FAILED – The theme had some of the code in it. 

7.  Grabbed an older backup that tested to work!  Thankfully, I’ve been taking my own advice about backing up frequently.

8.  Reported them to Google for Adsense fraud

Oh, and I changed all my passwords…
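Step 6 above is the hard part of the list: a theme copied back from the compromised server carries the injection with it. The following script is an added example, not the author’s own cleanup tooling. It compares the theme directory you are about to re-upload against the same theme from a known-good backup, reports modified, added and missing files by SHA-256, and then greps only the changed files for the markers typical of obfuscated PHP injections (eval, base64_decode, gzinflate/str_rot13, preg_replace with the /e modifier, very long base64 literals, display:none blocks). The file names and contents written by `build_demo()` are constructed for the demo, and `images/wp-cache.php` is a hypothetical file name; the markers are heuristics, so a hit means "read this file", not "delete it".

```python
"""Compare a theme about to be re-uploaded against a known-clean backup and
grep the changed files for obfuscated-PHP injection markers.

Added example; file names and contents in build_demo() are constructed."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Heuristic markers of injected/obfuscated PHP. Each one also has legitimate uses
# (minified assets, some plugins), so a hit means "read this file", not "delete it".
MARKERS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("gzinflate/str_rot13", re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("preg_replace /e", re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]")),
    ("long base64 literal", re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]")),
    ("hidden block", re.compile(r"display\s*:\s*none", re.I)),
]


def suspicious_markers(text):
    """Names of the markers found in one file's contents, in MARKERS order."""
    return [name for name, pattern in MARKERS if pattern.search(text)]


def file_hashes(root):
    """Map relative path -> SHA-256 of every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_root, live_root):
    """Return (modified, added, missing) relative paths, live copy vs. clean copy."""
    clean, live = file_hashes(clean_root), file_hashes(live_root)
    modified = sorted(p for p in clean if p in live and clean[p] != live[p])
    added = sorted(p for p in live if p not in clean)
    missing = sorted(p for p in clean if p not in live)
    return modified, added, missing


def audit_theme(clean_root, live_root):
    """Hash-compare the trees, then scan only the files that changed or appeared."""
    modified, added, missing = compare_trees(clean_root, live_root)
    findings = {p: suspicious_markers((Path(live_root) / p).read_text(errors="replace"))
                for p in modified + added}
    return modified, added, missing, findings


# Constructed theme fragments for the demo (not from any real theme)
CLEAN_FOOTER = "<?php wp_footer(); ?>\n</body>\n</html>\n"
INJECTED_FOOTER = ('<?php wp_footer(); eval(base64_decode("' + "QUJD" * 40 + '")); ?>\n'
                   "</body>\n</html>\n")
INJECTED_DROPPER = '<?php eval(gzinflate(str_rot13("not-a-real-payload"))); ?>\n'


def build_demo():
    """Write a clean and a tampered theme copy to a temp dir, audit them, clean up."""
    base = Path(tempfile.mkdtemp(prefix="wp-theme-audit-"))
    clean, live = base / "clean", base / "live"
    files = {
        "style.css": "/* Theme Name: demo */\nbody { margin: 0; }\n",
        "header.php": "<?php wp_head(); ?>\n",
        "footer.php": CLEAN_FOOTER,
    }
    for root in (clean, live):
        root.mkdir()
        for name, body in files.items():
            (root / name).write_text(body)
    # Tamper with the "live" copy the way the post describes: an altered footer
    # plus a new PHP file where the theme should only have images
    (live / "footer.php").write_text(INJECTED_FOOTER)
    (live / "images").mkdir()
    (live / "images" / "wp-cache.php").write_text(INJECTED_DROPPER)  # hypothetical file name
    try:
        return audit_theme(clean, live)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    modified, added, missing, findings = build_demo()
    print("modified:", modified, "added:", added, "missing:", missing)
    for path, markers in findings.items():
        print(f"{path}: {', '.join(markers) or 'no markers'}")
```

In real use, call `audit_theme("/path/to/backup/theme", "/path/to/theme-to-upload")` and treat every entry in `added` as suspect regardless of markers: a PHP file in an images directory has no business being there. The hash comparison is what makes the check reliable; the marker scan only prioritises which of the changed files to read first.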

To conclude, I’ll say that this experience was a big disappointment.   Having someone hurt you and steal from you isn’t fun.  But it makes me more determined than ever.  As Sgt. Major might put it: you think your little spam attack script kiddie bullshit is gonna make me stop spreading the news!? my readers feel the need! the need. . . to succeed!   And while you’re jerking around with your 2 incoming links, I’ll go back to a real community….


{ 5 comments }

May 7, 2008 at 12:56 pm

What version of WordPress were you running? Have you reported the problem to wordpress.org? If I don’t get much traffic and I don’t use adsense (no point with no traffic) how do I know if I’m at risk?

Thanks!

May 7, 2008 at 12:58 pm

Oh man, Brad, that utterly sucks. I am really sorry to hear about that, but I hope you persevere and “keep spreading the news”.

I love your blog. It’s a regular haunt of mine, so I really appreciate what you do to keep it up and running. Thanks! :)

Brad Isaac May 7, 2008 at 2:13 pm

Anne, I took a quick glance at your source code on your site. I don’t see anything out of the ordinary. I was running WordPress 2.2 at the time. Now I’m running the latest version.

WordPress is aware of the issue, so I didn’t report it.

May 7, 2008 at 10:15 pm

Thanks for checking – I appreciate it! All the more reason I have to stop procrastinating at installing WP updates when they come out ;)

Brad Isaac May 8, 2008 at 5:34 pm

Ria, thanks for your support. It’s interesting that someone hacking the server of my old site got me into blogging. So there is some good that will come of it.

For instance, I am doing a whole heck of a lot of cleanup. Installing plugins fresh – meeting w3 standards, etc.
