Lvl1.org


Matt Buckley

May 10, 2017, 9:54:16 PM
to LVL1 - Louisville's Hackerspace

Matt Buckley

May 10, 2017, 9:57:52 PM
to LVL1 - Louisville's Hackerspace
Yep. Looks like the WP installation has been hacked, or maybe Danielle's account. Not sure who maintains the server but let me know if you need help.

Ben Hibben

May 10, 2017, 10:02:08 PM
to lvl1
I'm looking into this.

It looks like there's a URL redirection happening after the page loads. Probably some malicious JavaScript or XSS.

Blenster


Ben Hibben

May 10, 2017, 10:05:11 PM
to lvl1
Found the infection - Base64-encoded JavaScript in the footer.php file. Removed.

Blenster

Matt B.

May 10, 2017, 10:18:41 PM
to lv...@googlegroups.com
Glad you found it. Any idea how it got in? Is everything up to date? Do you have root access to wherever the site is hosted? 

Ben Hibben

May 10, 2017, 11:04:22 PM
to lvl1
Probably an insecure plugin.

I do not have root.

Everything is up to date.

Blenster

Matt B.

May 11, 2017, 12:01:47 AM
to lv...@googlegroups.com
Looks like one of those plugins hasn't been updated in over two years.

Does another member have root access? It's possible that the server or VM has packages that aren't up to date and are insecure.


Ben Hibben

May 11, 2017, 12:03:52 AM
to lvl1
Root access isn't required.

You'll want to talk to Chris Cprek about the server details I believe.

Blenster

Christopher Cprek

May 11, 2017, 9:07:14 AM
to lvl1
I just looked over it and all packages and plugins are up to date. There was an XSS vulnerability in late January that allowed a post's contents to be overwritten. This seems similar and possibly it's a regression, since I updated WP most recently on Tuesday.

I added another LVL1 admin on Tuesday, but I think that's merely coincidental. I'll have to audit the logs for clues on the culprit. For the time being, the post has been quarantined.

Ben Hibben

May 11, 2017, 9:20:44 AM
to lvl1
It wasn't on the post; it was in the footer.php file. That would apply to pretty much any page. Standard base64-encoded JavaScript redirect exploit.

Blenster
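A defender-side check for the kind of injection Ben describes (a base64-encoded JavaScript redirect hidden in a theme's footer.php), added here as an example and not code from anyone in the thread: it decodes every long base64 run in a theme's PHP files and flags the ones whose plaintext looks like a client-side redirect. The sample footer, the injected script and its target URL are constructed placeholders, not the actual payload from the lvl1.org site.

```python
import base64
import binascii
import pathlib
import re
from typing import Dict, List

# Constructed sample footer.php: a benign long base64 blob (an inline asset) next
# to an injected eval(atob(...)) redirect. The injected script and its target
# URL are placeholders, not the payload from the thread.
INJECTED_JS = b'window.location.href="http://redirect-target.invalid/landing";'
ASSET = base64.b64encode(b"a legitimate inline asset such as a data: URI image chunk").decode()
SAMPLE_FOOTER = (
    "<footer>\n  <?php wp_footer(); ?>\n</footer>\n"
    '<script>eval(atob("' + base64.b64encode(INJECTED_JS).decode() + '"));</script>\n'
    '<img src="data:image/png;base64,' + ASSET + '">\n'
    "</body></html>\n"
)
CLEAN_FOOTER = "<footer>\n  <?php wp_footer(); ?>\n</footer>\n</body></html>\n"

# Base64 runs long enough to hide a script; short runs are usually ids or hashes.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Plaintext that looks like a client-side redirect or an injected frame.
REDIRECT_HINTS = re.compile(
    r"(window|document|top)\.location|location\.(href|replace)|document\.write|<iframe",
    re.I,
)

def scan_source(src: str) -> List[Dict[str, object]]:
    """Decode every long base64 run in src and report those whose plaintext looks like a redirect."""
    findings = []
    for m in B64_RUN.finditer(src):
        blob = m.group(0)
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue  # run of base64 characters that is not decodable, skip it
        text = decoded.decode("utf-8", errors="replace")
        if REDIRECT_HINTS.search(text):
            line = src.count("\n", 0, m.start()) + 1  # 1-based line of the blob
            findings.append({"line": line, "blob": blob[:24] + "...", "decoded": text})
    return findings

def scan_theme(root: str) -> Dict[str, List[Dict[str, object]]]:
    """Run scan_source over every .php file under a theme directory (footer.php, header.php, ...)."""
    hits = {}
    for path in sorted(pathlib.Path(root).rglob("*.php")):
        found = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(path)] = found
    return hits
```

Point scan_theme at wp-content/themes/<theme> to get a per-file report; a legitimate base64 asset decodes to something without location or document.write and is left alone, which keeps the noise down on real themes.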

Tim VanSant

May 16, 2017, 2:21:27 PM
to LVL1 - Louisville's Hackerspace
I use a plug-in called Wordfence Security on some WP sites that I manage. It does a good job of finding and alerting me to potential problems. I have no idea what security measures lvl1 uses on its site, but this might be worth a look.