Diybio site hacked


Jonathan Street

Jul 14, 2010, 3:53:10 AM
to diy...@googlegroups.com
It looks like the diybio site has been hacked.  I'm getting your typical pharmacy spam (http://jonathanstreet.com/downloads/diybio-hacked.png)

For me it's showing up in firefox but not chrome though that may be because I accessed the site via google in firefox but directly in chrome.

I'm not sure how long ago this is from but it's long enough for the spam content to be showing up in the google search results.




Isabelle Hakala

Jul 14, 2010, 5:37:35 AM
to diy...@googlegroups.com

You have a google redirect virus. It's really hard to get rid of. Your system is compromised.





--
You received this message because you are subscribed to the Google Groups "DIYbio" group.
To post to this group, send email to diy...@googlegroups.com.
To unsubscribe from this group, send email to diybio+un...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/diybio?hl=en.

leaking pen

Jul 14, 2010, 7:22:34 AM
to diy...@googlegroups.com
This. I would run malwarebytes.
Alex

J. S. John

Jul 14, 2010, 10:04:26 AM
to diy...@googlegroups.com
On Wed, Jul 14, 2010 at 5:37 AM, Isabelle Hakala <ism...@gmail.com> wrote:
> You have a google redirect virus. Its really hard to get rid of. Your system
> is compromised.
>

Yep, I got one of those last year and still haven't gotten it all out.
I need a full reboot to get rid of it all. Pesky stuff. It doesn't
affect chrome so you're kinda ok.

Isabelle Hakala

Jul 14, 2010, 10:14:19 AM
to diy...@googlegroups.com
As long as it is still on your system it will keep 'fetching' other viruses... at least that is what happened on the work computers. We had to wipe and reinstall the OS. That was after 20+ hours were spent on various tools that were specifically designed to get rid of it. It is the most nasty of nasties that I have come across so far. During that time a root kit kept installing itself and trying to send all the stored passwords. Also, there were issues with it blocking the updating of not only the anti-virus software, but ANY update process, including for the OS.
~~~~~~~~~~~~~~~~~~~~~~~
Isabelle Hakala
"Any person who says 'it can't be done' shouldn't be interrupting the people getting it done."
"Do every single thing in life with love in your heart."


Cathal Garvey

Jul 14, 2010, 10:20:44 AM
to diy...@googlegroups.com

Basically once a virus hits windows, your best bet is to boot a Linux livecd, back up your stuff, and do a complete wipe and reinstall. Sorry for your misfortune!

---
Twitter: @onetruecathal
Sent from my beloved Android phone.


jarkko moilanen

Jul 14, 2010, 10:25:36 AM
to diy...@googlegroups.com
"Basically once a virus hits windows, your best bet is to boot a Linux livecd" or install linux.



--
************************************************************
Profound XML -technology Expert |
5w - Finnish hackerspace in Tampere  |
http://5w.fi                                           
************************************************************

Cathal Garvey

Jul 14, 2010, 10:45:21 AM
to diy...@googlegroups.com

It is certainly hoped that such learning experiences and ideal first-use scenarios encourage more Ubuntu users, yes. But I leave it to the individual whether to leave themselves open to future timewasting or not! :P

---
Twitter: @onetruecathal
Sent from my beloved Android phone.


Mackenzie Cowell

Jul 14, 2010, 12:26:29 PM
to diy...@googlegroups.com, diy...@googlegroups.com
Fuuuuuuuuuuuu....


Thanks.  I'll get on it

231.313.9062 // @100ideas // iPhoned

Jonathan Street

Jul 14, 2010, 1:59:26 PM
to diy...@googlegroups.com
Oh boy you're a scary lot!

I've been experimenting with having no routine virus scanning so a virus might have gone by undetected.  I'm running a scan now but after a little further investigation I really don't think it's just me.

For example:
http://jonathanstreet.com/downloads/google-must-be-hacked.png

You might also notice that the screenshot this time is from my ubuntu box (yep I'm down with the cool kids ;) ) which also happens to be an almost new install.  It looks like the spam content isn't served to firefox on ubuntu but it is being served to google and I would expect the majority of people who visit the site via google on a windows system.

ruphos

Jul 14, 2010, 2:04:11 PM
to diy...@googlegroups.com
Confirmed Google results, though doesn't show up for me in Firefox on a windows machine. I'd check it on IE, but I'm on a work computer and don't feel like risking any driveby malware.
"And if ye cannot be saints of knowledge, then be at least its warriors."
-- Friedrich Nietzsche

Nathan McCorkle

Jul 14, 2010, 2:45:48 PM
to diy...@googlegroups.com
confirmed google results as well, but navigating to diybio.org in chrome works as it should, no spam.... dunno about firefox as my computer is crashing for other reasons
Nathan McCorkle
Rochester Institute of Technology
College of Science, Biotechnology/Bioinformatics

leaking pen

Jul 14, 2010, 3:12:54 PM
to diy...@googlegroups.com
Ahh, hmm. might have been tempo hacked, and then corrected, but not
before a webspider visited. that, or a google computer got infected.

On Wed, Jul 14, 2010 at 10:59 AM, Jonathan Street

in that case, yeah, whatever computer

Mackenzie Cowell

Jul 14, 2010, 3:18:27 PM
to diy...@googlegroups.com
My only thought so far is that diybio.org (and also a friend's site, hostprods.net) have been infected with spamware that changes the page title and adds redirect links to spam sites for requests from the googlebot's IP block.

Practically, how could I verify that?  Some log file somewhere, or a system process... ?

Mac

Bryan Bishop

Jul 14, 2010, 3:24:43 PM
to diy...@googlegroups.com, kan...@gmail.com
On Wed, Jul 14, 2010 at 2:18 PM, Mackenzie Cowell wrote:
> Practically, how could I verify that?  Some log file somewhere, or a system
> process... ?

You could change your user agent to the Googlebot, then start tracing
it through the wordpress code.

- Bryan
http://heybryan.org/
1 512 203 0507

Mackenzie Cowell

Jul 14, 2010, 3:26:40 PM
to diy...@googlegroups.com

Mackenzie Cowell

Jul 14, 2010, 3:33:51 PM
to diy...@googlegroups.com
As the article states, the malicious code at diybio.org appears to look for the googlebot user-agent and selectively feed it the spam content (instead of using an IP block as I thought before).

Try this from your terminal: 



Mac


Jonathan Street

Jul 14, 2010, 3:44:46 PM
to Kive, diy...@googlegroups.com
Very strange.

Forwarding as requested.  Let's hope it's not contagious.

On 14 July 2010 20:04, Kive <ki...@kive.me> wrote:

Jonathan,

No clue why it isn't working. I tried posting at the group directly, sending several e-mails to the list from my kive.me (google apps domain) which works to other google groups, and even unsubscribing/resubscribing -- no luck.

Anyways, feel free to forward this on to the list.

Thanks,

-Kive

---------- Forwarded message ----------
From: Kive <ki...@kive.me>
Date: Wed, Jul 14, 2010 at 3:01 PM
Subject: Re: Diybio site hacked
To: diy...@googlegroups.com



I sent e-mails to the group on this at 4:17am and 7:26am, but for whatever reason, they didn't post to the group. Going to the google group itself also did not let me post -- and I have no clue why -- anyone else had a similar experience? I tried unjoining and rejoining, and we'll see if that works.

This was my 7:26am message -- provided since it provides a little more information from my observations, as well as a bit more confidence in what is happening, or rather, what is not. Regardless, it sounds like Mac is taking a look into what's going on. Thanks to Jonathan for confirming that my mails weren't being received to the group for whatever reason.

-kive


 -- Original --

Date: Wed, Jul 14, 2010 at 7:26 AM
Subject: Re: Diybio site hacked
To: diy...@googlegroups.com



Isabelle and Alex,

I'm certain that this isn't a google redirect virus, although something along those lines was one of my first thoughts. I mentioned in response to Jonathan's e-mail this morning that I tested this using lynx on one of my servers and was able to reproduce what Jonathan saw. That server of mine is an extremely well locked-down ubuntu system, and lynx is not susceptible to any known spyware of this type (and my host and resolution files have full integrity). I can state with 100% confidence that this issue is not on Jonathan's computer, and I verified it using independent systems -- heck, go to babelfish and translate the content if anyone wants to verify this independently.

Whoever the site owner is, please feel free to reach out to me off-list if you need any help determining what has happened, how it happened, or how to keep it from happening again.

-kive

Jonathan Street

Jul 14, 2010, 3:55:11 PM
to diy...@googlegroups.com
I don't use wordpress, partly for this reason, but my understanding is that most issues of hacked sites are caused by vulnerabilities in wordpress.  Are you able to roll back your files to a known good configuration?

Figuring out how the attack happened/is happening would be interesting but right now getting a working site back online is more important.  Are you on the latest version of wordpress?  If you are then figuring out what's happening is definitely interesting/important.

Isabelle Hakala

Jul 14, 2010, 3:56:38 PM
to diy...@googlegroups.com, Kive
Thanks! I'm sorry all of this is happening, and on the other hand I am happy that it ISN'T the darned redirect virus! I am currently on my work computer (meaning: windows) so I don't want to go investigate from here. If I have time I can snoop around from my kubuntu box at home. I am sure with all of the brilliant people on this list that we can figure it out:)

I have no idea why you couldn't post. Not my domain (both meanings:)).

Cheers! -Isabelle

~~~~~~~~~~~~~~~~~~~~~~~
Isabelle Hakala
"Any person who says 'it can't be done' shouldn't be interrupting the people getting it done."
"Do every single thing in life with love in your heart."


leaking pen

Jul 14, 2010, 4:18:57 PM
to diy...@googlegroups.com
im kinda curious as to the POINT. the spam isnt getting any links,
isnt redirecting page views..

Dakota Hamill

Jul 14, 2010, 4:53:58 PM
to diy...@googlegroups.com
diybio.org works for me now.  On a side note, what ever happened with the T-shirts?  

kingjacob

Jul 14, 2010, 5:41:25 PM
to diy...@googlegroups.com
I had issues finding a screenprinter that could handle an allover design. But no worries. They ship next week. :)


--
From,
Jacob Shiach
http://opensciencefund.org

Jonathan Street

Jul 15, 2010, 12:32:10 PM
to diy...@googlegroups.com
Has there been any progress on resolving this?

Anything we can do to help?

Mackenzie Cowell

Jul 15, 2010, 2:39:10 PM
to diy...@googlegroups.com
I'll hop on #diybio on freenode later today.  I'm busy until 11:00 pm est tonight, but I have cycles in the meantime to formulate a plan.

The wordpress's directory with all the image folders in it has 755 permissions.  According to the writeup I found yesterday, jpeg comment fields may have malicious code in them... But I don't know if turning off execute access for the directory will prevent something from running code that may be hidden in the image files.  I guess it depends how the code works, if it is being run by the webserver process itself or something else.

Mac
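
One way to check images for the kind of payload Mac mentions, as an added example that is not part of the original thread: it walks each JPEG's segment headers and flags comment (COM) segments containing PHP-looking text. It also checks APPn metadata segments, which goes slightly beyond the comment field named in the post; the pattern list and the sample bytes are constructed assumptions.

```python
import re
import struct
import sys

# Text that has no business inside image metadata (assumed list; extend as needed).
SUSPICIOUS = re.compile(rb"<\?php|<\?=|\beval\s*\(|base64_decode\s*\(", re.I)
STANDALONE = {0x01} | set(range(0xD0, 0xD8))  # TEM and RST0-7 carry no length field


def metadata_segments(data):
    """Yield (marker, payload) for COM (0xFE) and APPn (0xE0-0xEF) segments
    that appear before the compressed scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            break                       # lost sync: malformed file, stop rather than guess
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte in front of a marker
            pos += 1
            continue
        if marker in (0xD9, 0xDA):      # EOI, or SOS (entropy-coded data follows)
            break
        if marker in STANDALONE:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:                  # length field counts its own two bytes
            break
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE or 0xE0 <= marker <= 0xEF:
            yield marker, payload
        pos += 2 + length


def scan_jpeg(data):
    """Return [(marker, matched_text), ...] for metadata segments that look like code."""
    findings = []
    for marker, payload in metadata_segments(data):
        match = SUSPICIOUS.search(payload)
        if match:
            findings.append((f"0xFF{marker:02X}", match.group(0).decode("ascii", "replace")))
    return findings


# --- constructed sample input (not taken from the compromised site) ---
def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


JFIF = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
CLEAN_JPEG = b"\xff\xd8" + JFIF + _segment(0xFE, b"Created with GIMP") + b"\xff\xd9"
TAINTED_JPEG = b"\xff\xd8" + JFIF + _segment(0xFE, b"<?php /* inert placeholder */ ?>") + b"\xff\xd9"

if __name__ == "__main__":
    # With no arguments, run on the constructed samples; otherwise scan the given files.
    if len(sys.argv) == 1:
        print("clean sample:  ", scan_jpeg(CLEAN_JPEG))
        print("tainted sample:", scan_jpeg(TAINTED_JPEG))
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            try:
                hits = scan_jpeg(fh.read())
            except ValueError as exc:
                print(f"{name}: {exc}")
                continue
        if hits:
            print(f"{name}: {hits}")
```

The execute bit on a directory only controls traversal. PHP text inside an image runs only if something hands the file to the PHP interpreter (an `include()` or a handler mapping), so a hit here is a reason to go looking for that loader.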

Jonathan Street

Jul 15, 2010, 4:05:50 PM
to diy...@googlegroups.com
The thread you mentioned yesterday with a similar problem and a claimed solution looked very scarce on details.  Have you seen http://codex.wordpress.org/FAQ_My_site_was_hacked and this linked writeup http://ocaoimh.ie/did-your-wordpress-site-get-hacked/

Those two links go into a lot more detail and seem to be more generic.

The second point at http://www.socialmediatoday.com/SMC/192718 is probably a good additional point while you're fixing the blog.  You don't want to be in the position of fixing page B while someone innocently visits page C which triggers a script which re-infects page A which you had just finished cleaning.

Is the site on dedicated/vps hosting or is it shared?  I suspect the hack will be limited to the web server but if you're on dedicated or vps the advice in the slicehost articles on rootkit checking (http://articles.slicehost.com/2010/3/24/scanning-for-rootkits-with-rkhunter-updated and http://articles.slicehost.com/2010/3/24/scanning-for-rootkits-with-rootcheck) and recovering from a hack (http://articles.slicehost.com/2010/3/24/security-checks-during-possible-compromise) may be useful even if you're not on slicehost.

I'm UK based so will likely be offline by 11pm EST but I wish you luck and do let me know if there is anything you need following up tomorrow.

Kive

Jul 14, 2010, 4:30:40 PM
to diy...@googlegroups.com

If diybio.org has a Google page rank of 4, for example, and it links out to that Cialis site, then the Cialis site gets a boost to a certain degree. The motivation is SEO (search engine optimization), an attempt to have the site(s) advertised get a jump in Google (and other search engine rankings).

The links themselves don't really matter to the attacker in this case -- they aren't looking for your clicks. By allowing the initial page to coexist for most users, they greatly extend the longevity of the SEO-maneuver.

In effect, they are raising their search engine rankings, which causes a couple of effects:

1) They can now get higher PR, which increases search result placement.
2) Higher PR sites are considered less "spammy" when it comes to e-mail filtering.
3) A higher PR site can link to something else and bestow even more PR. (if the Cialis site wants to promote a gambling site, or Viagra site, for example)

Hope this helps,

-kive

Kive

Jul 14, 2010, 4:13:38 PM
to diy...@googlegroups.com

For all intents and purposes, the site is still working. As long as you're using a mainline browser (Firefox or IE) you shouldn't have any problems. And if you're using something else, just change your browser type to mimic one of those that works. It's a pretty nifty execution, if flawed, actually -- try to avoid disrupting the users, while getting the SEO credit from the traffic.

I sent Mac a few specific recommendations, one of which was to upgrade WordPress to the current, stable, and only secure version they have (3.0). Personally, speaking as a security person, given the site should be functional for most, I think it's actually more important to figure out what happened before it gets patched up. Otherwise, you don't know what all needs patching, and whether or not you've closed down -all- the possible attack vectors (hacker 101 -- if you successfully get root on a box, leave enough ways to get in so that you can always get in, even once things are patched up; to be fair, I don't think diybio.org has the visibility, and the SEO nature of the attack doesn't support someone spending real effort on something, so my gut is calling this a 85% chance of being a simple WordPress exploit).

Hope you folks see this message. ;)

-kive

Kive

Jul 14, 2010, 4:17:48 AM
to diy...@googlegroups.com

diybio.org looks correct to me with Firefox 4 and IE via my laptop.

diybio.org looks hacked with lynx via one of my servers.

Comcast might be caching the old (correct) content, or the site might be displaying content based on the browser identification submitted in the request.

Hope this helps.

-kive

Meredith L. Patterson

Jul 15, 2010, 7:07:32 PM
to diy...@googlegroups.com
On Wed, Jul 14, 2010 at 10:17 AM, Kive <ki...@kive.me> wrote:
> diybio.org looks correct to me with Firefox 4 and IE via my laptop.
>
> diybio.org looks hacked with lynx via one of my servers.

curl http://diybio.org == lots of spammy links, no diybio.org HTML at all.

curl -A "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.A.B.C Safari/525.13" http://diybio.org == no viagra links whatsoever.

Output attached. The image linked in the 'tainted' file does not
appear to exist on diybio.org.

Mac, can I get a look at today's apache logs for diybio.org?

Cheers,
--mlp

normal.html
tainted.html
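
The comparison made above (same URL, different User-Agent, different page), as an added example that is not part of the original thread: it fetches one URL under several User-Agent strings and reports which responses diverge from a browser baseline. The `fetch` parameter, the spam-term list, the similarity threshold and the constructed sample pages are assumptions made for the illustration.

```python
import re
import urllib.request
from difflib import SequenceMatcher

# User-Agent strings to compare; the first entry is the browser baseline.
AGENTS = {
    "browser": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 "
               "(KHTML, like Gecko) Chrome/0.A.B.C Safari/525.13",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "curl": "curl/7.19.7",
}
# Illustrative pharmacy-spam terms (assumption; tune for the site being checked).
SPAM_TERMS = re.compile(r"\b(viagra|cialis|pharmacy)\b", re.I)


def http_fetch(url, user_agent, timeout=10):
    """Fetch url with the given User-Agent header and return the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def spam_terms(body):
    return {m.lower() for m in SPAM_TERMS.findall(body)}


def cloaking_report(url, fetch=http_fetch, agents=AGENTS, min_similarity=0.6):
    """Compare each agent's response with the first agent's (the baseline).

    A response is suspicious when it is very different from the baseline or
    contains spam terms that the baseline does not.
    """
    bodies = {name: fetch(url, ua) for name, ua in agents.items()}
    baseline_name = next(iter(agents))
    baseline = bodies[baseline_name]
    baseline_terms = spam_terms(baseline)
    report = {}
    for name, body in bodies.items():
        similarity = SequenceMatcher(None, baseline, body).ratio()
        new_terms = sorted(spam_terms(body) - baseline_terms)
        report[name] = {
            "similarity": round(similarity, 2),
            "new_spam_terms": new_terms,
            "suspicious": similarity < min_similarity or bool(new_terms),
        }
    return report


# --- constructed sample pages and a stand-in fetcher, so the example runs offline ---
CLEAN_PAGE = ("<html><head><title>Example site</title></head>"
              "<body><h1>Welcome</h1><p>Community news and events.</p></body></html>")
SPAM_PAGE = ("<html><head><title>Buy cheap viagra</title></head>"
             "<body><a href='http://spam.example/1'>cialis pharmacy</a></body></html>")


def fake_fetch(url, user_agent):
    """Mimics the behaviour reported in the thread: mainstream browsers get the real page."""
    if "Chrome" in user_agent or "Firefox" in user_agent:
        return CLEAN_PAGE
    return SPAM_PAGE


if __name__ == "__main__":
    for name, row in cloaking_report("http://site.example/", fetch=fake_fetch).items():
        print(f"{name:10} {row}")
```

Drop the `fetch=fake_fetch` argument to run the same comparison against a live URL you are responsible for.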

Mackenzie Cowell

Jul 15, 2010, 7:15:12 PM
to diy...@googlegroups.com
you sure can.  I'll get them to you in the next hour.

Mac


Bryan Bishop

Jul 18, 2010, 10:40:10 AM
to diy...@googlegroups.com, kan...@gmail.com
On Thu, Jul 15, 2010 at 6:15 PM, Mackenzie Cowell wrote:
> you sure can.  I'll get them to you in the next hour.

My guess so far is that this is an xmlrpc.php or image-upload attack (the image payload being php). Any other guessers?

Meredith L. Patterson

Jul 18, 2010, 11:27:30 AM
to diy...@googlegroups.com
On Sun, Jul 18, 2010 at 4:40 PM, Bryan Bishop <kan...@gmail.com> wrote:
> On Thu, Jul 15, 2010 at 6:15 PM, Mackenzie Cowell wrote:
>>
>> you sure can.  I'll get them to you in the next hour.
>
> My guess so far is that this is an xmlrpc.php or image-upload attack (the
> imagepayload being php). Any other guessers?

That's a possible input vector. It seems to be trying to do some kind
of blackhat SEO thing; in addition to the front page appearing weird
to curl but normal to regular browsers, the logs have a number of
googlebot (and other spiders) hits to URLs of the form '/pressN',
where N is an integer between ... 52 and 176 I think it was.
Attempting to retrieve one of these URLs via curl yields, guess what,
more spam. Strangely, the following:

telnet diybio.org 80
GET /press126 HTTP/1.1
[hit return twice]

retrieves the correct pages.

I'm still wondering if there's a strange setting in mod_rewrite.

--mlp
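
One way to look for the pattern described above in an Apache access log, as an added example that is not part of the original thread: it parses combined-format lines, picks out requests for `/pressN` paths, and reports paths that only crawlers requested or where crawlers and other clients received different response sizes. The log lines are constructed for illustration (documentation IP ranges, made-up sizes), and the crawler substring list is an assumption.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
PRESS_RE = re.compile(r"^/press(\d+)/?$")
CRAWLERS = ("googlebot", "slurp", "msnbot", "bingbot")  # assumed substrings


def client_class(agent):
    agent = agent.lower()
    return "crawler" if any(c in agent for c in CRAWLERS) else "other"


def press_hits(lines):
    """Yield (client_class, N, status, size) for every request to a /pressN path."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        p = PRESS_RE.match(m["path"].split("?", 1)[0])
        if p:
            size = int(m["size"]) if m["size"].isdigit() else 0  # "-" means no body
            yield client_class(m["agent"]), int(p.group(1)), m["status"], size


def analyse(lines):
    """Summarise successful /pressN responses by who asked for them."""
    sizes = defaultdict(lambda: {"crawler": set(), "other": set()})
    for cls, n, status, size in press_hits(lines):
        if status == "200":
            sizes[n][cls].add(size)
    return {
        # requested by spiders only: the links exist only in what spiders are shown
        "crawler_only": sorted(n for n, s in sizes.items()
                               if s["crawler"] and not s["other"]),
        # same path, different body size depending on the client: cloaking signal
        "size_mismatch": sorted(n for n, s in sizes.items()
                                if s["crawler"] and s["other"]
                                and s["crawler"].isdisjoint(s["other"])),
    }


# --- constructed sample log lines ---
SAMPLE_LOG = """
192.0.2.10 - - [15/Jul/2010:10:01:02 -0700] "GET /press126 HTTP/1.1" 200 18432 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.11 - - [15/Jul/2010:10:03:40 -0700] "GET /press52 HTTP/1.1" 200 17990 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
198.51.100.7 - - [15/Jul/2010:10:05:11 -0700] "GET /press126 HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
198.51.100.7 - - [15/Jul/2010:10:05:12 -0700] "GET /style.css HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
203.0.113.5 - - [15/Jul/2010:10:06:00 -0700] "GET /press176 HTTP/1.1" 200 18010 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
""".strip().splitlines()

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A size mismatch alone is not proof, since dynamic pages vary, but combined with crawler-only paths it narrows down which requests to replay and which code paths to inspect.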

Bryan Bishop

Jul 18, 2010, 11:32:29 AM
to diy...@googlegroups.com, Bryan Bishop
On Sun, Jul 18, 2010 at 10:27 AM, Meredith L. Patterson wrote:

I'd like the logs too if you don't figure out the vector.. the rest of the internet doesn't know either. Actually, I bet someone does know, but since it's a security issue, it's not widely publicized. Some others think that it's a wordpress plugin that has a backdoor somewhere; the grapevine says that 3.0 is also vulnerable, but then this makes me wonder why more blogs aren't compromised (other than just being select in what blogs are being targeted, or just some standard bruteforce activities). Quite interesting.

Meredith L. Patterson

Jul 18, 2010, 12:04:50 PM
to diy...@googlegroups.com
On Sun, Jul 18, 2010 at 5:32 PM, Bryan Bishop <kan...@gmail.com> wrote:
> I'd like the logs too if you don't figure out the vector.. the rest of the
> internet doesn't know either. Actually, I bet someone does know, but since
> it's a security issue, it's not widely publicized. Some others think that
> it's a wordpress plugin that has a backdoor somewhere; the grapevine says
> that 3.0 is also vulnerable, but then this makes me wonder why more blogs
> aren't compromised (other than just being select in what blogs are being
> targeted, or just some standard bruteforce activities). Quite interesting.

If Mac doesn't have a problem with my doing so, I'm happy to forward a
copy to anyone who wants one. The file is just under 1MB, so I won't
send it to the list, but certainly the more people looking for
anomalies the better.

--mlp

Mackenzie Cowell

Jul 18, 2010, 2:16:01 PM
to diy...@googlegroups.com, diy...@googlegroups.com
Please email Meredith and myself to request log access. Let the sleuthing continue.

Mac

231.313.9062 // @100ideas // iPhoned

Meredith L. Patterson

Jul 18, 2010, 10:27:14 PM
to diy...@googlegroups.com
Still not sure what the vector was, but this is almost certainly a
WordPress spam injection.

http://jungleg.com/2009/04/20/the-aftermath-of-a-wordpress-spam-injection-and-a-tool-to-prevent-it/
http://www.davidmihm.com/blog/google/wordpress-spam-injection-solution/
http://robertogaloppini.net/2007/12/12/wordpress-spam-injection-goro-hacked-my-blog/

Mac, is WP something that Dreamhost provides or did you install it yourself?

--mlp

Len Sassaman

Jul 19, 2010, 7:44:13 AM
to diy...@googlegroups.com
I think we might be losing sight of the problem here -- it doesn't really
matter what the server is being used for; it's been compromised. I assume
there are backups; what needs to happen now is 1) the exploit vector needs
to be identified, 2) the server wiped, reinstalled, and the exploit vector
patched, and 3) the content restored, without restoring any malware.

--Len.

Jonathan Street

Jul 19, 2010, 12:36:41 PM
to diy...@googlegroups.com
I would actually say that your third item needs to be addressed first.  We need some clean content put up.  It doesn't need to be a fully dynamic wordpress install.  A totally static dump of the (clean) content on the site would suffice.  Full functionality can be restored later when we've figured out what's going on.

I'll take a look at the logs as well if I can get a copy.