***WARNING*** TO ANY VISITORS TO CYBERUNIONS.ORG BETWEEN AUGUST 21 AND SEPTEMBER 3RD: YOUR IP ADDRESS MAY HAVE BEEN TRACKED BY A NEFARIOUS CHARACTER WHOSE INTENTIONS ARE NOT ENTIRELY CLEAR TO US. BELOW IS OUR BEST ASSESSMENT OF WHAT HAPPENED. ***WARNING***
Yes, we were hacked. Before reading any further, I encourage everyone reading this to make sure their browser is up to date; we recommend Firefox…
The Hacking or cracking…
Whenever I saw that a site got “hacked” (cracked is the better term here), I never really thought about it, because I was not a member, and most of the time one hears about it, it is for some very popular site or a place that holds credit card information (something that, last I checked, we do not have). So yesterday, after releasing both a blog post and a podcast, I was on the site and the forums as well as the status instance… so it came as a big surprise when Firefox gave me a warning that the main site cyberunions.org was hacked. Upon further investigation, and after consulting some tech friends at Mayfirst, I verified it was not just me… so we moved forward on figuring out how to resolve it and how and when they gained access.
It is actually exciting to have comrades who know so much about technology that they do forensics work to figure these things out, and we at cyberunions owe a great debt to nat from Mayfirst for investigating the hack on the site and figuring out what the hell happened. Unfortunately for WordPress, this is not the first time nat has investigated a hacked WordPress install; from our discussion, it is specifically from investigating hacked WordPress sites that he has learned about WordPress (this causes Stephen to think more and more about moving to Drupal, as well as securing the site with an SSL certificate).
What was discovered…
So through the evidence of log files and altered files, it was discovered that the site was hacked on August 21st. The attackers focused on a specific file in a theme that was installed on the site but not in use: thumb.php in the Bueno theme. This file was writable by other visitors to the site. That was news to me, but it is a common issue with a number of WordPress sites and themes that use the TimThumb image-resizing PHP file (do a search for WordPress and thumb.php and you will see many vulnerability concerns). The good thing is that PlatformPro, the theme we use on the site, defended against the attack, but the attackers found another theme installed on the site that did not: the Bueno theme, as mentioned. This raises another concern: to reduce your site's exposure to attacks, remove any unused plugins or themes, as they can or might be vulnerable. So through the thumb.php vulnerabilities in the Bueno theme, the attackers were able to gain access to the server and have other PHP files loaded into the site to carry out specific instructions. The instructions were to install base64-encoded code that ran specific actions when people visited our site.
What did the code do?
The code and script involved did a number of things. First, it would record the IP address of a visitor and send that same IP address back to the user, forcing the user agent (or web browser) to identify itself to the script. The script would then determine whether the IP address was something it wanted to store, based on criteria we were unable to determine. The script then created a database on the server for the attackers to visit at a later date so they could harvest the information. We discovered that they visited the site on August 28th. As many of you know, we have been on vacation or a break because of other circumstances, so site visits had been lower than in the past, but since they started tracking on the 21st of August, it is possible that they understood that Mondays are usually our higher-traffic days. So with us releasing both the podcast, after a month off, and a blog post, September 3rd was a very, very active day, and they happened to visit the site to harvest the information kept in their database. So by the end of September 3rd they had done the most malicious activities, which led to Google flagging the site and any site ending in cyberunions.org (surprisingly, the wiki was not hit by the flag). We can speculate that they were looking for a specific type of browser, but we are unsure. In either case, not all IPs visiting the site were in fact tracked, but certainly some were; this was determined because nat had actually visited the site the day before and was unable to locate his IP address in the db. So clearly some IPs were in fact tracked by some attacker for whatever reason.
What did we do to clean it up
Being a member, and an active one, of the Mayfirst/Peoples Link community, the first thing I did was jump to their IRC and then file a support ticket (the ticket has more technical details if you are so inclined to read it). Pretty quickly both bame and nat from the IRC room were assisting me in diagnosing what was happening, which turned up the above information. Resolving this required a full backup of the site and of its database (the database is where all the blog postings and content are stored). We then wiped the WordPress installation on the site clean and did a fresh install of WordPress as well as the plugins we use (note we did not reinstall Google Analytics; I forgot that was installed and would rather the FBI, I mean Google, not track us). Fortunately we did not have to mess with the database on the site, as there was no evidence in the code pointing to access to the database or alterations to it, though in theory once one has access to a server one can get access to the database if one knows where to look. After reinstalling WordPress and reconnecting it to the existing database, as well as importing the image files and the theme from the backup (after we cleaned up the theme, since its index.php file was altered), we got the site back up and running at about 3am CST. We have also installed the TimThumb vulnerability scanner on the site to further protect it, but it is not the solution, just a security measure we are taking; a better solution is to fix thumb.php.
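An added audit script (not part of the original post, and not Mayfirst's or WordPress's own tooling) that walks a wp-content tree and flags the three conditions the write-up above turns on: unused themes still installed, a thumb.php/timthumb.php left writable by others, and PHP files that hand a base64 blob to eval(), as the altered index.php did. The sample tree, the theme slugs and the harmless base64 string are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

TIMTHUMB_NAMES = {"thumb.php", "timthumb.php"}  # names the TimThumb resizer ships under
# Signature for the injected code the post describes: a base64 blob handed straight to eval().
INJECT_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)


def audit_wp_content(wp_content, active_theme):
    """Return sorted (finding, path relative to wp_content) pairs; nothing is executed."""
    findings = set()
    themes_dir = os.path.join(wp_content, "themes")
    for theme in os.listdir(themes_dir):
        if theme != active_theme and os.path.isdir(os.path.join(themes_dir, theme)):
            findings.add(("unused-theme", os.path.join("themes", theme)))
    for root, _dirs, files in os.walk(wp_content):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, wp_content)
            if name in TIMTHUMB_NAMES:
                findings.add(("timthumb-present", rel))
            if os.stat(path).st_mode & stat.S_IWOTH:  # writable by "other", as thumb.php was
                findings.add(("world-writable", rel))
            if name.endswith(".php"):
                with open(path, "rb") as fh:
                    text = fh.read(1_000_000).decode("latin-1")
                if INJECT_RE.search(text):
                    findings.add(("base64-eval", rel))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed tree mirroring the post: a clean active theme, plus an unused theme
    with a world-writable thumb.php and an altered index.php ('aGVsbG8=' is just 'hello')."""
    files = {
        "themes/platformpro/index.php": "<?php get_header(); ?>\n",
        "themes/bueno/thumb.php": "<?php // stand-in for the TimThumb resizer\n",
        "themes/bueno/index.php": "<?php eval(base64_decode('aGVsbG8=')); ?>\n",
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o644)  # pin the clean files so only thumb.php is loosened below
    os.chmod(os.path.join(base, "themes/bueno/thumb.php"), 0o666)
    return base


def run_sample():  # audit a fresh copy of the sample tree with platformpro active
    return audit_wp_content(build_sample_tree(tempfile.mkdtemp()), "platformpro")
```

Against a real install, point audit_wp_content at wp-content with the active theme's directory name; every hit is something to remove, chmod, or inspect by hand.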
The final step was a bit of a google hassle…
Because Google was the agent that identified the hack, one has to use Google's webmaster tools to request a review of the site. This becomes a bit of a cartel-type thing… because, well, you need a Google account to access the tools and make the request. So that meant we had to put some Google bits into the web pages that were identified as hacked… but after following their instructions for a review of the site, I am glad to report that the sites are clear of malware. However, if you are a union or social movement using WordPress, keep in mind that it is popular, and much like other popular tools it is also popularly attacked (i.e. see Windows OS). Reading up on vulnerabilities is something we will do more now that we have been attacked, but should have been doing before we were; we encourage others to do the same.