Trojan on this website


I just received an e-mail from a reader of this blog, who pointed out that his virus scanner went mental when trying to access this blog, stating that the web page was infected with an Exploit-IFrame.gen.c virus.

At first, I thought this was completely ludicrous, and that the good man was completely a) insane, b) computer illiterate and c) on a spamware-infested computer. Upon closer examination, however, it turns out that I was, indeed, the culprit.

It turns out that there is a security flaw in WordPress – the nature of which I haven’t quite been able to identify – which managed to insert a snippet of obfuscated JavaScript code into the header of the blog. I had a look at the header file in my new theme template, and there was a block with the header ‘Searchbot_111’, which inserted an encoded block of JavaScript, which in turn pulled in the malicious code.

I have no idea what Exploit-IFrame.gen.c actually does, and there’s not a lot of information on the internet with specifics.

I’ve removed the offending code from my blog and I’ve locked down my file permissions – it turns out they were set to ‘world write’ (or 777 in octal, if you’re into that kind of thing), which is of course a complete beginner’s mistake – for which I hope you’ll be able to forgive me: trust it won’t happen again.

I know most of you will be doing this already, but please remember to update your anti-virus software, ensure that you use a decent browser (use IE7 if you must, Firefox or Safari if you can, and trash IE6 if you’re still using that).

My apologies again,

- Haje

PS: I’ll endeavour to track down how this happened in the first place and update this post with a guide as to how it can be avoided if possible and removed if necessary.

Additional information about this server

This site is running the latest stable WordPress release (2.7)

I’m running a series of plug-ins to WordPress: Adsense-Deluxe v0.8 (ad serving), Akismet v2.2.3 (spam blocking), Democracy v2.0.1 (voting/polls), Digg This v1.0.1 (social network promotion), FeedBurner FeedSmith v2.3.1 (RSS feeds), FlickrRSS v4.0 (Flickr pics in the sidebar), Google Sitemaps v2.7.1 and WP Super Cache v0.9 (caching).

In addition, I’m running a series of widgets: Democracy Widget 1.0 (voting/polls), KB Advanced RSS widget v2.1.2 (Twitter feeds) and PHP.Text widget v1.3 (To show the FlickrRSS as widgets).

The server is running an Ubuntu 8.04.1 (Hardy Heron) LTS virtual shared server hosted on a 1GB slice at Slicehost. I’m running PHP Version 5.2.4 hardened with Suhosin Patch 0.9.6.2 and MySQL 5.0.51a on an Apache 2.2.8 server.

Update

The symptom of this problem can definitely be removed by deleting any lines you don’t recognise from your header file. It’s likely to be right before the </head> tag. Look for a PHP snippet which appears to be trying to identify search engines.
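As an added example (not part of the original post), here is a POSIX shell script that does the two clean-up steps described in this update and in the permissions paragraph above: it finds world-writable files and directories under a WordPress tree and resets them to the conventional 755/644, and it scans theme header.php files for suspicious code placed before the </head> tag. The directory layout and the sample header file are constructed for the demonstration; the ‘Searchbot_111’ marker is the one named in the post, while the eval()/base64_decode() pattern it also looks for is an assumption about how such encoded blocks usually appear.

```shell
#!/bin/sh
# Added example: audit a WordPress install for the two problems described in the post.
# Nothing here is from WordPress itself; the sample site tree is constructed below.
set -u

# Build a throwaway WordPress-like tree (constructed sample, not a real install).
# The header file carries a "Searchbot_111" block that checks the user agent for
# search engines and runs an eval(base64_decode(...)) whose payload is just
# echo "constructed sample"; (an assumed shape for the injected snippet).
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/themes/demo" "$site/wp-content/plugins"
    cat > "$site/wp-content/themes/demo/header.php" <<'EOF'
<html>
<head>
<title><?php bloginfo('name'); ?></title>
<?php /* Searchbot_111 */ if (!preg_match('/googlebot|yahoo|msnbot/i', $_SERVER['HTTP_USER_AGENT'])) { eval(base64_decode('ZWNobyAiY29uc3RydWN0ZWQgc2FtcGxlIjs=')); } ?>
</head>
<body>
EOF
    printf '<?php\n// clean file\n' > "$site/wp-config.php"
    # Reproduce the beginner's mistake from the post: world-writable files and a directory.
    chmod 777 "$site/wp-content/themes/demo/header.php" "$site/wp-config.php"
    chmod 777 "$site/wp-content/plugins"
    echo "$site"
}

# List every file or directory under the site root that anyone on the box can write to.
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \)
}

# Same check as a number, convenient for scripting and for the assertions below.
count_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) | wc -l | tr -d ' '
}

# Reset to the usual WordPress layout: 755 for directories, 644 for files.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Print each theme header.php that, in the part before </head>, contains the
# Searchbot_ marker from the post or an eval()/base64_decode() call.
scan_headers() {
    find "$1" -name 'header.php' -type f | while read -r f; do
        if sed '/<\/head>/q' "$f" | grep -Eiq 'Searchbot_|eval[[:space:]]*\(|base64_decode[[:space:]]*\('; then
            echo "$f"
        fi
    done
}

# Usage on a real install (path is a placeholder): audit_site /var/www/wordpress
audit_site() {
    echo "world-writable entries:"
    find_world_writable "$1"
    echo "suspicious theme headers:"
    scan_headers "$1"
}
```

Run audit_site against the document root first, review what it lists, and only then call fix_permissions; the scan is a quick indicator check, not a substitute for comparing the theme files against a clean copy.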

It appears that the cause of this issue is a cross server scripting vulnerability in the RSS/Atom engine in WordPress, which appears to have come to light late in 2008. There is quite a bit of information about this all around the internet, but the technobabble is a little bit beyond me. I’ll try and put together an understandable explanation for what’s going on as soon as I figure it out myself.

If I grok this correctly, it appears that the exploit is fixed in versions of WordPress beyond 2.6.5, but that the WP Super Cache plug-in continues to allow the exploit somehow.

If you’re affected by this, fix the issue, and then read Hardening WordPress and Did your WordPress Site get Hacked – both of which give a lot of starting points for research into how you can stop this happening again.

There’s also a plug-in which can help you scan your WordPress for exploits.

More updates to follow as the investigation continues.



© Kamps Consulting Ltd. This article is licenced for use on Pixiq only. Please do not reproduce wholly or in part without a license.