Fix for WordPress Hack

Posted on March 20, 2012 by

Hey kids.

Been interesting watching the traffic around here since posting about that shazzamfrazzam hacking adventure a while back. The comments garnered some good interest and some great suggestions, and then thankfully the comment form broke when Julio Marchi went to comment, so he emailed me this:

From Julio Marchi:

Here is my “comment” (or “mini-tutorial” if you want to call it):

I’d like to present here some of my discoveries about this exploit, and also to disclose the solution that worked on my sites (several sites, actually). It is a bit long comment (kind of a “tutorial”), and I hope you guys forgive me for that! My goal was to be as most descriptive as possible, so anyone suffering with this exploit can get rid of this thing for good (if not using the presented fix, at least with enough information to find a better solution to resolve the problem)!

I’ve found that this “site hacking” explores a well known vulnerability in a file called “timthumb.php”. Most WP themes use this small php script for cropping, zooming and resizing web images, and in the case of the WP themes, it is commonly found at /library/ folder inside the theme’s folder.

What I’ve done to get rid of this site hacking, once and for all, was the following:

1) Download and use the “Fix Hacker Shit” Judd has provided above in his original post. It is a very good piece of work, and it will help you to temporarily “disable” this exploit. Please, notice that the Base64 Code may vary from one hack to another (as the called domain may differ), and then you may have to edit the line 14 of Judd’s file to change the “aHR0cDovL2hvdGxvZ3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA” by the Base64 Code found on your installation.

2) After using Judd’s tool to clean your files, simply re-install WordPress. You don’t need to delete or backup anything (although a backup is always highly recommended), just go to your UPDATES page in the ADMIN PANEL and click the button “Re-install Now”.

3) After done with steps 1 and 2, now you MUST install the following plugins in the presented order (do it from INSIDE your WordPress installation, searching by the plugin name on wordpress.org. DO NOT DOWNLOAD IT FROM ANY OTHER SOURCE DIFFERENT THAN WORDPRESS.ORG):

- TimThumb Vulnerability Scanner
- Exploit Scanner
- BulletProof Security
- 6Scan Security

The “TimThumb Vulnerability Scanner” will detect bad versions of the “timthumb.php” file and replace it with a safer one. It is a must have plugin nowadays.

The “Exploit Scanner” will allow you to check your entire site against common vulnerabilities and exploits dirty tricks. However, please notice that this plugin DO NOT FIX ANYTHING, it will only CHECK and LIST potential threats. Notwithstanding, not everything listed will be an actually hacking. You will be required to review the listed files manually and identify if it is a real threat or a “false positive”. Most “base64_decode” will be a BAD THING, but in my case I’ve found that the WP E-Commerce plugin was using this function in a legit piece of code. Also, the newer version of the “timthumb.php” file uses it in ONE position only to implement a “anti-leech access”, and the code that starts with the following code IS legit:

$imgData = base64_decode(“R0lGODlhUAAMAIAAAP8AAP///yH5BAAHAP8ALAAAAABQAA (…)

More info about this specific base64_decode can be found here: http://code.google.com/p/timthumb/issues/detail?id=237

It being said, please be careful before editing or deleting anything as you can manage your site broken.

What I actually like about the “Exploit Scanner” plugin is that it match some installation files with its original versions, making it a great tool to have when looking for unknown or new potential hack attempts.

The “BulletProof Security” is something that should be a default plugin in any WP installation. It creates a very decent and well thought boundary of protection around your sites, protecting folders and files using the Apache .htaccess level, also reviewing them periodically. Please, notice the “settings” for this plugin may be somehow a little bit tricky for beginners, as there is a lot of reading and “clicks” required (please, do so). However, if you really want to have a clean site, you cannot afford not to have this plugin fully installed!

Finally, the “6Scan Security” will imply extra security levels, complementing the “BulletProof Security” protection layer. However, the “6Scan Security” will disable some of the “BulletProof Security” implementations to add its own security levels, but they will not conflict or interfere with each other. Just remember to fully setu the “BulletProof Security”, then install and setup the “6Scan Security” on top of it.

4) In the future, DO NOT install and/or use ANY theme from ANY source without reviewing its contents. You can use the “Exploit Scanner” to test your site after coping the theme into your installation (and priory from enabling it, of course). WP themes are the most well known cause of site infections and for each 100 one I’ve downloaded, 98 have some “crap” hidden in it. So, BE CAREFUL.

5) Same advice above for the PLUGINS! I’d never (ever) install any plugin from any other source different than wordpress.org. And, even trusting WordPress, I’d never activate them before checking the installation against the aforementioned security plugins (and, immediately after activated, check it all over again).

It all may sound very paranoid, but we have no much choice nowadays. I’d say it is “better safe than sorry” (as you can also be a victim of the virus yourself, being accidentally infected by those scripts by simply accessing the Admin Panel of your own site if you don’t check the new plugins and themes before and after enabling them).

BTW, changing FTP and CPANEL passwords won’t fix a thing in this case, you will NEED to clean the “timthumb.php” file to prevent its vulnerability from being exploited. I haven’t review it indepth myself, as I have no time for chasing ghosts, but looks like the “hackers” are using some sort of injection code related to images internal compression method/algorithm to download their backdoor in the site as it was a thumbnail, then they “call it” unsuspectingly by rendering the generated thumbnail, executing the code that will result in a script that will use another vulnerability from the the FTP DAEMON to download a file that will scan and edit your files locally, adding the crap code Judd has disclosed above. It seems to be a lot of work, but it may take no more than a few seconds for it all to happen, and then they erase all traces of those files after the job is done. The only digital footprint I’ve found in my case was a FTP access log from an IP 88.80.17.89 (which is from Stockholm, Sweden) that accessed the exactly infected files and folders pointed by the “Exploit Scanner” plugin. I’ve traced back this IP and it is only used by ONE site, the iforex.to. If you want to complaint (as I did) send emails to abuse@prq.se, which is the major authority for that IP!

As you can see, this exploit “dirty trick” is not as well elaborated as most people may think, but the vulnerability is real and it renders your site widely open for many other possible attacks. It being said, if you take care of the “timthumb.php” vulnerability, it will help prevent these and other hackers from accessing your local files, as they really DO NOT KNOW and DO NOT NEED your FTP/CPANEL password.

Please, notice that “timthumb.php” is not the bad guy here, and it is a widely used “piece of code” in many other CMS and Open Source tools. In fact, any other code that uses same image management methods may be exploit using same techniques, however, in most cases hackers do not know your PHP code, but they can systematically search for the presence of the “timthumb.php” script on ANY site (as its code and functions are well known). It being said, this vulnerability is not only affecting WordPress sites, but looks like those hackers have a crunch on WordPress installations (God knows why?).

Finally, don’t forget to ALWAYS review your /cgi-bin/ folder, as many hackers also use it to run “email spam routers” on your sites. Also, if you don’t use the FrontPage Extensions, simply delete all folder and files related to it from your /public_html/ folder. For more information about the FrontPage Server Extensions you can access here: http://aquesthosting.headtreez.com/doc/6939a3f3-281d-4a83-a14a-3bda9459702b

I hope this quick “tutorial” can help some of you guys to clean your sites and keep it safe.

I’d like to say a expecial thanks to Judd, as this was the most well informative page I’ve found about this hacking, the one that brought me the initial clues of how to track, kill and prevent this hacking from happening again. That’s why I am writing this “tutorial” here!

Please, share this page! Everyone must know about this threat and how to fix it for good!

Bets Regards.
Julio Marchi
http://about.me/jcmarchi

Some really good suggestions in there, and something that hadn’t occurred to me about other plugins using “timthumb”.

So The Plot Thickens as well all delve deeper into not only what sh*tbags perpetrated this craptasticulatude, but how to prevent it for ever and ever and ever.

Many thanks Julio and everybody else reading and commenting and emailing!

-Judd

Category: Latest News | 3 Comments

A New Beginning…

Posted on September 10, 2011 by

When I started this company over 4 years ago, I named it “Jex Analytics” because I loved Web Analytics.  I knew that no matter what I did in All Things Web, I would always be able to fall back on my skills in reporting and analysis.

Not because it’s sexy, because it’s not.  By any means.

Not because it’s safe either, though it pretty much is.

No, I loved analysis and reporting because it was what really told the truth about your success.  You can look at stats and graphs all day, but without something interpreting them into your language, you’ll never really know what they can mean.

And don’t even get me started on rankings.  Rankings are useless if they don’t improve your business, and too many shysters in the SEO industry have been trying to say differently for years now.

Rankings do NOT tell you about your success.

They can, but they’re not all of it.

But, for a while, I had to focus on rankings.  SEO was what people knew how to ask for and what they thought was going to bring them success.  For years, I’ve been telling them that it’s only a step, but not the whole deal.  For years now, only my clients (most of them) have been listening.

So I was an SEO expert for a while.  I still am, but I don’t like most people to know that, because then they’ll want me to weave that Black Magic on their website, and I don’t do that any more.

With the most recent addition to the Exleys Down Under, my life is changing, and it only stands to reason that my business should change too.

In short: Out with the SEO, in with the Analytics & Reporting.

I’m sure I’ll rant later on how important it all is, consider yourself warned.

For now though, an introduction to the next chapter.

Have a Good Website.

-Judd

Category: Latest News | No Comments

Flood Relief Donation Info

Posted on January 14, 2011 by

When I got tired of hearing "oh, just send cash, not goods" I got super stoked to hear that there’s someone here in Perth that’s organising to ship tangible goods to help out for not just the Queensland Flood Relief, but also help for the Gascoyne River Floods up near Carnarvon and also south of Perth to the victims of those horrible arson Bushfires in Lake Clifton.

His name is Cam Wilkie, his outfit is Cambuild, and he actually packs more awesome than a roundhouse kick from Chuck Norris.

From information from his website (for those of you too lazy to click):

Thank you very much for offering your much-needed assistance. Here’s a list of useful essentials that will be transported to the Queensland Flood Appeal over east.

• Tinned food/Pet food
• Toothpaste
• Toothbrush
• Soap/Shower gel
• Shampoo/Conditioner
• Deodorant
• Detergent
• Baby formula
• Nappies
• Battery operated radios
• Sanitary products
• Shoes/boots		 • Camp beds
• Pillows
• Sleeping bags/blankets
• Towels
• Mosquito nets/repellents
• Lanterns
• Torches
• Batteries
• Tools
• Tarpaulin
• Plastic cups, plates, cutlery
• Veterinary supplies


Please box your donations and label them (on the side of the box) to assist in locating and distributing items.

The first truck will be leaving Friday 14th January in the afternoon. This will be the first of a number of trucks which will leave over the next couple of weeks.

Please deliver your items to:

Cambuild, 1/5 Leeway Court, Osborne Park, WA 6017

If you have any other queries please feel free to contact the Cambuild office on

(08) 9244 8522.

cam@cambuild.com.au

When a wonderful gal in my family asked about a dropoff point South of the River here in Perth, I said that if there wasn’t one, I’d put my hand up to run one.

*raises hand*

I’ll run one!  I’m in Langford, so email me for an address (judd AT jexanalytics.com).

I’m planning on making a run to Osborne Park next Friday afternoon, so try and get stuff here before then.

Here’s the best part too, the part I know you’ve been waiting for, this guy Cam rang me and explained that this isn’t just a truckload of your second-hand crap getting dumped on the streets of Brisbane.  This is a corporate-level organised effort involving Salvos and the Red Cross to sort, box, ship, store and eventually distribute items that are relatively non-perishable and are going to be sorely needed in the coming weeks and months.  He did it for the Victoria Bushfires and he’s doing it now.

Yes, the Queensland Government would rather money, who wouldn’t?  For those of us that want to do more than just punch in some credit card numbers and feel smug while we sip our latte and marvel at how dry our feet are, this is right up our alley.

Cam’s got a crew of volunteers sorting things and they will send you home if you try to dump junk.  Bring good items, usable items, that can survive being sorted, packed, shipped and stored.  Do your best to sort them beforehand and I’ll do some sorting here.

When wondering what to donate, the best way I thought of it was to remember what I was after when our house flooded during the huge storm here in Perth last March.

Yes, Salvo’s has heaps of clothing, so keep it, and when I was flooded I was happy enough to dry a t-shirt out, but boots and shoes get wet, armpits stink, mozzies bite, and when all that shits pouring down and wearing you down nothing on this earth feels as good as a nice shower and getting clean again.  Particularly after you’re digging out the wet and mouldy fuzzy slippers from under your bed.

Also the battery-powered/windup radio thing.  One of the most comforting things that got us through a long and lonely, wet, candlelit night was hearing "the world" out there.  Even if it was just some DJ reporting things and playing Bon Jovi for the 17th time that day.  It’s nice to hear from others in your community.

So there you go.  There are going to be pallets of stuff headed for the areas that need this stuff.  It won’t get there tomorrow but it WILL BE THERE when they need it, and that’s awesome.

Email or ring me and we’ll rock from there.

Category: Latest News | 2 Comments

Stone Soup – A Great Tale

Posted on September 1, 2010 by

Not long ago, an idea hit me.  I was thinking of ways to make The Web a better place, even if only a little bit.

See, I know all these designers and developers and content writers and usability experts and all-around seriously smart people, ALL of whom are quite good at whatever Web Thing it is that they do.  Some blog, some don’t, but most don’t blog a lot, or are writing at least intermittently enough that I miss out on much of their stuff because I forget to check back.

So, I have all of these smart people, most in different areas of Web Awesomeness, most of whom like to write already… hmmm…

You see where I’m going with this?

So I sent an email with a reference to the Story of Stone Soup.  If you’re unfamiliar with it, give it a quick read.  If you hate links, it’s about some Ye Olde Worlde folks passing through a town, who dupe the townspeople into creating a huge and wonderful meal, just by combining their meagre resources.

The main lesson being someone gave everyone a starting point with really no fixed direction past that other than a decent meal.

I hadn’t even named it yet, but after that email I went out got it registered straightaway.  One of my favourite folks, the lovely and talented Patrick Templeman Twells (a web designer and developer in Mandurah) offered to design it and even gave me the HTML and CSS for it!  Grabbed a quick deal on hosting, installed WordPress, slapped in a theme, and…

Stone Soup – Recipes for a Better Web was born!

I’ve got a brilliant smattering of folks signing into it too, and some are even writing already.

I reckon it’s time to start promoting this thing!  I think it’s going to get quite popular.

Category: Latest News | No Comments

Jex Solutions is HERE.

Posted on March 31, 2010 by

I’m stoked and have finally taken that bold step and launched Jex Solutions – SEO Tools & Services.

In what’s a bit of a departure from the somewhat corporate-sounding and formal copy on this site (well, except the blog… heh) I’ve written all of the copy on the Jex Solutions site in about as much of a "real me" voice as I could.  Hell, I wrote some of it from flat on my back in the hospital (compressed spinal nerve) while high on morphine, you don’t get much more "real" than that!  It’s cool though, I edited out the parts where I mentioned that I wanted to hug everyone and how Care Bears really are magic.

So, on to more important matters, like what this sucker’s all about.

Basically, I found that I was doing lots of data gathering and figure-finding for each of my clients on every project.  Even the reporting I was doing on some relatively simple things was very time-consuming and I was troubled by the need to do it every single day (even weekends!).

So, I climbed into the PHP side of things in the backend of a (gloriously) hacked-up WordPress site and wrote some applications that would do a lot of the important stuff for me.  Then, I wrote another one and made the first one better.  Then I even woke up in the wee hours of the morning for one that NOBODY was doing, not even WebCEO or any of those other mobs.  Then I made them all better and better until, as stated at the beginning of this missive, bit the bullet and launched it to the public.

I would love to say that none of it would be possible without the help of so-and-so or whats-his-name, but I really did do it all by myself.

I’m kidding!  Sort of.  Though Myles, Alex, Patrick and Brendan were all awesome for their feedback and help with things that are only going to make all of my stuff better.  Thanks guys!

And thanks to those of you that have played with it, even as a concept, and offered up what you thought for me to ponder over.  I may or may not have actually used any of your thoughts, but I liked having that coffee with you.

I’m kidding again!  You’re awesome, all 10 of you.

So, if you’ve made it this far, GO and check it out.  SEO Tools to make you say things like "cool" and "awesome" not only to yourself, but out loud.

Oh yeah, FREE first month’s membership.  FREE, FREE, FREE.  Get in there!

Category: Latest News | No Comments

Next »