A Hacked website & Lessons Learned

It was 9AM when one of my clients called me and asked if I know why none of the pages of his website, which is Wordpress based, is shown. I started checking his Wordpress dashboard first, and everything was looking fine, but when I tried any page, it just could not show them. It took me a while to conclude it may be a hack attack. So using an FTP client, I checked the files on the website to see if everything was normal. The first thing I noticed was a small file with the name of “default.php” was added to the root and several other places like “wp-includes” folder. The time of the file was 2:44AM, which indicates it was just 6 hours that the website was hacked.

When I opened the file, it had just one line of encoded code like this:

<?php eval(base64_decode(‘…’); ?>

Also I noticed that the file of “.htaccess” is changed. I opened it and the last line of it was:

RewriteRule . default.php [L]

Which basically redirects a request for any page to the malicious code. So I replaced .htaccess file with the backup I had on my computer and removed all the instances of that “default.php” file. By doing this, the website was back to work again. But I knew that there are way more things to check.

I started comparing all the files on Wordpress installation with the backup. Interestingly I found a folder with the name of “default” which was not in my backups. By further investigation I found 3000 newly added empty files which their names were just an IP address. I could find 4 or 5 other files with the size of 200 to 600 kBytes, which their names where just a big number and no extension. Also I found a log file named “default.log” which included all the aforementioned IP addresses. The log file goes like this:

init 1369046284 108.245.232.62
task 1369046285 108.245.232.62 469109513d3961b497f5f0bb52ed5e33 3f30e19eaf614e3fbfd50664c6fa72b3 65a5050869ee8ef006243e8ecba05e3d
load 1369046286 108.245.232.62 469109513d3961b497f5f0bb52ed5e33

The first number is a time- stamp and the others were the name of files on that folder.

I do not know why I was so out-of-mind at that moment. I was just curious to know what kind of file the other 3000 people received from that website. I downloaded those files, and renamed one or two of them and gave them an extension of “.exe” and ran them. Nothing happened immediately. After a few minutes I saw some advertisements are shown on my screen, and later a window showed up, saying it’s “System Care Antivirus”. At that point I realized those files were computer viruses. I cleaned that scareware, but later I found that my computer crashes every few minutes, so I realized that the problem is not over. By further investigation, I found my computer is infected by a Trojan named Rovnix.D. It cost me one night’s sleep to get rid of that. To get the job done, I had to download TDSS killer from Kaspersky to remove that rootkit Trojan.

I learned it the hard way that what other 3000 people got from that hacked website in just 6 hours.

Later that day I suggested to my client it would be better to report the hosting company of what happened, so they investigate if there are some security flaws in their servers. Thanks god he did so. Because they investigated and they found four more places that the malware of “default.php” was injected, and they removed it. What they reported back was that malware was injected in a folder outside Wordpress installation, 40 days before hacking the website, for the first time. And the hacker used a compromised password to upload malware to that account. I have no idea how the hacker could get the password, but the technical support of hosting company believes it can be due to a virus-infected PC.

Anyway, the point is whoever injected that backdoor, waited for 40 days before hacking the website, maybe to reduce the chance of being traced.

It means we had 40 days to catch that backdoor before hacking materializes. But we missed it.

How that backdoor is exploited

The malicious code was injected to a remote and out of sight folder, and whoever knows where the file is, can use it as a backdoor. That backdoor allows the hacker to execute any PHP code sent from the browser. So the hacker can copy the backdoor to several places, alter the files on the site, execute SQL queries, and everything else they want to do.

Lessons Learned

  • If a website is running well, it does not mean there are no backdoors injected to the site. It’s quite possible that the hacker is just waiting for an appropriate time to exploit it.
  • FTP accounts of a website should be reduced to minimum, and its password should change more often.
  • If a backdoor is found, it means the hacker could read the database password in “wp-config.php”, so changing the password and checking the integrity of the database is important.
  • Sometimes hackers do not want to cause any harm to the website, and all they want is to send viruses to other people who visit some other websites, without anyone can trace them.
  • The malicious code can have a very harmless name, and it can be injected anywhere in the website. So you should not look for just strange names. Even any change in the size and time of legitimate files, should raise an alarm.
  • Updating plugins may not remove the backdoors injected in their folders. So comparing the files in their folders is necessary.