How did they HACK me?
 

Serious question here. Wondering if someone into security or hobby hacking can suggest the basic hacking procedure most likely used.

When hackers hack what program do they use to spread the codes? How come it gets certain wordpress installs and not others? What's the common factor that links those installs? How do they miss others? Also why did they miss my joomla install but was able to infect php list along with most of my adult wordpress installs on one particular host?

Just curious if someone can explain the basic procedure to me

Thanks

do you use some plugin on all those domains? that may be one of the ways. or if you use weak password :2 cents:

Usually they are done through known exploits of a php system... There are a variety of methods though...

If you allow any sort of user file uploads they can upload a spoof image which contains an image header but also includes a <?=eval($_REQUEST['var'])?> ... If you serve images dynamically, like some people do, then this image would basically allow them to run anything on your system that they want... read files (including conf files) etc... then upload their own script to wreak additional havoc...

They can also use SQL injection methods... Many people don't use the mysql real escape string method and so they can be prone to injection methods... This is done by setting a variable name to something that will terminate the MySQL query that is supposed to run and run an additional query... or just cause the query to do something completely different by extending it...

I don't use prebuilt scripts for that exact reason... there's just too many vulnerabilities and once one has been found... it's open season on that script until there's a patch.

Those cover two of the main "web hacking" methods but there's also a myriad of different ways to hack a box over other ports. Virtually every single port you leave open on a box is vulnerable to attack. From buffer overruns (although those are few and far between now-a-days) to bad character sequences to... there's really a ton of methods. The most important thing to do is make sure you close all the ports you don't want people accessing... get rid of ftp ffs... make sure you have some BFD (Brute Force Detection) on any and every single auth point... and update every library and every service as soon as a new stable version comes out...

once a hack has been succesfull a planted program does all the rest, basically if hacker can run an exe from your server they can pretty much do anything a root user ( you ) can do.
different version or non-default settings
No common factor other than they were all exploitable.

most wordpress hacks are automated hacks , so there is no hacker targetting you , they grab a list of possible wordpress installs from google or other ways and hit go. So in some instances 2 identical copies of wordpress might have different results. 1 may not get hacked simply because they were low on the google results for "wordpress version 4.20"



it's like asking why a burglar missed your rare coin stash, maybe they were lookng for big screen tv's, maybe they forgot to look, remember most of it is automated so its simply a case of something not fitting the criteria for the hackerware

Check your plugins cause if there is a backdoor in one of them which you use on all your sites this could be one way or if you have week passwords as teencat said above.

Keep your wordpress up to date

http://hackrz.wordpress.com/ have a read on that it does give you some info on some aspects of hacking

i suppose thats one way to look at it, another way is to look at it as , there are many people to test it out and find/fix problems before you do

I don't write exploitable code ;) I'm educated and aware of virtually every trick. I've been doing this for 11 years and my code base is _very_ stable.

Think of it this way though... Do you think macs are impervious to viruses? Nope, people just don't bother writing them for macs as they wouldn't be able to target as many people.

Same thing with custom scripts... They want to target large amounts of sites, not one. Additionally, to try and determine the layout of my code without anything to go in is virtually impossible. The only points of access they have to my code base are via web pages. With prebuilt scripts they can download the source and see EXACTLY how it works and test out exploits all day long.

Thanks.

I think it might be as simple as these blogs had a common password and maybe i used that same one on php list, but wanted to get an idea of different ways in case it's something else.

Thanks again :thumbsup

Change your wordpress footprint.

Mass blog "checks" are performed by the hackers to find a certain version of wordpress running that is vunerable to attack.

Typically they search google using a unique wordpress footprint, to spit out 1,000,000 sites using wordpress, then they check the version of each one.

By removing/changing these footprints present on every wordpress install, you leave yourself open to less attacks & less comment spam.

Of course once they find a nest-egg of installs on one "host", they may look up their allocated ip range & start searching every ip owned by said host. Not just for wordpress, but they usually have an entire list of exploits at that point, to perform a more precise scan of the host's ips...or domains. Including joomla, wordpress, mysql, & every other exploit in their list, which i would typically imagine being several thousand.

chmod file settings to 777 , then edit, then change back... never leave at 777

NEVER use 777 ... the world NEVER needs write access to your files.

then you just aren't making very complex code :) think of it this way almost every large program has/had exploits , you saying all wordpress needs is you and there softw would be unhackable ?


theres hundreds of mac viruses, but they know mac users overpaid for their computers and are likely broke :winkwink:

1) Maybe... I haven't even looked at their code base. I do code less complex systems by nature because I design custom code. A custom designed system only needs to perform a fixed set of functionality and doesn't require "hooks" to be left in the code for plugins, extensions, etc...

The problem with Wordpress and other large open source scripts is that they have to code for EVERYTHING for every single option that anyone might need. This causes a LOT of useless code to be run at all times... which is why I have the aversion to large open source scripts like Wordpress. In addition, for each one of these options and hooks that are left open in the code for plugins or whatever else the likelihood of introducing bugs compounds exponentially...

Also, the majority of exploits come from sloppy plugin code... Something which they have no control over.


2) :1orglaugh:1orglaugh:thumbsup

Most major PHP scripts out there (especially wordpress) are notoriously prone to security problems. Part of it is that security was never a major concern when PHP was designed. Users have to sanitize data themselves instead of that being handled for them. The majority of PHP programmers are also entry-level programmers at best and aren't aware of how to write secure code.

One thing that should be done that nobody does is to use a "chroot" environment. This makes it so that the web server component of your server is "sandbox"ed. Even if someone can hack it they can't do anything because they are basically confined inside of box with very little functionality. Also, mounting parts of your filesystem as read-only prevents any changes from being made. The parts of your server that you need to change should not be executable.

Also, please stop using Apache. It is a joke compared to a server like nginx.

I have no idea.

qft

nginx, php fast-cgi + xcache.... mmmm good... Blows the doors off of Apache.

The real issue is a faulty foundation. Books like "The Elements of Programming" talk about having a mathematical foundation to write provable software. It is theoretically possible to write 100% defect free software but we are not quite there yet in practice.

Why is it that a group of engineers can create an airplane that can carry hundreds of people over vast distances without a problem but your average programmer can't write code for more than an hour without an error, bug, typo, or other problem?

It is because they don't know how to program. Nobody does really. It is an ongoing area of research in computer science. Programming is still in its infancy and very much like alchemy was as compared to modern chemistry.

Also, of what has been discovered so far as generally good programming practice, PHP breaks almost every one of these principles.

I like you already. But shhhhh! Hosting companies (especially Amazon Web Services) really don't like people like us though. They don't want their customers knowing that they can get away with 1 server instead of 10. lol

You also may have something like this:

Gumblar
http://blog.tigertech.net/posts/ftp-password-viruses/

a must do !

I bet you $50 you can't post a PHP script I can't exploit - even a one liner.
Perl, sure easy. C, yeah, no problem. But PHP - I can exploit every PHP script I've ever seen.

<?

echo 'Hello World';

?>

$50 please :1orglaugh

Hhahaha seriously ... I have a chat script that uses memcache only for storage. It currently supports about 100k concurrent users at peak hours. We tried Apache at first (couple years ago)... The amount of requests per second even after tuning Apache was keeping a load of like 3-5 on all 10 webheads...

I switched to nginx and there's a load of .2 on 5 webheads ;)

twitter.com

:1orglaugh:1orglaugh:1orglaugh:1orglaugh:1orglaugh

I'm pretty sure now that fatfoo's bot just reads the thread titles.

You wont find an answer to that on a webmaster board. Webmasters are prone to being newbies in the security department.

this is probably the best explanation in the thread :2 cents:

Most third-party software has exploits for the simple reason they don't thoroughly test it.

When a software is free/open-source, or costs a minimal amount of money, their monetization usually comes from getting it to market faster than their competition and/or supporting the software.

They don't have the motivation to try every conceivable way to mess with their code; they are offering a blog tool or plugin, not securing a government registry tool (not to say those can't be exploited heh).

It may sound arrogant, but I'm with BestXXXPorn on this one; when it's an important project, where security is an issue, I make sure the code is tight and I'm more confident using my own code than popular third-party apps.

People say PHP is "more hackable" but that's false; the true reason is PHP is a "loose" language, so people that read a tutorial or two suddenly think they are programmers and program very sloppy, insecure applications.

Regardless, if your code is secure, that doesn't mean much if other ports/software on the machine are vulnerable. It just means you will only have to worry about more targeted hacks and not publicized wordpress holes.

Akbar doesn't understand code,maybe Kindig or Ranjit might have some input

Everything said in this post is helpful. But just to follow up on it......

But let me stress yet once again........on top of spending thousands of dollars/hours tightening up scripts

When using 3rd party applications, change common file names & "footprints" for the script (search able in the major engines). The less your site can be found by exploit scanners, the less likely you are 2 be hacked. P.S. Renaming the files will result in no real adverse effects in your SE rankings.

For instance, hackers will have a program submit the following to google in several formats....

powered by WordPress
Entries (RSS) and Comments (RSS).

or look for /wp-admin/ directories by ip subnets, well known to be owned by hosting companies......simply changing mundane file structures & footprints will leave you 100x less likely to have your blog (for example) scanned every time a new 0-day exploit hits

so yes...tighten your scripts, consult a security expert, BUT ALSO learn to hide subtle indicators hackers use to find your site in the first place...typically site pwnage/blog spam etc. comes directly from a simple mass google lookup......sometimes simplicity beats over-thinking security :2 cents:

finally if you've been with your host for a few years & you're about to start a new site, ask them if they've obtained a new ip block recently, see if you can get 1 or 2 of the new stock for your newest sites :thumbsup

I agree definitely with the theory but see a problem with that advice; a lot of people here, if they are not experienced programmers, will end up just breaking things.

For example, let's say they rename many common page names. Sometimes, they have to find and replace certain variables in the DB just not grep through the code to replace. Not to mention, if they try and use additional modules or plugins, those may no longer work without modifying that code...and so on.

For those who know what they are doing, or have access to someone who does, it is a great suggestion. For the rest, I think it will end up being a problem for them to achieve :2 cents:

Most third-party software has exploits for the simple reason they don't thoroughly test it.

that is true, same as strongbox can be fully exploitable :winkwink:

Xcache is obsolete,i use official php cache solution which updates with every new php version.

Hey, thanks for all the info.

I think I have it cleaned and semi-locked but waiting for second attack from any code I missed getting rid of.

this thread is amusing.

:thumbsup yes, you're awesome! with ZERO to say :1orglaugh

Let me tell you something I learned. It doesn't matter how many firewalls or security you have. If someone wants to hack they will get through your shit. Just make sure you have backups and be ready to counter attack when it happens. ex. knowing how to restore all your shit fast and having a host that sends you texts when your site has been breached or ddosed.