Pharma hack


Pharma hack

Steve Taylor-15
A site I run just got hit by the "pharma hack". There was a common.php and
a /coockies/ directory in the root, and a modification to .htaccess
rerouting all search bots to common.php - encoded but obviously stuffed
with spam keywords, which were appearing in Google's index.

I've cleaned up and all seems fine now, but obviously it'd be good to
identify the point of entry and be sure.

The site has always had an up-to-date core, with minor delays (I think a
week passed before upgrading to 3.6.1). A few plugins needed upgrading, but
as far as I could tell none of the upgrades involved serious security
patches.

The guy who hosts the site (not my choice) says he's 99% certain WP was the
issue, but this seems unlikely to me. He doesn't seem terribly
knowledgeable about security. I can't be 100% sure there wasn't some odd hole in
my WP installation, but obviously I suspect a server vulnerability -
leaving us pointing the finger at each other.

Personally I would move hosts, but this isn't my decision. Just wondering
what people here thought, and if anyone heard of recent vulnerabilities to
this hack in relatively up-to-date WP installations. Also, what concrete
analysis of the situation should be the bare minimum expected of a host?

Cheers,

Steve
_______________________________________________
wp-hackers mailing list
[hidden email]
http://lists.automattic.com/mailman/listinfo/wp-hackers
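The two artefacts Steve describes (a rewrite that sends only search-engine crawlers to a PHP file, and a PHP file that is "encoded") are easy to check for mechanically. The script below is an added example, not code from the thread or from WordPress: it parses a constructed .htaccess (modelled on the description above, not a real capture), reports any RewriteRule whose preceding RewriteCond lines key on a crawler user agent or, as a generalisation of the same cloaking trick, on a search-engine referer, and lists the eval/decode primitives used in a constructed stand-in for the dropper. The sample file contents, the bot and engine word lists and the indicator list are all assumptions chosen for illustration.

```python
import re

# Constructed sample .htaccess, modelled on the thread's description of the
# pharma hack (a normal WordPress block plus an appended bot redirect). Not a
# real capture.
SAMPLE_HTACCESS = r"""
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|slurp|yandex) [NC]
RewriteRule ^(.*)$ /common.php [L]
"""

# The same file without the appended rules, for comparison.
CLEAN_HTACCESS = SAMPLE_HTACCESS.split("# END WordPress")[0] + "# END WordPress\n"

# Constructed stand-in for the dropper; the literal just decodes to "hello".
SAMPLE_DROPPER = '<?php $x = base64_decode("aGVsbG8="); eval(gzinflate($x)); ?>'

# Assumed word lists; extend them for the crawlers you care about.
BOT_WORDS = re.compile(r"googlebot|bingbot|msnbot|slurp|yandex|baiduspider|crawler|spider|bot\b", re.I)
ENGINES = re.compile(r"google|bing|yahoo|yandex|baidu", re.I)


def is_cloaking_cond(cond):
    """True if a RewriteCond keys on a search-engine user agent or referer."""
    if "%{HTTP_USER_AGENT}" in cond and BOT_WORDS.search(cond):
        return True
    if "%{HTTP_REFERER}" in cond and ENGINES.search(cond):
        return True
    return False


def find_bot_rewrites(htaccess_text):
    """Return RewriteRules whose preceding RewriteConds select search engines.

    Apache applies RewriteCond lines only to the RewriteRule that follows
    them, so the pending conditions are reset after every rule.
    """
    hits, pending = [], []
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lower = line.lower()
        if lower.startswith("rewritecond"):
            pending.append(line)
        elif lower.startswith("rewriterule"):
            parts = line.split()
            target = parts[2] if len(parts) > 2 else ""
            if any(is_cloaking_cond(c) for c in pending):
                hits.append({"target": target, "conditions": pending})
            pending = []
    return hits


# Assumed indicator list: primitives that legitimate theme/plugin code rarely
# calls on string literals but droppers almost always do.
INDICATORS = ["eval", "base64_decode", "gzinflate", "gzuncompress", "str_rot13", "assert"]


def php_obfuscation_indicators(src):
    """List the obfuscation/eval primitives called in a PHP source string."""
    found = [name for name in INDICATORS if re.search(r"\b%s\s*\(" % name, src)]
    # A very long base64 literal is the usual carrier for the spam payload.
    if re.search(r"['\"][A-Za-z0-9+/=]{200,}['\"]", src):
        found.append("long_base64_literal")
    return found


if __name__ == "__main__":
    for hit in find_bot_rewrites(SAMPLE_HTACCESS):
        print("cloaking rewrite ->", hit["target"], hit["conditions"])
    print("dropper indicators:", php_obfuscation_indicators(SAMPLE_DROPPER))
```

Run it over every .htaccess in the document root, not just the top one; the rewrite can sit in any subdirectory Apache allows overrides in. A cloaked site looks normal in a browser, so fetching a page with a Googlebot user agent (or checking Google's cached copy) is the quickest confirmation that the redirect is really gone after cleanup.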

Re: Pharma hack

Simon Vart
Did you check the web server logs? You will see which pages were accessed.
Check the creation date of common.php and the /cookies/ directory; it will tell
you when to look.

Re: Pharma hack

J.D. Grimes
Simon is right - check the server access logs (if you can). That may tell you how they got in.

J.D.

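Simon's and J.D.'s advice (take the timestamp of the dropped file, then read the access log around it) is the whole of the investigation Steve is asking about, so here is what that looks like in practice. This is an added example, not code from the thread: it parses Apache combined-format log lines, takes the dropped file's modification time as the anchor, and pulls out the POST requests in the window before it (a file does not get written by a GET), the full timeline of every address that made one, any PHP requested from the uploads tree, and the first direct hit on the dropper. The log lines, the IP addresses, the plugin path and the mtime are all constructed for illustration and describe no real site or vulnerability.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed Apache "combined" access-log lines (not from the thread). They
# sketch a plausible sequence: a POST to a plugin endpoint, a PHP file
# appearing under uploads, the attacker testing /common.php, then a crawler
# visit after the .htaccess change.
SAMPLE_LOG = """\
198.51.100.4 - - [27/Sep/2013:20:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:22:14:02 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:22:14:05 +0000] "GET /wp-content/uploads/2013/09/img.php HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:22:14:20 +0000] "POST /wp-content/uploads/2013/09/img.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:22:15:00 +0000] "GET /common.php HTTP/1.1" 200 40210 "-" "Mozilla/5.0"
66.249.66.1 - - [28/Sep/2013:03:10:11 +0000] "GET /about/ HTTP/1.1" 200 40210 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

# Constructed: what `stat` reported for the dropped file (Simon's starting point).
DROPPED_MTIME = datetime(2013, 9, 27, 22, 14, 30, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def triage(log_text, dropped_mtime, dropper_path="/common.php", window=timedelta(hours=2)):
    """Work back from the dropped file's timestamp to the requests that could have written it."""
    recs = [r for r in map(parse_combined, log_text.splitlines()) if r]
    start = dropped_mtime - window
    in_window = [r for r in recs if start <= r["ts"] <= dropped_mtime]
    # Whatever wrote to disk almost certainly arrived as a POST shortly before the mtime.
    sources = sorted({r["ip"] for r in in_window if r["method"] == "POST"})
    # Every request from those addresses, in order: the "pages accessed" Simon mentions.
    timeline = [(r["ts"].isoformat(), r["method"], r["path"], r["status"])
                for r in recs if r["ip"] in sources]
    # PHP being requested from the uploads tree is a strong sign of a web shell.
    php_in_uploads = sorted({r["path"] for r in recs
                             if "/wp-content/uploads/" in r["path"]
                             and r["path"].lower().endswith(".php")})
    dropper_hits = [r["ts"] for r in recs if r["path"] == dropper_path]
    return {
        "post_sources": sources,
        "timeline": timeline,
        "php_in_uploads": php_in_uploads,
        "first_dropper_hit": min(dropper_hits).isoformat() if dropper_hits else None,
    }


def demo():
    """Run the triage on the constructed log and mtime."""
    return triage(SAMPLE_LOG, DROPPED_MTIME)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two caveats a host should be able to answer to: an attacker who already has a shell can set mtime with `touch`, so compare it with the ctime (`stat` prints both) before trusting the anchor, and logs on shared hosting are often rotated or truncated within days, so the first thing to ask for is a copy of the raw access and error logs covering the window, not the host's summary of them.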

Re: Pharma hack

Hal Burgiss
In reply to this post by Steve Taylor-15
On Sat, Sep 28, 2013 at 4:09 AM, Steve Taylor <[hidden email]> wrote:

> A site I run just got hit by the "pharma hack". There was a common.php and
> a /coockies/ directory in the root, and a modification to .htaccess
> rerouting all search bots to common.php - encoded but obviously stuffed
> with spam keywords, which were appearing in Google's index.
>
> I've cleaned up and all seems fine now, but obviously it'd be good to
> identify the point of entry and be sure.
Definitely. But why is .htaccess writable in the first place? Root
directory? From a systems administration standpoint, the only directory in
a default installation that should be writable is the uploads folder. That
by itself doesn't stop everything, but it stops a helluva lot of stuff.

--
Hal

Re: Pharma hack

abdussamad
Most shared hosts use PHP FastCGI and configure it so that the
entire directory is writable. This can make it easier for users to
update WP and allows WP core devs to boast that more WP installations
are up to date compared to other major CMSs.

But yeah it isn't ideal from a security point of view.

On 09/28/2013 07:37 PM, Hal Burgiss wrote:

> Definitely. But why is .htaccess writable in the first place? Root
> directory? From a systems administration standpoint, the only directory in
> a default installation that should be writable is the uploads folder. That
> by itself doesn't stop everything, but it stops a helluva lot of stuff.
>
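Hal's rule (only uploads should be writable) and abdussamad's objection (under FastCGI PHP runs as the file owner, so everything is writable) are both about the same question: which files can the PHP process actually write? The audit below is an added example, not code from the thread or from WordPress. It walks a document root, decides writability from the mode bits and the uid/gid PHP runs as, and reports every path outside the uploads tree that PHP could modify, plus, as an extra check that goes beyond the thread, any .php file sitting inside uploads. The constructed tree, file modes and the three hosting scenarios in `demo()` are assumptions for illustration; ACLs, chattr flags and setuid wrappers are not modelled.

```python
import os
import stat
import tempfile
from pathlib import Path


def php_can_write(st, php_uid, php_gids):
    """Can a process running as php_uid with groups php_gids write this inode? (mode bits only)"""
    mode = st.st_mode
    if st.st_uid == php_uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in php_gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_writable(root, php_uid, php_gids, uploads_rel="wp-content/uploads"):
    """Flag everything PHP could write outside uploads, and any .php inside uploads."""
    root = Path(root)
    uploads = root / uploads_rel
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for p in [Path(dirpath)] + [Path(dirpath) / f for f in filenames]:
            st = p.lstat()
            if stat.S_ISLNK(st.st_mode):
                continue  # do not follow links; their targets are audited in place
            rel = p.relative_to(root).as_posix()
            if p == uploads or uploads in p.parents:
                if p.suffix.lower() == ".php":
                    findings.append((rel, "php file inside uploads"))
                continue
            if php_can_write(st, php_uid, php_gids):
                findings.append((rel, "writable by PHP outside uploads"))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed WordPress-like layout with typical modes (not a real install)."""
    base = Path(base)
    layout = {
        ".htaccess": 0o644,
        "wp-config.php": 0o640,
        "index.php": 0o644,
        "wp-content/plugins/example-plugin/plugin.php": 0o664,  # group-writable, a common slip
        "wp-content/uploads/2013/09/photo.jpg": 0o644,
        "wp-content/uploads/2013/09/img.php": 0o644,            # should never be here
    }
    for rel, mode in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("x")
        path.chmod(mode)
    for d in base.rglob("*"):
        if d.is_dir():
            d.chmod(0o775 if "uploads" in d.parts else 0o755)
    base.chmod(0o755)


def demo():
    """Run the audit for the hosting models discussed in the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        owner_uid, site_gid = os.stat(tmp).st_uid, os.stat(tmp).st_gid
        return {
            # FastCGI/PHP-FPM running as the site owner: PHP can rewrite everything.
            "php_runs_as_owner": audit_writable(tmp, owner_uid, {site_gid}),
            # PHP as a separate user that only shares the site's group.
            "php_runs_as_other_user_same_group": audit_writable(tmp, -1, {site_gid}),
            # PHP as a separate user in no shared group: only o+w bits matter.
            "php_runs_as_other_user_no_group": audit_writable(tmp, -1, set()),
        }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario)
        for rel, reason in findings:
            print("  ", rel, "-", reason)
```

The first scenario is abdussamad's point: with PHP running as the owner, `.htaccess` and `wp-config.php` are writable no matter what chmod says, and the only fix is a separate PHP user (or a suexec-style setup with the uploads directory group-writable). The other two scenarios are the layout Hal describes, where a single stray `g+w` on a plugin file is the only finding outside uploads. On a live host the same check is roughly `find . -path ./wp-content/uploads -prune -o -perm /022 -print` plus a look at which user `ps` shows for the PHP workers.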