My blog went down for about 36 hours this week. A hacker exploited a friend’s blog that I’m hosting. My host, 1&1, took down all my hosted sites without notice. At first, I freaked out. I mean, who does this? Who takes down a whole host because of an attack? Then I remembered that I pay about $6 / month and, well, what do you expect for cheap hosting? Also, it’s probably better that the attack was stopped rather than left to go on longer than necessary. I would have appreciated a faster response, but I’m not going to lose sleep over it because everything came back functional. Now’s probably a good time to back up, though, in case this happens again.
Now for the fun part 🙂 How was the site hacked? 1&1 sent me the details:
1.1 The hackers processed the attack through a security leak in your software – TimThumb
They misused at least the following modules or files of this software:
1.2 Via this security leak, the hackers have uploaded the following malicious files to your webspace:
[path]/3rdparty/API/api.php
[path]/3rdparty/API/api.php
[path]/wp-content/themes/premiumnews/cache/external_25b63d0508d2d6374ebc92c12e309517.php
[path]/wp-content/uploads/2011/07/catalog/*
[path]wp-content/uploads/_cache_t1hw1hza.php
[path]wp-content/uploads/_cache_xvh2mwac.php
[path]/wp-content/uploads/sm5vs7.php
[path]/wp-content/uploads/sm6vm1.php
[path]/wp-content/uploads/edw.php
[path]wp-content/uploads/r2mo2.html
[path]/wp-content/uploads/r2lm3.html
[path]/wp-content/uploads/htaccess
So there you have it. They exploited a WordPress image thumbnail script (TimThumb), uploaded a spam script into the uploads and theme cache directories, and then locked out the directory with an htaccess file. Let’s take a look at what the scripts do 🙂 I don’t have time this morning but soon!
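One check worth running after an incident like this (an added example, not part of the original post or of 1&1’s report): walk the WordPress directories that should only ever hold static content and flag anything a web server would execute, or a stray htaccess file. The theme cache path is taken from the report above and the sample tree is constructed here to mirror those paths; adjust the directory list for your own theme.

```python
"""Flag executable scripts or htaccess files sitting in WordPress
directories that should contain only static content."""
import tempfile
from pathlib import Path

# Directories that should never contain server-executable files.
# The theme cache path is assumed from the host's report for this site.
STATIC_ONLY_DIRS = ("wp-content/uploads", "wp-content/themes/premiumnews/cache")
# Extensions a PHP-capable web server will execute.
EXEC_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def suspicious_files(webroot: str) -> list[str]:
    """Return sorted webroot-relative paths of scripts or htaccess files
    found under the static-only directories."""
    root = Path(webroot)
    hits = []
    for rel in STATIC_ONLY_DIRS:
        base = root / rel
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if not p.is_file():
                continue
            name = p.name.lower()
            if p.suffix.lower() in EXEC_SUFFIXES or name in (".htaccess", "htaccess"):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree() -> str:
    """Construct a throwaway webroot mimicking paths from the host's report."""
    root = tempfile.mkdtemp()
    files = [
        "wp-content/uploads/2011/07/photo.jpg",  # legitimate upload, not flagged
        "wp-content/uploads/sm5vs7.php",  # dropped script
        "wp-content/uploads/_cache_t1hw1hza.php",  # dropped script
        "wp-content/uploads/htaccess",  # attacker-placed htaccess
        "wp-content/themes/premiumnews/cache/external_25b63d0508d2d6374ebc92c12e309517.php",
        "wp-content/themes/premiumnews/style.css",  # legitimate theme file, not flagged
    ]
    for f in files:
        path = Path(root, f)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("x")
    return root


if __name__ == "__main__":
    for hit in suspicious_files(build_sample_tree()):
        print("suspicious:", hit)
```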