Blog attack! Pt. 2: What happened?
How a site on my host was hacked
I wrote previously about why my site had gone offline. I looked a little more into what had happened and here’s a synopsis.
Tampering with data
First, a script was uploaded through a then-new vulnerability in TimThumb. TimThumb, an image resizer bundled with many WordPress themes, could be tricked into fetching an attacker-supplied file and writing it into its cache directory on the WordPress host; in my case the file also ended up with +x permissions. The executable bit is beside the point for PHP served by the web server, though: PHP in a web-reachable directory runs whether or not it is +x, so the real defect is a cache directory that accepts arbitrary fetched files and is itself reachable over HTTP.
The uploaded script checked whether the SMTP port (25) was reachable and also exposed generic file-handling functions such as upload. It was a staging tool: something dropped so that a more malicious payload could follow. My guess is that it was mass-deployed across vulnerable WordPress sites found through Google searches for the vulnerable script.
Next, assorted files (ads and HTML pages) were uploaded to the same share.
Elevation of privilege
Not satisfied with one exploit script dropped on my host, the attacker also added a second script with a random-looking name. This one was a mailer. The attacker actually uploaded the same script twice under different random-looking names, either by design or because the upload script was run twice by mistake. I assume this script gave the attacker a dashboard for loading more scripts, or even for using my host as an FTP server. My hosting provider then discovered the offending scripts and shut the site down, and kept me offline until they could strip permissions from everything that had been compromised. Strictly speaking, nothing here elevated privileges: both scripts ran as the web server user, and that account was already enough to send mail and write to the share.
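As an added example (not the blog author's tooling, and not TimThumb's own code), the following Python script walks a WordPress tree and flags files that look like the two dropped scripts described above: PHP where only images belong, an executable bit, an SMTP reachability probe, a generic upload handler, and a mailer. The directory layout, the file names and the indicator regexes are assumptions constructed for this example; the sample tree it builds is invented.

```python
"""Triage a WordPress tree for dropped PHP of the kind described above.

Added example, not the blog author's tooling. Assumptions: TimThumb writes
resized images to a directory named 'cache' (hypothetical layout here), and
a legitimate image directory should never contain PHP. The indicator
patterns are a minimal, hand-picked set, not a complete webshell signature.
"""
import re
import stat
import tempfile
from pathlib import Path

# Directories where only images belong; PHP under these is suspicious.
IMAGE_ONLY_DIRS = {"uploads", "cache"}

# Behaviours the post describes: an SMTP reachability probe, a generic
# upload handler, and a mailer. The regexes are assumptions; tune per incident.
INDICATORS = {
    "smtp-probe": re.compile(r"fsockopen\s*\([^;]*?,\s*25\b"),
    "upload-handler": re.compile(r"move_uploaded_file\s*\(|\$_FILES\b"),
    "mailer": re.compile(r"\bmail\s*\("),
}


def scan_tree(root):
    """Return {relative_path: [reasons]} for every file worth a human look."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        # The post says the dropped scripts arrived with +x; on hosts where
        # everything is 755 this check is noisy and should be dropped.
        if path.stat().st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            reasons.append("executable-bit")
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        # Check content, not just the extension: a .jpg holding PHP still
        # runs if the server can be made to execute it.
        is_php = path.suffix.lower() == ".php" or "<?php" in text[:4096]
        if is_php and set(path.relative_to(root).parts[:-1]) & IMAGE_ONLY_DIRS:
            reasons.append("php-in-image-dir")
        if is_php:
            reasons += [name for name, rx in INDICATORS.items() if rx.search(text)]
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_fixture():
    """Constructed sample tree: one clean resizer stub, one cached image, and
    two dropped scripts with random-looking names (all contents invented)."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    theme = root / "wp-content" / "themes" / "t"
    cache = theme / "cache"
    cache.mkdir(parents=True)
    (theme / "timthumb.php").write_text("<?php /* legitimate resizer stub */ ?>")
    (cache / "abc123.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    probe = cache / "x9k2q.php"  # the staging script: port-25 probe + upload
    probe.write_text(
        '<?php $s = @fsockopen("127.0.0.1", 25, $errno, $errstr, 3);\n'
        'if ($s) echo "smtp ok";\n'
        'if (isset($_FILES["f"])) move_uploaded_file($_FILES["f"]["tmp_name"], $_FILES["f"]["name"]); ?>'
    )
    probe.chmod(0o755)
    mailer = cache / "q7h3z.php"  # the second script: a bulk mailer
    mailer.write_text('<?php foreach (explode("\\n", $_POST["to"]) as $t) mail($t, $_POST["s"], $_POST["b"]); ?>')
    mailer.chmod(0o755)
    return root


if __name__ == "__main__":
    for rel, why in sorted(scan_tree(build_fixture()).items()):
        print(rel, ", ".join(why))
```

Run it against a real install with `scan_tree("/var/www/html")` and treat the output as a worklist, not a verdict: the content checks matter more than the executable bit, and a compromised site should be rebuilt from known-good sources rather than cleaned file by file.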