Blog attack! Pt. 2: What happened?

How a site on my host was hacked

I wrote previously about why my site had gone offline.  I looked a little more into what had happened and here’s a synopsis.

Tampering with data

First, a script was uploaded using a zero-day exploit in TimThumb. TimThumb, an image-resizing script, could be tricked into writing an arbitrary file into WordPress and giving it +x (execute) permissions.

The uploaded script, now marked executable, would test whether the SMTP port (25) was reachable and also exposed some generic file-handling capabilities such as upload. In other words it was a foothold: a script added with the intent of doing something more malicious later. I’m guessing this was mass-exploited across vulnerable WordPress sites discovered through Google.

Next, assorted files (ads and HTML pages) were uploaded to the share.

Elevation of privilege

Not satisfied with just one exploit script dropped onto my host, the attacker also added a second script with a random-looking name. This script was a mailer. The attacker actually uploaded the same script twice with different seeds; either that, or the attacker mistakenly ran the same upload script twice. I’m assuming this script basically gave the attacker a dashboard for loading more scripts, or even for using my host like an FTP server. My hosting provider then discovered the offending scripts and shut his site down, at which point they took my site down too until they could remove permissions from everything that had been compromised.

Thoughts…

Sharing your hosting creates interesting attack vectors. Since my friend’s site was essentially a folder on the same shared host, my host was only as secure as that folder. I should have done a better job of applying the STRIDE model when thinking about threats; I was probably vulnerable to the entire gamut of bad things that could happen. It also made me think about the power of client-side code: if everything on my host were JavaScript, nothing on my host would need +x. If all application storage were isolated from the web site, that would probably help too. It’s definitely time for me to audit my site for anything that can execute server-side.
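Here is an added example of the audit that last sentence calls for (demo code written for this post, not something from the original write-up): a POSIX shell function that walks a web root and flags the two things this incident hinged on, files carrying an execute bit and PHP scripts sitting under an uploads directory. The WordPress-like tree and file names it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Audit a web root for the two things that let this attack work:
#   1. regular files with an execute bit set (the TimThumb-style drop), and
#   2. PHP scripts under an "uploads" directory, which should hold media only.
# Prints one "<reason><TAB><path>" line per finding, sorted; prints nothing if clean.
audit_web_root() {
    root="$1"
    {
        # Any regular file that is executable for user, group or other.
        find "$root" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) \
            -exec printf 'exec-bit\t%s\n' {} \;
        # PHP-looking files anywhere below a directory named "uploads"
        # (*.php.* also catches double extensions such as thumb.php.jpg).
        find "$root" -type f -path '*/uploads/*' \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.php.*' \) \
            -exec printf 'php-in-uploads\t%s\n' {} \;
    } | sort
}

# Number of findings; 0 means nothing server-side executable turned up.
audit_web_root_count() {
    audit_web_root "$1" | wc -l | tr -d ' '
}

# Build a constructed WordPress-like tree in a temp dir for the demo.
# All names are made up; "a8f3c1.php" stands in for the random-looking mailer.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2011/08" "$d/wp-content/themes/demo/scripts"
    printf '<?php echo "home";' > "$d/index.php"                          # normal, not executable
    printf 'GIF89a' > "$d/wp-content/uploads/2011/08/cat.gif"              # legitimate media
    printf '<?php // planted' > "$d/wp-content/uploads/2011/08/thumb.php"  # PHP where only media belongs
    printf '<?php // mailer' > "$d/wp-content/themes/demo/scripts/a8f3c1.php"
    chmod u+x "$d/wp-content/themes/demo/scripts/a8f3c1.php"              # dropped with +x
    printf '%s' "$d"
}
```

Run `audit_web_root /path/to/webroot` against a real site; on a purely static or client-side site the expected output is empty, and every line it does print is worth a look.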