Blog attack!

My blog went down for about 36 hours this week.  A hacker exploited a friend’s blog that I’m hosting. My host, 1&1, took down all my hosted sites without notice.  At first, I freaked out.  I mean, who does this?  Who takes down a whole host because of an attack? Then, I remembered that I pay about $6 / month and well, what do you expect for cheap hosting?  Also, it’s probably better that the attack was stopped rather than just let it go longer than necessary. I would have appreciated a faster response but I’m not going to be losing sleep over it because everything came back functional.  Now’s probably a good time to back up, though, in case this happens again.

Now for the fun part 🙂  How was the site hacked?  1&1 sent me the details:

1.1  The hackers processed the attack through a security leak in your software – TimThumb

They misused at least the following modules or files of this software:


1.2  Via this security leak, the hackers have uploaded the following malicious files to your webspace:

[path]/3rdparty/API/api.php
[path]/wp-content/themes/premiumnews/cache/external_25b63d0508d2d6374ebc92c12e309517.php
[path]/wp-content/uploads/2011/07/catalog/*
[path]wp-content/uploads/_cache_t1hw1hza.php
[path]wp-content/uploads/_cache_xvh2mwac.php
[path]/wp-content/uploads/sm5vs7.php
[path]/wp-content/uploads/sm6vm1.php
[path]/wp-content/uploads/edw.php
[path]wp-content/uploads/r2mo2.html
[path]/wp-content/uploads/r2lm3.html
[path]/wp-content/uploads/htaccess

So there you have it.  The attackers exploited TimThumb, the image-resizing script that ships inside the premiumnews theme (the external_….php file in the theme’s cache directory is a remote file TimThumb fetched and cached), used that foothold to drop PHP scripts and HTML pages into wp-content/uploads, and then used an htaccess file to lock down the directory.  Let’s take a look at what the scripts do 🙂  I don’t have time this morning but soon!
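Before digging into the scripts, the first thing I’d want after a cleanup like this is a quick way to re-check the webspace for the same kinds of dropped files. The script below is an added example, not code from the original post or from 1&1; its indicator rules are assumptions drawn from the paths in their report (PHP or HTML under wp-content/uploads, which should only hold media; external_*.php in a theme’s cache directory; a stray htaccess under uploads), and the sample site tree it scans is constructed inline from those paths.

```python
"""Scan a WordPress webspace for the kinds of dropped files listed in the 1&1 report.

Added example (not from the original post or from 1&1). The RULES below are
assumptions derived from the reported paths; tune them for your own site.
"""
import fnmatch
import os
import tempfile

# (glob on the site-relative path, reason). fnmatch's '*' also crosses '/',
# so "wp-content/uploads/*.php" matches files at any depth under uploads.
RULES = [
    ("wp-content/uploads/*.php", "PHP file under uploads (should contain only media)"),
    ("wp-content/uploads/*.html", "HTML page under uploads (possible spam/phishing landing page)"),
    ("wp-content/uploads/*htaccess", "htaccess/.htaccess dropped under uploads"),
    ("wp-content/themes/*/cache/external_*.php", "remote file cached by TimThumb with a .php extension"),
]


def scan(root):
    """Walk `root` and return sorted (relative_path, reason) pairs matching RULES."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            for pattern, reason in RULES:
                if fnmatch.fnmatchcase(rel, pattern):
                    hits.append((rel, reason))
                    break  # first matching rule wins
    return sorted(hits)


# Constructed sample tree: a few legitimate files plus names taken from the report.
SAMPLE_FILES = [
    "wp-content/uploads/2011/07/photo.jpg",                # legitimate media
    "wp-content/themes/premiumnews/timthumb.php",          # the theme's own script
    "wp-content/themes/premiumnews/cache/external_25b63d0508d2d6374ebc92c12e309517.php",
    "wp-content/uploads/_cache_t1hw1hza.php",
    "wp-content/uploads/sm5vs7.php",
    "wp-content/uploads/r2mo2.html",
    "wp-content/uploads/.htaccess",
]


def build_sample_site(root):
    """Create SAMPLE_FILES under `root` with placeholder contents."""
    for rel in SAMPLE_FILES:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")


def demo():
    """Build the sample site in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against the real document root instead of the temp directory once you have a backup. Two caveats: a clean result only means none of these particular patterns are present, since an attacker who can write to the webspace can just as easily edit existing theme or core files in place, so also diff the install against a fresh WordPress and theme download; and whatever you find, the lasting fix is to update or remove TimThumb and have the web server refuse to execute PHP under wp-content/uploads at all.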