I was looking over some settings on my website earlier and I just happened to check on my Google Webmaster Tools account where I discovered that something was not quite right. Google’s site crawler was reporting that there were 24(?) unlinked pages on one of my WordPress pages. I clicked through to find that there was an entirely new directory (/pdd) on my website that linked to a radio podcasting site from the Netherlands. But that directory didn’t exist! Here’s the worrisome part: whoever managed to hack into my account was able to change my root .htaccess file. So they created a new rewrite rule to route the tiago.kamots.net/pdd requests through another vector.
The Altered .htaccess File: RewriteEngine On RewriteRule pdd/(.*)/(.*)/(.*)/$ /wp-admin/includes/?post=$3|$1|$2 [L] RewriteRule pdd/$ /wp-admin/includes/ [L] RewriteBase /
Whatever changed the .htaccess file was smart enough to create the new rewrite rules near the top of the file for full effect. Had it simply been appended, it would not have worked.
I transferred a part of the Kamots Network from Netfirms to DreamHost on January 15, 2010, and I originally thought that it was during this small window that the attack was made. But I was wrong. I checked back on the Netfirms servers and there were several files with a last modified timestamp of interest (November 15, 2009). They are (using relative pathnames):
WordPress root directory represented as ~ ~/.htaccess [Last Modified: 2009-October-23] ~/wp-includes/class-read.php [8 KB] ~/wp-includes/common.php [0 bytes] ~/wp-includes/wp-common.php [69 KB] ~/wp-includes/wp-vars.php [0 bytes] ~/wp-includes/wp-version.php [105 bytes]
When transferring these files to my desktop computer, my Norton Antivirus detected a High severity PHP.Backdoor.Trojan in wp-common.php. It turns out that this file was written by a “security group” in China, which is also where 90% of my spam messages on WordPress originate from. You can download this toolkit off of this group’s website so there is a strong chance it was used as part of an automated/scripted attack by another entity entirely.
Running a Hidden Website Within a WordPress Installation
What interests me is how this attack was able to implant 46 hidden pages within my WordPress installation. For example, this URL:
actually gets redirected through the .htaccess rule into:
tiago.kamots.net/wp-admin/includes/?post= hoorspelcast-raquo-gezocht |41|hoor
But none of those 46 pages are anywhere in my database or file structure! What an ingenious exploit, and it’s been known since at least 2008 which is the date that this wp-common.php Trojan file was written.
This was quite a learning experience.
You may need to look into your file system security. And shouldn’t you have an antivirus scan of some sort running on your servers? Also, your FTP users are limited with passwords of only 6 characters. That’s way too small! Since you randomly generate them for your customers, you may as well go all the way and have longer (and more complicated) passwords created.