Not a moment too soon

It wasn’t a moment too soon – and in fact a few too late – that I moved my site from WordPress to Hexo. The other two dozen WordPress sites on the server (not just my friend’s blogs), running versions from 3.8 to 4.1, were broken into, and scripts were created that would send mail. Some interesting features of the hack, though!

  • They installed PHP files with innocuous-sounding names like gallery.php inside WordPress plugin and theme directories.
  • They installed a .so file, loaded it into the /usr/bin/host program with a dynamic loader trick, then deleted the .so so it’d be hard to find. This created a daemon used to send junk mail, and quite efficiently too.
  • Having PHP record what URL was posted to when sending mail is the best thing ever for tracking this down.
  • lsof is great for verifying that things are shut down.
  • They wrote to every web-accessible directory they had privileges to. Very adept hack.

Ugh.
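As an added example that is not part of the original post, the shell script below collects the defender-side checks the bullets above describe: finding a deleted .so that is still mapped into a running process (the /usr/bin/host trick; the loader mechanism is not named in the post and is assumed here to be an LD_PRELOAD-style hook), attributing mail() calls to the script that made them via PHP's mail.log directive (this is the assumed reading of "having PHP record what URL was posted to"), finding PHP files dropped into web-writable directories, and confirming with lsof that no SMTP sockets remain. All maps lines, log lines and docroot files are constructed; the library path /tmp/.cache/libsample.so, the some-plugin directory and the site1 paths are placeholders, not indicators from the incident.

```shell
#!/bin/sh
# Added example, not from the original post: defender-side checks for the
# symptoms the post describes. All sample data below is constructed.

# --- 1. A deleted .so still mapped into a live process -------------------
# When an unlinked library is still loaded, the kernel marks the mapping
# "(deleted)" in /proc/<pid>/maps. Reads maps text on stdin and prints the
# unique paths of such shared objects.
deleted_mapped_so() {
  awk '/\.so[^ ]* \(deleted\)$/ { print $6 }' | sort -u
}

# Same check over every process on the box (run as root to see them all).
scan_live_processes() {
  cat /proc/[0-9]*/maps 2>/dev/null | deleted_mapped_so
}

# Constructed maps excerpt: one unlinked library inside a host process.
SAMPLE_MAPS='00400000-00420000 r-xp 00000000 08:01 400012 /usr/bin/host
7f3a1c000000-7f3a1c1b5000 r-xp 00000000 08:01 131090 /lib/x86_64-linux-gnu/libc-2.19.so
7f3a1c3c0000-7f3a1c3c1000 r-xp 00000000 08:01 262501 /tmp/.cache/libsample.so (deleted)
7f3a1c5d0000-7f3a1c5f0000 r-xp 00000000 08:01 131075 /lib/x86_64-linux-gnu/ld-2.19.so'

# --- 2. Which script is calling mail()? ----------------------------------
# With mail.log=/var/log/php_mail.log (and mail.add_x_header=On) in php.ini,
# PHP records the script path and line of every mail() call. Reads log text
# on stdin and prints "count path", busiest caller first.
mail_callers() {
  sed -n 's/.*mail() on \[\([^]]*\):[0-9]*\].*/\1/p' | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Constructed log lines, shaped like PHP's mail.log entries.
SAMPLE_MAIL_LOG='[12-Mar-2015 03:14:07 UTC] mail() on [/var/www/site1/wp-content/plugins/some-plugin/gallery.php:41]: To: a@example.com -- Headers: From: news@site1.example
[12-Mar-2015 03:14:08 UTC] mail() on [/var/www/site1/wp-content/plugins/some-plugin/gallery.php:41]: To: b@example.com -- Headers: From: news@site1.example
[12-Mar-2015 03:15:30 UTC] mail() on [/var/www/site1/wp-includes/pluggable.php:287]: To: admin@site1.example -- Headers: From: wordpress@site1.example
[12-Mar-2015 03:16:02 UTC] mail() on [/var/www/site1/wp-content/plugins/some-plugin/gallery.php:41]: To: c@example.com -- Headers: From: news@site1.example'

# --- 3. Dropped PHP files in the docroot ---------------------------------
# Uploads must never contain PHP. Elsewhere, a PHP file that mentions both
# eval( and base64_decode deserves a human look (some legitimate code does
# too, so this is triage, not proof). Both functions take the docroot as $1.
php_in_uploads() {
  find "$1" -path '*/wp-content/uploads/*' -name '*.php' -type f | sort
}

obfuscated_php() {
  find "$1" -name '*.php' -type f | while IFS= read -r f; do
    if grep -q 'base64_decode' "$f" && grep -q 'eval(' "$f"; then
      printf '%s\n' "$f"
    fi
  done | sort
}

# Builds a constructed docroot in a temp dir and prints its path.
build_sample_docroot() {
  root=$(mktemp -d "${TMPDIR:-/tmp}/wpscan.XXXXXX")
  mkdir -p "$root/wp-content/uploads/2015/03" \
           "$root/wp-content/plugins/some-plugin" \
           "$root/wp-content/themes/sample"
  : > "$root/wp-content/uploads/2015/03/photo.jpg"
  # Inert fixture: carries the two tokens only inside a comment.
  printf '%s\n' '<?php /* constructed fixture: eval( base64_decode */' \
    > "$root/wp-content/uploads/2015/03/gallery.php"
  printf '%s\n' '<?php echo "plugin ok";' \
    > "$root/wp-content/plugins/some-plugin/some-plugin.php"
  # Only one of the two tokens: must not be flagged.
  printf '%s\n' '<?php $s = base64_decode("aGk=");' \
    > "$root/wp-content/themes/sample/functions.php"
  printf '%s\n' "$root"
}

# --- 4. Confirm the mailer is really gone --------------------------------
# Returns 0 when no process holds an SMTP socket (ports 25/587); prints the
# holders and returns 1 otherwise. Skips with status 0 if lsof is missing.
no_smtp_sockets_open() {
  command -v lsof >/dev/null 2>&1 || { echo 'lsof not installed; skipped' >&2; return 0; }
  if lsof -nP -iTCP:25 -iTCP:587 2>/dev/null; then
    return 1
  fi
  return 0
}

# Demo on the constructed samples. On a real box, pipe in the server's
# mail.log, pass its docroot, and call scan_live_processes instead.
printf '%s\n' "$SAMPLE_MAPS" | deleted_mapped_so
printf '%s\n' "$SAMPLE_MAIL_LOG" | mail_callers
```

The maps check is the one that matters most for the deleted-.so trick: the file is gone from disk, but the mapping in /proc/<pid>/maps and the open descriptor in lsof both still name it, and the process can be dumped from memory before it is killed.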