How do I keep getting Blackhole Exploits?

Posted: Mon May 20, 2013 8:21 pm
by Crayon Shin Chan
My blog, which always runs the latest version of Wordpress and has WP Better Security installed, somehow keeps getting JavaScript exploits/blackhole exploits in certain files. Their permissions will somehow always get set to 755, even though I keep setting them back. I cannot change my FTP password. I recently changed my Wordpress password. How are these exploits getting in!?

Re: How do I keep getting Blackhole Exploits?

Posted: Mon May 20, 2013 11:35 pm
by UberGerbil
You may have a vulnerable plug-in (in general the more plugins you have the more potential vulnerabilities). One of the hosting providers I use mentioned a couple of caching plugins (SuperCache and W3 Total Cache) as being exploitable through specially formatted comments. Are you sure you don't have an exploit running as a cron job or something? Once you've been compromised, a nuke from orbit and rebuild of the site might be necessary (hopefully you have backups, though be careful you don't have compromised files in your backup).

Re: How do I keep getting Blackhole Exploits?

Posted: Tue May 21, 2013 6:34 am
by just brew it!
If you are using a shared web host, it could even be another user (or the hosting provider themselves) who is vulnerable. The attacker can break into another account, then use a local privilege escalation exploit to gain root and mess with your files. If this is the case there isn't much you can do unless you can verify the existence of the exploit and get the hosting provider to patch it. Or you could switch to a different web host with more secure infrastructure.

Re: How do I keep getting Blackhole Exploits?

Posted: Tue May 21, 2013 6:45 am
by cheesyking
Why can't you change the ftp password? It could easily be how the exploits are being installed.

Re: How do I keep getting Blackhole Exploits?

Posted: Tue May 21, 2013 7:15 am
by Crayon Shin Chan
It's hosted by a rather generous guy who had infinite subdomains and a rather generous attitude. I read about this FTP command called CPWD but it isn't supported.

So it could've come in from the FTP, or a vulnerable WP plugin, or another user on the same hosting provider eh...

Re: How do I keep getting Blackhole Exploits?

Posted: Tue May 21, 2013 7:46 am
by cheesyking
You're a Linux user, why not run your own server? I know it's not free, but you can get a VPS for not a lot these days, and installing Virtualmin only takes a few minutes and takes care of just about everything you'd need to run a simple web host. I wouldn't want to set myself up as a hosting provider based off of just doing these steps, as it wouldn't be secure enough for that, but if you're just running your own sites it should be good enough.

Obviously it's a bunch of extra work if you just want a hosted Wordpress site, not just setting up the server but maintaining it too (backups, updates, etc.). If you just want that Wordpress hosted then don't do it, but if you think you might be able to use a server for a bunch of other little projects then give it a thought.

Re: How do I keep getting Blackhole Exploits?

Posted: Tue May 21, 2013 8:34 am
by just brew it!
Crayon Shin Chan wrote:
It's hosted by a rather generous guy who had infinite subdomains and a rather generous attitude. I read about this FTP command called CPWD but it isn't supported.

OK, the FTP passwords are probably managed by the hosting provider then. Can you take advantage of his "generous attitude" to have him change the password for you?

cheesyking wrote:
You're a Linux user, why not run your own server? I know it's not free, but you can get a VPS for not a lot these days, and installing Virtualmin only takes a few minutes and takes care of just about everything you'd need to run a simple web host. I wouldn't want to set myself up as a hosting provider based off of just doing these steps, as it wouldn't be secure enough for that, but if you're just running your own sites it should be good enough.

Obviously it's a bunch of extra work if you just want a hosted Wordpress site, not just setting up the server but maintaining it too (backups, updates, etc.). If you just want that Wordpress hosted then don't do it, but if you think you might be able to use a server for a bunch of other little projects then give it a thought.

Yeah, I thought about suggesting this too, but decided it was probably overkill. I've hosted my own servers for years (static IP FTW), and in the past year signed up for a VPS as well to get something with better bandwidth than my home DSL connection. Besides hosting various small sites I also use the VPS as a sandbox for testing web apps when I need other people to beat on them (problematic to do this on my home server due to slow upload speed), and as a secure web proxy whenever I'm on the road.

Hmm... Crayon, do you routinely access your FTP server over a public wifi connection? If so, there's pretty high odds your FTP password has been sniffed. "Classic" FTP transmits passwords over the wire (or over the air) unencrypted, making it trivially easy to steal them. Unless you're already doing so, you really ought to be using SFTP (secure FTP), SSH/SCP, or a secure HTTP connection to upload files. If this is not an option, at the very least you should never do FTP uploads of files over a public wifi connection.

Re: How do I keep getting Blackhole Exploits?

Posted: Tue May 21, 2013 8:55 am
by Crayon Shin Chan
OK I emailed him. I can understand my password being sniffed over a public unencrypted wireless, but I've always used WPA/WPA2 secured networks. I don't think it's possible to sniff another user's traffic then, is it?

Re: How do I keep getting Blackhole Exploits?

Posted: Tue May 21, 2013 9:25 am
by maxxcool
All you need is one user with a key logger. However, it is Wordpress that is your issue. There are a number of Wordpress sites dedicated to scanning and exploiting the site. While free, it may be time to consider another provider with better baseline security.

I'd recommend possibly, on a bootable Linux image, visiting one of these 'security' sites that advertise Wordpress online scanners and having a go at seeing if the site itself is wide open or unpatched.

Re: How do I keep getting Blackhole Exploits?

Posted: Tue May 21, 2013 9:48 am
by cheesyking
Crayon Shin Chan wrote:
OK I emailed him. I can understand my password being sniffed over a public unencrypted wireless, but I've always used WPA/WPA2 secured networks. I don't think it's possible to sniff another user's traffic then, is it?

Well it needn't necessarily be anything to do with the ftp password being sniffed. It's just that if files are getting modified on a site then the first thing to do is change all the passwords that are used to modify files on the site, eliminate the obvious things first.

And there are more ways than just sniffing the password to get it:
The password was emailed to you and either his or your email has been breached, or it got intercepted along the way.
The password was brute forced (the most likely if it's only 8 characters and he hasn't got fail2ban or some such set up).
The password was guessed based on some other information (like the password was used somewhere else that got hacked).
The server was hacked in some way and the passwords taken.
A bunch of stuff I haven't thought of as I'm not a hacker :wink:
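The thread's practical advice boils down to "find out which files changed and how", so here is an added example (not code from any poster) of the check a site owner can run from a shell on the host: a baseline of every file's SHA-256 and permission bits, diffed against a later scan so that edited files, dropped-in files and permission drift (a file flipped to 755, as the original poster describes) show up by name. The `demo()` function builds a constructed one-file site in a temp directory to show the output shape.

```python
# Added example: content + permission baseline for a site directory, then a diff
# against it. Not from the thread; paths and the demo scenario are constructed.
import hashlib, os, stat, tempfile

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each regular file (path relative to root) to its SHA-256 and octal mode."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are not part of the content baseline
            mode = stat.S_IMODE(os.stat(full).st_mode)
            manifest[os.path.relpath(full, root)] = {"sha256": file_digest(full), "mode": oct(mode)}
    return manifest

def compare(baseline, current):
    """Diff two manifests: changed content, changed permissions, new and missing files."""
    findings = {"modified": [], "mode_changed": [], "added": [], "removed": []}
    for rel, info in current.items():
        old = baseline.get(rel)
        if old is None:
            findings["added"].append(rel)
            continue
        if old["sha256"] != info["sha256"]:
            findings["modified"].append(rel)
        if old["mode"] != info["mode"]:
            findings["mode_changed"].append((rel, old["mode"], info["mode"]))
    findings["removed"] = sorted(set(baseline) - set(current))
    return findings

def demo():
    """Constructed scenario: baseline one file, then simulate the drift described in the thread."""
    root = tempfile.mkdtemp()
    cfg = os.path.join(root, "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php\n")
    os.chmod(cfg, 0o644)
    baseline = build_manifest(root)
    os.chmod(cfg, 0o755)  # permission drift, as the original poster reports
    with open(os.path.join(root, "dropped.php"), "w") as fh:
        fh.write("<?php\n")  # a new file that was never in the baseline
    return compare(baseline, build_manifest(root))
```

Keep the saved baseline somewhere the web server's user cannot write, otherwise whatever is rewriting the site files can rewrite the baseline too.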

Re: How do I keep getting Blackhole Exploits?

Posted: Tue May 21, 2013 6:47 pm
by NovusBogus
Crayon Shin Chan wrote:
It's hosted by a rather generous guy who had infinite subdomains and a rather generous attitude.

You probably just answered your own question. :)