How do I keep getting Blackhole Exploits?



How do I keep getting Blackhole Exploits?

Posted on Mon May 20, 2013 8:21 pm

My blog, which always runs the latest version of Wordpress and has WP Better Security installed somehow keeps getting javascript exploits/blackhole exploits in certain files. Their permissions will somehow always get set to 755, even though I keep setting them back. I cannot change my FTP password. I recently changed my Wordpress password. How are these exploits getting in!?
Mothership: Thuban 1055T@3.7GHz, 12GB DDR3, M5A99X EVO, GTX470+Icy Vision Rev.2@840/3800, Vertex 2E 60GB
Supply ship: Sargas@2.8GHz, 12GB DDR3, M4A88TD-V EVO/USB3
Corsair: Macbook Air Ivy Bridge
Crayon Shin Chan
Minister of Gerbil Affairs
 
Posts: 2238
Joined: Fri Sep 06, 2002 11:14 am
Location: Malaysia
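An added example, not code from this thread: a small Python integrity checker for a WordPress tree that flags the two symptoms the post describes, file contents changing and permissions drifting back to 755, plus a crude scan for obfuscated script blocks of the kind injected into PHP/JS/HTML files. The directory layout, the sample footer.php, the function names and the signature regex are all constructed assumptions.

```python
import hashlib
import re
import stat
import tempfile
from pathlib import Path

# Crude signature for injected/obfuscated script (assumed pattern; illustrative, not exhaustive).
INJECTED = re.compile(rb"eval\(|base64_decode\(|String\.fromCharCode|<script[^>]*>[^<]*document\.write", re.I)
TEXT_SUFFIXES = {".php", ".js", ".html", ".htm"}

def snapshot(root):
    """Record sha256 and permission bits for every file under a WordPress install."""
    root = Path(root)
    return {str(p.relative_to(root)): (hashlib.sha256(p.read_bytes()).hexdigest(), stat.S_IMODE(p.stat().st_mode))
            for p in root.rglob("*") if p.is_file()}

def compare(baseline, current):
    """Return (path, reason) pairs: new, deleted, content changed, or mode changed (e.g. 644 -> 755)."""
    findings = []
    for path, (digest, mode) in current.items():
        if path not in baseline:
            findings.append((path, "new file"))
            continue
        old_digest, old_mode = baseline[path]
        if digest != old_digest:
            findings.append((path, "content changed"))
        if mode != old_mode:
            findings.append((path, f"mode {old_mode:o} -> {mode:o}"))
    findings += [(path, "deleted") for path in baseline if path not in current]
    return findings

def scan_for_injection(root):
    """List PHP/JS/HTML files containing an obfuscation pattern typical of injected script blocks."""
    root = Path(root)
    return [str(p.relative_to(root)) for p in root.rglob("*")
            if p.is_file() and p.suffix in TEXT_SUFFIXES and INJECTED.search(p.read_bytes())]

def demo():
    """Constructed scenario: a clean theme file, then tampering that appends script and sets mode 755."""
    root = Path(tempfile.mkdtemp())
    footer = root / "wp-content" / "themes" / "demo" / "footer.php"
    footer.parent.mkdir(parents=True)
    footer.write_text("<?php wp_footer(); ?>\n")
    footer.chmod(0o644)
    baseline = snapshot(root)
    # Simulated compromise (constructed): obfuscated script appended and permissions widened.
    footer.write_text(footer.read_text() + "<script>eval(String.fromCharCode(97,108));</script>\n")
    footer.chmod(0o755)
    return compare(baseline, snapshot(root)), scan_for_injection(root)
```

Run snapshot() once on a known-clean install, store the result off-box, and compare() against it on a schedule; a hit from either function on a file you did not touch is the point at which to stop resetting permissions and start rebuilding from clean sources.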

Re: How do I keep getting Blackhole Exploits?

Posted on Mon May 20, 2013 11:35 pm

You may have a vulnerable plug-in (in general the more plugins you have the more potential vulnerabilities). One of the hosting providers I use mentioned a couple of caching plugins (SuperCache and W3 Total Cache) as being exploitable through specially formatted comments. Are you sure you don't have an exploit running as a cron job or something? Once you've been compromised, a nuke from orbit and rebuild of the site might be necessary (hopefully you have backups, though be careful you don't have compromised files in your backup).
UberGerbil
Gerbil Khan
 
Posts: 9976
Joined: Thu Jun 19, 2003 3:11 pm

Re: How do I keep getting Blackhole Exploits?

Posted on Tue May 21, 2013 6:34 am

If you are using a shared web host, it could even be another user (or the hosting provider themselves) who is vulnerable. The attacker can break in to another account, then use a local privilege escalation exploit to gain root and mess with your files. If this is the case there isn't much you can do unless you can verify the existence of the exploit and get the hosting provider to patch it. Or you could switch to a different web host with more secure infrastructure.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37673
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: How do I keep getting Blackhole Exploits?

Posted on Tue May 21, 2013 6:45 am

Why can't you change the ftp password? It could easily be how the exploits are being installed.
Fernando!
Your mother ate my dog!
cheesyking
Minister of Gerbil Affairs
 
Posts: 2254
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)

Re: How do I keep getting Blackhole Exploits?

Posted on Tue May 21, 2013 7:15 am

It's hosted by a rather generous guy who had infinite subdomains and a rather generous attitude. I read about this FTP command called CPWD but it isn't supported.

So it could've come in from the FTP, or a vulnerable WP plugin, or another user on the same hosting provider eh...
Mothership: Thuban 1055T@3.7GHz, 12GB DDR3, M5A99X EVO, GTX470+Icy Vision Rev.2@840/3800, Vertex 2E 60GB
Supply ship: Sargas@2.8GHz, 12GB DDR3, M4A88TD-V EVO/USB3
Corsair: Macbook Air Ivy Bridge
Crayon Shin Chan
Minister of Gerbil Affairs
 
Posts: 2238
Joined: Fri Sep 06, 2002 11:14 am
Location: Malaysia

Re: How do I keep getting Blackhole Exploits?

Posted on Tue May 21, 2013 7:46 am

You're a linux user, why not run your own server? I know it's not free but you can get a VPS for not a lot these days and installing virtualmin only takes a few minutes and takes care of just about everything you'd need to run a simple web host. I wouldn't want to set myself up as a hosting provider based off of just doing these steps as it wouldn't be secure enough for that but if you're just running your own sites it should be good enough.

Obviously it's a bunch of extra work if you just want a hosted wordpress site, not just setting up the server but maintaining it too (backups, updates, etc.). If you just want that wordpress hosted then don't do it, but if you think you might be able to use a server for a bunch of other little projects then give it a thought.
Fernando!
Your mother ate my dog!
cheesyking
Minister of Gerbil Affairs
 
Posts: 2254
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)

Re: How do I keep getting Blackhole Exploits?

Posted on Tue May 21, 2013 8:34 am

Crayon Shin Chan wrote: It's hosted by a rather generous guy who had infinite subdomains and a rather generous attitude. I read about this FTP command called CPWD but it isn't supported.

OK, the FTP passwords are probably managed by the hosting provider then. Can you take advantage of his "generous attitude" to have him change the password for you?

cheesyking wrote: You're a linux user, why not run your own server? I know it's not free but you can get a VPS for not a lot these days and installing virtualmin only takes a few minutes and takes care of just about everything you'd need to run a simple web host. I wouldn't want to set myself up as a hosting provider based off of just doing these steps as it wouldn't be secure enough for that but if you're just running your own sites it should be good enough.

Obviously it's a bunch of extra work if you just want a hosted wordpress site, not just setting up the server but maintaining it too (backups, updates, etc.). If you just want that wordpress hosted then don't do it, but if you think you might be able to use a server for a bunch of other little projects then give it a thought.

Yeah, I thought about suggesting this too, but decided it was probably overkill. I've hosted my own servers for years (static IP FTW), and in the past year signed up for a VPS as well to get something with better bandwidth than my home DSL connection. Besides hosting various small sites I also use the VPS as a sandbox for testing web apps when I need other people to beat on them (problematic to do this on my home server due to slow upload speed), and as a secure web proxy whenever I'm on the road.

Hmm... Crayon, do you routinely access your FTP server over a public wifi connection? If so, there's pretty high odds your FTP password has been sniffed. "Classic" FTP transmits passwords over the wire (or over the air) unencrypted, making it trivially easy to steal them. Unless you're already doing so, you really ought to be using SFTP (secure FTP), SSH/SCP, or a secure HTTP connection to upload files. If this is not an option, at the very least you should never do FTP uploads of files over a public wifi connection.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37673
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: How do I keep getting Blackhole Exploits?

Posted on Tue May 21, 2013 8:55 am

OK I emailed him. I can understand my password being sniffed over a public unencrypted wireless, but I've always used WPA/WPA2 secured networks. I don't think it's possible to sniff another user's traffic then, is it?
Mothership: Thuban 1055T@3.7GHz, 12GB DDR3, M5A99X EVO, GTX470+Icy Vision Rev.2@840/3800, Vertex 2E 60GB
Supply ship: Sargas@2.8GHz, 12GB DDR3, M4A88TD-V EVO/USB3
Corsair: Macbook Air Ivy Bridge
Crayon Shin Chan
Minister of Gerbil Affairs
 
Posts: 2238
Joined: Fri Sep 06, 2002 11:14 am
Location: Malaysia

Re: How do I keep getting Blackhole Exploits?

Posted on Tue May 21, 2013 9:25 am

All you need is one user with a key logger. However, it is wordpress that is your issue. There are a number of wordpress sites dedicated to scanning and exploiting the site. While free, it may be time to consider another provider with better baseline security.

I'd recommend possibly, on a bootable linux image, visiting one of these 'security' sites that advertise wordpress online scanners and having a go at seeing if the site itself is wide open or unpatched.
Cybert said: Capitlization and periods are hard for you, aren't they? I've given over $100 to techforums. I should have you banned for my money.
maxxcool
Gerbil Elite
Silver subscriber
 
 
Posts: 645
Joined: Thu Sep 12, 2002 8:40 am
Location: %^&*%$$

Re: How do I keep getting Blackhole Exploits?

Posted on Tue May 21, 2013 9:48 am

Crayon Shin Chan wrote: OK I emailed him. I can understand my password being sniffed over a public unencrypted wireless, but I've always used WPA/WPA2 secured networks. I don't think it's possible to sniff another user's traffic then, is it?


Well it needn't necessarily be anything to do with the ftp password being sniffed. It's just that if files are getting modified on a site then the first thing to do is change all the passwords that are used to modify files on the site, eliminate the obvious things first.

And there are more ways than just sniffing the password to get it:
The password was emailed to you and either his or your email has been breached or it got intercepted along the way.
The password was brute-forced. (The most likely if it's only 8 characters and he hasn't got fail2ban or some such set up.)
The password was guessed based on some other information (like the password was used somewhere else that got hacked)
The server was hacked in some way and the passwords taken.
A bunch of stuff I haven't thought of as I'm not a hacker :wink:
Fernando!
Your mother ate my dog!
cheesyking
Minister of Gerbil Affairs
 
Posts: 2254
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)

Re: How do I keep getting Blackhole Exploits?

Posted on Tue May 21, 2013 6:47 pm

Crayon Shin Chan wrote: It's hosted by a rather generous guy who had infinite subdomains and a rather generous attitude.

You probably just answered your own question. :)
NovusBogus
Gerbil Elite
 
Posts: 512
Joined: Sun Jan 06, 2013 12:37 am
