TuxTweaks Got Hacked

October 10, 2009 by
Filed under: General, news, security, web development 

Today I was trying to debug why my Feedburner feed would not display properly in Google's Chrome browser. What I discovered was that there was some code creating errors in my site's original RSS feed. After a bit of searching on the offending code, I ran across a post on my hosting provider's support forum.

According to the response from the forum mod,

This is an issue that's going all around the Internet. These 'hackers' are not getting your FTP information from us - they are logging into our server with your FTP credentials, so they had to have gotten them from somewhere else first.

Well, that sounds like a nice story. However, a quick search of the internet yields results pointing to websites hosted by the same provider (confirmed by doing a whois search on the domain name).


What happened was that my index.php file got overwritten/modified. Here's what the hacked file looked like. The code I had to remove (shown in bold in the original post) is the block at the very top that registers a shutdown function, plus the final line that calls it; everything in between is the stock WordPress index.php.

<?php @register_shutdown_function("__sfd1252523454__");function __sfd1252523454__() { global $__sdv1252523454__; if (!empty($__sdv1252523454__)) return; $__sdv1252523454__=1; echo <<<DOC__DOC
<!-- [55cdd10ce02d4e8abf6256391a917480 --><!-- 4543252521 --><div style="overflow:auto; visibility:hidden; height: 1px; "><ul><li><a href="http://2309h34b34b34b.cc/sl">.</a></li></ul></div><!-- 55cdd10ce02d4e8abf6256391a917480] -->
DOC__DOC;
} ?>
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/

/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>
<?php error_reporting(0); echo "\n"; @__sfd1252523454__(); ?>

The lesson here I guess is that I'll have to be more vigilant about checking the files on my site. According to the time stamp on my index.php file, it had been changed on Sept. 11! That stinkin' hack had been on my site for a month!

It's unclear to me what problems this might have caused for any of my readers. My deepest apologies to anyone who may have experienced any problems due to this hack.
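The post's lesson is to check the files on the site, and the comment thread below suggests doing it with a recursive grep. As an added example (not code from the original post), here is a small Python scanner that walks a web root and flags files matching the indicators visible in the injected index.php above: the obfuscated register_shutdown_function hook, the 1px hidden div, the 32-hex marker comments, the error_reporting(0) trailer that fires the hook, and the spam domain string. It also reports each flagged file's modification time, since the timestamp on index.php was what revealed the date of the change. The two sample files it writes into a temporary directory are constructed for the demo; the detection is pattern-based and will not catch variants that use different names.

```python
"""Scan a web root for the hidden-link injection shown in this post.

Added example, not code from the original post. Indicator patterns are
taken from the injected index.php above; the sample files are constructed.
"""
import os
import re
import sys
import tempfile
import time

# Indicators lifted from the injected code in the post.
INDICATORS = {
    # obfuscated shutdown hook, e.g. register_shutdown_function("__sfd1252523454__")
    "shutdown_hook": re.compile(r'register_shutdown_function\s*\(\s*["\']__sfd\d+__["\']\s*\)'),
    # off-screen container that hides the spam link from visitors
    "hidden_div": re.compile(r'<div\s+style="[^"]*visibility:\s*hidden;[^"]*height:\s*1px'),
    # trailer that silences PHP errors and then fires the hook
    "silenced_call": re.compile(r'error_reporting\(0\);.*@__sfd\d+__\(\)'),
    # 32-hex marker comments that bracket the payload
    "marker_comment": re.compile(r'<!--\s*\[?[0-9a-f]{32}\]?\s*-->'),
    # the spam domain string quoted in the comments (the rgrep target)
    "known_domain": re.compile(r'2309h34b34b34b'),
}

SCAN_EXTENSIONS = (".php", ".html", ".htm", ".js")


def scan_text(text):
    """Return the sorted names of all indicators found in one file's contents."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root):
    """Walk root and report every web file that matches at least one indicator.

    Each finding carries the file's mtime (UTC), since in this incident the
    timestamp on index.php was what revealed when the injection happened.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if hits:
                mtime = time.strftime("%Y-%m-%d %H:%M:%S",
                                      time.gmtime(os.path.getmtime(path)))
                findings.append({"path": os.path.relpath(path, root),
                                 "indicators": hits,
                                 "modified_utc": mtime})
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample: the stock WordPress index.php (no indicators).
CLEAN_INDEX = r"""<?php
define('WP_USE_THEMES', true);
require('./wp-blog-header.php');
?>
"""

# Constructed sample: same file with the injection shape shown in the post.
HACKED_INDEX = r"""<?php @register_shutdown_function("__sfd1252523454__");function __sfd1252523454__() { global $__sdv1252523454__; if (!empty($__sdv1252523454__)) return; $__sdv1252523454__=1; echo <<<DOC__DOC
<!-- [55cdd10ce02d4e8abf6256391a917480 --><div style="overflow:auto; visibility:hidden; height: 1px; "><ul><li><a href="http://2309h34b34b34b.cc/sl">.</a></li></ul></div><!-- 55cdd10ce02d4e8abf6256391a917480] -->
DOC__DOC;
} ?>
""" + CLEAN_INDEX + r"""<?php error_reporting(0); echo "\n"; @__sfd1252523454__(); ?>
"""


def demo_scan():
    """Write the two constructed samples into a temp web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(HACKED_INDEX)
        with open(os.path.join(root, "wp-content", "index.php"), "w") as fh:
            fh.write(CLEAN_INDEX)
        return scan_tree(root)


if __name__ == "__main__":
    # Usage: python scan_injection.py /path/to/web/root   (no argument runs the demo)
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for f in results:
        print(f"{f['path']}  modified {f['modified_utc']}  {', '.join(f['indicators'])}")
    print(f"{len(results)} suspicious file(s)")
```

Run it against the real document root and review every hit by hand; a file that matches only `marker_comment` could be a legitimate cache tag, while a match on `shutdown_hook` or `silenced_call` is the injection shape from this post and the file should be restored from a known-good copy.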

Comments

2 Responses to “TuxTweaks Got Hacked”

  1. Matt says:

    The same thing happened to me but I'm hosting with Hostgator not Inmotion. The search you showed though doesn't seem like it's all the same kind of problem. With mine Hostgator showed me the logs and I saw that the problem was an exploit in WordPress 2.8.3. When I upgraded WordPress and changed my FTP password I never had this problem again. Sorry man but the problem is your site not your host.

    • Linerd says:

      Well, if it was a problem with my site, it was an exploit in WordPress 2.8.4. I upgraded the site to 2.8.4 in August and my site got hacked on Sept. 11. It seems like more than coincidence that 9 out of 10 sites I found showing the same problem were all with Inmotion. BTW, it's been reported on Drupal sites as well.

      Perhaps it's my fault for not changing my cPanel password since signing up. Account login information was included in the site activation email, so if someone got into the sent mail at Inmotion they would have several IDs and passwords.

      The disappointing thing is that Inmotion knew that there was an issue. They could have run a simple

      rgrep 2309h34b34b34b *

      on each of their servers and found all the hacked accounts. It wouldn't have been too much to ask to send out an email to the affected account holders letting them know of the problem and their proposed solution. Instead, they chose to simply deny any responsibility and left their customers to discover the problem on their own.
