Answer» I discovered that my webhost account had been compromised in some fashion.
Originally, it started with my FTP not connecting; not because of an authentication failure, but because it simply timed out. I don't know why; it could be a hiccup on the webhost end, or perhaps some configuration changed that I've not discovered yet.
So I ended up having to use the webhost Cpanel. Nothing strange so far.
Then I was scrolling through the folders and files, and I noticed a folder that had a strange name, "dimethylamine", and it contained a single PHP file, "corisica.php". Looking inside, it seemed clear it was some sort of backdoor to use the webhost as a bouncing-off point for viewing other sites; it basically would act as a proxy. Naturally, I found this to be a cause for concern.
After that initial web search (I had to google the comments at the top, which made it appear as if it was a WordPress plugin) I decided to find out where it came from.
I looked through my FTP logs for each month. There should be only two IP addresses accessing FTP: my address and the address of an IRC chatbot that uploads channel logs. As I went backwards, I found a discrepancy, going back to May!
This mystery IP was in France, definitely not me and definitely not anybody who should be able to be logging into my primary FTP account. I continued my investigation by getting the raw FTP access logs. I'm only masking the IP because it could be some innocent third party compromised in a similar fashion:
Code:
Thu May 09 13:13:26 2013 0 99.999.99.999 45 /home/bcprogra/__check.html a _ i r bcprogra ftp 1 * c
Thu May 09 13:13:30 2013 0 99.999.99.999 45 /home/bcprogra/public_html/__check.html a _ i r bcprogra ftp 1 * c
Thu May 09 13:13:31 2013 0 99.999.99.999 21762 /home/bcprogra/public_html/index.php a _ o r bcprogra ftp 1 * c
Thu May 09 13:13:31 2013 0 99.999.99.999 20971 /home/bcprogra/public_html/index.php a _ i r bcprogra ftp 1 * c
Thu May 09 13:13:33 2013 0 99.999.99.999 20951 /home/bcprogra/public_html/index.php a _ i r bcprogra ftp 1 * c
Thu May 09 13:13:37 2013 0 99.999.99.999 2027 /home/bcprogra/public_html/dimethylamine/check.php a _ i r bcprogra ftp 1 * c
Thu May 09 13:13:37 2013 0 99.999.99.999 21977 /home/bcprogra/public_html/dimethylamine/corisica.php a _ i r bcprogra ftp 1 * c

Yep, it was definitely logging in with my main FTP password. I tried looking backwards to see if there was some other access that would manage to get that password, but I wasn't able to find any; so this was the first occurrence. Just some guy in France waltzing right in, which means the password must have been discovered some other way; it was a strong password that is unlikely to be guessed. My investigations led me to first decide to investigate some of the other raw logs for that time; it seems reasonable that if they had acquired the password, they couldn't wait to use it, so it's likely they accessed and somehow got the password through standard HTTP; it's possible it was an exploit in the blog software or even my own CMS.
As luck would have it, I did indeed find that same IP within the HTTP logs, on the very same day; in fact, only seconds before it was used, so I think it is fair to conclude that this was an automated tool of some sort. I surmised that perhaps the HTTP log would give insight over how it acquired the password:
There was quite a bit of visual noise, so I used the Command Prompt and find to filter the file and create a new one that contained only the target IP Address.
I then filtered the log by the suspect files. It seems reasonable to assume that the only person expecting these files would be the person trying to gain unauthorized access, so I filtered them; this got me another IP Address as well, though I didn't find much.
Thing is, once I filtered it, the earliest attempts were 404s trying to access a "__check.html" in the root of my server directory. After a few tries, it succeeded; it then proceeded to run a "corisica.php" in the dimethylamine folder, which appeared to widen the crack.
Now, my supposition based on this was to first see the same area in the plain, unfiltered logs, to see if some buddy IP was doing something. I didn't find anything. I was stumped for a few moments. How does a file magically appear on the server, with seemingly no outside intervention?
Then it hit me, when I saw some of the queries being made by the other, mystery IP.
WordPress Cron, "/blogs/wp-cron.php?doing_wp_cron", was being accessed by those IPs. I thought this was standard fare, but only that IP was accessing it. More importantly, as I learned, that particular PHP file should never be accessed. It would appear that in my ignorance I had left the site wide open! The attacker had used the available wp-cron.php file to schedule their own, custom event, which then fired on the server; this caused a cascade of activity that basically installed the backdoor, at which point the waiting bot was then able to successfully access the file.
I am not really certain what it did; it appeared to change .htaccess, which explains some really weird stuff I had to reset in .htaccess (looking back, it should have raised a red flag at the time, also). Apparently it also tried to change index.php; presumably, that would infect the site with some sort of backdoor, though I don't know what. This was apparently not to be, as at the same time the hacker was busy doing this, I was evidently updating index.php; less than a minute after they made their changes, I uploaded mine, obliviously overwriting them.
I've been able to secure the site by learning about wp-cron. After messing around with it for a bit, I downloaded a WordPress plugin that disables WP's cron and changes it to require a "secret" parameter to run. Then I configured the cPanel and added a cron job that called it every 20 minutes, allowing for the cron task to execute, while preventing any and all unauthorized access to it.
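The triage the poster did by hand (checking the FTP transfer log against the two addresses that should ever log in, finding the first sighting of the stranger, then looking for the same address in the HTTP log seconds earlier) can be scripted. The following is an added example, not code from the original post or from the poster's hosting account. It parses the standard xferlog field layout the post's log uses, flags transfers from hosts outside an allowlist, reports when each unexpected host was first seen and what it uploaded, and lists HTTP requests from that host in the two minutes before each transfer. The log lines, the TEST-NET addresses 198.51.100.7 (owner) and 203.0.113.45 (unexpected client), the account name "example" and the allowlist are all constructed; the code also assumes both logs are in the same timezone.

```python
"""Triage an FTP transfer log (xferlog format) against an allowlist of
expected client addresses and correlate unexpected transfers with HTTP
requests from the same address shortly before them.

Added example; the log lines below are constructed and use TEST-NET
addresses. xferlog fields, in order: date (5 tokens), transfer time,
remote host, size, filename, transfer type, special action, direction,
access mode, user, service, auth method, auth user id, completion status.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample xferlog. 198.51.100.7 is the owner; 203.0.113.45 is
# the unexpected client that uploads a check file and a PHP backdoor.
XFERLOG = """\
Thu May 09 09:02:11 2013 1 198.51.100.7 1204 /home/example/public_html/index.php a _ i r example ftp 1 * c
Thu May 09 13:13:26 2013 0 203.0.113.45 45 /home/example/__check.html a _ i r example ftp 1 * c
Thu May 09 13:13:31 2013 0 203.0.113.45 21762 /home/example/public_html/index.php a _ o r example ftp 1 * c
Thu May 09 13:13:37 2013 0 203.0.113.45 21977 /home/example/public_html/dimethylamine/corisica.php a _ i r example ftp 1 * c
"""

# Constructed sample HTTP access log in common log format.
ACCESS_LOG = """\
203.0.113.45 - - [09/May/2013:13:13:02 +0000] "GET /__check.html HTTP/1.1" 404 212
203.0.113.45 - - [09/May/2013:13:13:20 +0000] "GET /blogs/wp-cron.php?doing_wp_cron HTTP/1.1" 200 0
198.51.100.7 - - [09/May/2013:13:14:00 +0000] "GET / HTTP/1.1" 200 5120
"""

# Addresses that are expected to use FTP (constructed; the post had two).
ALLOWED_FTP_CLIENTS = {"198.51.100.7"}

XFER_TIME_FMT = "%a %b %d %H:%M:%S %Y"
HTTP_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_xferlog(text):
    """Yield one dict per well-formed xferlog record."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 18:
            continue  # truncated or malformed record; skip rather than guess
        yield {
            "time": datetime.strptime(" ".join(parts[:5]), XFER_TIME_FMT),
            "host": parts[6],
            "path": parts[8],
            "direction": parts[11],  # 'i' = upload to server, 'o' = download
            "user": parts[13],
        }


def parse_access_log(text):
    """Yield one dict per common-log-format request line."""
    for line in text.splitlines():
        m = HTTP_RE.match(line)
        if not m:
            continue
        host, ts, method, path, status = m.groups()
        when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
        yield {"time": when, "host": host, "method": method,
               "path": path, "status": int(status)}


def unexpected_transfers(records, allowed):
    """Transfers whose client address is not on the allowlist, in log order."""
    return [r for r in records if r["host"] not in allowed]


def first_seen(records):
    """Earliest timestamp per host, i.e. how far back the activity goes."""
    seen = {}
    for r in records:
        if r["host"] not in seen or r["time"] < seen[r["host"]]:
            seen[r["host"]] = r["time"]
    return seen


def correlate(ftp_records, http_records, window=timedelta(minutes=2)):
    """Pair each FTP transfer with HTTP requests from the same host that
    arrived within `window` before the transfer."""
    by_host = defaultdict(list)
    for h in http_records:
        by_host[h["host"]].append(h)
    pairs = []
    for f in ftp_records:
        hits = [h for h in by_host[f["host"]]
                if f["time"] - window <= h["time"] <= f["time"]]
        pairs.append((f, hits))
    return pairs


def triage(xferlog=XFERLOG, access_log=ACCESS_LOG, allowed=ALLOWED_FTP_CLIENTS):
    """Run the whole check and return a summary a responder can act on."""
    ftp = list(parse_xferlog(xferlog))
    http = list(parse_access_log(access_log))
    bad = unexpected_transfers(ftp, allowed)
    return {
        "unexpected_hosts": sorted({r["host"] for r in bad}),
        "first_seen": first_seen(bad),
        "uploads": [r["path"] for r in bad if r["direction"] == "i"],
        "correlated": [(f["path"], [h["path"] for h in hits])
                       for f, hits in correlate(bad, http)],
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

Run against real logs, the allowlist is the point: the poster knew only two addresses should ever appear, and the anomaly is any third one. The HTTP correlation is what turned the post's "file magically appeared" into a lead, since it surfaces the wp-cron.php request that preceded the upload.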