Famous Bloggers - You’ve Been Hacked!

Posted: 28 Apr 2011 07:53 PM PDT

If you are one of the many computer users or web hostmasters who think that they have not been hacked before, you should think again! And if you truly believe you are invincible or unsusceptible to attacks, well, let's just say, "There is wishful thinking in Hell as well as on Earth" – C.S. Lewis

Getting hacked is one thing and not being aware of it is another. I can go on and on talking about the many incidents I personally experienced with clients I consulted with, who were totally unaware of their network or data compromise for months, but for now, I'll just stick to an incident we had last night.

Last night, I was asked by Hesham to help him look into some strange server behaviors he has been witnessing. The server had been requesting connections to a couple of unrecognized domains; mainly though, airschk.com. We had to dig deeper into Hesham's web files to finally find a php script added at the very top of many of the apache .php files of Hesham's sites. Apparently, the attacker gained access somehow to those particular domains' FTP, downloaded the .php code, added the malicious script and uploaded the files back into the server.

Before we all roll up our sleeves here, let's first discuss what airschk attack (or web-bug) does.

What does the airschk attack do exactly?

cyber face eyes

The malicious code embeds an IMG SRC tag into your web pages that would normally be interpreted by browsers as a .gif image hosted in a remote address. In reality however, the script is actually collecting a lot of information about the target site and the site visitors like visitor location, IP, etc.; moreover, the code is sending massive distributed requests back to Google for possible future alterations of page/domain rankings.

How do I check if I have been attacked by airschk?

You can use “grep” or “find” Unix commands to look for the infected files,

From your main web server documents' directory,

Use the following grep command to list the files and the lines containing the script,

$ grep "airschk" –r *

Or, for a more extensive search (the entire machine), listing only the infected files, use the find command with the grep together as follows (searching from the root directory "/"). Replace "public_html" with your web server document base directory name.

$ find / -type f -name '*' -exec grep -s airschk {} \; -print | grep public_html

The output of the command above will show you all filenames infected.

How can I remove it?

First of all, you need to change your login password NOW. Choose a hard-to-guess password, preferably at least 10 characters long that contain small and capital letters, at least one numeric character and at least one punctuation character.

I am currently working on a Linux script that would clean-up the infected files. I will post another blog article with details on that as soon as I finish.

How did this happen anyway?

Do you ever use Telnet to remotely manage your server? Or may be FTP to upload files? If you do, then you may want to check your php files now; especially if you are using WordPress or similar CMS.

Both Telnet and FTP use clear-text to authenticate, it is very likely that your password has been compromised by the attacker during one of your FTP/Telnet sessions. There are many possibilities on which your password could have been compromised, without getting into many technical details, one possibility is that telnet or FTP traffic was captured in transit between your server and your workstation. Another possibility is that another server/machine in the hosting company's network was compromised and used as a launching pad for sniffing traffic within your hosting company's network.

We actually examined the server's log file /var/log/messages

Here is a snippet from what we found:

Apr 27 04:26:46 fam pure-ftpd: (?@76.26.91.229) [INFO] New connection from 76.26.91.229 Apr 27 04:26:47 fam pure-ftpd: (?@76.26.91.229) [INFO] user@famousbloggers.net is now logged in Apr 27 04:27:05 fam pure-ftpd: (user@famousbloggers.net@76.26.91.229) [NOTICE] /home/famous//public_html/_vti_inf.html downloaded (1754 bytes, 127.67KB/sec) Apr 27 04:27:05 fam pure-ftpd: (user@famousbloggers.net@76.26.91.229) [NOTICE] /home/famous//public_html/_vti_inf.html uploaded (1995 bytes, 25.33KB/sec) Apr 27 04:27:06 fam pure-ftpd: (user@famousbloggers.net@76.26.91.229) [NOTICE] /home/famous//public_html/_wp-settings.php downloaded (9655 bytes, 530.69KB/sec) Apr 27 04:27:06 fam pure-ftpd: (user@famousbloggers.net@76.26.91.229) [NOTICE] /home/famous//public_html/_wp-settings.php uploaded (12410 bytes, 54.37KB/sec) : :

As you see above, the IP address (76.26.91.229) which comes from West Virginia (not necessarily where the actual hack originated from, it could be another machine that has been compromised and used as a divert for launching attacks to remote servers) successfully gained FTP access to the machine, downloaded the WordPress files and then uploaded the files back into the server. From the timestamp of the logs, you can easily tell that this is an automated script ran by the attacker. This process has continuously repeated itself for many other files in other domains running on the server.

Can I prevent similar incidents from happening again?

I hate to break it to you, but the answer is "No", but the good news is that there are a few precautions you could take to protect yourself from similar attacks.

As mentioned above, the first important precaution you should take is to use a hard-to-guess password and never share that password with others.
The use of Telnet and FTP over a public cloud is highly discouraged. Please consider using SSH to remotely login to your server's command-line, and SFTP (Secure-FTP) to transfer files in between; both protocols encrypt the flow of information between your computer and your server.
Unfortunately, some of the hosting companies provide remote management tools like control panels, etc. that use clear-text authentication. Make sure your site Control/Admin Panel uses HTTPS, at least during the login process. Consult with your hosting company on the authentication protocol or method used on the provided Control Panel. If your hosting company does not offer an encrypted authentication for managing your server, well, you may not be in the right hosting company to begin with.
Periodically check your FTP/Telnet logs; you can do that by examining the /var/log/messages file for suspicious activities.

Hope this article was helpful. As always, your comments and suggestions are welcome.