?

Log in

No account? Create an account

Previous Entry | Next Entry

Pwning WordPress for fun and profit

I have a love/hate relationship with WordPress.

Actually, that's not true. I like WordPress rather a lot, and I wish that more open-source projects had the finish, polish, and sophistication of WordPress. I own about a half-dozen Web sites that run it, and I'm overall very fond of it.

What I don't like is the number of people who set up a WordPress install, then walk away from it and never install any updates or security patches. WordPress is a popular target for hackers, because it's widely deployed and easy to find, and because so, so many people don't keep on top of updates.

Which, frankly, baffles me. It's incredibly easy to update--easier, in fact, than any open-source server software I've ever used. You log in to the admin area. It tells you "There is an update. Click here to install the update." You click one button. Bang, that's it! There literally is nothing else you have to do.

So, anyway, today I found yet another phony bank phish in my email. The phish pretends to be an HSBC Bank page, and it attempts to trick the gullible into handing out their bank account number and password. So far, so bog-standard.

*** WARNING *** WARNING *** WARNING ***
The URLs in this post are live at the time of this writing. They do not lead to malware sites, but they DO lead to phony bank phish sites.

The phish page in my email lives at

http://internalcommunications.co.uk/img/1/IBlogin.html

It's a pretty bog-standard phish, a page living on a hacked server that collects personal financial information and then sends them off to the phishers via a php-to-email script.

The server that it lives on, internalcommunications.co.uk, is hosted by heartinternet.co.uk and belongs to a guy named Simon Wright; his Whois details, including his email address, are protected by a privacy service.

The site itself is completely defaced. The defacement left a hole big enough to drive a truck through, and the phishers put the phony bank page on the site after the person or group who defaced it hacked it and left it wide open. EDIT: The site defacer, who goes by the name "NONE-STOP," is also a phisher who sells stolen credit card numbers, stolen bank account login information, and other stolen identity information. More at the end of this post.

The front page of the hacked site, as of the time of this writing, looks like this (click for larger):



I haven't heard of NONE.STOP, whoever he/she/they are; as near as I can tell, there's only one other site defacement (www.cegm.ca) he/she/thay have claimed responsibility for.

Now is where it gets interesting, and where WordPress comes in.

Normally, when a site is defaced, the images that are used in the defacement are uploaded to the hacked server. Not in this case. In this case, the images used in the defacement are being remote loaded from another server.

A hacked WordPress install, that was set up a while ago, had a single test post added to it, and was abandoned.

Specifically, the images used in the defacement are being loaded from

http://devriestree.com/components/com_content/views/.index/aa__blut.gif
http://devriestree.com/components/com_content/views/.index/4scpcn.jpg

and so on. The Web site devriestree.com is the one running the pwm3d WordPress, and it has been left alone; no defacement, no phishes, nothing. The person or group called NONE.STOP has simply created a hidden .index directory which is being used to store the pictures that he/she/they use when he/she/they deface other sites.

The site devriestree.com is hosted at Server Beach, and belongs to:

$whois devriestree.com

Whois Server Version 2.0

Domain Name: DEVRIESTREE.COM
Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS.NETVTECH.COM
Name Server: NS1.GEODNS.NET
Name Server: NS2.GEODNS.NET
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 21-oct-2008
Creation Date: 19-oct-2005
Expiration Date: 19-oct-2010

Registrant:
NetVenture Technologies, Inc.
1490 S Military Trail
Suite 13E
West Palm Beach, Florida 33415
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: DEVRIESTREE.COM
Created on: 18-Oct-05
Expires on: 19-Oct-10
Last Updated on: 12-Jul-07

Administrative Contact:
DeVries, James j@netvtech.com
NetVenture Technologies, Inc.
1490 S Military Trail
Suite 13E
West Palm Beach, Florida 33415
United States
5613016666 Fax -- 5618288035

Technical Contact:
DeVries, James j@netvtech.com
NetVenture Technologies, Inc.
1490 S Military Trail
Suite 13E
West Palm Beach, Florida 33415
United States
5613016666 Fax -- 5618288035

Domain servers in listed order:
NS1.GEODNS.NET
NS2.GEODNS.NET
NS.NETVTECH.COM

The Web site at netvtech.com

Folks, seriously, update your WordPress installs. It's automatic and effortless.




EDITED TO ADD:
The person who defaced the Web site and who is storing his images on hacked WordPress sites has a Web site of his own, through which he sells stolen credit card numbers, phish kits, stolen bank account information, and so on. His Web site is at

http://ne-stop.com/
hosted by Hurricane Electric.

$whois ne-stop.com

Whois Server Version 2.0

Domain Name: NE-STOP.COM
Registrar: REGISTER.COM, INC.
Whois Server: whois.register.com
Referral URL: http://www.register.com
Name Server: NS1.HE.NET
Name Server: NS2.HE.NET
Name Server: NS3.HE.NET
Status: clientTransferProhibited
Updated Date: 12-jan-2010
Creation Date: 11-jan-2010
Expiration Date: 11-jan-2011

>>> Last update of whois database: Mon, 18 Jan 2010 07:57:57 UTC <<<

Registration Service Provided By: Hurricane Electric Internet Services
Contact: hostmaster@he.net
Visit: hurricanenames.net

Domain name: ne-stop.com

Registrant Contact:
Ladde Weiong
Ladde Weiong ()

Fax:
125 Club Garden Road
Sheffield, S11 8BW
GB

Administrative Contact:
Hurricane Electric Internet Services
Hostmaster he.net (hostmaster@he.net)
+1.5105804100
Fax:
760 Mission Court
Fremont, CA 94539
US

Technical Contact:
Hurricane Electric Internet Services
Hostmaster he.net (hostmaster@he.net)
+1.5105804100
Fax:
760 Mission Court
Fremont, CA 94539
US

Status: Locked

Name Servers:
ns1.he.net
ns2.he.net
ns3.he.net

Creation date: 11 Jan 2010 11:56:14
Expiration date: 11 Jan 2011 11:56:14

As of the time of this writing, the front page of the site looked like this (click for larger):



Comments

( 11 comments — Leave a comment )
greenquotebook
Jan. 18th, 2010 03:10 pm (UTC)
Oddly enough, I have a friend named Simon Wright who lives in Leicester, England. Is it worth asking him if he owns the hacked site, or not?
tacit
Jan. 19th, 2010 01:24 am (UTC)
It certainly couldn't hurt. I'd be surprised if it were the same person, but on the off chance it is, it might be worth pinging him.
ladyj_kat
Jan. 18th, 2010 03:54 pm (UTC)
I actually don't update my word press sites because (generally speaking) it breaks my word press plug-ins and results in an uncomfortable week of my 'clients' (primarily student organizations, setting up their sites is part of my job) yelling at me and hanging over my shoulder while I 'fix something' they can't live without--that's usually a result of a plug-in editor ending support just as wordpress releases yet another code-breaking patch. Even if I find another plug-in, or cobble one together that does the same thing myself, they're never 'quite' the same and I get constant kvitching about it.

I'm a big plan of choosing a version, releasing in that version, and maintaining in that version. I do the same thing with java, visual studio, ruby, and python projects I'm working on too.
tacit
Jan. 19th, 2010 01:28 am (UTC)
Hmm, really? I've not had any problems with WP plugins breaking; in fact,t he modern versions of WordPress can even automatically update plug-ins as well as the WordPress core files. It's been effortless and hassle-free for me.

Are these sites using older plug-ins that are no longer maintained, or plug-ins designed for old WP versions?

I can understand why the WP maintainers release security patches only for the most current WP version; it takes considerable developer resources to continue to provide security updates for multiple codebases. Given the potential seriousness of a security breach, which could result in complete compromise of a server and/or uploading phishing pages or other illegal content to the server, I would tend to find that staying current with security patches outweighs potential pain with plug-ins, especially in light of the fact that recent, maintained plug-ins offer one-click updates themselves.
fallingupthesky
Jan. 19th, 2010 01:15 am (UTC)
I'm wondering why we don't hear more about site defacement which occurs simply to remind people that websites are vulnerable. (Or at least just some teen being an annoying 133+ h4xx0r.) I mean, surely deluded or crazy "good guys" still exist, right?
tacit
Jan. 19th, 2010 01:28 am (UTC)
White-hat hackers probably don't want to risk going to prison for doing good deeds, perhaps?
krellis
Jan. 20th, 2010 09:45 pm (UTC)
Hurricane Electric is generally considered reasonably white-hat, I'm pretty sure that ne-stop.com site's content is against their AUP, I'd suggest an e-mail to abuse@he.net with the details of it and how it's being (ab)used, if you haven't already sent one, and hopefully they'd nuke it.
tacit
Jan. 21st, 2010 07:26 pm (UTC)
I fired off an email to HE right after I posted this, and they nuked the site two days later.

I also sent an email to ServerBeach, host of the hacked WordPress install at devriestree.com. They responded with a "your ticket has been closed" without doing anything at all. I emailed them twice more and got the same results both times; it was not until I emailed them again with a pointer to this post that they fixed the problem and nuked the directory that was being used up to serve images for defaced Web sites.
politas
Jan. 21st, 2010 08:47 am (UTC)
One has to wonder what kind of stupid optimism it takes to think that buying stolen credit card and bank details online is a good idea.

Though I suppose if you pay for it using a stolen credit card, you've got nothing to lose.
claws_n_stripes
Jan. 26th, 2010 11:00 pm (UTC)
Hey, have you seen this? LiveJournal, Malware, Interstitial Advertising and You.

I'm thinking of pulling up stakes and going to DreamWidth permanently; I can surf the web at work but due to the way things are set up, if the computer I'm on gets a virus, I can't do my job. Which pretty much means I'm fired. Not a risk I can afford to take and paying for an account looks like an extortion fee right about now. And no-- they won't let us install a browser that doesn't suck; we have to use IE goddamn 7. >:(
tacit
Jan. 26th, 2010 11:54 pm (UTC)
I hadn't seen that, but now that I have, I've left a lengthy comment in reply.

This problem isn't realted to LiveJournal at all. Any site anywhere that accepts Flash ads can potentially end up with poisoned banner ads that redirect to malware sites. The official Major League Baseball site, the New York Times site, Expedia, Delta.com, Travelocity, and other top-tier sites have all been hit with these attacks.

The only way to prevent them, short of strict law enforcement in Eastern Europe (ha!), is for ad placement services like DoubleClick to insist on receiving the source files for any Flash ad and to comb through the ad source looking for hidden redirection scripts. Microsoft does this on Bing now that they've been found serving up poisoned ads themselves, and other ad networks are beginning to do it too.

If Dreamwidth starts accepting ads, they will become vulnerable too.
( 11 comments — Leave a comment )