Cleaning up the Wordpress Pharma Hack

Cotton Rohrscheib called me a few days back wanting help fixing an apparent defacement (of sorts) on his website. Normally when a site is defaced, the pictures, text and other content are modified to make some sort of statement (be it political or otherwise). This hack was different - it only modified page titles and/or meta tags in order to exploit a site's search engine ranking to advertise cheap pharmaceuticals. So, instead of seeing the page titles in the search results you get this instead:

Not exactly what you wanted to see huh? It's a pretty clever concept but I'm not sure just how effective it is in selling these meds. I guess their thought is that if they can get high ranking sites to "advertise" for them then their trusted readers will purchase these items. Pretty sorry if you ask me, but as long as someone is making a dollar off of it, stuff like this will just continue.

So - how do you get rid of it? Well, it ain't so easy. Let me state up front that I am no Wordpress expert nor am I overly familiar with it's internal workings so it's possible I'm taking the long-way around. We scoured the web reading a ton of sites (special props to Sucuri) all with bits-and-pieces of the answer. None seemed to have the entire solution, so we're going to try to present our findings here. The first time we "removed" it wasn't complete - so checking periodically to see if it stays clean is pretty much mandatory. All of our servers run suPHP, but the hack was able to run successfully. I'm also not exactly sure how they "got in" so to speak, but irregardless of what others may say I believe it was a bug in Wordpress that was exploited before we applied the patch for it. suPHP will not allow a file to be read/executed unless it has correct permissions, so Wordpress itself (or one of it's many plugins) had to be the culprit. The latest ModSecurity ruleset will also help prevent these sort of attacks, but is not a solution for not patching sites as soon as possible. Security is a continuous process, not a "set it and forget it" model.

Ravencore and PHP 5.3

If you use Ravencore (it's a pretty simple little web control panel) you've probably figured out by now that it doesn't work under PHP 5.3. The reason is that the author wrote a custom function called "goto." PHP never had a goto until 5.3. His custom goto conflicts with the standard one. PHP was attempting to interpret his function as the built-in. So, one quick command line and you can fix this

cd /usr/local/ravencore/httpdocs
find . -type f -exec sed -i "s/goto/openfile/g" '{}' \;

His function was basically "opening" these files, so I just renamed "goto" as "openfile." Now your nifty little control panel works like a charm and the customer who uses it is happy once more. btw - I prefer grep, awk, sed, and vi as my control panel...;)

Using suPHP with Plesk

I wrote a while back about how we use ModSecurity as part of our standard server configuration. It has done a wonderful job in the past few years keeping all sorts of nasties away from our systems, but another layer of defense is never a bad thing right? We recently started using suPHP to add yet another level of security to our sites. suPHP is an Apache module "for executing PHP scripts with the permissions of their owners." It forces end users to run all php scripts with the proper (user configurable) permissions as well as keeping the script from executing as any other user except the owner of the file. This has some very distinct security advantages in that an end-user can be configured to have less access than the standard apache (or nobody) user/group.

Below is a typical file you might find on any Linux-based webserver:

I miss Sun

Yeah, I said it. I miss Sun Microsystems. Sun was a company that had some way-cool stuff years ago. They also had probably the best commercially available UNIX on the market (note I sad HAD) for quite a while (side note - I'm partially biased as I have certifications for Solaris 7 and 8 but I also think IBM's AIX is way cool). Then Linux happened. That threw a wrench in all of the UNIX vendors plans. Sun, IBM, DEC (Digital Equipment Corp.), Compaq (who I still despise for killing DEC), SCO, etc....all weren't really prepared for what hit them. Linux (as well as the BSD's of the world) weren't really any more feature rich than other UNIX OS's - in fact, they lacked many of the features that commercial versions had. Skip forward about 15yrs and Linux is fully featured and can go toe-to-toe with any commercial UNIX OS on the market.

Old Big

I have a 1987 Dodge Ramcharger that my nieces have named Old Big. We bought this rig June 3, 1994 in Little Rock and have had it ever since. 300,000 miles later it is still running. I've spent quite a lot of time tinkering with it over the last few months getting rid of the stupid Lean Burn crap that Chrysler (and Uncle Sam) thought was such a good idea back in the 80's, as well as fixing a ton of little stuff.

I found this website - and found the totally cool why didn't I think of that idea of dropping a 6bt Cummins Turbo Diesel Engine from a 3/4 ton-1ton Dodge pickup into it. Damn. Now I'm obsessed. There are dozens of threads on that show people doing this and I want, no NEED to be one of them. Damn.

Anyone got a 89-93 model 4X4 Diesel Dodge Pickup they wanna sell (cheap)?

I Got Married!!!

Well, I went and did it. I got married to the girl of my dreams! Candy and I were married in a private ceremony in Hot Springs on June 27th, and are leaving for Paris for a honeymoon on July 7th.

Pics are available here

Vienna et al

have had spotty internet service for the past few days. we're in vienna at the moment. when i get a better connection i'll post a large update.

pics are here
videos are here

Day 6 and 7 - Goodbye Poland, Hello Prague

The train ride from Krakow to Prague was supposed to be about 8 hours. Well, what ever works like it is supposed to? First, we were on the right, but wrong train. Apparently there are 2 trains that run between Krakow and Katovice (our connection to Prague) at roughly the same time. The one we got one was apparently not covered by our Eurail Pass. It was about 45 minutes late and arrived at the time the train we needed did. Oh well. We made our connection, and some 11 1/2 hours later we roll into Prague (remember those floods I mentioned earlier? Huge delays across the entire rail system). The whole trip wasn't a wash - I did have the single best meal I'd ever had on a train. Chicken Schnitzel, roasted potatoes, cabbage, potato soup, rye bread, and chocolate crepes. All for $18.



What can you say about Poland? The picture that many people have is that of a cold, hard, and unforgiving place existing only in shades of grey; a sad old black and white film that made it off the big screen and onto the map. The last thousand years haven't exactly been kind to Poland. They've been invaded, conquered, re-invaded, conquered, re-invaded, Nazi's, Holocaust, Soviet Bloc, and so on (and that's just the last 200 or so years). More recently their President was killed in a plane crash, but due to the rumblings of one aforementioned Icelandic Volcano a large majority of world leaders were prevented from attending. Now unseasonal rains have caused quite massive flooding in the south and west of the country. Does this place ever catch a break?

We arrived here a day late, and were greeted by what can best be described as weather resembling a typical wet Arkansas winter day. Rain, cold, wind - all the main players had tuned up a wonderful symphony intended to lower our spirits and dampen our plans. Sounds Polish right?

Day 4 - Auschwitz and Updates

Today we went to Auschwitz. I don't really know what to say except that it is the most horrible thing that I've ever experienced. Your first view of the camp is red-brick buildings and lush green grass, but hidden behind that is the site of the extermination of 1.1 million people. I don't have and won't attempt to put into words how seeing it makes you feel. The buildings have piles of suitcases, clothes, shoes, childrens clothing, pots/pans, human hair from the victims - rooms for each one. Terrible. Simply terrible. Most of the Birkenau portion of the camp has been destroyed, including the gas chambers and crematoriums. Only parts of one unit still remain.

There are now photos of our adventure available here.

More to follow.....

Syndicate content