Last night, I noticed it was taking me forever to log in to Global Geek News but didn’t think much of it as I was currently getting slammed by traffic from Reddit for an old post. It turns out, the massive traffic spike wasn’t the problem. The real problem was that we have been hacked!
Earlier today, I went to log in to Global Geek News to find it was still taking forever to do so. The traffic spike from Reddit had died down and while traffic was still higher than normal for a Sunday, things were still very slow. In hopes of trying to figure out what the problem was, I went to my web hosting’s cpanel page and noticed the CPU usage was pegged at 100%. This was the point when I knew something was wrong.
I immediately contacted my host’s support and thanks to a little digging from both them and myself, we determined that Global Geek News had been hacked. I don’t know everything about the hack but I will tell you what I have found out and what it means for you.
The support guy, Brandon, who helped me with this issue noticed some suspicious files in an upload directory for the WordPress theme (Standard Theme by 8Bit) that I use and alerted me to them. Not knowing all of the innards of the Standard Theme, I didn’t know if I would have an idea what I would be looking at but decided to check out the suspicious files. And suspicious they were!
It turns out that the upload directory that they were stored in (which I didn’t even realize existed) was used by the theme to store images that I had uploaded for the ad spots on the top and right of the site. Once in the directory, that was pretty obvious as I recognized all of those files. Knowing which files I had uploaded (none recently), it made it pretty obvious which files were the problem.
There were 4 files that had been uploaded between June 14th, 2012 and June 22nd, 2012 that were the problem. Being the curious person I am, I decided to download and inspect these 4 files that had been uploaded without my knowledge.
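The check Brandon and I did by hand, comparing the theme's upload directory against the files I knew I had put there and their upload dates, can be scripted so it runs before the CPU pegs at 100%. The following is an added example, not code from this post or from the Standard Theme; the directory layout and the sample files built in demo() are constructed, and the thresholds (4 KB scan, 7 and 30 day windows) are assumptions.

```python
import hashlib
import os
import tempfile
import time

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def build_baseline(directory):
    """Hash every file while the directory is known clean; keep the result outside the web root."""
    return {name: sha256_file(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, name))}

def looks_like_php(path):
    """An image upload directory should never hold PHP; inspect content, not the extension."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    return b"<?php" in head or b"<?=" in head

def audit_upload_dir(directory, baseline, newer_than=None):
    """Report files that are unknown, changed since baseline, PHP-bearing, or newer than a timestamp."""
    report = {"unknown": [], "changed": [], "php": [], "recent": []}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        if name not in baseline:
            report["unknown"].append(name)
        elif baseline[name] != sha256_file(path):
            report["changed"].append(name)
        if looks_like_php(path):
            report["php"].append(name)
        if newer_than is not None and os.path.getmtime(path) > newer_than:
            report["recent"].append(name)
    return report

def demo():
    """Constructed sample: two month-old ad images, then a PHP file dropped in under an image name."""
    d, old = tempfile.mkdtemp(), time.time() - 30 * 86400
    for name, data in (("ad-top.png", b"\x89PNG\r\n\x1a\n..."), ("ad-right.jpg", b"\xff\xd8\xff\xe0...")):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
        os.utime(os.path.join(d, name), (old, old))      # the real ads are a month old
    baseline = build_baseline(d)                         # snapshot taken while the directory was clean
    with open(os.path.join(d, "banner.jpg"), "wb") as fh:   # the intruder (constructed), written just now
        fh.write(b"GIF89a<?php echo 'constructed sample'; ?>")
    return audit_upload_dir(d, baseline, newer_than=time.time() - 7 * 86400)
```

Call demo() to see the report for the constructed directory; for a real site, run build_baseline once on a clean upload directory, store the result outside the web root, and run audit_upload_dir against it on a schedule.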
Immediately upon downloading one of the files, Microsoft Security Essentials said it had cleaned a virus from my system. After looking into it, apparently I ended up getting hit with some kind of Java exploit (luckily I keep Java up to date). However, that was just the beginning.
The two files uploaded on the 14th turned out to be some sort of PHP injection scripts and the other two files from June 22nd were a couple of trojan viruses. Luckily, my antivirus (Microsoft Security Essentials and Sophos AntiVirus on my Mac) wouldn’t let me open the files and they were immediately quarantined.
Just how dangerous these files were, I’m not really sure but MSE called them severe and I believe it. For those curious, it flagged the “Backdoor:Perl/Shellbot.AH” and “Backdoor:PHP/Lollusc.A” trojans. So when I found this out, I knew it was not good news.
After realizing I had been hacked and these files had been placed on my server, I worked with Brandon to try to find out who did this and how. Unfortunately, the how is unknown. We don’t know if it was the theme itself that was exploited, a plugin or WordPress. We are fairly confident my password wasn’t compromised so we are pretty sure it was one of those three options.
However, he was able to find two IP addresses in the logs pointing to the hackers. One indicated a hacker was attacking from the city of Jaworzno, Poland, and another from Houston, Texas. Now I don’t know if two people were involved in the hack, a person who travels a lot, or just somebody using a proxy to appear to be coming from those places. Not being a computer forensics person, I don’t really know.
After finding out everything I could, I deleted the files and everything appears to be back to normal. I wish I knew more but sadly, that is all I know.
As for what this means for you, the reader of Global Geek News, I am really not sure. I don’t know if you were ever exposed to any of the malicious files or not. I’ve visited pages on Global Geek News many times since the trojans were placed on the server on Friday and noticed nothing, so I would suspect you are fine; however, I would highly recommend running your antivirus and antimalware software of choice to make sure that you haven’t been compromised (it is a good idea to do those things routinely anyway).
I sincerely apologize if this has harmed any of our loyal readers and I will do everything I can to keep it from happening again. If anybody out there likes to pore over code to look for security exploits, let me know as I would love to find the flaw that gave rise to this hack and kill it.