Live! Nude! Hacks!

Edit: thanks to Hellfire in the comments and this post, I’ve discovered I’ve been hit by a currently live exploit that occasionally vandalizes the blog as seen below. AWESOME.

SuperNinjaEdit: I *think* I’ve managed to nuke the exploit from orbit just to be sure. Thanks for everyone’s help. Note that Google still has old viagra-laden pages cached, but following links from Google/Google Reader should no longer lead to sales for Huxley-esque drugs.

Someone sent in this screenshot of my webpage. As best as I can tell, my site hasn’t been hacked. It’s just one guy that has this problem. What could be used to detect client-side hackery that might cause this? (I already had him run MalwareBytes)

Mmm, drug spam.


  • Vetarnias

    Hmm, pity he didn’t scroll down to the part where Derek Smart orders Cheap Soma from Canada. Legally.

  • ComradePyro

    Check his hosts file, maybe. If he can intelligently read a hijackthis log it would be great and he would definitely find what is up.

  • Brask Mumei

    The google search for this site has the cheap-soma-from-canada title, I figured it was something you had done.

    I don’t see those titles on my system.

  • http://www.brokentoys.org/ Scott Jennings

    Huh. Wacky. None of my web site files have been tampered with.

  • http://beafraid.com hellfire

    There’s an in-the-wild hack for WordPress right now that sends out “bad” data to all of the crawlers and injects a .js file to your normal stream sending things to known malware infection sites.

    http://www.ghacks.net/2010/04/12/wordpress-hack-terrifies-webmasters/

    2.9.2 (current) is vulnerable, there is no patch as of yet. Some have recommended the use of the “AntiVirus” plugin, but after testing it out on some of my blogs I’m not sure it will protect you.

    In any case, you’ll want to verify that the files your blog is serving are the ones you mean it to be serving.

  • Con

    Scott hates freedom and is a huge Obamacare socialist – confirmed.

  • http://www.brokentoys.org/ Scott Jennings

    Thanks Hellfire. Media Temple is in fact my host. Fuck.

  • http://geldonsgaming.blogspot.com geldonyetich

    Looks like I picked a good time to install the Noscript Firefox add on.

    Alas, we’ll have to put up with these issues until the super-fast cyborg cops of the future are capable of running fast enough to catch Internet cybercrime. Until then, we just can’t have nice things.

  • Iconic

    Does any one know if there’s a way to order Soma cheap and legally?

    I’m told maybe Canada but that’s a long drive. I wish I knew some way to order it.

    Whatever Soma is.

  • http://www.spiderwebsoftware.com/ Jeff Vogel

    “the warm, the richly coloured, the infinitely friendly world of soma-holiday. How kind, how good-looking, how delightfully amusing every one was!”

  • http://www.psychochild.org/ Brian ‘Psychochild’ Green

    Something similar happened to me a while ago: http://www.psychochild.org/?p=882

    It was a redirect instead of injecting content, though. Basically, it would send people away from my blog once if they followed a link referred by Google (which included links in Google Reader). But, it would set a cookie so it only happened to each person once unless they cleared their cookies.

    It was an additional file slipped into my theme, though. This looks even more fun. :/

  • http://wowpanda.blogspot.com/ wowpanda

    what’s soma?

  • http://www.psychochild.org/ Brian ‘Psychochild’ Green

    Ick, looks like you have the same issue. I went to search for “viagra psychochild” as a precaution to see if my blog still had poisoned Google searches, and it looks like its affecting your blog, too. Sixth entry down that links to http://brokentoys.org/2008/01/22/spawn-more-overlords/ is redirected to a pharmacy page. Only works if you follow the link from Google, though.

    Good luck, Scott. :(

  • http://www.brokentoys.org/ Scott Jennings

    Well, lord only knows I have no problem with switching themes!

  • http://geldonsgaming.blogspot.com geldonyetich

    what’s soma?

    Good question. Poking around Wikipedia a bit, I derived it’s some kind of still-arguably-legal recreational drug. Judging by the side effects and its origin, it was probably inspiration for the drug they had Brock Samson try in Viva Los Muertos!

  • http://geldonsgaming.blogspot.com geldonyetich

    what’s soma?

    Looking into this a bit, apparently it’s some Indian-imported hippy drug that makes you throw up in exchange for feeling somewhat trippy. Word hasn’t quite gotten around that it’s a controlled substance yet.

  • Akjosch

    Specifically, the exploit looks for the “Referer” line, and thus only works when viewed as a link from Google (presumably, also from other search engines). And yes, it DOES mean either your server itself or at least the dynamic parts of the page in your database carry this code.

    Proof of concept command line check, works for me every time:

    curl -s -v \
    -e 'http://www.google.com/search?q=viagra+psychochild' \
    http://brokentoys.org/2008/01/22/spawn-more-overlords/
    * About to connect() to brokentoys.org port 80 (#0)
    * Trying 70.32.68.246… connected
    * Connected to brokentoys.org (70.32.68.246) port 80 (#0)
    > GET /2008/01/22/spawn-more-overlords/ HTTP/1.1
    > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.4.5 zlib/1.2.3 libidn/1.9 libssh2/1.2.2
    > Host: brokentoys.org
    > Accept: */*
    > Referer: http://www.google.com/search?q=viagra+psychochild
    >
    < HTTP/1.1 302
    < Date: Tue, 13 Apr 2010 21:59:24 GMT
    < Server: Apache/2.0.54
    < X-Powered-By: PHP/4.4.8
    < Location: http://94.76.241.4/sutra/in.cgi?5&from=32747644dcf27af7b3172a5c36768309
    < Vary: Accept-Encoding
    < Transfer-Encoding: chunked
    < Content-Type: text/html
    <
    * Connection #0 to host brokentoys.org left intact
    * Closing connection #0
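To turn the manual curl check above into something repeatable, here is an added example (not part of Akjosch's comment or of the blog's own code). It requests the same URL twice, once plain and once with a search-engine Referer, without following redirects, and flags the page when only the Referer-bearing request gets a 3xx to a host other than the site itself. It assumes curl is installed; the query in SEARCH_REFERER is a placeholder, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from Akjosch's comment or this blog): compare the
# response a page gives to a plain request with the one it gives when the
# request carries a search-engine Referer. The symptom described above is a
# 3xx to a different host that appears only in the second case.
# Assumptions: curl is installed; SEARCH_REFERER is a placeholder query.

SEARCH_REFERER='http://www.google.com/search?q=viagra'

# Read raw response headers on stdin; print "<status> <location-host>"
# ("-" stands in for a missing value).
summarize_headers() {
    awk '
        { sub(/\r$/, "") }                       # drop CR from CRLF lines
        NR == 1 && $1 ~ /^HTTP\// { status = $2 }
        tolower($1) == "location:" {
            loc = $2
            sub(/^[a-zA-Z]+:\/\//, "", loc)     # strip scheme
            sub(/[\/:?].*$/, "", loc)           # keep host only
        }
        END { printf "%s %s\n", (status ? status : "-"), (loc ? loc : "-") }
    '
}

# Referer cloaking: the Referer-bearing request is redirected off-site while
# the plain request is not.
# Arguments: <site-host> <plain-summary> <referer-summary>
is_cloaked() {
    site=$1; plain=$2; ref=$3
    set -- $plain; plain_status=$1
    set -- $ref;   ref_status=$1; ref_host=$2
    # A site that redirects everyone (e.g. to a canonical URL) is not cloaking.
    case "$plain_status" in 30[12378]) return 1 ;; esac
    case "$ref_status"   in 30[12378]) ;; *) return 1 ;; esac
    [ "$ref_host" != "-" ] && [ "$ref_host" != "$site" ]
}

# Live check of one URL: two GETs, redirects not followed, headers captured.
check_url() {
    url=$1
    site=$(printf '%s\n' "$url" | sed -e 's#^[a-zA-Z]*://##' -e 's#[/:].*$##')
    plain=$(curl -s -o /dev/null -D - "$url" | summarize_headers)
    ref=$(curl -s -o /dev/null -D - -e "$SEARCH_REFERER" "$url" | summarize_headers)
    printf 'plain:   %s\nreferer: %s\n' "$plain" "$ref"
    if is_cloaked "$site" "$plain" "$ref"; then
        echo "CLOAKED: $url redirects search-engine visitors off-site"
        return 1
    fi
    echo "ok: no referer-conditional redirect seen for $url"
}

# Usage: sh referer-check.sh http://example.org/some/post/
if [ $# -gt 0 ]; then
    check_url "$1"
fi
```

Run it against a few post URLs after each cleanup attempt; because the redirect only fires for search-engine referrers, a normal visit to the site proves nothing. A 301 to the site's own host (for example a trailing-slash canonicalization) is deliberately not flagged.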

  • sinij

    Looks like I picked a good time to install the Noscript Firefox add on.

    Browsing web without Nocript Firefox is like fucking a whore without a condom.

    Don’t do it.

  • Boanerges

    At the risk of being shameless in plugging this, I run Atomic Secured Linux http://www.atomicorp.com/products.html and it stops most attacks like this cold (and tons of spam to boot) because it sits in the web server and looks for bad requests. I wish more hosts would subscribe.

  • ethereal.wolf

    hrmm wow. *puts on web condom before visiting lum’s page* lol.

  • http://www.xdroop.com/404.html David Mackintosh

    Mmmm…. fresh WordPress hell. Even though I surrendered my immortal soul to Google in exchange for shiny Blogger ‘blogs, it sure takes a lot less time to maintain things.

  • Hatch

    More importantly, where can I get some Viagra? I have an office pot luck coming up and I need to liven things up a bit.

  • http://beafraid.com hellfire

    You may want to add this to the mix as well. It successfully thwarts the attack vector (allegedly?) that hit you.

    Still no direct word from WordPress on this issue. They are conspicuous in their silence.

  • http://www.brokentoys.org/ Scott Jennings

    They did comment actually yesterday – denying all responsibility.

    http://wordpress.org/development/2010/04/file-permissions/

    It may have been related to wp-supercache as well (which most wp installations include by default now) – at least I found a lot of attack vectors in cached files, at any rate.

    At this point that plugin plus my switching some files around successfully closed the vector I THINK (the telltale entry in my database hasn’t reappeared – like the original report, it was popping back up after a few secs, probably every time someone was triggering it). I’m still probably going to restore the whole site from backups this weekend just to be safe.

    Goddamn hackers – bad enough I have to deal with them in my day job.

  • Akjosch

    My little test still says the blog redirects people coming from Google to some spammer site, sorry. A simple “Referer: http://www.google.com/search?q=viagra” header in the request is all it takes to trigger it. See the curl line I posted earlier and which your blog managed to break subtly by exchanging single quotes around the strings with some weird slanted ones.

    If you have your blog’s PHP files in Subversion repository (I like to do that, as well as moving attachments, caches and so on to a different tree so they don’t clutter my checks), checking what got changed is a simple matter of running “svn status -u” or “svn diff” on that. Else, see if you can find a file which got changed recently (Linux: “find /directory/to/search -mtime -14 -type f” for the last 14 days, for example) or which contain both “referer” and “google” inside (though they might be obfuscated, good luck with that).
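Hellfire's advice to verify what the blog is actually serving and Akjosch's find/grep suggestions above can be packaged into one script. This is an added example, not code from either commenter or from the blog: it lists files modified in the last N days, lists PHP/JS/HTML files that mention both "referer" and "google", and, standing in for "svn diff" on a tree that is not under version control, reports files that differ from a pristine unpacked copy of the same WordPress release. Directory arguments and the function names are mine.

```shell
#!/bin/sh
# Added example (not from hellfire's or Akjosch's comments): three quick
# integrity checks for a WordPress document root, run from the shell on the
# server. Directory arguments are assumptions; adjust them to your install.

# 1. Regular files under $1 modified within the last $2 days.
recent_files() {
    find "$1" -type f -mtime -"$2" 2>/dev/null | sort
}

# 2. PHP/JS/HTML files under $1 that mention both "referer" and "google"
#    (case-insensitive). Obfuscated code will not match, so treat an empty
#    result as "nothing obvious", not "nothing there".
suspicious_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) 2>/dev/null |
    while IFS= read -r f; do
        if grep -qi 'referer' "$f" && grep -qi 'google' "$f"; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# 3. Files that differ from a pristine copy of the same WordPress release
#    ($1 = clean unpacked tarball, $2 = live tree). wp-content is skipped
#    because themes, plugins and uploads legitimately differ; check it with
#    the two functions above instead.
diff_against_clean() {
    diff -rq -x wp-content "$1" "$2" 2>/dev/null
}

# Usage: sh wp-integrity.sh /var/www/html [/tmp/wordpress-clean]
if [ $# -gt 0 ]; then
    echo "== files changed in the last 14 days =="
    recent_files "$1" 14
    echo "== files mentioning both referer and google =="
    suspicious_files "$1"
    if [ $# -gt 1 ]; then
        echo "== differences from pristine copy (wp-content excluded) =="
        diff_against_clean "$2" "$1"
    fi
fi
```

The pristine comparison is the one check that does not depend on the attacker leaving readable strings behind: a core file that differs from the release tarball needs explaining whatever it contains. Remember to run it against the cache directory too, since the post above found injected content in wp-supercache's cached files.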

  • RIckard

    wow. Sorry for the long paste. Just grabbed it from VS and didn’t notice the link. Yeah no post editing and my lameness for not previewing.

  • Scott Jennings

    Guess who nuked the site from orbit, just to be sure.

  • Nathan Johnston

    Wasn’t Soma the drug in “A Brave New World”? The ‘alternative to sex’ drug.