ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

EE + Pharma Hack (possible vulnerability)

May 25, 2011 6:04pm

  • #1 / May 25, 2011 6:04pm

    superaven

    107 posts

    So it was just brought to my attention that our site is infected with what appears to be the WP Pharma Hack. When searching our site via Google, the description shows all kinds of spam relating to Viagra and meds. Also, when viewing the cached version and then checking out the source, there are tons of links and other spam relating to buying Viagra.

    domain / keywords: 12ozprophet.com, 12ozprophet, 12oz

    Like the WP Pharma Hack, it only shows via Google with no hints on other search engines or in the actual template code.

    Here’s some info google supplies about it: http://www.google.com/safebrowsing/diagnostic?site=www.12ozprophet.com

    What is the current listing status for http://www.12ozprophet.com?
    This site is not currently listed as suspicious.

    What happened when Google visited this site?
    Of the 26 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-05-19, and suspicious content was never found on this site within the past 90 days.
    Malicious software includes 2 scripting exploit(s).

    This site was hosted on 1 network(s) including AS36351 (SOFTLAYER).

    Has this site acted as an intermediary resulting in further distribution of malware?
    Over the past 90 days, http://www.12ozprophet.com did not appear to function as an intermediary for the infection of any sites.

    Has this site hosted malware?
    No, this site has not hosted malicious software over the past 90 days.

    We’re running EE Version 2.1.3 Build 20101220 on a dedicated server at SoftLayer. We connect with SFTP, disable root and run SSH on a non-standard port.

    Only thing I can think of is that EE is compromised or that possibly the old version of vBulletin we’re running has been compromised.

    Anyone know for sure or have experience with this?

    Any other help or leads?

  • #2 / May 25, 2011 6:53pm

    Sue Crocker

    26054 posts

    Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that, we need some additional information from you…

      1. EE version and build (found at the bottom of your control panel)
      2. Other scripts on your account, whether in use or not (phpBB, etc…)*

      * If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

      While we work through this, please check through these files:

      * path.php (if using EE 1.x)
      * config.php
      * database.php (if using EE 2.x)
      * index.php

      to ensure that there is no unusual code such as iFrames or Javascript includes; if you do find that code, then please back-up the file and remove said code.  If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

      You may also wish to refresh your files by following the build update instructions.

      Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.

  • #3 / May 26, 2011 10:25am

    superaven

    107 posts

    Hello Sue,

    Most of your questions are answered in my original post…

    1. Version 2.1.3 Build 20101220
    2. vBulletin, OpenX and Active Campaign

    *Dedicated server.

    *All the files you’ve listed look clean and are fairly straightforward.

    Again, I believe this to be a variant of the WP Pharma Hack as the behavior is exactly the same as described, except it’s on ExpressionEngine. As such, none of the solutions listed for it work, as the infected files are named differently on EE.

  • #4 / May 26, 2011 10:28am

    superaven

    107 posts

    Also, I haven’t reported it to our host. As mentioned, we’re on a dedicated server, which means we’re largely on our own and expected to admin our own system. Also, I have no clue what files are infected, let alone when it happened. We get appx 6 million views a month, so I couldn’t begin to figure out where I might find something like this in our logs, as they’re updated at a pretty steady clip.

  • #5 / May 26, 2011 3:28pm

    Sue Crocker

    26054 posts

    Hi, superaven.

    Have you looked at the vBulletin settings? That’s the next place I’d look.

  • #6 / May 26, 2011 3:37pm

    Greg Aker

    6022 posts

    superaven:

    I’m suspecting a directory traversal attack, and without analyzing logs, it’s hard to say if it came from EE or from VBulletin.  Trying to prevent nefarious visitors from uploading naughty things is why we are extremely cautious on upload xss_cleaning. 

    My recommendations would be the following:

    - Update everything.  EE, VBulletin…any other things running on that server?  If you don’t use them, remove them or update them.
    - Check your box to make sure they didn’t install a root kit.  (If you don’t put compilers on your systems, you’re a bit safer)

    chkrootkit

      Ubuntu - apt-get install chkrootkit
      RHEL - http://download.fedora.redhat.com/pub/epel/5Server/x86_64/chkrootkit-0.49-1.el5.x86_64.rpm

    rkhunter

      Ubuntu - apt-get install rkhunter
      RHEL - http://download.fedora.redhat.com/pub/epel/5Server/x86_64/rkhunter-1.3.8-3.el5.noarch.rpm

    Run using:

    sudo rkhunter --update && sudo rkhunter -c -sk

    I hope that helps,

    -greg

  • #7 / May 26, 2011 3:44pm

    superaven

    107 posts

    No, I have not looked at my vBulletin settings. Like I said, this seems to be something plaguing WordPress, which has now affected my ExpressionEngine site. I’ve seen no references at all in regards to it affecting vBulletin. Though I also see no references in my hunting about it affecting EE, the fact is my EE install has been compromised, which is why I’m here asking for help.

    I do not believe this has anything to do with vB for the simple fact that a Google search of our forums shows the correct meta description in Google’s results. A Google search of the main site (powered by ExpressionEngine) shows an infected meta description in the search results. This means that EE has been affected, while my vB install apparently is not.

    No offense, but I’d really appreciate some support on this. I know EE is working on improving this side of their business, but a reply every 24 hours that feels kind of like a canned response isn’t really helping me solve the issue, which arguably is very significant if indeed this winds up being a vulnerability with ExpressionEngine, which is appearing to be likely.

  • #8 / May 26, 2011 3:52pm

    Sue Crocker

    26054 posts

    Hi, superaven.

    Do your server logs point to anything?

    How are you generating meta tags via your templates? If you look at your templates, do they appear to have been compromised?

  • #9 / May 26, 2011 3:59pm

    superaven

    107 posts

    My server logs look like a phone book. We do appx 6 million views a month, so you can imagine how many requests it’s logging.

    Meta tags are via NSM Better Meta.

    If this is indeed a variation on the Pharma Hack, then it uses a very discreet method to do what it does:

    What Does the WordPress Pharma Hack Do?

    There are three facets of the pharma hack that I find particularly interesting. First, the results of the hack are only visible to search engines, and if your site is hacked, the public-facing portion of it will remain visibly unaffected. In other words, you won’t be able to spot the hack just by viewing the HTML source. The goal of any hack like this is to gain valuable links from high-ranking pages, and these hackers have wisely chosen to disturb the water as little as possible while going about their dirty business.

    Second, like other hacks, the pharma hack must place malicious files in your WordPress folders in order to work its evil. However, unlike other hacks that I’ve encountered, the pharma hack disguises a majority of its code and saves it in the WordPress database, thereby making it more difficult to find and eliminate.

    The third remarkable aspect of the pharma hack was that it didn’t affect every page of my site. Further, it only targeted the pages of my site that receive the most search traffic.
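One way to confirm the cloaking described above from the server side, as an added example that is not part of this thread: fetch the same page twice, once with a browser User-Agent and once with a search-engine User-Agent, and diff the link sets. The two HTML bodies below are constructed samples and example.invalid is a placeholder domain.

```shell
#!/bin/sh
# Added example, not code from the thread: detect search-engine cloaking by
# comparing the links a page serves to a browser with those it serves to a
# crawler. In practice the two bodies come from curl with a browser and a
# Googlebot User-Agent string; here they are constructed samples
# (example.invalid is a placeholder domain).

BROWSER_HTML='<html><head><title>Home</title></head>
<body><a href="/news">News</a> <a href="/forums">Forums</a></body></html>'

CRAWLER_HTML='<html><head><title>Home</title></head>
<body><a href="/news">News</a> <a href="/forums">Forums</a>
<div style="display:none"><a href="http://example.invalid/buy-pills">pills</a>
<a href="http://example.invalid/meds">meds</a></div></body></html>'

# extract_links HTML: print each href target once, sorted.
extract_links() {
    printf '%s\n' "$1" | grep -o 'href="[^"]*"' | sed 's/^href="//; s/"$//' | sort -u
}

# cloaked_links BROWSER_HTML CRAWLER_HTML: links served only to the crawler.
cloaked_links() {
    {
        extract_links "$1" | sed 's/^/B /'
        extract_links "$2" | sed 's/^/C /'
    } | awk '{ link = substr($0, 3) }
             $1 == "B" { seen[link] = 1 }
             $1 == "C" && !(link in seen) { print link }'
}

# cloaked_count BROWSER_HTML CRAWLER_HTML: number of crawler-only links.
cloaked_count() {
    cloaked_links "$1" "$2" | awk 'END { print NR }'
}

# Typical use: capture the page once with a browser User-Agent and once with
# a Googlebot User-Agent (curl -sA '...' URL) and pass both bodies in. With
# the samples above this prints the two example.invalid links.
cloaked_links "$BROWSER_HTML" "$CRAWLER_HTML"
```

Cloaking can also key on crawler IP ranges or the referrer rather than the User-Agent, so an empty diff does not rule it out; Google's cached copy remains the ground truth.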

  • #10 / May 26, 2011 4:02pm

    superaven

    107 posts

    superaven:

    I’m suspecting a directory traversal attack, and without analyzing logs, it’s hard to say if it came from EE or from VBulletin.  Trying to prevent nefarious visitors from uploading naughty things is why we are extremely cautious on upload xss_cleaning. 

    My recommendations would be the following:

    - Update everything.  EE, VBulletin…any other things running on that server?  If you don’t use them, remove them or update them.
    - Check your box to make sure they didn’t install a root kit.  (If you don’t put compilers on your systems, you’re a bit safer)

    chkrootkit

      Ubuntu - apt-get install chkrootkit
      RHEL - http://download.fedora.redhat.com/pub/epel/5Server/x86_64/chkrootkit-0.49-1.el5.x86_64.rpm

    rkhunter

      Ubuntu - apt-get install rkhunter
      RHEL - http://download.fedora.redhat.com/pub/epel/5Server/x86_64/rkhunter-1.3.8-3.el5.noarch.rpm

    Run using:

    sudo rkhunter --update && sudo rkhunter -c -sk

    I hope that helps,

    -greg

    thanks for the info, let me look into this and I’ll report back. as far as the logs, what should I be looking for?

    in the meantime, it might be helpful for you guys to read up on the Pharma Hack and see if anything clues you into how it might be able to also compromise EE.

    thanks again!

  • #11 / May 26, 2011 4:06pm

    Greg Aker

    6022 posts

    Grep is your best friend when searching logs.  Going line by line would be miserable.  😛

    Look at POST or CURL hits in your logs.  eg:

    grep -Ri 'CURL' /path/to/logs
    grep -Ri 'POST' /path/to/logs
    grep -Ri '12ozprophet' /path/to/logs

    But without forensic analysis of your server logs, conclusions on where the attack originated from, and how it happened, can’t be made.

    I look forward to hearing what you come up with.  😊

    -greg
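A way to start the log search Greg describes, as an added example that is not from the thread: it flags POST requests from non-browser clients and directory traversal attempts and tallies them per client address, which gives a shorter list to review than grepping for POST alone on a log this size. The log lines are constructed samples using documentation IP ranges.

```shell
#!/bin/sh
# Added example, not code from the thread: a first pass over an access log in
# combined format that flags POST requests from non-browser clients (curl and
# similar) and directory traversal attempts, then tallies them per client.
# The log lines are constructed samples; the addresses are documentation
# ranges, not real visitors.

SAMPLE_LOG='203.0.113.5 - - [25/May/2011:17:52:10 +0000] "GET /index.php/news HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [25/May/2011:17:52:14 +0000] "POST /images/uploads/tmp.php HTTP/1.1" 200 87 "-" "curl/7.19.7"
198.51.100.7 - - [25/May/2011:17:52:20 +0000] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 404 210 "-" "curl/7.19.7"
203.0.113.5 - - [25/May/2011:17:53:01 +0000] "GET /forums/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.7 - - [25/May/2011:17:54:30 +0000] "POST /index.php/member/login HTTP/1.1" 302 0 "-" "curl/7.19.7"'

# traversal_hits: lines whose request contains ../ or its URL-encoded form.
traversal_hits() {
    grep -iE '"(GET|POST) [^"]*(\.\./|%2e%2e)'
}

# suspect_clients: prints "count ip" for requests that are traversal attempts
# or POSTs from a client that does not identify as a browser, highest first.
suspect_clients() {
    awk -F'"' '{
        split($1, host, " "); ip = host[1]; req = $2; ua = $6
        if (req ~ /\.\.\/|%2[eE]%2[eE]/ || (req ~ /^POST / && ua !~ /Mozilla/))
            n[ip]++
    }
    END { for (ip in n) print n[ip], ip }' | sort -rn
}

# count_lines: number of lines on stdin (always exits 0, unlike grep -c).
count_lines() {
    awk 'END { print NR }'
}

# On a real server: suspect_clients < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | suspect_clients
```

Treat the output as a starting point for manual review rather than a verdict: a browser User-Agent is trivially spoofable, so a quiet client is not necessarily a benign one.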

  • #12 / May 26, 2011 5:09pm

    superaven

    107 posts

    hey greg,

    was researching this a bit more before starting (and reaching out to some sys admin friends) and was wondering if this might not be better for all involved if I were to give you ssh access to check into it. I know that intimate support like that isn’t something you guys typically do, but all things considered, it might be a good idea.

    if possible, I can PM or email you ssh credentials.

    thanks

  • #13 / May 27, 2011 10:33am

    Sue Crocker

    26054 posts

    Hi, superaven. We can certainly go look around. Check your email in a few minutes.

  • #14 / Jun 30, 2011 12:03pm

    superaven

    107 posts

    I just returned from a looong trip (photo assignment) and am just getting back to this now. I just submitted the support ticket with all my credentials (keep in mind we restrict ftp and only use sftp).

    Also, I just noticed something that I believe ties into this issue… I found a site that shows load times (similar to many developer tools out there) and noticed that the largest load (672ms) is an encrypted GET command. Search http://www.12ozprophet.com using the tool at: http://loads.in/

    Also, occasionally when using FF or Chrome, we see a massive block of text at the bottom of the page with hundreds of links to spam offers. This is only seen on some EE pages (probably the highest ranked ones) and not on any other section / page of the site that uses a script other than EE.

    Thanks for any help!

  • #15 / Jun 30, 2011 11:45pm

    Lisa Wess

    20502 posts

    Hi, superaven -

    Greg was the person working closely with you on this and he will be back on Tuesday.  I’m going to see if another dev team member can have a look at this tomorrow, but we’ll get you what help we can as soon as possible.

    Thank you!
