
My blog was under attack

Bad news, guys: my blog was attacked several times this year. (Thanks to the readers who informed me about the problem.) I have removed the injected script from my blog, so it is safe for you to read it again. (Actually, it was safe for you anyway, because the domain in the injected script is blacklisted, so the browser automatically blocks you from accessing it.) In this post I will describe the injected script and the list of changes I made to prevent this from happening again.

The attacker targeted the footer.php file of the theme I am currently using. The following script was injected into footer.php.

The Injected Script

Fig 1: The injected script

Analyzing the Javascript

Looking at the script, I could see that the attacker was using the JavaScript function “unescape” to decode an encoded string, but I couldn’t tell what the encoded text contained. So I used the online JavaScript Escape/Unescape Converter tool to decode the string.

I copied the whole text, pasted it into the “escape text” textbox and clicked the “Complete Unescape” button.

Here is what I got for the first conversion.

Fig 2: The decoded script - part 1

As you can see, the text was encoded twice, so I copied the text between the unescape brackets and converted it again on the converter webpage.

Here is the second part of the decoded script.

Fig 2: The decoded script - part 2

There were still some percent-encoded characters (e.g. %62) in the URL, but these are easy to figure out. I went to the “HTML URL Encoding Reference” page and looked up the ASCII characters for the four codes.

  • %20 = {whitespace}
  • %62 = b
  • %65 = e
  • %63 = c

The purpose of the script is that when a user accesses my blog, it shows the site below in an iframe. Luckily, this site is blacklisted, so most browsers will warn you or refuse to show it, and the attacker will not get what he wanted.

Fig 3: Black website
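The manual decoding above (two rounds of unescape, then resolving the remaining %XX codes in the URL) can be scripted so the same analysis works on any nested unescape() blob. The following is an added example, not code from the post; the payload it builds is constructed here with the placeholder domain malicious.example and is not the script from the screenshots. The `js_escape`/`js_unescape` helpers mimic the JavaScript functions of the same name; `peel_layers` and `iframe_targets` are names chosen for this example.

```python
"""Peel nested JavaScript unescape() layers from an injected script and
pull out the iframe target(s), the way the post's manual decoding did.

Added example, not the blog's own code. The payload built below is
CONSTRUCTED (placeholder domain malicious.example).
"""
import re
from urllib.parse import unquote

# Characters JavaScript's escape() leaves untouched.
_SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@*_+-./")


def js_escape(text: str) -> str:
    """Mimic JavaScript's escape(): %XX for code points < 256, %uXXXX above."""
    out = []
    for ch in text:
        cp = ord(ch)
        if ch in _SAFE:
            out.append(ch)
        elif cp < 256:
            out.append("%%%02X" % cp)
        else:
            out.append("%%u%04X" % cp)
    return "".join(out)


_UNESC_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(text: str) -> str:
    """Mimic JavaScript's unescape(): decode %XX and %uXXXX, leave malformed sequences alone."""
    return _UNESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


# unescape("...") or unescape('...') with the quoted argument captured.
_CALL_RE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.DOTALL)


def peel_layers(script: str, max_depth: int = 10) -> list:
    """Decode every nested unescape() layer, outermost first.

    Stops when no unescape() call remains or max_depth is reached (guards
    against pathological input). Each returned element is one decoded layer.
    """
    layers = []
    current = script
    for _ in range(max_depth):
        m = _CALL_RE.search(current)
        if not m:
            break
        current = js_unescape(m.group(2))
        layers.append(current)
    return layers


_IFRAME_SRC_RE = re.compile(r"""<iframe\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def iframe_targets(html_text: str) -> list:
    """Return iframe src values with their URL percent-encoding resolved (e.g. %62 -> b)."""
    return [unquote(src) for src in _IFRAME_SRC_RE.findall(html_text)]


def build_sample_payload() -> str:
    """CONSTRUCTED double-encoded payload in the shape the post describes.

    The innermost layer is the iframe. Its URL keeps its own percent-encoding
    (escape() turns the '%' into '%25'), which is why the post still saw
    %62/%65/%63 after two rounds of unescape.
    """
    inner_html = ('<iframe src="http://malicious.example/%62%65%63/%20x" '
                  'width="1" height="1" style="visibility:hidden"></iframe>')
    layer2 = 'document.write(unescape("%s"));' % js_escape(inner_html)
    return 'eval(unescape("%s"));' % js_escape(layer2)


if __name__ == "__main__":
    payload = build_sample_payload()
    for depth, layer in enumerate(peel_layers(payload), start=1):
        print("layer %d: %s" % (depth, layer[:80]))
    print("iframe targets:", iframe_targets(peel_layers(payload)[-1]))
```

The decoder never executes the script; it only decodes string literals, so it is safe to run on a captured blob. Dropping the last layer into `iframe_targets` gives the destination domain, which is what you want to check against a blacklist or block at the host.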

I am thankful to him for not deleting any data or anything else. It encourages me to take good care of my site even when I’m very busy. :)

What did I change to prevent this?

I changed the following things, but honestly I have no idea whether they will work or not. I will have to wait a few months or a year to see the result. I’m posting this because if you are facing the same problem I had and you don’t know what to do, then you can try doing the same things I did. Please feel free to let me know if you have any better ideas or suggestions.

Tips

  1. Ensure WordPress and all plugins are up to date.
  2. Delete all unnecessary plugins or themes from your blog. If you have other extra files on your host, delete them as well.
  3. Disable unused accounts on your host and change the password of the account you are currently using.
  4. Use auto-backup software or a plugin to back up all files (including images and samples) and the database.
  5. Double-check the security settings of your blog (you can read the best practices for WordPress security at this link: Hardening WordPress). If you are not familiar with these things, ask your hosting provider to help you or get someone to do this.
  6. Install some security plugins. I installed the following plugins for security on my blogs:
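Tips 2 to 4 share one underlying idea: know which files belong on the host and notice when one changes or appears. A way to make that concrete, as an added example rather than anything from the post or a WordPress feature, is to keep a SHA-256 baseline of the theme directory and re-check it on a schedule, scanning any changed or new file for the kind of injection described above (an unescape()/eval() blob or a hidden iframe). The directory layout and file contents below are constructed in a temporary directory; the function names and the `theme-baseline.json` file name are chosen for this example.

```python
"""Baseline-and-diff check for a WordPress theme directory, plus a scan of
changed files for the injection pattern the post describes.

Added example, not the blog's own code and not a WordPress feature. All
paths and file contents are constructed in a temporary directory.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Heuristic markers of the injection seen in the post: an obfuscated
# unescape()/eval() call or an iframe made invisible. Not a complete scanner.
SUSPICIOUS = {
    "unescape_call": re.compile(r"unescape\s*\(", re.IGNORECASE),
    "eval_call": re.compile(r"\beval\s*\(", re.IGNORECASE),
    "hidden_iframe": re.compile(
        r"<iframe\b[^>]*(visibility\s*:\s*hidden|display\s*:\s*none|height\s*=\s*[\"']?[01]\b)",
        re.IGNORECASE),
}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Files that appeared, vanished or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def scan_file(path: Path) -> list:
    """(pattern name, 1-based line number) for each suspicious hit in a text file."""
    hits = []
    text = path.read_text(encoding="utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in SUSPICIOUS.items():
            if rx.search(line):
                hits.append((name, lineno))
    return hits


def check_theme(root: Path, baseline_file: Path) -> dict:
    """Compare root against the stored baseline and scan every changed or new file."""
    baseline = json.loads(baseline_file.read_text())
    result = diff_snapshots(baseline, snapshot(root))
    hits = {p: scan_file(root / p) for p in result["added"] + result["modified"]}
    result["hits"] = {p: h for p, h in hits.items() if h}
    return result


def demo() -> dict:
    """Constructed scenario: clean theme, baseline taken, then footer.php is tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content" / "themes" / "mytheme"
        theme.mkdir(parents=True)
        (theme / "header.php").write_text("<?php wp_head(); ?>\n")
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n</body></html>\n")
        baseline_file = Path(tmp) / "theme-baseline.json"
        baseline_file.write_text(json.dumps(snapshot(theme), indent=2))

        # Simulate the compromise: an obfuscated script appended to footer.php
        # and a stray file dropped next to the theme files (both constructed).
        with (theme / "footer.php").open("a") as f:
            f.write('<script>eval(unescape("%64%6F%63"));</script>\n')
        (theme / "wp-extra.php").write_text("<?php /* constructed stray file */ ?>\n")

        return check_theme(theme, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would take the baseline right after a clean install or update (tip 1), store `theme-baseline.json` outside the web root, and run `check_theme` from cron; any entry in `modified` or `added` is worth a look even when the pattern scan reports nothing, since the scan only knows the markers listed in `SUSPICIOUS`.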

Well, that’s all I did. As I mentioned, let me know if you have a better way to secure a WordPress blog. Thank you all for reading. :)


Leave a Reply

  1. Michael, thanks for the reference to MalWatch. Yes, this is frustrating stuff! In addition to MalWatch, we solved our problems at the hosting level and have since made the solution public via http://wphost.co . The following is a review we got from The Blog Herald. http://www.blogherald.com/2010/09/14/is-wordpress-vip-beyond-reach-let-wphostco-wipe-away-the-tears/

    If your attacks persist, let’s talk about our offering as it is affordable and we feel we have locked it down in the right ways.