London Web Design & SEO Services

Some changes were made in the BST with the attempt to reduce useless posts along with bumping of threads, and to avoid affiliate links being sent via PM. Affiliate Links in PMs You MAY NOT post threads to promote affiliate programs via PM. Masking an affiliate link via PM or otherwise is still subject to an infraction. Trying to get around the ‘no affiliate links in PMs’ rule by instead linking to your own landing pages is still not allowed. That is still posting a thread to promote an affiliate program via PM! Making People Bump Your Threads for More Information You may not ASK for people to bump your thread by telling them to post things like, “I’m interested,” “PM me the details,” “Sold,” “Give me the money,” or other similar terms. (This includes things like asking “Who’s interested?” knowing you’ll get a bunch of bump posts, unless you specifically give instructions to PM you directly instead of posting in the thread.) You MAY NOT refuse to receive PMs if you’re not offering all product / service / offer details directly in your thread. If you don’t want to give the details in the thread then you HAVE to accept PM’s. - Note: This includes asking everyone to post their rates. If you don’t include the rates you’re paying for a service, you must accept those quotes via PM directly and not through thread bumping. If you respond to an OP’s request to post inappropriate thread comments (see above), you will receive an infraction for bumping, regardless of what the OP told you to do. In addition, when responding to someone’s thread, you may not post in the thread to “send more information,” “PM me the details,” or anything similar. If you are interested and don’t have a valid question that applies to everyone else then you must PM the OP.

A wrist watch covered with gold is a part of an image of any successful man regardless of it is a man or a woman. The one thing that can confuse even quite a wealthy man is the price which should be paid for the sign of prestige – a genuine golden Japanese watch. You may have known that the prime cost of the original Swiss watches can be for instance several hundreds dollars, while they can be sold for several thousands in case of breitling bentley watch. That is the basic motive why replica watches get more and more popular. If we are speaking about replica cartier watches we should mention that there are replicas that are identical to genuine watches. The difference is only in the clockwork and the substances.
A male watch is an integral part of style of every modern man who wants to be fashionable. If you are a considerable businessman you would better choose a classic watch, or a sport version for active persons. You have got an excellent opportunity to underline your personal status and display other people your personality. For any woman the perfect watch is the sign of the wealthy man and she would be pleased to look at you.
A female watch is a stylish accessory, brilliant adornment for your status, surely. The highest quality of the replica watches may be found in every part of the watch. The basic benefit of the replica watches is that you don’t have to pay huge amounts of money but buy the watches of the highest quality.
Most of replica watches are produced by real professionals in accordance with the functional and appearance similar to the genuine artwork. Lots of replica watches imply utilizing of Japanese and Swiss mechanisms, but the producers are situated in various countries. In Europe there are lots of developers in Austria and Belgium. Thanks to the technical progress we have a possibility to create the copies of original watches making even the littlest parts the same. Replica watch ought to have the same appearance as the genuine watch. In case you want to select a replica watch of the highest class, it is better to purchase a watch with Japanese or Swiss mechanism. Pay attention to the glass that is utilized in the watch. The glass of the greatest quality watches is commonly made of sapphire and the body should be created of the best material. Be thorough as there are a lot of unlawful companies which may sell you a bad replica watch and provide no guarantee service during a definite period of time. Replica watch may be an excellent gift for your mates or relatives and you won’t have to expend a lot to purchase tag heuer swiss replicas.

A phone card or calling card - a phone credit card with a Personal Identification Code (Pin) used for a pre-chosen international carrier when far from home or not at work. Verizon calling plans allow to dial a phone anywhere from Virginia Islands to India with a Phone Card dialing a preregulated number (not seldom toll free call). It is not fully free, like the majority Voice over IP carriers promote, but the quality is remarkable and you doen’t have to be on-line to make a
call. Give it a try!

International phone cards are rather sparing, often three times cheaper than collect calling, coin operated payphones or having the phone call invoiced to the hotel or motel room be it a call from Canada, US, Mexico City, Australia, Ireland or India. We recommend calling cards to India or prepaid Philippines calling cards in America - from the Earth to the Moon to 149 more countries…

Pre paid phonecards and monthly billed phone cards often offer aloud lower long distance rates (3 to 10 times) than the more traditional call services such as coin (landline), cellular (wireless) and collect calling. Additionally prepaid phone card calling rates remain the same no matter what time or day the call is placed.

Pre-paid cards have superseded coin pay phones and subsist with VoIP. Why to purchase? Calling cards are also extensively used to make domestic or international calls where the local phone carrier is unable to give low rates. Additional services: internet accounts, pinless dialing, SMS messaging, internet conference calls, voice-mail, mobile phone service, international call back.

Want to make a call? Then you’re prompted for a user ID and a Password or both, prior to dialing the indicated number they demand. “Card” is a misnomer as some through the Internet callingcards are widely available without the issue of an genuine plastic “credit card” and are released immediately in pin only form.
With a re-fillable call card you can in a minute add more calling time using a credit card. It is safe, because of the VeriSign SSL & HackerSafe modern technologies used. Calling service providers have toll-free numbers or you can go to their web stores. Certain cards permit you to prepay using drafts or checks - this obviously has a time implication and the recharge can take up to half a month to be activated. Up-to-date providers now have an email payment system like Google Checkout. Preserve up to 95% on your long distance call with discount rates from now on!

WordPress Security
You can protect your administration scripts (scripts under wp-admin), where most attacks originate including this one, by restricting access to your admin scripts to specific IP address or IP address range. You can also add a basic authentication on top of WordPress by using your httpd.conf file or .htaccess. This adds a layer of security which any hacker will have to overcome before he gets to your WordPress vulnerabilities.

This WordPress blog was hacked for few hours on 24th December (nice Christmas present!) from Russia. The hacker exploited several WordPress vulnerabilities in administrative scripts to gain full access to the website (as permitted to apache user), including the ability to upload & run scripts, delete any file owned by apache user, view the file and directories etc. This is a full disclosure on the how the site was hacked and how I detected and removed the hack along with few comments on the state of WordPress security. I added a WordPress plugin and made modifications to prevent any such hacking attempts in future using WordPress. This is a must read for WordPress bloggers.

How the site hacking was detected?

The website was normal. However when I tried to publish or even save a post, it simply showed a blank page. The post was never published or even saved. I knew something was wrong.

My first suspect were couple of plugins which contacted external servers after a publish. I disabled them. I also disabled the ping sites as they were sometimes known to cause problems. None of that helped. I progressively disabled all of the plugins. Even with all the plugins disabled, the post wouldn’t publish. I was left with only one option.

I decided to trace WordPress code to find out the cause of error. I started with the file for post submission - post.php. I found something startling with WordPress code which seriously undermines its security, a flawed design choice but more on it later. post.php calls admin.php which calls wp-config.php which in turn calls wp-settings.php. wp-settings is an interesting file. This file isn’t just about settings. It loads tons of files, loads and executes the plugins and more. The problem was, as I originally suspected, in the plugins but which one? The code which loads the plugins in WordPress is:

if ( get_option('active_plugins') ) {
	$current_plugins = get_option('active_plugins');
	if ( is_array($current_plugins) ) {
		foreach ($current_plugins as $plugin) {
			if ('’ != $plugin && file_exists(ABSPATH . PLUGINDIR . ‘/’ . $plugin))
				include_once(ABSPATH . PLUGINDIR . ‘/’ . $plugin);
		}
	}
}

The active plugins, as you can see, are loaded directly with include_once. How do I find the plugin which while loading is causing the script to die?
I added simple syslog() statements before and after the plugin. However it generated copious output from all the traffic.
Remember I was debugging on a heavily trafficked live site. So I added a define in post.php which I was checking before doing a syslog. The debugging code was:
if (’’ != $plugin && file_exists(ABSPATH . ‘wp-content/plugins/’ . $plugin)) {
if(defined(’TG_ADMIN’)) syslog(LOG_ALERT, “Loading $plugin…”);
include_once(ABSPATH . ‘wp-content/plugins/’ . $plugin);
if(defined(’TG_ADMIN’)) syslog(LOG_ALERT, “Loaded $plugin…”);
}

The result was surprising. The first plugin loaded was not even a plugin I knew existed, let alone use it. It was named ro8kbsmawge.txt. The full path to the plugin was /../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt
Effectively the file path was /tmp/ro8kbsmawge.txt. A telltale sign of this hacker is the presence of the file ro8kbsmawge.txt in your tmp directory.

I renamed the file and the problem was solved for now. I could publish posts finally. However my site was still not secure against future attacks. I will detail next at how I secured my site and provide more information on the perpetrator and how the site was hacked in the first place.

How the site was hacked using WordPress?

The site exploited a vulnerability in /wp-admin/options.php which allowed it to get the authentication cookies it required to upload the file ro8kbsmawge.txt to my /tmp directory using /wp-admin/inline-uploading.php. It then used /wp-admin/plugins.php to activate the ro8kbsmawge.txt as a plugin while using options-misc along the way.

Finally the hacker accessed the site using his magic word piska233 and browsed few directories on my server before retiring for the day. All of these was done within a span of 3 minutes which leads to the conclusion that a script was used to exploit the holes and orchestrate the hacking.

The full log, except the IP address 217.74.245.85 which was removed for redundancy, of hackers action on my site is:

[24/Dec/2007:07:40:22 -0600] “POST /wp-admin/options.php HTTP/1.0? 200 1713 “http://blog.taragana.com/wp-admin/options.php” “Opera”
[24/Dec/2007:07:40:24 -0600] “POST /wp-admin/options.php HTTP/1.0? 302 471 “http://blog.taragana.com/wp-admin/options.php” “Opera”
[24/Dec/2007:07:40:26 -0600] “POST /wp-admin/inline-uploading.php?post=-1&action=upload HTTP/1.0? 200 1645 “http://blog.taragana.com/inline-uploading.php?post=-1&action=upload” “Opera”
[24/Dec/2007:07:40:29 -0600] “POST /wp-admin/inline-uploading.php?post=-1&action=upload HTTP/1.0? 200 142 “http://blog.taragana.com/inline-uploading.php?post=-1&action=upload” “Opera”
[24/Dec/2007:07:40:52 -0600] “POST /wp-admin/options.php HTTP/1.0? 200 1713 “http://blog.taragana.com/wp-admin/options.php” “Opera”
[24/Dec/2007:07:40:54 -0600] “POST /wp-admin/options.php HTTP/1.0? 302 471 “http://blog.taragana.com/wp-admin/options.php” “Opera”
[24/Dec/2007:07:40:57 -0600] “POST /wp-admin/inline-uploading.php?post=-1&action=upload HTTP/1.0? 200 1645 “http://blog.taragana.com/inline-uploading.php?post=-1&action=upload” “Opera”
[24/Dec/2007:07:41:11 -0600] “GET /wp-admin/options-misc.php HTTP/1.1? 200 7764 “-” “Opera/9.24 (Windows NT 5.1; U; ru)”
[24/Dec/2007:07:41:15 -0600] “GET /wp-admin/wp-admin.css?version=2.0.7 HTTP/1.1? 304 - “http://blog.taragana.com/wp-admin/options-misc.php” “Opera/9.24 (Windows NT 5.1; U; ru)”
[24/Dec/2007:07:41:15 -0600] “GET /wp-includes/js/fat.js HTTP/1.1? 304 - “http://blog.taragana.com/wp-admin/options-misc.php” “Opera/9.24 (Windows NT 5.1; U; ru)”
[24/Dec/2007:07:41:12 -0600] “POST /wp-admin/inline-uploading.php?post=-1&action=upload HTTP/1.0? 302 - “http://blog.taragana.com/inline-uploading.php?post=-1&action=upload” “Opera”
[24/Dec/2007:07:41:21 -0600] “GET /wp-admin/plugins.php?action=activate&plugin=/../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt&_wpnonce= HTTP/1.1? 200 1474 “http://blog.taragana.com/wp-admin/plugins.php?action=activate&plugin=/../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt” “Opera”
[24/Dec/2007:07:41:23 -0600] “GET /wp-admin/plugins.php?action=activate&plugin=/../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt&_wpnonce=7b4c8019bd HTTP/1.1? 302 - “http://blog.taragana.com/wp-admin/plugins.php?action=activate&plugin=/../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt” “Opera”
[24/Dec/2007:07:41:30 -0600] “GET /?piska23 HTTP/1.1? 200 95716 “http://lamer/mwpep/?mode=shell&what=20? “Opera/9.24 (Windows NT 5.1; U; ru)”
[24/Dec/2007:07:41:36 -0600] “GET /?piska233 HTTP/1.1? 200 15840 “-” “Opera/9.24 (Windows NT 5.1; U; ru)”
[24/Dec/2007:07:41:44 -0600] “POST /wp-admin/options.php HTTP/1.1? 302 471 “http://blog.taragana.com/wp-admin/options-misc.php” “Opera/9.24 (Windows NT 5.1; U; ru)”
[24/Dec/2007:07:41:47 -0600] “POST /wp-admin/options.php HTTP/1.1? 302 471 “http://blog.taragana.com/wp-admin/options-misc.php” “Opera/9.24 (Windows NT 5.1; U; ru)”
[24/Dec/2007:07:41:55 -0600] “GET /?piska233&dira=/tmp HTTP/1.1? 200 9930 “-” “Opera/9.24 (Windows NT 5.1; U; ru)”
[24/Dec/2007:07:41:54 -0600] “GET /wp-admin/options-misc.php?updated=true HTTP/1.1? 200 7842 “http://blog.taragana.com/wp-admin/options-misc.php” “Opera/9.24 (Windows NT 5.1; U; ru)”
[24/Dec/2007:07:42:36 -0600] “POST /index.php?piska233&dira=./ HTTP/1.1? 200 36721 “http://blog.taragana.com/?piska233? “Opera/9.24 (Windows NT 5.1; U; ru)”
[24/Dec/2007:07:43:23 -0600] “GET /index.php?piska233&dira=./wp-content/plugins/Wysi-Wordpress/themes/advanced/docs/es/images HTTP/1.1? 200 6506 “-” “Opera/9.24 (Windows NT 5.1; U; ru)”
[24/Dec/2007:07:43:38 -0600] “GET /wp-content/plugins/Wysi-Wordpress/themes/advanced/docs/es/images HTTP/1.1? 301 298 “-” “Opera/9.24 (Windows NT 5.1; U; ru)”
[24/Dec/2007:07:43:40 -0600] “GET /wp-content/plugins/Wysi-Wordpress/themes/advanced/docs/es/images/ HTTP/1.1? 200 604 “-” “Opera/9.24 (Windows NT 5.1; U; ru)”

The good news is that no harm was done.

WordPress security issues & design flaw

The basic design flaw is that loading WordPress configuration (required for database access for authentication checks) loads wp-settings which loads tons of other PHP files as well as all the WordPress plugins and any hacks. All of these are done even before you have a chance to authenticate the user. This is extremely dangerous for administration scripts as it allows a hacker to pass arguments to and execute gazillions of WordPress files which may or may not have proper security checks in place. User authentication and entitlement should be done at the very beginning to prevent unauthenticated scripts from proceeding any further. To do that wp-config must be modified to not include wp-settings. It should be separately included where required, even at the cost of redundancy. Administration scripts (under wp-admin) requires only wp-config to get the database details to authenticate the user and identify its entitlements. After authentication the rest should be loaded. This flaw was exploited to get the authentication cookie details which was subsequently used. The exact exploit used in this case is hard to find from just server logs. However it was caused by late authentication problem as described above.

There arewere known issues with both options.php & upload script, some of which are detailed here.

One of the challenges with WordPress is that security considerations was mostly an afterthought (feel free to disagree) which were latched on as WordPress became more and more popular. You have to continuously update your WordPress to keep up with the latest patches.

There are 71 reported security advisories in Secunia (22 reported in 2007) and 9 viruses based on WordPress (one from 2007).

Most likely the site was hacked using the cookies authentication vulnerability as detailed here.

Several WordPress plugins and themes also have security advisories:
- AdSense-Deluxe 0.x (plugin for WordPress)
- AndyBlue 1.x (theme for WordPress)
- Blix 0.x (theme for WordPress)
- Blixed 1.x (theme for WordPress)
- BlixKrieg 2.x (theme for WordPress)
- Blue Memories 1.x (theme for WordPress)
- myGallery 1.x (plugin for WordPress)
- PictPress 1.x (plugin for WordPress)
- Pool 1.x (theme for Wordpress)
- Redoable 1.x (theme for WordPress)

You can read all the Secunia advisories on WordPress here.

Who was the hacker?

The IP address of the user responsible for hacking my site is 217.74.245.85. The IP address belongs to KUBANGSM-NET:

% Information related to '217.74.245.0/24AS29497'

route:          217.74.245.0/24
descr:          KUBANGSM-NET
origin:         AS29497
mnt-by:         KUBANGSM-MNT
source:         RIPE # Filtered

It is owned by:

person:       Volkov Denis
address:      61, Gimnazicheskaya str. 350000, Krasnodar, Russia
phone:        +7 8612 660126
fax-no:       +7 8612 401505
e-mail:       d.volkov@kuban.mts.ru
nic-hdl:      VD370-RIPE
source:       RIPE # Filtered

Their website is http://www.kuban.mts.ru/. They appear to be legitimate mobile & internet service provider. Most likely their internet service is being abused by the spammer. Nevertheless I decided to ban this IP address from accessing my server.

The hacker was most likely using Opera 9.24 browser (almost latest version) on Windows XP (NT 5.1). While user agent can be faked, there is no reason to suspect so in this case. The user agent string also shows that he was using the russian language file of Opera.

Anatomy of the hacking script

The hacking script is a php script with a a nice comment and TODO line:
/*Magic Include Shell by Mag icq 884888*/
//TODO: ????? ????? ?? ???? ??? (!)

Effectively it is a file manager, probably adapted from any of the free php file manager’s on the net. It allows you to:

• Browse directories and files
• Edit files
• Rename files
• Delete files
• zip & unzip files
• Upload & download files & directories
• Execute arbitrary PHP scripts
• Execute arbitrary shell commands
• Provides basic server, system & PHP information

The bulk of the code is executed when it receives a particular query string to a normal HTTP GET request. So while http://blog.taragana.com/ will work as usual, http://blog.taragana.com/?piska233 will open with this magical hidden shell which will expose your entire website to an outside hacker.
Note: There is nothing magical about piska233. It is a password which was most likely allowed to be chosen and given as input to the original script which injected this trojan horse on my site.

A trojan which protects itself against worms…

The trojan takes steps to protect itself against worm! The code at the end which is always executed is:

$post_arr=implode('.',$_POST);
$get_arr=implode('.',$_GET);
$cook_arr=implode('.',$_COOKIE);
$post_arr_key=implode('.',@array_flip($_POST));
$get_arr_key=implode('.',@array_flip($_GET));
$cook_arr_key=implode('.',@array_flip($_COOKIE));
$other_shtuki=@file_get_contents('php://input');
$cracktrack = strtolower($post_arr.$get_arr.$cook_arr.$post_arr_key.$get_arr_key.$cook_arr_key.$other_shtuki);
$wormprotector = array('base64','user_pass','union','select','substring','or id=');
$checkworm = str_replace($wormprotector, '*', $cracktrack);
if ($cracktrack != $checkworm) die(”");


It checks for certain keywords (in $wormprotector array) within GET, POST & COOKIE data. When they are present it simply aborts. This is one of the means to detect the current version of the script. This is also the reason why it failed to submit a post. An url such as this would also die - http://localhost/wordpress/?select as would http://localhost/wordpress/?base64.
However there is nothing to be happy about. It will take less than a minute to modify the script and make it immune to detection in WordPress.

This is the list of sites we currently submit to.  Note that not all sites will accept your title.  For example, if you have a business utility, sites that list only games would not be appropriate for us to submit to since they will not accept that type of software.  However, we can still guarantee that a huge number of sites will be submitted to.  The list below currently has over 300 entries!