Cleaning eval(base64_decode()) from a Hacked WordPress Website via SSH

I received an email from a friend yesterday informing me that his WordPress site was loading with a blank white page. I SSH'ed into the server and looked at his wp-config.php file:

That eval(base64_decode("ZXJy.... line is a classic sign of a compromised site. Attackers obfuscate their malicious code by base64-encoding it (PHP's base64_encode() function) so that it is unreadable at a glance. base64_decode() reverses the encoding, and the PHP eval() function then 'runs' (or EVALuates) the resulting code. They place the malicious line at the top of as many PHP files as they can.

What Does the Malicious Code Do?

If you're curious what the obfuscated code looks like, you can copy and paste the whole line into a new PHP file and then replace eval(base64_decode(....)); with echo base64_decode(...);. That will print out the PHP code that the attacker is trying to run instead of executing it.

Hacks like these usually involve redirecting sites somewhere else on the Internet so that the attacker makes money. If someone earns $0.01 per redirection to an ad somewhere on the web, imagine how much they could make if they infected a popular site.

Temporarily Blocking Access to the Site

While we're fixing the problem, we don't want the attacker to have any access to the site. To block all access to the website, you can add the following to the top of the .htaccess in the root folder of the website (if an .htaccess file doesn't already exist, you'll want to create it).

To allow access from just your IP address, replace "!!Your IP Address Here!!" with your IP address:

order deny,allow
deny from all
allow from !!Your IP Address Here!!

Now we're ready to start cleaning things up.

Automating the Cleanup Process

When one file has been compromised, there's a good chance that many more files have been compromised. The attacker wants to ensure that as many files have been infected as possible so as to maximize the chances that his code will be run.

With this being a WordPress site, the easiest solution is to simply replace all the existing files with a clean copy of the WordPress files. However, you don't want to replace the wp-content/ directory because that contains your themes, plugins, and any media that you may have uploaded.

Since we want to keep the contents of the wp-content/ directory, we'll first need to clean it out. The first step is to search the directory for any files that may contain the malicious code:

As I suspected, the list of infected files was quite long. It would be a long, tedious task to edit each file and remove the malicious line, but thanks to the power of the Linux command line, we can automate the process.

Using a few Linux commands, we'll find all .php files in the current directory and all subdirectories and then pipe those files into another command that uses the sed program (sed is short for 'stream editor') to search for the malicious line and replace it with nothing, effectively deleting that line from each file.

Now we can run the search command again to see if all the files were cleaned out:

Nothing was found, so that means the files were cleaned.
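The search, inspect and clean-up steps above, written out as one POSIX shell script. This is an added example and not the commands from the original post: the function names, the constructed sample site it builds, and the fixed search pattern eval(base64_decode( are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the original post's commands): locate, inspect and strip
# eval(base64_decode("...")) lines from PHP files under a directory.
# The pattern is the one the post describes; other wrappers such as
# gzinflate() or str_rot13() are deliberately not matched here.
set -eu

PATTERN='eval(base64_decode('

# Print every .php file under $1 that contains the malicious line.
find_infected() {
    find "$1" -type f -name '*.php' -exec grep -l -F "$PATTERN" {} + 2>/dev/null || true
}

# Count infected files (the before/after check the post runs by hand).
count_infected() {
    find_infected "$1" | wc -l | tr -d ' '
}

# Decode the first base64 blob in $1 WITHOUT executing it, so the payload can
# be read (the post's "replace eval with echo" trick, done outside PHP).
decode_payload() {
    grep -o 'base64_decode("[^"]*")' "$1" | head -n 1 \
        | sed 's/^base64_decode("//; s/")$//' | base64 -d
}

# Delete the matching line from every infected file. A temp file plus mv is
# used instead of sed -i so the script behaves the same with GNU and BSD sed.
clean_dir() {
    find_infected "$1" | while IFS= read -r f; do
        tmp="$f.clean.$$"
        sed '/eval(base64_decode(/d' "$f" > "$tmp" && mv "$tmp" "$f"
    done
}

# Build a constructed mini wp-content tree: two infected files, one clean file.
# The "payload" is a harmless echo so the sample is safe to keep around.
make_sample_site() {
    dir=$1
    mkdir -p "$dir/themes/demo" "$dir/plugins/demo"
    b64=$(printf '%s' 'echo "constructed sample";' | base64)
    printf '<?php eval(base64_decode("%s")); ?>\n<?php\necho "theme header";\n' "$b64" \
        > "$dir/themes/demo/header.php"
    printf '<?php eval(base64_decode("%s")); ?>\n<?php\necho "plugin";\n' "$b64" \
        > "$dir/plugins/demo/plugin.php"
    printf '<?php\necho "clean file";\n' > "$dir/plugins/demo/clean.php"
}

# Stand-alone demo: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    site=$(mktemp -d)
    make_sample_site "$site"
    echo "infected before: $(count_infected "$site")"
    decode_payload "$site/themes/demo/header.php"; echo
    clean_dir "$site"
    echo "infected after:  $(count_infected "$site")"
    rm -rf "$site"
fi
```

Because the clean-up deletes whole lines, run find_infected and look at the matching lines (grep -n) before clean_dir: if the injected code shares a line with legitimate code, that line needs a hand edit rather than a blanket delete.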

The next step is to replace the core WordPress files with a clean copy of the latest version of WordPress. First, we'll move all the current files to a backup folder and then create a backup tarball:

Now we have a backup just in case anything goes wrong with the next steps.

The next step is to download the latest version of WordPress and extract the files:

You may need to change the ownership of the files to that of the user:

Now we're ready to move the original wp-config.php file back, along with the original wp-content/ directory:

Since we only cleaned the files in the wp-content/ directory, you'll want to edit wp-config.php using your favorite editor (nano is a simple Linux command line editor) and make sure that the malicious eval() line is not present at the top. If it is, you'll want to delete it before proceeding.
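The backup, reinstall and restore steps above, combined into one script. This is an added example rather than the post's own commands; reinstall_core, its arguments and the backup naming are assumptions of this example. It expects a tarball laid out with the wordpress/ top-level directory that wordpress.org's latest.tar.gz uses, fetched separately (for example with wget https://wordpress.org/latest.tar.gz), and it also performs the wp-config.php check the post tells you to do by hand.

```shell
#!/bin/sh
# Added example (not the original post's commands): swap in clean WordPress
# core files while keeping wp-config.php and wp-content/ from the old install.
#   $1 = site document root
#   $2 = path to a wordpress tarball (wordpress/... layout, as wordpress.org ships)
#   $3 = owner for the new files, e.g. "www-data:www-data" (optional)
set -eu

reinstall_core() {
    site=$1
    tarball=$2
    owner=${3:-}
    stamp=$(date +%Y%m%d-%H%M%S)
    backup="$site.backup-$stamp"

    # 1. Move the whole site aside and keep a compressed copy of it.
    mv "$site" "$backup"
    tar -czf "$backup.tar.gz" -C "$(dirname "$backup")" "$(basename "$backup")"

    # 2. Unpack the clean core into the original path (drop the wordpress/ prefix).
    mkdir -p "$site"
    tar -xzf "$tarball" -C "$site" --strip-components=1

    # 3. Restore the two things the clean tarball must not replace.
    if [ -f "$backup/wp-config.php" ]; then
        cp -p "$backup/wp-config.php" "$site/wp-config.php"
    fi
    if [ -d "$backup/wp-content" ]; then
        rm -rf "$site/wp-content"
        cp -Rp "$backup/wp-content" "$site/wp-content"
    fi

    # 4. Fix ownership when an owner was given.
    if [ -n "$owner" ]; then
        chown -R "$owner" "$site"
    fi

    # 5. The restored config came from the infected tree; refuse to finish
    #    quietly if it still carries the injected line.
    if grep -q -F 'eval(base64_decode(' "$site/wp-config.php" 2>/dev/null; then
        echo "WARNING: $site/wp-config.php still contains eval(base64_decode(" >&2
        return 2
    fi

    # Print the backup tarball path so the caller knows where it went.
    echo "$backup.tar.gz"
}

# Stand-alone use: sh reinstall.sh /var/www/example latest.tar.gz www-data:www-data
if [ "$#" -ge 2 ]; then
    reinstall_core "$@"
fi
```

The script only verifies wp-config.php for the one pattern from this post; plugins and themes inside wp-content/ are restored as they are, so the clean-up of that directory has to happen before this step.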

And that's it! If you visit your website now, the site should be up and running again. If you were previously running an older version of WordPress, you may be prompted to upgrade the database.

Tips for Staying Safe in the Future

Here are a few tips to avoid a hacked WordPress site in the future:

  • Only run WordPress plugins that you absolutely need, as most vulnerabilities come from badly coded WordPress plugins.
  • Before downloading and installing a plugin, see how many downloads it has; the more the better. Also, when was the last update to the plugin? The more recent, the better.
  • Always keep your WordPress core files and your WordPress plugins updated. If you're prompted to install an update on your WordPress dashboard, it's best to do it immediately.
  • Install an SSL Certificate and always use SSL when logging into your WordPress Dashboard (see Administration over SSL).
  • Read the entire Hardening WordPress page on the WordPress Codex and implement the suggestions.
  • Keep regular backups. Make sure you have a weekly and a monthly backup.
  • Check out this post by Kinsta on WordPress security.

That's it! If you have any questions or suggestions, please let me know.



My failed attempt to hack the AT&T free iPhone WiFi

You may remember that AT&T began offering free wifi for iPhone users earlier this year. Shortly thereafter they pulled the service. Why? Because someone discovered the security applied to the system was extremely weak: simply changing the User Agent of your browser to make it look like you were using an iPhone browser allowed you to gain free WiFi access on your laptop. This could easily be done using the Firefox User Agent Switcher extension, or by simply firing up Safari, enabling Developer mode (Safari->Preferences->Advanced->Show Develop menu), and selecting the iPhone User Agent (Develop->User Agent->Mobile Safari 1.1.3 - iPhone).

With the new service, you connect your iPhone to the wireless network, launch the browser, and get redirected to a page that displays a single field requesting you to enter your iPhone phone number. After submitting your phone number, you receive a (free) text message containing a URL. Loading this URL from your iPhone grants you free wifi access to the Internet.

When I tried the User Agent hack mentioned above from my laptop, I expected to at least get the box prompting me for my iPhone phone number. But to my surprise, all I got was a mobile-formatted page with options to purchase service.

So I suspected they were checking the MAC address of the computer connected to the router and checking if it looked like an iPhone MAC address. Luckily, spoofing the MAC address of my wifi card is easy on OSX:

sudo ifconfig en1 lladdr 00:21:E9:52:6A:E3

BAM! Now as far as the AT&T router can tell, my requests are coming from my iPhone. This time when I connected, I got the form asking me for my iPhone phone number. I submitted the number and a few seconds later received an SMS with a link.

I hoped that simply typing this URL in my laptop browser and visiting it would grant me free wifi access, but unfortunately it did not. Instead, it gave me an error saying that page doesn't exist.

A commenter on the original LifeHacker post describing the User Agent hack left this comment about the new security features applied by AT&T:

AT&T has locked out non-iPhones by using an encrypted log on tied to each iPhone number. The key is transmitted to the iPhone over the AT&T cell network a minute before login.

By using the AT&T network to transmit the key, they have definitely made it more difficult to gain free access from your laptop. I'm sure it's still possible (perhaps by sniffing the wifi traffic between the iPhone and the router after a successful connection), but I'm not sure it's worth the time and effort.

I heard that an official AT&T tethering option for the iPhone will be coming soon, so that might make this a moot point (assuming they make it a free option). Still, it seems only fair that existing iPhone users should be able to access the free wifi via their laptops. Transmitting a password via SMS seems like a safe way to guarantee the person connecting to the wifi actually has an iPhone.

Boston FU: Retractable Earbud Hack

The first Boston Freehacker's Union meeting was tonight at Trident Cafe. FU rule #3 states,

Everyone who attends has to eventually show something they did. Not something someone else did. This is your time to give a performance, not to teach people how to use something so you get a book deal.

I didn't really have anything to show, but I wanted to show something. Tangled earbuds are one of the things that have been bugging me for, literally, years. (I prefer real headphones, but sometimes size matters.)

Every time I take the earbuds out of my bag, they're all tangled and I have to spend 30 seconds or so untangling them. I wanted something like the retractable cables in my Belkin 7-in-1 Retractable Cable Travel Pack, but for my Apple earbuds. Well, here's my 30 minute retractable earbud hack:

Retractable Earbud Hack

The most interesting part about this hack was what I learned about the locking mechanism. The recoil system was very simple: a twisted metal coil that increases tension as it is twisted. However, as you pull the wire out of the coil, something stops the device from retracting.

Retractable Earbud Hack - Ball Bearing Track

That something turned out to be a tiny metal ball bearing, sitting inside the funny looking track on top of the spinning center coil. The single straight track on the top stationary cover sandwiches the ball bearing inside the track and keeps the ball bearing in place. I actually lost the ball bearing twice and ended up taking apart all three of the retractable cables that came with the Belkin kit.

There's definitely lots of room for improvement. A removable retractable device would be much nicer and the size and weight is also an issue. The guys I met at the FU meeting seemed to like it and I'm definitely going to keep using it whenever I use the earbuds. I'll add any further observations to the bottom of this post.

My own version of the $1 Image Stabilizer

I've seen the $14 Steadycam "The Poor Mans Steadicam" in the past and always thought it would be a cool project to tackle whenever I have some free time (aka never). Even though I own more tools than I'm able to name (when you take care of your own rental properties you need a wide array of tools!), the large number of tools and parts required for the "Poor Mans Steadicam" always turned me off.

Then I saw this cool $1 Image Stabilizer video from MetaCafe:

$1 Image Stabilizer For Any Camera - Lose The Tripod (MetaCafe video)

Sure enough, I found an immediate need for an image stabilizer when I took pictures of the box for my new MacBook Pro power supply. I had some rope in my closet and I remembered the tripod adapter which screws into the bottom of my camera already had a little hole that I could loop the rope through. It took two minutes of my time to tie the rope around the tripod adapter. I then stood on the excess rope and pulled up to steady the camera:

It worked great! Here is the first picture I took without the stabilizer and here is the second picture taken with the stabilizer. You can clearly see the difference!

My co-worker, Raf, spontaneously came up with the idea of using a giant rubber band instead of string or rope. Just as he was laughing it off as a silly idea, I told him I actually have giant rubber bands that I use for fitness. As I was writing this post, I decided to try out his idea:

It also worked well; however, because the rubber band needs to loop around the camera, it was uncomfortable and also made it difficult to access the camera controls. Besides, not only would I not want to carry around a giant rubber band, I also wouldn't want the camera to slip out of my hands and go crashing to the ground just as I lifted it to take a picture!

I love the way pictures come out when taken with natural light (no flash). However, when the camera detects low light it slows the shutter speed down so it can absorb enough light to make a clear picture. Even the slightest movement during this slow shutter speed will cause the picture to come out blurry. It's quite amazing how such a simple image stabilizer fixes that problem!

My First (Real) Electronics Project / Invention

When I was 13 or 14 years old I discovered the need for something to easily change the connections made between VCRs, tape decks, and speakers. I needed to change inputs and move cables around to different ports. Constantly moving around equipment to access the ports on the back was becoming very cumbersome. I needed an AV Selector. Although one probably existed at the time, I didn't know of its existence and so I marched on with inventing one.

I had never soldered before, and this was the first time I found a real purpose to solder. My solution was simple: connect each of the cables coming from the equipment into a box that was easily accessible. For each port on the equipment, the box would have two ports: one that connects from the equipment to the box and then another on the box that connects to another one of these boxes, which is connected to yet more equipment. This would allow me to unplug and change the connections easily by simply managing the connections on the boxes.

To help you understand how this actually worked, I whipped up a quick diagram:

So I bought some parts from the local RadioShack, including a little plastic project box which needed to have openings cut out for the ports (very difficult without the right tools -- I think I used a razor and broke a few blades). A few hours later, and my invention was complete. It certainly wasn't pretty, but it worked exactly as I planned!

Of course there are much more professional AV Switchers out there now, such as this one made by Sony:

A Paper Solution to an Electronic Problem

I started to get a sore throat during the day on Sunday and by Monday morning it had become a lot worse. I feel the full effects of a cold or flu, but I'm doing my best to ignore them. Yesterday I decided to take a one week break from working out to let my body recuperate. I completed four straight weeks of my workout routine and with the exception of the aerobic part, I'm going to continue with this routine for another four week cycle. It's only three days a week and I feel that it works each of my major muscles very well. I've also increased my protein intake, so I'm now consuming between 150g - 180g of protein per day.

My new phone, the Nextel i560, has been randomly shutting off. Every 30 minutes or so, I would take it out of the holster only to find that it's not even on. So I turn it back on and put it back in the holster. A little while later, same thing. A couple of times I actually saw it turn off right after I took it out of the holster. So I figured it must have been something I pressed to make it turn off. After a little pushing, poking, and other general torture, I was able to replicate the problem, the most important step in diagnosing anything.

Either the phone is defective, or the battery is defective. But whichever it is, the problem is that the area the battery fits into is not the correct size. This makes it possible to press on the back of the phone (or the top when pulling it out of the holster) in just the right spot to push the battery off the gold contacts inside the phone, resulting in the phone shutting off. My solution?

I was on the train to Boston this morning when I figured this out, so I used a piece of paper from the bag of Honey Herb Ricola throat drops I bought earlier this morning. The solution works like a charm! My phone has not turned off once since I "fixed" it. The discovery of this solution makes me wonder if this could be the same problem my mom had when her phone was constantly turning off. She kept bringing it back to the Nextel store but they never seemed to fix it...

My work at Aerva has been going well. I have so much programming work to finish, it's overwhelming. But I love programming, so I'm enjoying it. If only I didn't have so many other responsibilities to worry about. The house on Ware street still hasn't sold, despite being the cheapest 4 family house on the market in this area. I haven't even had anyone interested in taking a look at it! Hopefully the $5k I spent to renovate two of the units will help it sell more quickly.

The temperature for tomorrow is supposed to hit 115F in pockets around southern New England, a new record. All the heat is causing such a drain on the electric grid that New York City is taking measures to conserve electricity wherever it can. This kind of stuff is going to become the norm over the next 10 - 15 years. The extreme heat in the summer and stormy blizzard winters will increase. Ah, another reason for me to start putting money aside to buy a plow this winter.