RSS Feed!Click to Subscribe!

My website was hacked, infected sam.php, thumbs.db and index.php files found

Today I received an email from Dreamhost security bot, my host automatic scanner that checks for hacked sites in the server, the email contained the full URL path where an infected file had been found, and a template message with the steps that I should take to make sure my website is secure. The bot also changed permissions to the infected file so that it can no longer be used to harm others while waiting for the webmaster to clean the mess.

The security steps that the email points to are not specific, this is to be expected as no human was involved in this incident, the security scan is automatic, this saves lots of time and money to Dreamhost.

I am not going to complain about them as Dreamhost job is to make sure that the server can not be hacked and this was not a server problem, it is me, the webmaster, who made the sites vulnerable with the wrong file permissions or by not updating something.  In a cheap shared hosting environment like the one I have it is unreasonable for me to expect webhosting staff to manage my sites security for me.

I have been with other hosts and I know that it is the same everywhere and 99% of hacking incidents are webmasters fault, not the host. It is impossible for a hosting company to check software vulnerabilities for the thousands of dynamic sites they host. I am highlighting this because I often come across people in forums blaming the host for their incompetence, I don’t want to be one of those, I know it was my fault that the site was hacked and it is me who has to fix it, if anything, I am thankful that Dreamhost provides me with this free security scanning service.

Cleaning hacking incident

I have spent dozens of hours troubleshooting the incident and I hope this post will help others coming across the same modus operandi. Lets start by my set up.

1) My setup: A shared hosting account containing 1 WordPress blog and 7 HTML plain sites made up of 5 pages each, with no PHP or any other coding that could be exploited, other than the blog.

2) Dreamhost security bot found a file called index.php in one of my plain HTML sites, hidden in path: /home/wwwdream/wipingdata.com/banners/index.php

3) I download the index.php file and everything is encrypted with what looks like Base64 code, hackers often encrypt their code to make it harder to understand what it does.

4) I look at file stamps, the last time I uploaded that HTML site was 3 months ago, I see a few files have with timestamps of 1 month ago, this is because the hacker uploaded them there. Browsing I find another infected file, called sam.php inside another directory, this is easy for me to spot as my site is small and being only HTML, no .php file should exist. I find out with further research that SAM.php means Simple Asynchronous Messaging and it is used to send email. The sam.php file is small and it only contains one line:

echo date(“Y-m-d H:i:s”);

5) Looking at filestamps, I manage to locate another of my HTML sites infected in the same shared hosting account. Hackers are using the same method, a sam.php in the main directory and a hidden index.php placed inside a subdirectory where I keep HTML pages, this time the index.php is not encrypted.

I read it and see that the file contains code to inject PHP  in one of my HTML pages and use it to spam people or websites using my hosting account.

Using Notedpad ++ to open index.php this is the code injected above the <html> tag of my HTML page:

$db=@file_get_contents(‘../main-html-pages/Thumbs.db’) or exit(“Unable to read file ‘Thumbs.db’!”);
$keydb=@fopen(“../main-html-pages/Thumbsk.db”, “r”) or exit(“Unable to open file ‘Keys.db’!”);
while(!feof($keydb)) {
$keyitems[] = trim(fgets($keydb));
$script_url = ‘http://’.$_SERVER[‘HTTP_HOST’].$_SERVER[‘SCRIPT_NAME’];
$linkid = @$_GET[“id”];
header(‘Location: ‘.$script_url.’?id=1′);
header(‘Location: ‘.$script_url.’?id=1′);
header(‘Location: ‘.$script_url.’?id=1′);

6) I see that the code is using two files named Thumbs.db and Thumbsk.db, notice a small letter s differentiates those files. I locate both files in my server and they have the same filestamps as the infected index.php, I download the Thumbs.db and open it with Notepad++, ignoring a warning from Windows that these files are used by the operating system and I could damage my operating system if I open them.

The Thumbs.db files I open contain text with 500 paragraphs of Nike shoes advertising in Dutch, using the <p>, the Thumbsk.db I open contains 600 Nike shoes key words

7) Reading again the infected index.php file I found first, at the end of the page above the <body> tag I see javascript has been inserted:

<script type=”text/javascript”>//<![CDATA[

(function(){var d=encodeURIComponent,f=window,g=document,h=”documentElement”,k=”length”,l=”prototype”,m=”body”,p=”&”,s=”&ci=”,t=”,”,u=”?”,v=”Content-Type”,w=”Microsoft.XMLHTTP”,x=”Msxml2.XMLHTTP”,y=”POST”,z=”application/x-www-form-urlencoded”,A=”img”,B=”input”,C=”load”,D=”oh=”,E=”on”,F=”pagespeed_url_hash”,G=”url=”;f.pagespeed=f.pagespeed||{};var H=f.pagespeed,I=function(a,b,c){this.c=a;this.e=b;this.d=c;this.b=this.f();this.a={}};I[l].f=function(){return{height:f.innerHeight||g[h].clientHeight||g[m].clientHeight,width:f.innerWidth||g[h].clientWidth||g[m].clientWidth}};I[l].g=function(a){a=a.getBoundingClientRect();return{top:a.top+(void 0!==f.pageYOffset?f.pageYOffset:(g[h]||g[m].parentNode||g[m]).scrollTop),left:a.left+(void 0!==f.pageXOffset?f.pageXOffset:(g[h]||g[m].parentNode||g[m]).scrollLeft)}};I[l].h=function(a){if(0>=a.offsetWidth&&0>=a.offsetHeight)return!1;a=this.g(a);var b=a.top.toString()+t+a.left.toString();if(this.a.hasOwnProperty(b))return!1;this.a[b]=!0;return a.top<=this.b.height&&a.left<=this.b.width};I[l].i=function(a){var b;if(f.XMLHttpRequest)b=new XMLHttpRequest;else if(f.ActiveXObject)try{b=new ActiveXObject(x)}catch(c){try{b=new ActiveXObject(w)}catch(e){}}if(!b)return!1;b.open(y,this.c+(-1==this.c.indexOf(u)?u:p)+G+d(this.e));b.setRequestHeader(v,z);b.send(a);return!0};I[l].k=function(){for(var a=[A,B],b=[],c={},e=0;e<a[k];++e)for(var q=g.getElementsByTagName(a[e]),n=0;n<q[k];++n){var r=q[n].getAttribute(F);r&&(q[n].getBoundingClientRect&&this.h(q[n]))&&!(r in c)&&(b.push(r),c[r]=!0)}if(0!=b[k]){a=D+this.d;a+=s+d(b[0]);for(e=1;e<b[k];++e){c=t+d(b[e]);if(131072<a[k]+c[k])break;a+=c}H.criticalImagesBeaconData=a;this.i(a)}};H.j=function(a,b,c){if(a.addEventListener)a.addEventListener(b,c,!1);else if(a.attachEvent)a.attachEvent(E+b,c);else{var e=a[E+b];a[E+b]=function(){c.call(this);e&&e.call(this)}}};H.l=function(a,b,c){var e=new I(a,b,c);H.j(f,C,function(){f.setTimeout(function(){e.k()},0)})};H.criticalImagesBeaconInit=H.l;})();pagespeed.criticalImagesBeaconInit(‘/mod_pagespeed_beacon’,’http://www.wipingdata.com/main-html-pages/info-wiping.html’,’oB_Uu8iFmt’);

8) The code is infecting one of my wipingdata.com HTML pages, converting it to PHP and using it for spaming

9) Big surprise! I grab my back up from two months ago to restore the website, and I see the infected .php hacked files are there!

Conclusion of hacking incident

When the hackers broke into my site they waited over a month before doing anything with it. I know when they broke in by looking at the filestamps of the infected files.

hacking incident
hacking incident

I believe the hackers stood still on the hacked account doing nothing with it because they knew that the first thing a webmaster does after a hacking incident is to restore from back ups and few people keep back ups older than a month, the hackers plan is to be able to get again access to the server after the webbmaster has restored it with infected back ups, this is better than start sending spam the very same day they hack your server, the hackers guarantee that you will never be able to restore from a clean backup.

Top Advice against website hacking

I was lucky because I had a single WordPress blog hosted in this shared account, this made troubleshooting easy, if you have multiple WordPress blogs and you are hacked, it will be impossible for you to go through thousands of WordPress files and check that if they have been tampered with.

I have been in that situation before, I learned the hard way that having 20 blogs on a shared host it is madness, a single incident will ruin all of your work, there is no way you will be able to find out where the problem is, not to mention that updating everything is too time consuming to be able to do it on time.

I have been a webmaster for many years, this is not the first time my sites are hacked, if you trust experience, take my advice and never host a valuable website in a hosting account with multiple sites, if you have a valuable website, host it separately, you can do this buying second shared hosting account or buying a reseller hosting account where you can create many cPanels.

It is impossible to protect from hacking, no matter how good you are, all that is needed to break into your WordPress blog is a zero day vulnerability in one of the plugins you are using, they happen from time to time and thousands of websmasters get hacked through no fault of their own.

With every hacking incident I learn, these are my hard learned security measures right now:

  • Always keep old back ups for at least a year, one month old back ups are not good enough
  • Keep installed plugins and themes to the minimum, always download them from the official site
  • Never host multiple sites in a single shared host, get a reseller account and create multiple cPanels
  • Install Wordfence plugin in WordPress, use Keepass to store unique hard to remember passwords
  • Make sure WordPress is using salt for passwords, change the default table prefix, both things can be done in wp-config.php
  • Disable WordPress default admin user, post using a username with no administrator rights, this way the administrator username remains hidden
  • Learn about the .htaccess file and customize it to your needs



One Comment

Add a Comment

Your email address will not be published. Required fields are marked *