
Bees? Viagra? Whaa?

Jacob Baker ・ 2 min read

Peanut butter and jam, WordPress and hacks, some things just go together.

The Google entry was legit. The domain was correct, SEO matched, nothing suggested that it had been manipulated from that end. Problem was when you clicked the result expecting to see a friendly neighbourhood beekeeping website you were instead sent to a website that sold viagra.

So the investigation began.

First things first: check to see if the WordPress installation is up to date. As is the case with most WordPress installations… Was it?

Nope.

One of the things about WordPress being so popular is that hacks against it are actively sought after. Mix this with the platform being accessible to a wide range of technical ability levels, and with plugins often causing issues when updating, and you can understand why so many websites are left vulnerable.

In this case, once the directory listing was examined, it was clear the attacker had used an old vulnerability in the XML-RPC interface to upload or modify arbitrary files on the server.


The hack worked by adding additional rules to the .htaccess file in the WordPress directory that captured any traffic arriving from a search engine. That traffic was redirected to a custom PHP file the attacker had uploaded, rather than the usual index.php, which then sent the visitor on to the malicious site.

The modified .htaccess rules:

RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ fours-booby.php?$1 [L]

Removing these, cleaning out the dodgy php files, and updating WordPress has for the time being solved this issue.

It’s an interesting attack because the site owner is unlikely to follow the Google search result for their own website, meaning it may be around for a while before being detected. In this case a couple of months.

There are a number of variations on this particular attack that use more specific rules in the .htaccess to further reduce the possibility of detection, such as only redirecting when an html or xml file is requested. Some versions of the attack even go as far as adding rules to skip the redirection based on the user's IP address.
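Because the attacker's rules always condition on the search-engine user agent or referer and point the RewriteRule at something other than index.php, the pattern is easy to pick out of a .htaccess file mechanically. The scanner below is an added example, not code from the original post: it walks RewriteCond/RewriteRule chains, flags the chain from the post, and also recognises the two variations mentioned (html/xml-only redirects and IP exclusions). The sample .htaccess text, the variant rule set and the file name cloak-example.php are constructed for the demonstration.

```python
import re

# Added example, not code from the original post: flag .htaccess RewriteCond/RewriteRule
# chains that single out search-engine traffic and send it somewhere other than index.php.
ENGINES = re.compile(r"google|yahoo|msn|aol|bing", re.IGNORECASE)
COND_RE = re.compile(r"^RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.IGNORECASE)
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.IGNORECASE)
CLOAK_VARS = ("%{HTTP_USER_AGENT}", "%{HTTP_REFERER}")
LEGIT_TARGETS = {"index.php", "/index.php", "-"}  # stock WordPress front controller / no-op


def scan_htaccess(text):
    """Return one finding per RewriteRule whose preceding RewriteCond lines match
    search-engine user agents or referers and whose target is not the normal
    WordPress index.php. Apache applies RewriteCond lines only to the next
    RewriteRule, so the pending conditions are reset after every rule."""
    findings = []
    conds = []  # RewriteCond lines seen since the last RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = COND_RE.match(line)
        if m:
            conds.append((lineno, m.group(1).upper(), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target = m.group(2).split("?", 1)[0]  # drop the "?$1" query-string passthrough
        engine_conds = [c for c in conds if c[1] in CLOAK_VARS and ENGINES.search(c[2])]
        if engine_conds and target not in LEGIT_TARGETS:
            reasons = ["search-engine traffic matched on %s (line %d)" % (c[1], c[0])
                       for c in engine_conds]
            # Variations from the post: redirect only html/xml requests, skip certain IPs
            for c in conds:
                if c[1] == "%{REQUEST_URI}" and re.search(r"html|xml", c[2], re.IGNORECASE):
                    reasons.append("redirect limited to html/xml requests (line %d)" % c[0])
                if c[1] == "%{REMOTE_ADDR}" and c[2].startswith("!"):
                    reasons.append("IP address excluded from redirect (line %d)" % c[0])
            findings.append({"line": lineno, "target": target, "reasons": reasons})
        conds = []  # a RewriteRule consumes the conditions that precede it
    return findings


# Constructed sample: the stock WordPress block followed by the rules from the post
SAMPLE = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ fours-booby.php?$1 [L]
"""

# Constructed variant: IP exclusion (TEST-NET range) plus html/xml-only redirect;
# cloak-example.php is a placeholder name, not a file from the incident
SAMPLE_VARIANT = r"""RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.
RewriteCond %{REQUEST_URI} \.(html|xml)$
RewriteCond %{HTTP_REFERER} (google|bing)
RewriteRule ^(.*)$ cloak-example.php [L]
"""

if __name__ == "__main__":
    for label, text in (("post", SAMPLE), ("variant", SAMPLE_VARIANT)):
        for f in scan_htaccess(text):
            print("%s: RewriteRule on line %d -> %s" % (label, f["line"], f["target"]))
            for r in f["reasons"]:
                print("    " + r)
```

Run it against the real file with `scan_htaccess(open("/path/to/.htaccess").read())`; the stock WordPress block produces no findings, so anything reported deserves a look. Matching on the engine names in the condition pattern rather than on a fixed target file name is deliberate: the uploaded PHP file is renamed from one compromise to the next, but the cloaking condition has to name the crawlers it wants to fool.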

As this has shown, it is so important to keep WordPress up to date to make sure you have the latest security patches. Attackers will, and actively do, use bots to scan websites indiscriminately looking for common vulnerabilities.

Discussion

Antony Garand

Cleaning the hack itself is frequently not enough, as hackers will insert backdoors on the website to keep compromising it.

A full integrity check as well as file monitoring should be done to ensure it's fully clean and won't be reinfected later!
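A minimal version of the integrity check and file monitoring suggested in the comment above, as an added example that is not part of the original post or of WordPress itself: take a SHA-256 baseline of the web root while it is known clean, store it outside the web root, and diff against it on a schedule. The `demo()` function builds a constructed directory tree and replays the post's scenario (a rewritten .htaccess plus an unexpected PHP file); the file names in it are placeholders.

```python
import hashlib
import json
import os
import tempfile

# Added example, not code from the original post or from WordPress: a hash-based
# integrity baseline and diff of the kind a scheduled file-monitoring check would run.


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def diff_manifests(baseline, current):
    """Files added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def suspicious_changes(diff):
    """Changes that warrant a human look: any new or altered PHP file or .htaccess."""
    return sorted(p for p in diff["added"] + diff["modified"]
                  if p.endswith(".php") or os.path.basename(p) == ".htaccess")


def _write(root, rel, content):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)


def demo():
    """Constructed scenario: baseline a small tree, then simulate the post's compromise."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, ".htaccess", "RewriteEngine On\n")
        _write(root, "index.php", "<?php // front controller stand-in\n")
        _write(root, "wp-content/uploads/photo.jpg", "constructed image bytes")
        # Keep the baseline outside the web root so it is not itself hashed or served
        baseline_file = os.path.join(store, "baseline.json")
        save_manifest(build_manifest(root), baseline_file)
        # Later: .htaccess gains a rewrite and an unexpected PHP file appears
        _write(root, ".htaccess", "RewriteEngine On\nRewriteRule ^(.*)$ dropped.php?$1 [L]\n")
        _write(root, "dropped.php", "<?php // constructed stand-in for an uploaded file\n")
        diff = diff_manifests(load_manifest(baseline_file), build_manifest(root))
        return diff, suspicious_changes(diff)


if __name__ == "__main__":
    changes, flagged = demo()
    print("diff:", changes)
    print("review:", flagged)
```

In practice the baseline is taken right after a fresh install or a verified clean-up, re-saved after every legitimate update, and the diff is run from cron; any PHP file appearing under wp-content/uploads or any change to .htaccess between updates is exactly the backdoor signal the comment warns about.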