Security firm Blue Coat recently discovered that storm.ca, the site of a Canadian internet services company, was being used to serve more than ten thousand scam pages. After Blue Coat reported the issue, the storm.ca team quickly cleaned up the compromise and shared the details as an object lesson for other site operators.
The scale of the issue is notable. Blue Coat Malware Lab architect Chris Larsen found that the compromised site would serve somewhere between ten thousand and ten billion of these pages, each reachable by its own page number. “Dozens of pages I tested between 1 and 10001 resolved, but page 9999999999 did not,” he explained in a blog.
Such hacks are all too common, given how widely WordPress is deployed as a content management system. “Even a well-run site can fall victim to hacks focusing on WordPress, which seems to have a lot of weak links -- at least, judging by the amount of compromised sites we see in our logs each day,” Larsen said.
In this case, the intrusion began when someone uploaded a PHP file manager script through a vulnerability in the "wp_mailinglist" plugin. Because the web server ran as the "nobody" user, that file manager let the attackers write files anywhere on the server that account had write access.
The uploaded code generated the spam pages on request rather than storing them as files. “This way, the attackers didn't need to literally load 10,000 or more junk pages onto the server -- that's the sort of thing that gets noticed!” Larsen said. “They could simply generate the pages as needed.”
The generated pages redirected visitors to what were presumably bogus online pharmacies, the kind that offer drugs like Viagra without a prescription.
Pharmacy scams, which, ironically, often advertise “discount” prescriptions from Canadian online drug stores, try to separate desperate consumers from their money on several fronts. Many offers selling medicines or drugs exist to harvest credit card details or to push damaging files (such as spyware and keyloggers) onto the visitor's computer. Some simply take the money and never deliver. In other cases a product is delivered but isn't the genuine article, and counterfeit medicines can even damage the victim's health.
As a guide for other sites, the storm.ca team shared its remediation (and ongoing maintenance) steps. It removed or disabled unused plugins, and changed its Apache configuration so the PHP engine does not run on any file under the wp-content/uploads tree; even if an attacker can still upload arbitrary files there, requesting them no longer executes them.
The team also removed write permissions from the wp-content tree and turned off allow_url_fopen and allow_url_include in php.ini. “It's convenient to allow WordPress to be able to self-update plugins, but not at the cost of having the whole directory tree forced to be writable by the server,” Larsen noted.
And the team recommended the common-sense step of upgrading WordPress and all plugins to their latest versions.
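The checks below are an added example, not storm.ca's or Blue Coat's code, and they turn the remediation steps above into something a site operator can run: look for PHP files already sitting in the uploads tree (the shape the dropped file manager took), confirm Apache refuses to execute PHP there, flag world-writable directories under wp-content, and confirm allow_url_fopen and allow_url_include are explicitly off. The `--fix` path applies the same hardening. It assumes Apache honours .htaccess under wp-content/uploads (AllowOverride enabled) and that the php.ini path you pass is the one Apache's PHP actually loads; the directory layout and file names used for testing are constructed.

```shell
#!/bin/sh
# Added example (not the project's code): audit a WordPress tree for the
# weak points named in the article, optionally applying the fixes.
# Assumptions: Apache reads .htaccess in wp-content/uploads; the php.ini
# given is the one the web server's PHP loads.
set -u

# 1. PHP files under wp-content/uploads: what a dropped file manager or
#    page generator looks like. Prints one path per line.
find_php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' -o -name '*.php[0-9]' \) \
    2>/dev/null
}

# 2. Is PHP execution blocked in uploads? Accepts the mod_php-only
#    "php_flag engine off" or a FilesMatch block that denies PHP files.
uploads_php_blocked() {
  ht="$1/wp-content/uploads/.htaccess"
  [ -f "$ht" ] && grep -Eiq \
    'php_flag[[:space:]]+engine[[:space:]]+off|Require[[:space:]]+all[[:space:]]+denied|Deny[[:space:]]+from[[:space:]]+all' \
    "$ht"
}

# 3. Directories under wp-content anyone can write to (mode-bit heuristic:
#    world-writable). Group-writable dirs owned by the server's group are
#    just as bad; check ownership separately.
world_writable_dirs() {
  find "$1/wp-content" -type d -perm -0002 2>/dev/null
}

# 4. allow_url_fopen / allow_url_include must be explicitly Off; a ';'
#    commented or missing line falls back to PHP's defaults.
php_ini_url_off() {
  for k in allow_url_fopen allow_url_include; do
    grep -Eiq "^[[:space:]]*$k[[:space:]]*=[[:space:]]*(off|0|false)[[:space:]]*$" "$1" || return 1
  done
}

# Run all four checks: one "FINDING" line each, non-zero status if any fire.
audit() {
  root=$1; ini=$2; bad=0
  hits=$(find_php_in_uploads "$root")
  if [ -n "$hits" ]; then echo "FINDING php-in-uploads: $hits"; bad=1; fi
  uploads_php_blocked "$root" || { echo "FINDING uploads-php-executable"; bad=1; }
  ww=$(world_writable_dirs "$root")
  if [ -n "$ww" ]; then echo "FINDING world-writable-dirs: $ww"; bad=1; fi
  php_ini_url_off "$ini" || { echo "FINDING allow_url_fopen/include-not-off"; bad=1; }
  return $bad
}

# Apply the storm.ca remediation: no PHP served from uploads, quarantine
# anything already there, strip world-write from wp-content, fix php.ini.
harden() {
  root=$1; ini=$2
  mkdir -p "$root/wp-content/uploads"
  cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
# Nothing in uploads may be served as PHP, whatever extension is used.
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
  Require all denied
</FilesMatch>
EOF
  # Quarantine rather than delete so the incident can still be investigated.
  mkdir -p "$root/.quarantine"
  find_php_in_uploads "$root" | while read -r f; do mv "$f" "$root/.quarantine/"; done
  find "$root/wp-content" -type d -perm -0002 -exec chmod o-w {} +
  for k in allow_url_fopen allow_url_include; do
    if grep -Eq "^[[:space:]]*$k[[:space:]]*=" "$ini"; then
      sed -E "s/^[[:space:]]*$k[[:space:]]*=.*/$k = Off/" "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
    else
      printf '%s = Off\n' "$k" >> "$ini"
    fi
  done
}

# Usage: sh wp_audit.sh /var/www/html /etc/php/apache2/php.ini [--fix]
if [ "$#" -ge 2 ]; then
  [ "${3:-}" = "--fix" ] && harden "$1" "$2"
  audit "$1" "$2"
fi
```

The .htaccess uses a FilesMatch deny rather than `php_flag engine off` because the latter only works under mod_php and makes Apache return a 500 for the whole directory when PHP runs under FPM instead. The audit is a starting point, not proof of a clean site: it says nothing about PHP dropped outside uploads, about the plugin hole itself, or about the page-generating code still being reachable through some other path, so it belongs beside the upgrade step, not in place of it.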
Site operators should take note. Pharmacy scams are tried and true, Larsen pointed out: Blue Coat's first internal blog post, more than five years ago, dealt with a hacked website (belonging to the government of Ghana) that was hosting links to, among other things, pharmaceutical sites. “However, the good old Viagra-SEO networks haven't gone away,” Larsen said.