Details on the Network Solutions / Wordpress mass hack - How it happened (opens in new tab)

(blog.sucuri.net)

13 pointsfseek16y ago6 comments

6 comments

6 comments · 4 top-level

jbm16y ago· 2 in thread

Out of curiosity, how could one program something to access the DB without storing the password somewhere on the server? That seems to be the main weakness they are discussing, but it doesn't seem to be easy to store the password on the server without a trivial way to exploit it.

russell16y ago

You could store an encrypted password with the key hard coded. This is a little better, because it makes it more difficult for a disgruntled employee to walk off with the database password. Saving the key in a text file is little better than saving the password in plaintext. Saving credentials on a server that can be accessed only on the internal net is better than saving them on a public facing server. The problem is that these solutions are not typically available from your cheap hosting service.

jbm16y ago

I had originally considered the encrypted / hardcoded password, but wouldn't one simply need to grab the decryption code with the same hack (files set to 0777) and have access?

Not trying to be flippant, it just doesn't strike me as easy to do.

A determined attacker with read-write access to the server is going to be able to do whatever they want, whether or not we encrypt the PW. The only thing that could reduce the damage level would be to avoid code monoculture; the only reason someone was determined enough to do so in this case was because there were thousands of blogs hosted on that shared host, all of which share the exact same vulnerabilities.

charliesome16y ago

Awesome, this never occurred to me. Even though it was a very simply hack, you've got to applaud the hackers for thinking outside the box in the first place and going "Hrmm... I wonder if anyone has left their wordpress config as 755? And how can I use that to my advantage?"

sucuri216y ago

The attack was very simple, basically scanned all sites hosted there for wp-config.php with the wrong permissions. If it found, got the db information and modified it.

dale-cooper16y ago

Why weren't their users chrooted to their own directory?

j / k navigate · click thread line to collapse