Conversation with a hacker – in the WordPress .htaccess file
Every once in a while WordPress sites get hacked.
It can happen for a number of reasons, but it is usually due to insecure themes or plugins: code that was poorly written, or code that has not been maintained or updated. The key point is to make sure that the themes and plugins you use are actually supported. I prefer paid plugins that are actively maintained.
I also make sure to keep incremental backups every 6 hours, plus daily, weekly and monthly backups, retained for up to 6 months.
Anyhow, for the last several months we have been dealing on and off with a link hacker. At times he has taken down a site and we have restored a backup. None of the scans showed the exploits he was using, and the logs did not provide the information we needed to identify him or the exploit. (This one was actually built into the theme a hosting client was using.)
Yesterday, during a routine check, I noticed that some link pages were up on this site again. So I made some changes to the files and killed them. A few minutes later they were back, and this went on for about 30-45 minutes until, to my surprise, the hacker started a conversation with me in the .htaccess file.
Curious, and not sure whether this was part of a more elaborate script, I decided to respond. And then the fun began.
I did this to bait him for two reasons: 1) I was trying to get him to open up and identify himself, which I knew was not likely, and 2) I was trying to get him to communicate enough that we could monitor the log files and figure out which IP(s) were his. We were actually able to find 5 different IPs that he was cycling through, trying to stay stealthy, all of them proxies of course.
#do not make me angry
#why?
#I do not want to harm your site, but if you do not calm down…
#I’m very calm and I like to play…
#I like you dude
#Then why are you fucking with my friends?
#you’re gay? lol
#tell my wife… my life might be easier.
#how old are you?
#I don’t understand?
#I’m 43 – how old are you? – This is actually kind of fun…
#I’m 32 – This is actually kind of fun for me too…
#:) I used to do what you do – but long before the internet.
#No, but doing it before the internet was impossible
#I started in 1981 with a Commodore 64 – right before you were born….
#I have to leave right now, I was very glad to talk with you…
#Do you have to go to work now? – Curious if the links pay well?
#this is my job – not bad
#cool – curious if I can hire you for some security work some time? I do this site for a friend so I don’t get paid to help them. But I have other paying clients.
#talk to you later, in an hour.
#OK
#I’m here
#I see…
#how much you earn per month?
#probably much less than you.
#my job is profitable but very nerve-racking, not all are such nice people as you…)
#Is it often that you engage people in the .htaccess file? Curious how often they write back…
#you are the only one who answered…)
#At first I was curious if it was part of a script – so when you answered back I figured why not? How long have you been in this line of work?
#4 years
#Cool… The proxy you are using has a reverse IP from Turkey. I’m in California. Figured you were in Turkey or France.
#if you have good websites they can earn good…
#so where do we go from here?
#in what sense?
#I don’t know. For my friends I need to secure their site. At the same time you may have some knowledge that could be valuable to me and others so I’m wondering if I could hire you from time to time to try to hack sites and let me know if they are easily exploitable.
#I myself did not break anything, I buy the compromised sites from others
#but if you have a server with good sites, then we could cooperate.
#I’d love to say yes and make more money but my friends would probably not want to do it. And the outbound links cost them SEO value as well.
#these actions do not harm the sites, and I have stamped links on these sites that are good for SEO.
#but they show up on site:[website].com and it makes them look like they are selling drugs
#only those who need drugs see it – and the site admin…)
#I can’t do it. Are you available to try to hack sites for a fee? Hey – are you Czech?
#I wrote that I did not hack sites, I buy from those who hack – No.
#Oh, I see. What kind of CPMs do you usually get? I do have some other sites
#they pay me a % of the purchases, if you have a good site you can earn $500-1000 a month
#OK you can email me at [email address] – but for this site I need to clean it up. I’m sorry man. I don’t own it and they don’t want the ads or spam emails sent. ;(
#do not do it.
#I have to… I’ve enjoyed chatting. Feel free to email me. I’m locking you out now. Goodbye.
After identifying his IP addresses we were able to crawl through the log files and see all of the files he touched, going back to March. We deleted all non-critical material and then proceeded with fresh installs of everything.
It has only been half a day since the event and we have seen him continue to attempt to infiltrate the site, but so far he has been unsuccessful. Even better, because we are monitoring his IPs we can watch everything he tries, so that we can test his methods against all of our client sites.
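The two steps described above, pulling the attacker's requests out of the web server logs once his IPs are known and then listing every file those IPs touched, are easy to script. The following is an added example written for this post, not the author's own tooling. It assumes Apache "combined" log format; the log lines, the 203.0.113.x attacker IPs and the paths in them are constructed for illustration. It also emits an Apache 2.4 .htaccess fragment that denies those IPs, which is the kind of "locking you out" mentioned at the end of the conversation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format (assumed; adjust if your host uses a custom LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines, not real traffic. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; theme name and paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2012:02:14:09 +0000] "GET /wp-content/themes/sometheme/functions.php?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Mar/2012:08:01:44 +0000] "GET / HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2012:02:14:31 +0000] "POST /wp-content/themes/sometheme/functions.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Apr/2012:11:02:03 +0000] "POST /wp-content/uploads/.cache.php HTTP/1.1" 200 33 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Apr/2012:11:03:10 +0000] "GET /.htaccess HTTP/1.1" 403 221 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Apr/2012:11:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Hypothetical set of attacker IPs, the ones you would have identified from the logs.
ATTACKER_IPS = {"203.0.113.7", "203.0.113.8", "203.0.113.9"}


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def attacker_activity(log_text, attacker_ips):
    """Return {ip: [(ts, method, path, status), ...]} for the given IPs only, sorted by time."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ip"] in attacker_ips:
            hits[rec["ip"]].append((rec["ts"], rec["method"], rec["path"], rec["status"]))
    for ip in hits:
        hits[ip].sort()
    return dict(hits)


def touched_files(activity):
    """Distinct paths (query string stripped) the attacker IPs requested, keyed to first-seen time,
    ordered oldest first so you can see how far back the activity goes."""
    first_seen = {}
    for recs in activity.values():
        for ts, _method, path, _status in recs:
            path = path.split("?", 1)[0]
            if path not in first_seen or ts < first_seen[path]:
                first_seen[path] = ts
    return dict(sorted(first_seen.items(), key=lambda kv: kv[1]))


def write_attempts(activity):
    """Requests that could have modified files: POSTs the server answered with 2xx."""
    return sorted(
        (ts, ip, path)
        for ip, recs in activity.items()
        for ts, method, path, status in recs
        if method == "POST" and 200 <= status < 300
    )


def htaccess_block(attacker_ips):
    """Apache 2.4 .htaccess fragment denying the listed IPs and allowing everyone else."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(attacker_ips)]
    lines.append("</RequireAll>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    activity = attacker_activity(SAMPLE_LOG, ATTACKER_IPS)
    for path, ts in touched_files(activity).items():
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {path}")
    for ts, ip, path in write_attempts(activity):
        print(f"POST from {ip} at {ts:%Y-%m-%d %H:%M:%S} -> {path}")
    print(htaccess_block(ATTACKER_IPS))
```

Two caveats for anyone doing this on a real host: the `Require` fragment only takes effect if the directory's `AllowOverride` permits it, and an attacker who can already write to .htaccess (as this one could) will simply remove the rule, so the IP block is a monitoring aid, not the fix; the fresh install and tightened file permissions are. And since the attacker cycled through proxies, treat the IP list as a starting point for the log search and expect it to grow.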