So this week I decided it would be a good time to upgrade some of my sites that were running WordPress 2.92. I was still running this old version on some sites because of a plugin compatibility issue that was finally fixed by the plugin author. Since I run about 30+ sites on the server, I wrote a script to automate the upgrade from one version of WordPress to another. The process is a little complex, and perhaps I will share it one day, but for now I will just get on with the problem I encountered.
Running a large number of sites comes with various challenges. The most difficult task I have when managing the dozen or so sites I run is making sure they are up and running.
I currently use a VPS, and luckily the VPS host I use has a very nice set of admin tools to help with monitoring server status. It has a watchdog to make sure the server is powered on. It also tracks CPU usage, disk I/O, and incoming and outgoing traffic. The system will send alerts to my phone if any of these go over a certain threshold that I set in the control panel.
In the wee morning hours another malicious piece of code found its way into several of my websites’ index.php files. This comes after being hacked once before due to a vulnerability in the PHPMyAdmin WordPress plugin.
As luck would have it, most of these injected iframe hacks tend to cause errors when displayed in the browser, and I usually check my sites at least once a day, either manually or through automated processes. So when I went to visit one of the sites that had been hacked, I got a malware alert (I use Chrome). Of course I investigated the issue and found some base64-encoded PHP in my root index.php file:
This is just a sample of what was in the file. I ran the code through a base64 decoder, and basically the code was an iframe pointing to a malicious site, which is why I got the malware alert.
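Below is an added example of how to turn that manual check into something repeatable. It is not code from the original post: it finds literal base64_decode() calls in PHP files, decodes the payload (undoing the gzinflate() layer that injected code often adds on top), and reports any iframe src hidden inside. The sample index.php contents, the malware.example.invalid hostname and the function names are all constructed for this example.

```python
from __future__ import annotations

import base64
import re
import zlib
from pathlib import Path

# A literal base64 blob handed straight to base64_decode(). Stock WordPress
# index.php never does this, so every match is worth decoding and reading.
_B64_CALL = re.compile(
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)", re.IGNORECASE
)
_IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)


def decode_payloads(php_source: str) -> list[str]:
    """Decode every literal base64_decode() argument found in php_source.

    If the call sits inside gzinflate(), the decoded bytes are a raw DEFLATE
    stream, so that layer is undone too. A blob that is not valid base64
    yields "" so the caller still sees that a suspicious call was present.
    """
    decoded = []
    for m in _B64_CALL.finditer(php_source):
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded.append("")
            continue
        # Look a little before the call for the gzinflate() wrapper.
        prefix = php_source[max(0, m.start() - 40):m.start()].lower()
        if "gzinflate" in prefix:
            try:
                raw = zlib.decompress(raw, -15)  # -15: raw DEFLATE, no zlib header
            except zlib.error:
                pass
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded


def find_injected_iframes(php_source: str) -> list[str]:
    """Return the src of every iframe found inside a decoded payload."""
    urls = []
    for text in decode_payloads(php_source):
        urls.extend(m.group(1) for m in _IFRAME_SRC.finditer(text))
    return urls


def scan_tree(root: str, pattern: str = "**/index.php") -> dict[str, list[str]]:
    """Walk a web root and map each file carrying an injected iframe to its URLs."""
    findings = {}
    for path in Path(root).glob(pattern):
        try:
            hits = find_injected_iframes(path.read_text(errors="replace"))
        except OSError:
            continue
        if hits:
            findings[str(path)] = hits
    return findings


# --- Constructed sample input (not taken from the original post) -------------
_PAYLOAD = ('<iframe src="http://malware.example.invalid/in.php" width="1" '
            'height="1" style="visibility:hidden"></iframe>')


def _raw_deflate(data: bytes) -> bytes:
    """Raw DEFLATE, the stream PHP's gzinflate() expects."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


_WP_HEAD = "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n"
CLEAN_INDEX_PHP = _WP_HEAD + "?>\n"
# eval(base64_decode('...')) appended to an otherwise stock index.php
INFECTED_INDEX_PHP = _WP_HEAD + "eval(base64_decode('%s'));\n?>\n" % (
    base64.b64encode(_PAYLOAD.encode()).decode())
# The same payload behind the gzinflate() layer injected code often adds
INFECTED_GZ_INDEX_PHP = _WP_HEAD + "eval(gzinflate(base64_decode('%s')));\n?>\n" % (
    base64.b64encode(_raw_deflate(_PAYLOAD.encode())).decode())

if __name__ == "__main__":
    for name, src in [("clean", CLEAN_INDEX_PHP), ("infected", INFECTED_INDEX_PHP),
                      ("infected+gzinflate", INFECTED_GZ_INDEX_PHP)]:
        print(name, find_injected_iframes(src))
```

Run scan_tree("/var/www") (or whatever your web root is) from cron and alert on a non-empty result; decoding the payload rather than just grepping for base64_decode is what lets you tell a real injection from a plugin that happens to use the function.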
If you are familiar with WordPress and the WordPress “loop”, then you know just how powerful it can be when it comes to controlling which posts you want to show or not show.
When I first started designing websites, I ran across many WordPress sites that showed ad banners after every other blog post, and I thought what a good way to maximize exposure for the ads you run on your site. Everyone is familiar with the normal ad positions: you’ve got the 300×250 top-right sidebar, the 728×90 top-of-the-page leaderboard, the 160×60 left sidebar, etc. No one ever really talks about what I feel is probably one of the best advertising spots you can have on a blog. It falls right in the reader’s field of vision when they read your blog posts.
I consider myself to be very knowledgeable when it comes to security. I have worked in the security field for about 10 years, but being hacked happens to the best of us.
My ordeal started early last week when I was awakened from my sleep by the sound of my phone texting me that my server was running out of memory. I usually get a text about 3 or 4 times a day, but that usually means the server’s traffic is spiking. That night it went off about 45 times, so I knew something was up.
For the past two years I have been developing a traffic trading script that I actually bought many years ago. At the time I needed something fast to set up a few sites where I would be trading traffic with other sites. The script needed a lot of new features, so over time I have integrated various changes to help with performance and usability. The one thing I always had problems with was that the script constantly logged traffic that was not human traffic.
One of the features I added was tracking hits that had no referrer. The problem with that was that it also allowed bot traffic to get logged. Bots usually don’t have a referring site, so the script was picking these up as valid hits and throwing off my no-referrer stats.
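As an added example (not the traffic script's own code, which the post does not show), here is one way to keep bots out of a no-referrer count: before a hit is logged, check the User-Agent for crawler and command-line fetcher signatures, treat a missing Accept-Language header as a sign of a scripted client, and flag any single address that bursts past a per-window threshold. The Hit record, its field names, the regex list, the threshold and the sample traffic (documentation-range addresses) are all assumptions made for this example, and the heuristics are exactly that: a bot that copies a browser's headers will still get through.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


# Hypothetical per-hit record: the request fields a hit-logging script can read
# before deciding whether to count the hit. Field names are this example's own.
@dataclass(frozen=True)
class Hit:
    ip: str
    user_agent: str
    referrer: str = ""          # "" when no Referer header was sent
    accept_language: str = ""   # "" when no Accept-Language header was sent


# Substrings that identify crawlers and command-line fetchers. Well-behaved bots
# announce themselves; this catches those, not one faking a browser UA.
_BOT_UA = re.compile(
    r"bot|crawl|spider|slurp|fetch|scan|curl|wget|python|java/|libwww|go-http",
    re.IGNORECASE,
)


def bot_reasons(hit: Hit, hits_from_ip: int, burst_threshold: int = 20) -> list[str]:
    """Return the reasons a hit looks automated; an empty list means count it."""
    reasons = []
    if not hit.user_agent:
        reasons.append("empty-ua")
    elif _BOT_UA.search(hit.user_agent):
        reasons.append("bot-ua")
    # Browsers always send Accept-Language; many scripted clients do not.
    if not hit.accept_language:
        reasons.append("no-accept-language")
    # One address hammering the page in a single window is not a reader.
    if hits_from_ip > burst_threshold:
        reasons.append("burst")
    return reasons


def tally(hits: list[Hit], burst_threshold: int = 20) -> Counter:
    """Split hits into bot / referred / no_referrer so bots never inflate the last bucket."""
    per_ip = Counter(h.ip for h in hits)
    counts: Counter = Counter()
    for h in hits:
        if bot_reasons(h, per_ip[h.ip], burst_threshold):
            counts["bot"] += 1
        elif h.referrer:
            counts["referred"] += 1
        else:
            counts["no_referrer"] += 1
    return counts


# --- Constructed sample traffic (documentation-range addresses, not real logs) --
_FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"
_CHROME = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
SAMPLE_HITS = [
    # a reader arriving from a trade partner
    Hit("203.0.113.5", _FIREFOX, referrer="http://partner.example/",
        accept_language="en-US,en;q=0.5"),
    # a reader who typed the address or used a bookmark: a genuine no-referrer hit
    Hit("203.0.113.6", _CHROME, accept_language="en-US"),
    # a search crawler: no referrer, announces itself in the UA
    Hit("198.51.100.1",
        "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
    # a command-line fetch: no referrer, no Accept-Language
    Hit("198.51.100.2", "curl/7.68.0"),
] + [
    # one address with browser headers but 25 hits in the window: burst
    Hit("192.0.2.9", _CHROME, accept_language="en-GB") for _ in range(25)
]

if __name__ == "__main__":
    print(tally(SAMPLE_HITS))  # Counter({'bot': 27, 'referred': 1, 'no_referrer': 1})
```

The point of returning reasons rather than a bare boolean is that you can log why a hit was discarded and tune the rules against your own traffic; the burst rule in particular needs a window that matches how often the tally runs.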