Less than 24 hours after the last web site defacement, TechCrunch was defaced again early this morning by the same cracker(s) responsible for yesterday’s attack. Whatever preventative measures were taken yesterday (WordPress upgrade, HTTP authentication for wp-admin) have not blocked the attacker’s access to modify TechCrunch’s content, as this morning the attacker left a profane message on top of the homepage for Michael Arrington as well as a few media outlets like Yahoo and the BBC. At this point TechCrunch should perhaps be ensuring that there is no uploaded shell on the server the site is hosted on.
The message on the homepage above the content reads as follows:
“So Arrington, how much did all the media coverage yesterday brought you in trough the welcome.html ad you forced people to? What a fucking retarded move was that you twat. You should be thanking me and sucking on my fucking ballsack for not deleting everyone on the box and publishing the mysql, if that’s what you want O.K, I can do that. Also, you fucking dickwads from sites like Yahoo!, BBC and plenty more, where the FUCK do you see adult content on http://dupedb.com/ ???????? I mean honestly, are you fucktards also in just for the money?!?!?!”
The message is an apparent protest of TechCrunch’s decision to have the site lead in with a web advertisement before showing the homepage, and an objection to the characterization of the DupeDB.com web site as an adult content web site. The second objection is not totally without merit: the site is clearly a warez site with software, music, movies, and pornography, not a pornographic web site, which brings up other connotations. That’s not to suggest one is any better or worse than the other, just that “warez site” (underground distribution of pirated content) is a more apt description.
The message again references DupeDB.com (126.96.36.199), which is hosted in Roubaix, France by ISP Ovh Systems.
The Same Attackers?
It’s just a reasonable guess, but the fact that the defacement now clearly references the first attack, and also questions why coverage of the attack describes DupeDB.com as an adult content web site, would indicate that the purveyor of this site hosted in France is taking responsibility for the defacements.
There is a rumor based on details of an attack on another site around the same time as TechCrunch, shoemoney.com, where HTML was injected (a meta redirect tag) that caused the site to redirect visitors to “a torrent web site” which has not been specified. In that case a problem occurred with the xmlrpc.php on the WordPress installation (a function allowing for remote publishing). This file has been the subject of other security issues (unauthorized access, SQL injection) in the past.
But there is a key difference. Back in September, a privilege escalation bug was found using the xmlrpc.php file, but it required that a user register with the WordPress installation first. This is possible on shoemoney.com, but TechCrunch has user registrations in WordPress disabled. It could still be a totally new defect with xmlrpc.php, but the most recent defect we saw that’s out there (September time frame) would likely not have worked on TechCrunch.
A mechanism some attackers use when they have gained access to a web site’s administrative console, or access to a server, is to drop a web shell or backdoor so that they can gain access at a future date. It’s a somewhat common method to deface a web site by uploading a shell, for example a php shell (although there are many types), that then allows you to modify files, execute commands on the server, grab the database, and so forth.
While it is not a perfect example (and you probably want to kill the sound if you don’t speak Spanish), the video below from YouTube demonstrates an attacker having gained access to the WordPress administrative console (an older version, but the point holds), proceeding to the Appearance-Editor screen, and replacing an existing page in the site with the N3tShell (a larger screenshot of the shell is shown after the video). Once this php shell is installed, the attacker can browse the file system on the server, execute commands, and so forth through the shell depending on the file permissions.
Credit darkfuneral89, this is not a Praetorian video
It is important to note here that we are not saying that this is what happened, only that, taking into account the attacker’s repeat access, the fact that this is a favored method for defacement, and the attacker’s statement that he has access to the MySQL database, this or something similar is a possibility. Other possibilities include the attacker having only WordPress access and lying about any further access, that he has access to the server at RackSpace, and so forth. We won’t know much more until TechCrunch is more forthcoming with details about the two attacks.
Obviously updating the WordPress version of TechCrunch.com and implementing web server authentication on the wp-admin page did not do the trick of keeping this cracker out. Actually, while it’s providing an HTTP authentication login dialog, login attempts to the TechCrunch WordPress login screen are still possible after canceling through the web server authentication dialogue (login box).
At this point if TechCrunch did the responsible thing yesterday and changed all the passwords of the user accounts on the box hosted by RackSpace as well as the WordPress application login credentials, they should potentially be looking for some sort of uploaded shell, because clearly the attacker is able to gain access at will. If they haven’t changed the access credentials, that might be a good first step. Another good first step would be looking for an admin account that doesn’t quite belong in WordPress.
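One way to run the shell hunt suggested above, as an added example (not TechCrunch’s code or the author’s): a Python triage pass over a WordPress document root that flags PHP files under wp-content/uploads, PHP files modified since a known-good baseline time, and a few heuristic web-shell indicators. The indicator patterns, the reason labels and the sample tree with its file names are assumptions constructed for illustration.

```python
import os
import re
import tempfile
import time
# Heuristic indicators only: hits are leads for manual review, not verdicts.
INDICATORS = {
    "eval-of-decoded-data": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "exec-on-request-input": re.compile(rb"(eval|assert|system|passthru|shell_exec|popen|proc_open)\s*\([^)]*\$_(GET|POST|REQUEST|COOKIE)", re.I),
}
PHP_EXT = (".php", ".phtml", ".php5", ".inc")

def triage(root, changed_since=None):
    """Return sorted (relative_path, [reasons]) pairs for files worth a manual look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = ["php-in-uploads"] if rel.startswith("wp-content/uploads/") else []
            if changed_since is not None and os.path.getmtime(path) >= changed_since:
                reasons.append("modified-since-baseline")
            with open(path, "rb") as fh:
                data = fh.read()
            reasons += [label for label, rx in INDICATORS.items() if rx.search(data)]
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample tree; the base64 string in 404.php decodes to the inert 'echo 1;'."""
    old = time.time() - 86400  # one day ago, i.e. before the baseline used below
    samples = {
        "wp-content/themes/default/index.php": (b"<?php get_header(); ?>", old),
        "wp-content/themes/default/404.php": (b'<?php eval(base64_decode("ZWNobyAxOw==")); ?>', time.time()),
        "wp-content/uploads/2010/01/img.php": (b"<?php echo 'placeholder'; ?>", old),
    }
    for rel, (body, mtime) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        print(triage(root, changed_since=time.time() - 3600))
```

Modification times can be reset by anyone with write access, so an empty result for the baseline check is weaker evidence than a comparison against a clean copy of the same WordPress release.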
Of note is that the attacker threatens to “delete everyone on the box” and publish the backend MySQL database, perhaps giving us a clue into his level of access into TechCrunch. Yesterday we speculated that it was the WordPress platform that was somehow compromised because of the application’s history of security problems and the quick WordPress upgrade TechCrunch appeared to perform (visible by viewing the version numbers shown on the Readme.html file that TechCrunch should be deleting after the install). This may still be the case, but the attacker seems to be stating he has gained access beyond the WordPress application by talking about the database. This access could still have gone through WordPress of course, via uploading a shell of some sort. If true, and it’s reasonably plausible given his continued access to TechCrunch, this rules out his having simply accessed the WordPress administrative portal and only modifying content.
We look forward to reading TechCrunch’s full analysis of what’s happening to their blog.