After last week’s malware outbreak at Irreal I’ve been thinking about ways to prevent another episode. For those who haven’t been following along, someone managed to add a line of obfuscated PHP to the index.php file that gets things going when someone visits the Irreal blog. For the technically inclined, the details are in my Anatomy of an Exploit post.
The number one thing I’ve resolved to do is keep WordPress up to date. Although I can’t be sure, I suspect that the attacker gained access to index.php through a WP vulnerability so it makes sense to keep up with the latest patches. I’d been lax about that because irrational paranoia requires me to back up the database whenever I do an upgrade and that’s a bit of a pain with my setup. It’s not, however, nearly as big a pain as trying to get the site clean and convincing Google that they should stop flagging it as a malware purveyor.
One of the difficulties I had when scrubbing the site was looking for infected files. As it turns out, only index.php had been affected but I couldn’t be sure of that until I’d done a thorough survey of the site looking for the injector signature. To make that easy if I have occasion to do it again, I have a backup of the entire irreal.org site. Most of the files will be static so it should suffice to look for changed files. Most of those will be log files so checking only changed files should simplify things considerably.
There used to be a Linux utility that went through the file system and took an MD5 signature of each file so that you could check for corruption on a regular basis. Following that idea, I can periodically pull a snapshot of the site back to my local network, generate MD5 signatures on it and the my original backup, and diff the results to find files that need examination.
I thought of writing some Elisp to do this but that’s really overkill. All I really need to do is
【Ctrl+u Meta+!】 find -P . -type f -exec md5 {} \;
to get a list of all the files and their MD5 signatures into an Emacs buffer. Then I can compare this against the saved list using Ediff right from Emacs.
I’d be interested in any other idea that readers have to help me keep things secure. Irreal runs on a hosting service so I don’t have much control over site security other than using strong passwords and keeping WordPress up to date. If you’ve got any other ideas, please leave a comment.