You are viewing ijish

SwiftHack 1.0: how was realclimate.org breached?

Unrelated update: Argh! LiveJournal messes up the timestamps on my past posts when I try to update them with new information. I may need to seek out a saner blog host for the new year -- perhaps I'll move back to wordpress.com.

Recall that, regarding the cyber-attack on the RealClimate blog in Nov 2009, RealClimate's Gavin Schmidt said,

[... the attackers] must have hacked both [the WordPress backend mySQL database and the SSH account], though the actual entry point is obscure.

When I brought this up this Thursday (the 29th) at Deep Climate, commenter dhogaza opined,

There was an openssh exploit documented in 2009 which had been around awhile, it's possible the system was just cracked. Once entry was made there are all sorts of ways they might've gotten into mysql, none difficult.

That may be so, but there are many other potential ways to crack into the RealClimate blog and the WebFaction server hosting it -- and the real question is which particular entry point was actually used.

My current guess is that the SwiftHackers entered RealClimate via a bug in the WordPress blog engine used when the attack occurred (circa 16--17 Nov 2009). From the Wayback Archives, RealClimate was using WordPress 2.8.1 on 14 Nov 2009, while it had upgraded to 2.8.6 by 4 Dec 2009. If I'm correct, then most probably the SwiftHackers exploited a bug present in WordPress 2.8.1 but fixed in 2.8.6.

Meanwhile, I just saw that the server is running OpenSSH 4.3:

$ nc 174.133.50.216 ssh
SSH-2.0-OpenSSH_4.3

Now 4.3 is quite an old version of OpenSSH (2006). If an exploit of OpenSSH was used to gain entry into RealClimate, this won't exactly explain why the WebFaction webmaster didn't upgrade to a more recent version.

Ultimately though, without more concrete information, it's hard for someone in my position to really prove or disprove if any vulnerability was the actual entry point. So I guess it's time to seek out that concrete information...

Comments

Posted by: ((Anonymous))
Posted at: January 1st, 2012 10:07 pm (UTC)

Frank, your continuing analysis is interesting and informative.

Couple of things I've noticed wrt Realclimate.org-

There are 11 publicly identified Realclimate contributors with registered user-names (and presumably, each has a unique password). Also there is a somewhat ubiquitous user named "group". Who is "group"? Can we assume that group is a collective of all contributors with common permissions? I.E., all group members access group with the same password, can post articles, edit comments, upload files, and request a password change for group via their email address?

From what I understand the Wordpress roles and capabilities plug-in http://codex.wordpress.org/Roles_and_Capabilities had/has a serious bug related to users w/ group permissions. I high level user could edit a group post which would inadvertently raise permissions for ALL users.

Do you think the hacker could have gained access simply by having the password to "group"?

Posted by: Decoding SwiftHack (ijish)
Posted at: January 3rd, 2012 12:59 pm (UTC)

My guess is that the access won't be enough, unless the "group" account itself already has administrative privileges in the first place (and even then). But I think I need to learn more about the WordPress system -- especially the 2.8.1 version -- before I can say something more definitive.

-- frank

Posted by: Decoding SwiftHack (ijish)
Posted at: January 3rd, 2012 03:47 pm (UTC)

Also, thanks!   -- frank

3 Read Comments