SwiftHack 1.0: how was realclimate.org breached?
Unrelated update: Argh! LiveJournal messes up the timestamps on my past posts when I try to update them with new information. I may need to seek out a saner blog host for the new year -- perhaps I'll move back to
Recall that, regarding the cyber-attack on the RealClimate blog in Nov 2009, RealClimate's Gavin Schmidt said,
[... the attackers] must have hacked both [the WordPress backend mySQL database and the SSH account], though the actual entry point is obscure.
When I brought this up this Thursday (the 29th) at Deep Climate, commenter dhogaza opined,
There was an openssh exploit documented in 2009 which had been around awhile, it's possible the system was just cracked. Once entry was made there are all sorts of ways they might've gotten into mysql, none difficult.
That may be so, but there are many other potential ways to crack into the RealClimate blog and the WebFaction server hosting it -- and the real question is which particular entry point was actually used.
My current guess is that the SwiftHackers entered RealClimate via a bug in the WordPress blog engine used when the attack occurred (circa 16--17 Nov 2009). From the Wayback Archives, RealClimate was using WordPress 2.8.1 on 14 Nov 2009, while it had upgraded to 2.8.6 by 4 Dec 2009. If I'm correct, then most probably the SwiftHackers exploited a bug present in WordPress 2.8.1 but fixed in 2.8.6.
Meanwhile, I just saw that the server is running OpenSSH 4.3:
$ nc 18.104.22.168 ssh
Now 4.3 is quite an old version of OpenSSH (2006). If an exploit of OpenSSH was used to gain entry into RealClimate, this won't exactly explain why the WebFaction webmaster didn't upgrade to a more recent version.
Ultimately though, without more concrete information, it's hard for someone in my position to really prove or disprove if any vulnerability was the actual entry point. So I guess it's time to seek out that concrete information...