That headline is lousy for Googlization, but it got your attention, didn’t it?
First, Russell Shaw unearthed an ugly little bug in WordPress that permits malware mechanics to hijack certain features of a weblog. If that sounds vague, you bet it is. I’m not going to tell you what happens, where, or how. It is sufficient to say that the exploit is possible in any currently-running hosted version of WordPress. Why did we get hit? Despite the scare stories in the newspapers, malware is almost always devoted to some kind of quasi-legitimate commerce. Basically, the bug that bit us was trying to use our hosting and our traffic to conduct its business at our expense.
Not cool.
The exploit is recurrent. I can kill any particular instance of it, but since the trapdoor is in WordPress, the only way to keep this little mosquito from coming back is to keep slapping it dead — with the only alternative being to kill WordPress entirely.
Enter cron, the Unix utility that will run any Unix process on the schedule you set. With luck, this exploit will be fixed in WordPress 2.5, which is due to be released shortly. In the meantime, once a minute we’re swatting that mosquito, leaving not so much as a bloodstain. Most of the time, it’s not there, of course. When it is, it has 59 or fewer seconds to suck our blood before it dies again.
That much was easy, but I’ve had plenty of time to watch this little critter in action, and in consequence I’ve learned a ton about malware theory, as it were. So once every 15 minutes, cron is running a different job that combs our whole file server looking for suspicious files. And if anything else pops up, I already know how to kill it and keep on killing it.
All of which leads me to say: I love the Apache web-server technology. Where else can you drop a ton of Acme DDT onto one little mosquito once a minute — like Wile E. Coyote at his most frenzied — without even breaking a sweat?
Alright, that’s the first thing. Here’s