

Details on the Network Solutions / Wordpress mass hack - How it happened - fseek
http://blog.sucuri.net/2010/04/details-on-network-solutions-wordpress.html

======
jbm
Out of curiosity, how could one program something to access the DB without
storing the password somewhere on the server? That seems to be the main
weakness they are discussing, but it doesn't seem to be easy to store the
password on the server without a trivial way to exploit it.

~~~
russell
You could store an encrypted password with the key hard coded. This is a
little better, because it makes it more difficult for a disgruntled employee
to walk off with the database password. Saving the key in a text file is
little better than saving the password in plaintext. Saving credentials on a
server that can be accessed only on the internal net is better than saving
them on a public facing server. The problem is that these solutions are not
typically available from your cheap hosting service.

~~~
jbm
I had originally considered the encrypted / hardcoded password, but wouldn't
one simply need to grab the decryption code with the same hack (files set to
0777) and have access?

Not trying to be flippant, it just doesn't strike me as easy to do.

A determined attacker with read-write access to the server is going to be able
to do whatever they want, whether or not we encrypt the PW. The only thing
that could reduce the damage level would be to avoid code monoculture; the
only reason someone was determined enough to do so in this case was because
there were thousands of blogs hosted on that shared host, all of which share
the exact same vulnerabilities.

------
charliesome
Awesome, this never occurred to me. Even though it was a very simple hack,
you've got to applaud the hackers for thinking outside the box in the first
place and going "Hrmm... I wonder if anyone has left their WordPress config as
755? And how can I use that to my advantage?"

------
sucuri2
The attack was very simple: it basically scanned all sites hosted there for
wp-config.php with the wrong permissions. If it found one, it got the db
information and modified it.
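
A permission audit a hosting admin could run over their own docroot to catch the
condition this comment describes, added here as an example and not part of the
thread or of Sucuri's code. It assumes one site per subdirectory and that 0600
(owner only) is the safe mode; the three-site directory layout is constructed.

```python
import os
import stat
import tempfile

# Permission bits that let accounts other than the file owner read or write
# the file. On a shared host every other customer's PHP runs under a different
# uid, so any of these set on wp-config.php hands them the DB credentials.
EXPOSED_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH

def audit_wp_configs(root, fix=False, safe_mode=0o600):
    """Walk the docroot under `root` and return [(path, mode)] for every
    wp-config.php whose mode exposes it to group or world.
    With fix=True each finding is chmod'ed to `safe_mode` (0600 = owner only;
    use 0640 where the web server runs as the owner's group, not its uid).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):   # os.walk does not follow symlinks
        if "wp-config.php" not in files:
            continue
        path = os.path.join(dirpath, "wp-config.php")
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode & EXPOSED_BITS:
            findings.append((path, mode))
            if fix:
                os.chmod(path, safe_mode)
    return findings

def current_mode(path):
    """Permission bits of `path` as an int, e.g. 0o600."""
    return stat.S_IMODE(os.lstat(path).st_mode)

def make_sample_docroot():
    """Constructed fixture (hypothetical layout): three sites, two of them
    with the kind of wp-config.php permissions the attack relied on."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for site, mode in (("blog1", 0o777), ("blog2", 0o755), ("blog3", 0o600)):
        os.makedirs(os.path.join(root, site))
        cfg = os.path.join(root, site, "wp-config.php")
        with open(cfg, "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'example-only'); ?>\n")
        os.chmod(cfg, mode)
    return root

if __name__ == "__main__":
    docroot = make_sample_docroot()
    for path, mode in audit_wp_configs(docroot):
        print("exposed: %s (mode %o)" % (path, mode))
    fixed = audit_wp_configs(docroot, fix=True)
    print("fixed %d file(s); remaining: %s" % (len(fixed), audit_wp_configs(docroot)))
```

Run it as root (or as each customer's uid) from cron so a config that drifts back to 0777 after an install or an FTP upload is caught before it is read by another account.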

------
dale-cooper
Why weren't their users chrooted to their own directory?

