Hacking – How was my Twitter account hacked?

On Saturday 06.08 I received an email of Twitter saying that my account was maybe hacked by someone. The content of email starts as below

Twitter believes that your account may have been compromised by a website or service
not associated with Twitter. We’ve reset your password to prevent others from
accessing your account….

I think that is again a spam trying to get my Twitter password. As usual I’ll delete it immediately but fortunately I look at the sender of the email and I’m pretty nervous because it’s real Twitter

From:  	"Twitter" <resetpwnotice-ebatpunhn=ebatpunhn.arg-def3a@postmaster.twitter.com>;

That means someone has really stolen the password of my Twitter and accessed it from his IP address which is completely different from my usual IP. Therefore Twitter blocked my account at once and sent me an email to warn me for an attacking. After reading this email, I disconnect my internet connection right away and start to investigate this case: How did I lose my Twitter account?
Let’s think. The password will be surely hashed in database of Twitter. The login site is also encrypted with SSL which means password will never be sent in clear text over internet. Then where did he get my clear-text password? It’s really awesome and I must find out where on Internet I have saved my password in clear text or am I hacked locally?

1. Trojan scan
– Most of cases of losing password are because a silent Trojan was installed on our computers. He captures silently our keyboard and sends his report to hacker when we connect to internet. Therefore after I disconnected my computer, I use Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653) to see if a harmful process is running on my computer. After 30 minutes of running through each process, verify them, I found nothing. Ok, may be the Trojan is in silent mode when I am out of Internet.
– Next step, I turn off all of my online services like AntiVirus, DropBox, YahooMessenger,… run SmartSniff (http://www.nirsoft.net/utils/smsniff.html) to sniff all network activities and turn on my Internet again (You can use WireShark or anything else depending on your flavor). Turn off all online services will keep the report cleaner, shorter,and easier to investigate. After about one hour of sniffing continuously, I disconnect the Internet again and start to investigate the report. It’s really hard work, but I can see what were sent out from my computer. Another hour passed by and I can be sure that my computer is clean of a “normal” Trojan.
– Now, my computer is clean. I can’t lose the password from my computer. It must be somewhere on Internet where I have saved my password in clear text.

2. Password on internet
– I use a password service to store all of my passwords online so that I don’t have to remember too many passwords and keep me away from key logger because I never enter a password through keyboard. I must only remember a master password and enter it through screen keyboard. So I go to the homepage of my password service to see if there is any announcement of being hacked. But whether the password service is hacked or not, my passwords will be safe because they are all hashed. What the hacker got are all hashed strings which take hundred years to decrypt them into clear text. Therefore I can disclose this case.
– The websites I visited are all forums and the password will be stored in hash form. It can be that one of them stores password in clear text but the possibility is low.
– The last possibility is my website was got hacked because I am using WordPress which stores in his wp-config.php a password to database. This password I use for Twitter account too. But how can hackers get access to my wp-config.php file? Fortunately, I didn’t have to spend many hours to check my log files to find out what’s going wrong with my websites because I receive then a comment with a tip to security vulnerability at this post

http://hintdesk.com/html5-audio-tag-cross-domain/

<?php
// Set your return content type
header('Content-type: audio/ogg,mp3');

// Website url to open
$daurl = $_GET['url'];

// Get that website's content
$handle = fopen($daurl, &quot;r&quot;);

// If there is something, read and return
if ($handle) {
    while (!feof($handle)) {
        $buffer = fgets($handle, 4096);
        echo $buffer;
    }
    fclose($handle);
}
?>;

<?php
header('Content-type: application/xml');
// Website url to open
$daurl = $_GET['url'];
echo file_get_contents($daurl);
?>;

– At the beginning I don’t know why this code opens a back door to my local web files. I’m not a hacker (or the truth is I don’t want to be a hacker anymore) and I am at work. What I can do is
+ renaming this file to .txt (so that I can investigate later)
+ changing passwords
+ And then call help from HVA community http://www.hvaonline.net/hvaonline/posts/list/39745.hva#244811 for further researching and solution.
– After work, I take look again on the source code of this file basing on the hints of HVA guys. I discovered that I made a serious error that I don’t check input file type. The fopen and file_get_contents give the content of any file on my host back. That means a hacker with the help of this proxy.php can easily view wp-config.php like this (URL below is of course not working anymore)

http://hintdesk.com/Web/Tmp/proxy.php?url=/homeXXX/YYY/public_html/ZZZ/blog/wp-config.php
http://hintdesk.com/Web/Source/RSS%20Reader/proxy.php?url=/homeXXX/YYY/public_html/ZZZ/blog/wp-config.php

Using HttpFox (https://addons.mozilla.org/en-US/firefox/addon/httpfox/) you can see the content of wp-config as image below

HttpFox

– So now I know where did the hacker get my Twitter password and learn a lesson that I should be careful when I upload any php file to my host.

2 thoughts on “Hacking – How was my Twitter account hacked?”

  1. 6 of my twitter account were hacked 3 which I know for sure I had done Noting to be suspended for! Some one from the twitter camp picking on me? How can I find out what is going on?

  2. @Felicia: Follow my hints above to discover if your computer was attacked by a virus or the services you use are compromised.
    If you’ve used 6 different emails with 6 different passwords for your Twitter accounts and 3 of them were hacked. Then the possibility that your computers were infected by a trojan is really high.

Leave a Reply

Your email address will not be published. Required fields are marked *