Herself's Webtools

Scripts, HowTos, Templates, Plugins, Widgets, Tips

Evil robot attack takes down and compromises websites

TimesToCome is my personal website. It has been online since 1997. Not once has it been hacked or compromised in over ten years. Not a single website of dozens I’ve put up has been compromised in ten years.

Today TimesToCome was totally taken down and compromised by the evil robot Cuill Twiceler Bot. A quick Google search will show you I’m not the only webmaster who’s had problems with Cuill.

It totally hammered TimesToCome, rapidly downloading over 1600 files before crashing the website. (It's a small website; I don't know how they found that many combinations of pages to download.) And when all was said and done, four directories, two Coppermine and two WordPress, were totally compromised, with all *php files converted to 0777 permissions.

I strongly recommend you block this robot in your .htaccess file.

I was lucky and discovered the problem less than an hour after it was compromised. Cuill Twiceler answered my email stating they will not hit my website’s IP again. I don’t trust anyone who doesn’t know what his robot has been up to. So I will be blocking them anyhow using .htaccess files.

*** Follow up ***
More details emerge.
Some unknown (except for IP number) entity uploaded some PHP files hidden in a *.jpg file to the albums/userpics directories in Coppermine.

When Cuill-Twiceler stomped all over my site like Godzilla does to Tokyo, it tripped that file. Even though the exploit did not work as planned, it converted the image file extension to a *zip file extension, then ran a function in that file that converted all the php, htm and html files to 777 permissions in all directories on the website. It failed to create an iframe in the Coppermine files directing it to some porn site because the wonderful people at my hosting company don't let their servers run files with world permissions.

Since there were no links to the compromised file, the robot never should have found them and triggered them. The robot is badly broken.

I strongly urge anyone using Coppermine to upgrade. The upgrade was painless.

As always, keep an eye on any image directories you have on a website. Those seem to be where most exploits park themselves. Any program that allows the general public to upload an image or zip file to your server without verifying what's in it makes you vulnerable. The person who uploaded the file or a crazy robot can then trigger the script that is inside the file.
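One way to keep that eye on a site, as an added example that is not code from the original post: a small Python audit that walks a web root and flags image files that contain a PHP open tag or lack image header bytes, plus php, htm and html files that are world-writable. The function names, the finding labels and the sample tree are assumptions made for illustration, and every file in the sample is constructed.

```python
import os
import stat
import tempfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
SCRIPT_EXTS = {".php", ".htm", ".html"}
MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")  # JPEG, PNG, GIF

def audit_tree(root):
    """Return sorted (relative_path, finding) pairs for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in IMAGE_EXTS:
                with open(path, "rb") as fh:
                    data = fh.read()
                if not data.startswith(MAGIC):  # wrong leading bytes
                    findings.append((rel, "not-an-image"))
                if b"<?php" in data.lower():  # PHP open tag inside an "image"
                    findings.append((rel, "embedded-php"))
            elif ext in SCRIPT_EXTS and os.stat(path).st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))  # e.g. flipped to 777
    return sorted(findings)


def demo():
    """Audit a constructed sample tree (all file contents are made up)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "albums", "userpics"))
        samples = {
            "albums/userpics/holiday.jpg": (b"\xff\xd8\xff\xe0" + b"\x00" * 32, 0o644),
            "albums/userpics/avatar.jpg": (b"\xff\xd8\xff\xe0<?php echo 'x'; ?>", 0o644),
            "albums/userpics/banner.jpg": (b"<?php echo 'x'; ?>", 0o644),
            "index.php": (b"<?php echo 'home'; ?>", 0o777),
            "about.html": (b"<html></html>", 0o644),
        }
        for rel, (data, mode) in samples.items():
            path = os.path.join(root, *rel.split("/"))
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        return audit_tree(root)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A header check alone misses a script appended to a valid image, which is why the content scan runs as well; the scan only looks for the full `<?php` tag, so it will not catch short open tags.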

See also:
I don’t like spiders and bots
What everyone ought to know about bots

More information:
Cuill banned from over 10,000 websites
Digital Point: Several webmasters banning Cuill for bad behavior
Twiceler banned across server farm
Twiceler sucking up bandwidth
Twiceler needs to be reined in
Guards out for Twiceler
Evil entity Twiceler
How to stop Twiceler