Investigation report about the hacking incident

Yesterday, we received the final investigation report from JPCERT/Coordination Center.

How the unauthorized access happened

From the access logs that remained, we could not identify the cause of the unauthorized access. We confirmed suspicious accesses (web and FTP) from 203.194.144.#, and we confirmed traces of attack attempts in early August. However, we could not determine from these traces alone how the attacker got into our site. There were no successful logins from these IP addresses.

About the unauthorized redirects

From the access logs that remained, the following two accesses were considered unauthorized accesses redirected by the .htaccess file that the attacker placed on the server.

#.#.#.# - - [18/Aug/2014:05:41:38 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 884 "-" "AdvancedInstaller"
#.#.#.# - - [18/Aug/2014:06:19:04 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 884 "-" "AdvancedInstaller"

These accesses match the IP addresses written in the .htaccess file and fall within the time frame in which the incident occurred. Also, the number of bytes recorded in the access log (884) differs from the number recorded for the same file in other accesses, from other time frames and other IP addresses.

Usually the access log entries for this file look like:

#.#.#.# - - [10/Aug/2014:03:45:09 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 855 "-" "AdvancedInstaller"

The file is 855 bytes, but the two accesses above show 884 bytes. Note that the status code is still 200 in both entries, so the substitution does not show up in the status column; the byte count is the only indicator in the log.
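The log check described above, as an added example (not code from the original post, from Emurasoft or from JPCERT/CC): a small Python script that parses combined-format access log lines, derives the usual response size for the update file from the majority of successful entries, and flags requests whose size differs from that baseline or whose client IP appears on a list taken from the planted .htaccess. The log lines, the client IPs (RFC 5737 documentation ranges) and the IP list are constructed for the example; only the 855/884 byte counts are the ones reported above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Apache "combined" log format, matching the excerpts quoted on this page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UPDATE_PATH = "/pub/updates/emed64_updates_ja.txt"

# Constructed sample log. IPs are documentation addresses, not the real ones.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Aug/2014:03:45:09 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 855 "-" "AdvancedInstaller"',
    '192.0.2.11 - - [12/Aug/2014:11:02:41 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 855 "-" "AdvancedInstaller"',
    '192.0.2.12 - - [15/Aug/2014:09:17:03 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 855 "-" "AdvancedInstaller"',
    '198.51.100.23 - - [18/Aug/2014:05:41:38 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 884 "-" "AdvancedInstaller"',
    '198.51.100.77 - - [18/Aug/2014:06:19:04 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 884 "-" "AdvancedInstaller"',
    '192.0.2.13 - - [19/Aug/2014:14:58:20 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 855 "-" "AdvancedInstaller"',
    '192.0.2.14 - - [19/Aug/2014:15:00:01 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# Hypothetical: the client IPs that the planted .htaccess singled out.
REDIRECT_IPS = {"198.51.100.23", "198.51.100.77"}


@dataclass
class Request:
    ip: str
    ts: str
    path: str
    status: int
    size: Optional[int]
    ua: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"] == "-" else int(m["size"])
    return Request(m["ip"], m["ts"], m["path"], int(m["status"]), size, m["ua"])


def baseline_size(requests, path: str) -> Optional[int]:
    """Most common size of successful responses for path. A static file served
    unchanged returns the same byte count to every client, so the majority
    value is the baseline and any other value is worth a look."""
    sizes = Counter(
        r.size for r in requests
        if r.path == path and r.status == 200 and r.size is not None
    )
    return sizes.most_common(1)[0][0] if sizes else None


def find_anomalies(lines, path: str, redirect_ips):
    """Return (request, reasons) for successful requests to path whose size
    deviates from the baseline or whose client IP is on the .htaccess list.
    Status is 200 either way, so the status column cannot be used."""
    requests = [r for r in (parse_line(l) for l in lines) if r is not None]
    base = baseline_size(requests, path)
    hits = []
    for r in requests:
        if r.path != path or r.status != 200:
            continue
        reasons = []
        if base is not None and r.size != base:
            reasons.append(f"size {r.size} != baseline {base}")
        if r.ip in redirect_ips:
            reasons.append("ip listed in .htaccess")
        if reasons:
            hits.append((r, reasons))
    return hits


if __name__ == "__main__":
    for req, why in find_anomalies(SAMPLE_LOG, UPDATE_PATH, REDIRECT_IPS):
        print(f"{req.ip} [{req.ts}] {req.size} bytes: {'; '.join(why)}")
```

The baseline is taken from the log itself rather than from the file on disk, because after an incident the file on disk may no longer be the one that was served. Running the same check over the full log, with the real IP list from the .htaccess, separates entries that are suspicious for one reason only (an unusual size, or a listed IP with a normal size) from those that match on both.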

JPCERT/CC contacted the owners of the above IP addresses and found no malware infections. Note that the access log records every access to this file, including mere update checks that did not lead to an actual installation.

Future measures

In addition to routine updates of WordPress plug-ins and themes, we periodically scan our site for malware, monitor the files on the server and the access logs, and block suspicious IP addresses. On August 29th, we protected the entire site with SSL-encrypted connections. We are also planning to move our forums to another site or to an electronic mailing list for improved security.

The next version of Advanced Installer, which we used to build the Update Checker, will be able to block update installers that do not carry the same digital signature as ours. Future EmEditor versions will restore the Update Checker with this improved security.

We apologize for any inconvenience that this situation may have caused you.

See also:

Possible malware attack by EmEditor Update Checker
