Getting hacked today and now, please help

  • Resolved idahofallzcom

    (@idahofallzcom)


    16 years, 2 months ago

    Well life sucks 8^(

    IdahoFallz.com, I’ve been getting hacked the past few hours. I suspect SQL injection but I’ve no idea where or how to plug it. ANY help or advice really would be appreciated!

    The attacker is so far only starting draft posts under various user names, each one taunts me that I’ve been hacked or places ads. I have the “Notify on draft post” plugin so some of the attacker’s posts are being submitted to me for approval, some are not. None have been posted so I’m not suer if the person has admin access (yet). I changed my WP password and my FTP password. My files so far seem ordinary, nothing replaced or added so far.

    The attacker came back a couple hours later and posted a couple more drafts. One is titled “We got owned by Evo – Voide.org/” and the content is:

    It seems that you got owned by Evo, no harm has been done. I have simply found an error within your site and posted a news article to let you know. So this is just a let you know post.
Peace.
Evo

    and every single category is checked.

    I changed the passwords to uber-difficult for the users he had created posts under, to compensate if those users had weak passwords.

    A couple hours later he came back, used mostly different users but one user which I had changed the password for, so I don’t think that’s the avenue.

    I had Pierre’s shoutbox running, and this was one messsage posted:

    -998877/**/UNION /**/SELECT/**/0, 1,concat(0x7c,us er_login,0x7c,us er_pass,0x7c),co ncat(0x7c,user_l ogin,0x7c,user_p ass,0x7c),4,5/** /FROM/**/wp_user s

    I disabled that plugin but a couple hours later I get more saved posts from the attacker.

    I’m looking at the error_log at my site root and see several database error warnings from this afternoon:

    ‘[02-Feb-2008 19:59:00] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘AND comment_approved = ‘1’ ORDER BY comment_date DESC LIMIT 1′ at line 1 for query SELECT comment_date FROM wp_comments WHERE comment_date > FROM_UNIXTIME(1200790740) AND comment_post_ID = AND comment_approved = ‘1’ ORDER BY comment_date DESC LIMIT 1′

    I know this is Saturday night but any help is really appreciated here.

    Thanks!

Viewing 15 replies - 1 through 15 (of 20 total)
1 2
  • whooami

    (@whooami)

    16 years, 2 months ago

    remove or rename your xmlrpc.php file

    Thread Starter idahofallzcom

    (@idahofallzcom)

    16 years, 2 months ago

    man and it continues

    I noticed my pages weren’t loading, and I was generating HUGE error_logs. I deleted the error_log and two seconds later it was up to 62 mb. I finally got it downloaded and found errors related to a script running in page.php

    This is what I found in my page.php:

    <?php
$tpl = "/home/.numnod/mwsmedia/mattselznick.com/gfx/t-m-p.html";
$repl = "<REPL>";
$w1 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
$w2 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
$w3 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
$w4 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
$w5 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
$w6 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
$w7 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
$w8 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
$w9 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
$w10 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
$w11 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
$w12 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
$w13 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
$keys = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
$wr1 = $w1[rand(0, count($w1)-1)];
$wr2 = $w2[rand(0, count($w2)-1)];
$wr3 = $w3[rand(0, count($w3)-1)];
$wr4 = $w4[rand(0, count($w4)-1)];
$wr5 = $w5[rand(0, count($w5)-1)];
$wr6 = $w6[rand(0, count($w6)-1)];
$wr7 = $w7[rand(0, count($w7)-1)];
$wr8 = $w8[rand(0, count($w8)-1)];
$wr9 = $w9[rand(0, count($w9)-1)];
$wr10 = $w10[rand(0, count($w10)-1)];
$wr11 = $w11[rand(0, count($w11)-1)];
$wr12 = $w12[rand(0, count($w12)-1)];
$wr13 = $w13[rand(0, count($w13)-1)];
$q = $_GET['go'];
$q = ereg_replace(".htm", "", $q);
$q = ereg_replace("-", " ", $q);
$fp = fopen($tpl, "r");
$fin = '';
while (!feof($fp))
     $fin .= fgets($fp, 1024);
fclose($fp);
$fin = ereg_replace($repl, $q, $fin);
$rd = rand(0,10000);
  $rd = $rd."";
 $rd2 = rand(0,10000);
  $rd2 = $rd2."";
 $rd3 = rand(0,10000);
  $rd3 = $rd3."";
 $rd4 = rand(0,10000);
  $rd4 = $rd4."";
 $rd5 = rand(0,10000);
  $rd5 = $rd5."";
$fin = ereg_replace("<SOME>", $rd , $fin);
$fin = ereg_replace("<SOME2>", $rd2 , $fin);
$fin = ereg_replace("<SOME3>", $rd3 , $fin);
$fin = ereg_replace("<SOME4>", $rd4 , $fin);
$fin = ereg_replace("<SOME5>", $rd5 , $fin);
$wr1l = ereg_replace(" ","-" , $wr1);
$fin = ereg_replace("<KEY1>", $wr1, $fin);
$fin = ereg_replace("<KEY1l>", $wr1l, $fin);
$wr2l = ereg_replace(" ","-" , $wr2);
$fin = ereg_replace("<KEY2>", $wr2, $fin);
$fin = ereg_replace("<KEY2l>", $wr2l, $fin);
$wr3l = ereg_replace(" ","-" , $wr3);
$fin = ereg_replace("<KEY3>", $wr3, $fin);
$fin = ereg_replace("<KEY3l>", $wr3l, $fin);
$wr4l = ereg_replace(" ","-" , $wr4);
$fin = ereg_replace("<KEY4>", $wr4, $fin);
$fin = ereg_replace("<KEY4l>", $wr4l, $fin);
$wr5l = ereg_replace(" ","-" , $wr5);
$fin = ereg_replace("<KEY5>", $wr5, $fin);
$fin = ereg_replace("<KEY5l>", $wr5l, $fin);
$wr6l = ereg_replace(" ","-" , $wr6);
$fin = ereg_replace("<KEY6>", $wr6, $fin);
$fin = ereg_replace("<KEY6l>", $wr6l, $fin);
$fin = ereg_replace("<KEY7>", $wr7, $fin);
$fin = ereg_replace("<KEY8>", $wr8, $fin);
$fin = ereg_replace("<KEY9>", $wr9, $fin);
$fin = ereg_replace("<KEY10>", $wr10, $fin);
$fin = ereg_replace("<KEY11>", $wr11, $fin);
$fin = ereg_replace("<KEY12>", $wr12, $fin);
$fin = ereg_replace("<KEY13>", $wr13, $fin);
$n = 10;
$links = "";
for ($i=0; $i<$n; $i++)
{
  $rankey = trim($keys[rand(0, count($keys)-1)]);
  $ranhref = ereg_replace(" ", "-", $rankey)."";
  $links = $links." <a href='./?go=$ranhref.htm'>$rankey</a><br>";
}
$fin = ereg_replace("<LINK>", $links, $fin);
echo $fin;
?>

    Man I’m getting hacked hard here, any advice to batten down the hatches?

    whooami

    (@whooami)

    16 years, 2 months ago

    remove or rename your xmlrpc.php file

    macsoft3

    (@macsoft3)

    16 years, 2 months ago

    You have a collection of affiliate spam links at the bottom. And, again, 711 here and there…

    Thread Starter idahofallzcom

    (@idahofallzcom)

    16 years, 2 months ago

    cool, i deleted the xmlrpc.php and the footer spam links, so far so good but it’s still early

    my host sent me the record showing i was attacked through wordspew chatbox. i was running a slightly older 3.01 version cuz the new one kept blocking users.

    i would like to ensure the latest does not have the same attack vector as 3.01, though

    Thread Starter idahofallzcom

    (@idahofallzcom)

    16 years, 2 months ago

    what’s 711 here and there?

    Thread Starter idahofallzcom

    (@idahofallzcom)

    16 years, 2 months ago

    I went to bed last night hoping the activity was over, but it’s not. This morning there where three more post drafts saved, each taunting me for being hacked by worldhackerz.net, each under different existing usernames. I saved a local copy of the xmlprc.php last night and completely deleted it, and I disabled the wordspew plugin. I’m running spybot and ad-aware on my system now.

    Any other advice? I’m also still wondering “what’s 711 here and there?”

    jonimueller

    (@jonimueller)

    16 years, 2 months ago

    http://www.textpattern.com

    That’s where I’m headed. I’m thoroughly disgusted. I’ve been a WP forum member for nearly four years. This latest round of crap is the last straw. I develop WP sites for a living and I can no longer countenance this crap. There have been no definitive solutions to my problem. I can’t peddle this program to any of my paying clients, it’s insanity.

    Backup your database, migrate to TextPattern, import your WP posts and have a nice life.

    It’s what I plan to do.

    Sorry I can’t be more help.

    Thread Starter idahofallzcom

    (@idahofallzcom)

    16 years, 2 months ago

    Dammit! I just checked my site about 30 minutes ago, no spam links. I check a moment ago again, and the spam links are back in my footer. I check footer.php and that same eval() link is there.

    HELP!?!? What is the hole here?

    whooami

    (@whooami)

    16 years, 2 months ago

    if you re-enabled wordspew, that might be part of your problem

    There is a version that is exploitable, so if youre opting to use that version for the sake of functionality, well, you can expect to reap what you sow.

    Thread Starter idahofallzcom

    (@idahofallzcom)

    16 years, 2 months ago

    I did not re-enable wordspew, I of course want to wait to make sure I’m not being attacked anymore. I of course also learned my lesson and when I do reenble wordspew will go with the latest version and will deal with the functionality issues at that time.

    i went to delete the wordspew folder from my plugins directly, and it is gone already. why would the hacker delete it? i looked in my other plugin folders and did not see it moved anywhere. it does not appear in my admin panel plugins activation page, either.

    spybot found not a single issue on my system. i reinstalled my pc a few weeks ago so it is fairly fresh.

    i had one other admin account, but i demoted that account to a writer and changed it’s password.

    i’ll try changing my passwords again, but i’ve got a feeling this is not over.

    What is the hole here?

    whooami

    (@whooami)

    16 years, 2 months ago

    What is the hole here?

    Considering that this is the second time youve asked that, and no-one has succinctly answered that question, you might consider your question answered with a “no-one knows”.

    You might want to consider some options related to logging the data thats actual sent to your blog. You CAN log all $_POST variables, you dont need to log $_GET requests as they show up in your Apache logs already, but you can, you CAN even log everything that is sent to xmlrpc.php, via the superglobal $_SERVER, but you shouldn’t need to do that since youve disabled it.

    In other words, at this point, I can only recommend taking a look at whats going on behind the scene, so to speak.

    perhaps someone else has other ideas.

    edit
    On second look, regarding xmlrpc.php, just to correct my previous statement, theres a logging option built in.

    Thread Starter idahofallzcom

    (@idahofallzcom)

    16 years, 2 months ago

    Okay, as I said I completely removed the xmlrpc.php file, how do I do this logging? I am reading that other thread and you said to email you for the instructions to do that? do i need to put xmlrpc.php back in there under a renamed filename or ?

    Thanks for the help!

    whooami

    (@whooami)

    16 years, 2 months ago

    I would NOT put back xmlrpc.php — that IS NOT a solution to your problem.

    I explain how to log ALL $_POST variables sent to a wordpress blog and why it might be useful on my own blog >

    http://www.village-idiot.org/archives/2008/02/02/wordpress-honeypot-project/

    Please read the following closely:

    You will want to edit that code, so that passwords of your writers are NOT written a to the logging file. Its done by putting in the IPs at the top.. My example only provides for 2 IPs, so if you have more than 2 you will need to change that line slightly.

    The file that is written to needs to be writable by the web server, that means, typically, that it needs to be chmod 666.

    Also, this will LOG ALL PASSWORDS used during logging in to the site. (thats why you want to make sure that you edit the $posty_ip so that YOUR info is NOT sent and that NO other administrator info is…

    You will also want to rename the file that is logged to, don’t use the default name in my example, as anyone can bring it up in a browser and read it, as long as they know what is named. (Unless you put in a non-web accessable directory, which is doable, as well.)

    This is not something that I recommend for the average user. IF, after reading that post, you are completely confused, dont try to forge ahead — contact me privately at whoo AT whoo.org and if you really want to do this, I will help you through setting it up via email or chat.

    I would also ONLY do this if you are still actively being exploited.

    Thread Starter idahofallzcom

    (@idahofallzcom)

    16 years, 2 months ago

    Cool, I had not replaced the xmlrpcs.php yet so we’re good. I think I can do what you’re describing, but as you suggested I’ll wait to see if I get hacked once more before trying.

    I’ll update later today if anything happens or not. The help is invaluable and much appreciated!

Viewing 15 replies - 1 through 15 (of 20 total)
1 2
  • The topic ‘Getting hacked today and now, please help’ is closed to new replies.