Forums

WordPress › Support » How-To and Troubleshooting

[resolved] Got hacked.. (15 posts)

  1. arjunprabhu
    Member
    Posted 4 years ago #

    Hi folks,

    my wp 1.5.1 setup got hacked yesterday. I dont think its a problem with wp, but maybe my setup was bad. (its back to normal now)

    I was analyzing the log, and found that the hackers had used this...at the start of the hack. Any idea what it does..?

    [Moderated - string removed.]

    (it was in hex format, which i decoded).

    and then a POST call to /wp-admin/wp-users.php!
    and then the person is in..my admin panel!

    Here is the detail....

    ----------------
    GET /blog/ HTTP/1.0
    GET
    [Moderated - line removed]
    HTTP/1.1
    POST /blog/wp-admin/users.php HTTP/1.1
    GET /blog/wp-admin/users.php HTTP/1.1
    GET /blog/wp-admin/users.php?action=promote&id=4&prom=up HTTP/1.1
    GET /blog/wp-admin/users.php HTTP/1.1
    GET /blog/wp-admin/users.php?action=promote&id=4&prom=up HTTP/1.1
    GET /blog/wp-admin/users.php HTTP/1.1
    GET /blog/wp-admin/users.php?action=promote&id=4&prom=up HTTP/1.1
    GET /blog/wp-admin/users.php HTTP/1.1
    GET /blog/wp-admin/users.php?action=promote&id=4&prom=up HTTP/1.1
    GET /blog/wp-admin/users.php HTTP/1.1
    GET /blog/wp-admin/users.php?action=promote&id=4&prom=up HTTP/1.1
    GET /blog/wp-admin/users.php HTTP/1.1
    GET /blog/wp-admin/users.php?action=promote&id=4&prom=up HTTP/1.1
    GET /blog/wp-admin/users.php HTTP/1.1
    GET /blog/wp-admin/users.php?action=promote&id=4&prom=up HTTP/1.1
    GET /blog/wp-admin/users.php HTTP/1.1
    GET /blog/wp-admin/users.php?action=promote&id=4&prom=up HTTP/1.1
    GET /blog/wp-admin/users.php HTTP/1.1
    GET /blog/wp-admin/users.php?action=promote&id=4&prom=up HTTP/1.1
    GET /blog/wp-admin/users.php HTTP/1.1
    GET /blog/wp-admin/users.php?action=promote&id=4&prom=up HTTP/1.1
    GET /blog/wp-admin/users.php HTTP/1.1
    GET /blog/admin.php HTTP/1.0
    GET /blog/ HTTP/1.0
    GET /blog/wp-login.php HTTP/1.0
    GET /blog/wp-admin/wp-admin.css HTTP/1.0
    GET /blog/wp-images/wp-small.png HTTP/1.0
    GET /blog/wp-images/fade-butt.png HTTP/1.0
    POST /blog/wp-login.php HTTP/1.0
    GET /blog/wp-admin/wp-admin.css?version=1.5.1.1 HTTP/1.0
    GET /blog/wp-images/header-shadow.png HTTP/1.0
    GET /blog/wp-admin/ HTTP/1.0
    ----------------
    after this, they enabled file upload, and loaded some files on the server........
    ----------------

    hope this is useful....in case its a security issue.

    btw, the only mistake (big mistake......yieeeeks) i had done was, given 777 on /blog folder so that the sitemap.xml file could be created by the sitemap plugin. (and then i forgot to remove the 777.

    the hackers luckly did not make any harm, but only left the following message..

    <--------------------->
    Hacked By Status X

    Admin, please change this blog, man...you don't want to get hacked again:))) Ok, nothing is destroyed, I just changed the index, all the database and blog is fine.... Greetz to soooo secure WordPress :)))))

    Specail Greetz to: 1dt.w0lf and RST team. and also to http://xtools.org team, and http://antichat.ru Russian Hack always rulez :))

    PS: to view the blog just go to /blog/index.php :)
    <--------------------->

  2. mdawaffe
    Member
    Posted 4 years ago #

    Upgrade to the most recent release: 1.5.1.2
    http://wordpress.org/download/

  3. arjunprabhu
    Member
    Posted 4 years ago #

    can anyone explained how the managed to get in?

    I did further ananlysis and found they they were somehow able to loginto the system. ie, get pass the wordpress security, and only then upload the file.

    ie, my upload file feature was disabled.

    They managed to login, create users, promote the user to level 10, and enable file upload.

    and then ..uploaded the files...

  4. mdawaffe
    Member
    Posted 4 years ago #

    This was a security issue that was fixed in 1.5.1.2
    http://wordpress.org/development/2005/05/security-update/

    EDIT: Oh, and you might change your admin user's password. I imagine someone else will see this thread and tell you if there's something else you need to do.

  5. arjunprabhu
    Member
    Posted 4 years ago #

    Thanks for the info mdawaffe. I have changed my admin password now.

    I also deleted the additional users created by the hackers.

    BTW, i am NOT running the default theme. (so 1.5.1.2 wont make major difference right?)

  6. davidhouse
    Member
    Posted 4 years ago #

    The admin has nothing to do with what theme you're using. 1.5.1.2 was a security fix that will make sure this doesn't happen again.

  7. arjunprabhu
    Member
    Posted 4 years ago #

    Thx David.

    But are you sure about 1.5.1.2 will fix it for sure?
    I did a manual fix. (as mentioned, added a line of code to the file mentioned). Is that fine?

    Are you sure that the hackers were able to add more users and gain admin access because of the security problem in 1.5.1.1 ? sure..? Or is it some new security issue ???

    I just need confirmation....

    Thanks in advance.

  8. davidhouse
    Member
    Posted 4 years ago #

    I'm 90% sure 1.5.1.2 will fix your blog. The problem with 1.5.1.1 was that it just accepted anything at all for the 'cat' parameter. This was then passed into a SQL query, and so by including some SQL in the 'cat' parameter, the hackers were able to display your username and password. Although the development blog said 'if you're running the default theme' and you've stated you weren't, I guess you're running some derivative on the default theme that was still vunerable.

    Anyway, in the future a good idea to protect yourself against a lot of hacks is to change your table prefix. This involved renaming your tables to something like arj_users, arj_posts, arj_comments and so on (instead of wp_users, wp_posts, wp_comments), then change the 'tableprefix' bit in your wp-config.php file.

  9. arjunprabhu
    Member
    Posted 4 years ago #

    Thanks for the info David. I have already added that extra line of code to wp-includes/template-functions-category.php file. Hope that should be fine enough.

    Thanks again. Now some relief!

  10. IanD
    Member
    Posted 4 years ago #

    You might want to look at the bad behavior plugin too - it seems to block all GET requests, so might dissuade people from testing your security again.

  11. Beer
    Member
    Posted 4 years ago #

    If possible, use .htaccess to prevent anyone except you from accessing your wp-admin directory.

    Maybe a
    Deny from All
    Allow from 1.2.3.4

    where 1.2.3.4 is your ip#

    You might also get your host or whoever to install mod_security

  12. kickass
    Member
    Posted 4 years ago #

    Just a speculation--
    "This involved renaming your tables to something like arj_users, arj_posts, arj_comments and so on (instead of wp_users, wp_posts, wp_comments), then change the 'tableprefix' bit in your wp-config.php file."
    How hard would it be in a future version of wordpress to include an option for installer to set the tableprefix? Is this possible? Or would it involve too many changes? Might give a bit of added security to future installs. But I'm not a programmer by any means, so I don't know.

  13. arjunprabhu
    Member
    Posted 4 years ago #

    Thanks for the input IanD -> Installed bad-behaviour.

    Beer, ...... no static IP. So, might not able to do that.
    Would be a good idea to make wp-admin a secure area (password protected ?), using .htaccess

  14. arjunprabhu
    Member
    Posted 4 years ago #

    ok. Finally came to know how exactly they broke in!... , and how wp 1.5.1.2 prevents it!

    Mostly some one executed a handy readymade script to break in.

  15. presto
    Member
    Posted 4 years ago #

    Beer:

    Thanks for your post to this thread. I went through my log files and someone outside of my IP range has been trying to get into my blog via the login pages.

    I do not have the capability to allow/deny by IP address because of not having a static IP address like arjunprabhu stated nor do I have SSH, but you did mention .htaccess which made me remember .htpasswd and I was able to password protect the entire wp-admin directory to block access to my login screen.

    Plus to be even more secure, it recommended to protect the file "wp-login.php" in the root directory your blog is located at because WordPress allows you to login to the admin station of the blog from that file. Therefore, I went into my .htaccess file and added :

    [code]
    AuthUserFile /full/path/to/username/.htpasswd
    AuthName "Message to go on user's login screen"
    AuthType Basic
    Allow from all
    <Files wp-login.php>
    Allow from all
    Require user username1
    </Files>
    [/code]

    and uploaded .htaccess and .htpasswd and that helps

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags