WordPress.org


[resolved] helo.php security vulnerability (10 posts)

  1. raychaser42
    Member
    Posted 2 years ago #

    Hi All,

    I wasn't sure where to post this but I didn't see any info when I googled it and I think it's really important to get the word out.

    I just found a file called wp-content/plugins/helo/helo.php
    on a number of my sites.

    The file is designed to look like the "Hello Dolly" plugin but it contains all kinds of malicious code designed to compromise my system, rewrite my php.ini file and inject its own content onto my site.

    Everything I know is here:
    http://lifeoutthewindow.com/2012/05/wordpress-users-beware/
    I'll update it as I continue to investigate.

    Anyone have any advice on the best way to clean this? If they have my php.ini then they likely have my db password which sucks big time.

    Two problems:

    A:) How do I clean this?
    B:) How do I make sure it doesn't happen again?

  2. esmi
    Forum Moderator
    Posted 2 years ago #

  3. esmi
    Forum Moderator
    Posted 2 years ago #

    And it's not often that you get an answer in stereo. ;-)

  4. raychaser42
    Member
    Posted 2 years ago #

    Thanks. Most of this I'm already doing. I'm in touch with my host too to see if they can trace it. Likely it's something to do with the way the permissions are set up.

    Unfortunately we've got multiple infections across a bunch of sites so it's going to take time to de-louse this whole mess but luckily I've got the whole thing in source control so it's a quick revert for the files.

    Am I correct in assuming that if they were able to install a rogue plugin they had access to one of the WP account usernames and passwords?

  5. esmi
    Forum Moderator
    Posted 2 years ago #

    Unfortunately we've got multiple infections across a bunch of sites

    That sounds like you might have had an ftp leak and that the hackers gained entrance initially via ftp. Try scanning all local machines with up-to-date AV software.

  6. raychaser42
    Member
    Posted 2 years ago #

    worth a shot but....

    A). We're on OSX here and
    B). We keep our passwords locked up really tight (i.e. always encrypted and never typed).

    I know that OSX viruses aren't unheard of but I'm more inclined to lean towards the file permissions thing.

    Anyway I'll post back here if I learn anything more so that people can learn from my ways. :)

    BTW. Does anyone know if there are security problems with the BackWPup plugin? It's a common element on all the sites.

  7. MickeyRoush
    Member
    Posted 2 years ago #

    raychaser42 wrote:

    I know that OSX viruses aren't unheard of but I'm more inclined to lean towards the file permissions thing.

    Many malicious scripts like the Black Hole Exploit are equal opportunity exploiters. Doesn't matter which OS the victim is using.

    Even though there are some very ingenious malicious scripts out there, have you checked the time stamps on your files? Use that information combined with server logs (http and FTP/SFTP access) to help determine how the infection was achieved.
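The timestamp-and-log correlation MickeyRoush suggests, and the "file posing as Hello Dolly" pattern from the first post, as an added triage script that is not part of this thread and not from any of the posters. It walks a WordPress tree for files modified after a known-good point, flags plugin files that claim the same "Plugin Name:" header as another plugin (Hello Dolly ships as wp-content/plugins/hello.php, so a second file with that header is worth a look), and lines each changed file up with web-server requests logged in the minutes around its mtime. It assumes Apache/nginx combined-format access logs; the directory tree, file stamps and log lines below are constructed fixtures, not data from any real site.

```python
# Added triage example (not code from the forum thread). Assumes combined-format
# access logs; the sample tree and log lines are constructed for demonstration.
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# WordPress plugin header line, e.g. "Plugin Name: Hello Dolly", near the top of the file.
HEADER_RE = re.compile(r'^\s*\*?\s*Plugin Name:\s*(.+?)\s*$', re.MULTILINE)


def parse_log_line(line):
    """Parse one combined-format access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m.group('ip'), 'ts': ts, 'method': m.group('method'),
            'path': m.group('path'), 'status': int(m.group('status'))}


def files_changed_since(root, since):
    """Relative paths and mtimes of files modified at or after `since` (an aware datetime)."""
    changed = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            if mtime >= since:
                changed.append((os.path.relpath(full, root), mtime))
    return sorted(changed, key=lambda item: item[1])


def duplicate_plugin_names(root):
    """Plugin names claimed by more than one .php file under wp-content/plugins -> files."""
    claims = defaultdict(list)
    plugins = os.path.join(root, 'wp-content', 'plugins')
    for dirpath, _, names in os.walk(plugins):
        for name in names:
            if not name.endswith('.php'):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding='utf-8', errors='replace') as fh:
                m = HEADER_RE.search(fh.read(4096))  # header block sits at the top
            if m:
                claims[m.group(1)].append(os.path.relpath(full, root))
    return {k: sorted(v) for k, v in claims.items() if len(v) > 1}


def triage(root, log_lines, since, window=timedelta(minutes=10)):
    """For each changed file, attach the requests logged within `window` of its mtime."""
    parsed = [p for p in (parse_log_line(l) for l in log_lines) if p]
    report = []
    for path, mtime in files_changed_since(root, since):
        near = [p for p in parsed if abs(p['ts'] - mtime) <= window]
        report.append({'file': path, 'mtime': mtime,
                       'requests': sorted(near, key=lambda p: p['ts'])})
    return report


# Constructed access-log lines (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Sep/2012:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Sep/2012:14:12:40 +0000] "POST /wp-content/themes/legacy-theme/timthumb.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Sep/2012:14:14:05 +0000] "GET /wp-content/plugins/helo/helo.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'not a log line',
]


def build_sample_tree():
    """Constructed fixture: a stock hello.php plus a look-alike helo/helo.php dropped later."""
    root = tempfile.mkdtemp(prefix='wp-triage-')
    os.makedirs(os.path.join(root, 'wp-content', 'plugins', 'helo'))
    files = {
        'wp-config.php': "<?php define('DB_NAME', 'example');\n",
        'wp-content/plugins/hello.php': "<?php\n/*\nPlugin Name: Hello Dolly\n*/\n",
        'wp-content/plugins/helo/helo.php': "<?php\n/*\nPlugin Name: Hello Dolly\n*/\n// constructed stand-in body\n",
    }
    stamps = {
        'wp-config.php': datetime(2012, 8, 1, tzinfo=timezone.utc),
        'wp-content/plugins/hello.php': datetime(2012, 8, 1, tzinfo=timezone.utc),
        'wp-content/plugins/helo/helo.php': datetime(2012, 9, 1, 14, 13, tzinfo=timezone.utc),
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        with open(full, 'w', encoding='utf-8') as fh:
            fh.write(body)
        t = stamps[rel].timestamp()
        os.utime(full, (t, t))  # back-date so the fixture has a believable history
    return root


if __name__ == '__main__':
    root = build_sample_tree()
    since = datetime(2012, 8, 15, tzinfo=timezone.utc)
    print('duplicate plugin headers:', duplicate_plugin_names(root))
    for entry in triage(root, SAMPLE_LOG, since):
        print(entry['file'], entry['mtime'].isoformat())
        for req in entry['requests']:
            print('   ', req['ts'].isoformat(), req['ip'], req['method'], req['path'], req['status'])
```

On a real install, point `root` at the document root, read the log lines from the host's access log (and FTP/SFTP logs, which have their own formats and would need their own parser), and pick `since` from the last deploy you trust. Note that mtimes are only a hint: a file can be written with a back-dated timestamp, which is why the log correlation is the part that matters.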

  8. raychaser42
    Member
    Posted 2 years ago #

    Ok, so to follow up what likely happened was a site we'd forgotten was on our VPS had a wootheme with a timthumb vulnerability.

    Through this vulnerability the malicious script was able to gain access to our other accounts and place the evil plugin on a number of our other WordPress sites.

    What a pain! Still, could've been worse.

    Thanks to everyone's help and for the links to those bullet-proofing WordPress articles.

  9. Seth Carstens
    Member
    Posted 1 year ago #

    I've had this on 2 sites now. After looking at the error logs it looks like some sort of injection attack:

    [01-Sep-2012 14:15:38] PHP Warning: PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20060613/suhosin.so' - /usr/local/lib/php/extensions/no-debug-non-zts-20060613/suhosin.so: cannot open shared object file: No such file or directory in Unknown on line 0
    [01-Sep-2012 18:15:38] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'wposts.post_content LIKE '%adminmaintSuperNet%' OR wposts.post_title LIKE '%wp%'' at line 5 for query
    SELECT DISTINCT wposts.ID
    FROM wp_sm_posts wposts, wp_sm_postmeta wpostmeta
    WHERE wposts.ID = wpostmeta.post_id
    AND wposts.post_status = 'publish'
    AND wposts.post_type = 'page' AND (wposts.post_content LIKE '%wp%' wposts.post_content LIKE '%adminmaintSuperNet%' OR wposts.post_title LIKE '%wp%' OR wposts.post_title LIKE '%adminmaintSuperNet%' )
