need forensic help following unauthorized post (8 posts)

  1. flymike
    Member
    Posted 3 years ago #

    A registered user with Subscriber access recently published unwanted material on my site. I'm trying to figure out how he managed to get sufficient authority to publish the post without it being held for review.

    • I don't think my code base was hacked. All of my .php are checksum'd (core & plugins) and there's no sign of interference.
    • I do have a record of all logins. That shows the problem user logging in (twice) around the time of the posting.
    • I checked the problem user's authority after the fact. It is still Subscriber.
    • I do use Role Scoper to elevate users to Contributor when they post in just one category, but the problem post was uncategorized.
    • Revision history for the post shows the first revision by the problem user, immediately followed with a second revision by my own Administrator username. But there's no record of a login by that Administrator.

    So what else can I look for?
    Here's the relevant portion of the web access log:

    83.28.31.252 - - [14/Feb/2011:15:38:29 -0800] "POST /wp-login.php HTTP/1.1" 302 969 "http://sarasotasailingsquadron.org/wp-admin/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
    83.28.31.252 - - [14/Feb/2011:15:38:31 -0800] "GET /wp-admin/post-new.php HTTP/1.1" 200 68558 "http://sarasotasailingsquadron.org/wp-admin/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
    83.28.31.252 - - [14/Feb/2011:15:38:34 -0800] "POST /wp-admin/post.php? HTTP/1.1" 403 1639 "http://sarasotasailingsquadron.org/wp-admin/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
    83.28.31.252 - - [14/Feb/2011:15:38:35 -0800] "POST /wp-login.php HTTP/1.0" 302 1094 "-" "Snoopy v1.2.4"
    83.28.31.252 - - [14/Feb/2011:15:38:36 -0800] "POST //wp-admin/ HTTP/1.0" 200 32961 "-" "Snoopy v1.2.4"
    83.28.31.252 - - [14/Feb/2011:15:38:38 -0800] "GET //wp-admin/press-this.php HTTP/1.0" 200 22967 "-" "Snoopy v1.2.4"
    83.28.31.252 - - [14/Feb/2011:15:38:40 -0800] "POST //wp-admin/press-this.php?action=post HTTP/1.0" 200 23174 "-" "Snoopy v1.2.4"
  2. esmi
    Forum Moderator
    Posted 3 years ago #

    When did you upgrade to WP 3.0.5?

  3. flymike
    Member
    Posted 3 years ago #

    my mistake; 3.04 on Jan 4, not 3.05

  4. esmi
    Forum Moderator
    Posted 3 years ago #

    If this problem occurred when you were using 3.0.4, then that might be your answer. 3.0.5 addressed this security issue, if I remember correctly.

  5. Samuel B
    moderator
    Posted 3 years ago #

    yes - this is exactly what 3.0.5 addresses

  6. AngieP
    Member
    Posted 3 years ago #

    Hello dear friends,

    I'm having this issue since I use 3.0.5!

    Any suggestions? Thanks in advance.

    Angie

  7. flymike
    Member
    Posted 3 years ago #

    This intrusion has recurred - this time on the current version, 3.1.1.
    The hacker logs in (validly) as subscriber, creates a post - which should have gone into Pending Review state - then immediately updates the post as Administrator to Published state. The access log is below. Both of the logins were with the Subscriber username (my site records all logins with username and IP).
    I can't figure out how this hacker is getting Administrator privilege.

    83.28.5.21 - - [25/Apr/2011:09:26:57 -0700] "POST /wp-login.php HTTP/1.1" 302 969 "http://sarasotasailingsquadron.org/wp-admin/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
    83.28.5.21 - - [25/Apr/2011:09:26:59 -0700] "GET /wp-admin/post-new.php HTTP/1.1" 200 38080 "http://sarasotasailingsquadron.org/wp-admin/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
    83.28.5.21 - - [25/Apr/2011:09:27:03 -0700] "POST /wp-admin/post.php? HTTP/1.1" 403 1639 "http://sarasotasailingsquadron.org/wp-admin/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
    83.28.5.21 - - [25/Apr/2011:09:27:07 -0700] "POST /wp-login.php HTTP/1.0" 302 1094 "-" "Snoopy v1.2.4"
    83.28.5.21 - - [25/Apr/2011:09:27:09 -0700] "POST //wp-admin/ HTTP/1.0" 200 30707 "-" "Snoopy v1.2.4"
    83.28.5.21 - - [25/Apr/2011:09:27:12 -0700] "GET //wp-admin/press-this.php HTTP/1.0" 200 31442 "-" "Snoopy v1.2.4"
    83.28.5.21 - - [25/Apr/2011:09:27:14 -0700] "POST //wp-admin/press-this.php?action=post HTTP/1.0" 200 31671 "-" "Snoopy v1.2.4"
    83.28.5.21 - - [25/Apr/2011:09:27:23 -0700] "GET / HTTP/1.0" 200 69061 "-" "-"
  8. obscure
    Member
    Posted 3 years ago #

    Unfortunately, in many cases updating after your site has been compromised won't stop further problems. Attackers will use a poorly configured server or a WordPress exploit to gain initial access. However, once in, they will usually install some form of backdoor entrance which will allow them to access your server/site even if you upgrade.

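The sequence in both of flymike's access-log excerpts (a browser login, a 403 on post.php, then a fresh login and a press-this.php?action=post submission from the "Snoopy" library user agent a few seconds later) can be picked out of a log automatically. The detector below is an added example, not code from the thread or from WordPress; it runs on constructed log lines modelled on the thread's, with documentation IPs and a placeholder hostname.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log format, as in the thread's excerpts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# HTTP-library user agents that should not be driving wp-admin pages (Snoopy is a PHP HTTP class).
SCRIPT_UA = re.compile(r"snoopy|curl|python|libwww|wget", re.I)

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flag_press_this_abuse(lines, window=60):
    """Per source IP: flag wp-admin requests from a script user agent that follow a wp-login.php
    POST within `window` seconds, and list the press-this.php?action=post submissions among them."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        logins = [r["ts"] for r in reqs if r["method"] == "POST" and r["path"].endswith("wp-login.php")]
        hits = [r for r in reqs if SCRIPT_UA.search(r["ua"]) and "/wp-admin/" in r["path"]
                and any(0 <= (r["ts"] - t).total_seconds() <= window for t in logins)]
        if hits:
            findings[ip] = {"script_ua": sorted({r["ua"] for r in hits}),
                            "press_this_posts": [r["ts"].isoformat() for r in hits
                                                 if "press-this.php?action=post" in r["path"]]}
    return findings

# Constructed sample modelled on the thread's logs (documentation IPs, placeholder host).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Apr/2011:09:26:57 -0700] "POST /wp-login.php HTTP/1.1" 302 969 "http://blog.example/wp-admin/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20070725 Firefox/2.0.0.6"
192.0.2.10 - - [25/Apr/2011:09:27:03 -0700] "POST /wp-admin/post.php? HTTP/1.1" 403 1639 "http://blog.example/wp-admin/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20070725 Firefox/2.0.0.6"
192.0.2.10 - - [25/Apr/2011:09:27:07 -0700] "POST /wp-login.php HTTP/1.0" 302 1094 "-" "Snoopy v1.2.4"
192.0.2.10 - - [25/Apr/2011:09:27:14 -0700] "POST //wp-admin/press-this.php?action=post HTTP/1.0" 200 31671 "-" "Snoopy v1.2.4"
192.0.2.20 - - [25/Apr/2011:10:00:00 -0700] "POST /wp-login.php HTTP/1.1" 302 969 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0"
192.0.2.20 - - [25/Apr/2011:10:00:05 -0700] "GET /wp-admin/ HTTP/1.1" 200 30000 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0"
""".splitlines()
```

Run against a real log with `flag_press_this_abuse(open("access.log"))`; a Subscriber session whose user agent switches from a browser to an HTTP library mid-flow is the pattern to review, and the 403 on post.php just before it shows the normal capability check working as intended.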
This topic has been closed to new replies.