
Notification of Hacking Attempts (4 posts)

  1. jiHymas
    Member
    Posted 6 years ago #

    Recent hacks on my blog have prompted me to upgrade to 2.6.1 and install a $_POST logging facility.

    Within 12 hours of installation, I captured a hacking attempt! The first entry with the suspect IP was:

    file = ZWNobyAnYmxpYV9ibGlhX2pvb3AnOyBleGl0Ow==
    194.110.162.23
    /wp-login.php

    The second was:

    file = [an impossibly long string of characters]
    194.110.162.23
    /wp-login.php

    There were two other attempts immediately following the one I looked at, with the same IP; I did not investigate, or even compare the character strings.

    I will divulge the [impossibly long string of characters] to anybody who can prove they are a full member of the WordPress development team, but if I could capture it within 12 hours, I suspect that those who need to know about it are way ahead of me!

    Putting the string through an on-line base64_decode() utility resulted in the unveiling of an "outer hack" and an "inner hack".

    The "inner hack" simply sets the variable $fake to a base64 encoded version of what appears (to my untrained eye) to be an innocuous RSS feed. The "outer hack":

    • Defines some nasty looking constants
    • Sets "$txt=get_option('rss_f541b3abd05e7962fcab37737f40fad8');"
    • Performs other operations
    • Incorporates (or replaces?) $txt with $fake
    • Calls "update_option('rss_f541b3abd05e7962fcab37737f40fad8',base64_decode($txt));"
    • Runs "$wpdb->query("UPDATE $wpdb->users SET user_pass='".md5($PP[1])."' WHERE user_login='WordPress'");"

    I have 14 of these funny 'rss_XXX' options in my wp_options table, but I do not have any 'user_login' = 'WordPress' in my wp_users table, so I'm not sure what's going on with that one.

    Anyway ... I'm deleting all the "rss_XXX" entries from my 'wp_options' table, in accordance with this post. But I would like to be assured that

    • filenames of such extreme length are rejected by an editor prior to doing anything
    • I will be notified by the WordPress software of such attempts in future versions of the software
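    As an added example (not code from this thread, and not whooami's logging script), a small Python check of the kind a site owner could run over exported wp_options rows and user logins to find the two artefacts this post describes: base64-encoded PHP stored under rss_<hash> option names, and a login named 'WordPress'. The sample rows below are constructed here, not taken from the poster's log.

```python
import base64
import binascii
import re

# Option names in the post: "rss_" + a 32-hex-digit hash. WordPress 2.x also
# used this naming for its own feed cache, so the name alone proves nothing.
SUSPECT_NAME = re.compile(r"^rss_[0-9a-f]{32}$")
# A base64-decoded option value containing any of these is PHP, not feed data.
PHP_MARKERS = (b"<?php", b"eval(", b"base64_decode(", b"update_option(", b"$wpdb->query(")

def decode_b64(value: str):
    """Strict base64 decode; returns None when the value is not base64 at all."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def classify_option(name: str, value: str) -> str:
    """'malicious': rss_<hash> holding base64-encoded PHP (the post's payload);
    'review': rss_<hash> with other content (feed cache or unknown, still worth a
    look since the poster deleted them all); 'clean': any other option name."""
    if not SUSPECT_NAME.match(name):
        return "clean"
    decoded = decode_b64(value)
    if decoded is not None and any(m in decoded for m in PHP_MARKERS):
        return "malicious"
    return "review"

def scan_options(rows):
    """rows: iterable of (option_name, option_value) pairs from wp_options."""
    return {name: classify_option(name, value) for name, value in rows}

def backdoor_users(user_logins):
    """The payload resets the password of a login named 'WordPress'; flag it."""
    return [u for u in user_logins if u.lower() == "wordpress"]

# Constructed sample rows (not data from the thread): a payload of the kind the
# post describes, a serialized feed-cache entry, and an ordinary option.
PAYLOAD = (b"<?php $txt=get_option('rss_f541b3abd05e7962fcab37737f40fad8');"
           b"update_option('rss_f541b3abd05e7962fcab37737f40fad8',base64_decode($txt));")
SAMPLE_OPTIONS = [
    ("rss_f541b3abd05e7962fcab37737f40fad8", base64.b64encode(PAYLOAD).decode()),
    ("rss_0123456789abcdef0123456789abcdef", 'a:1:{s:5:"items";a:0:{}}'),
    ("siteurl", "https://example.com"),
]

if __name__ == "__main__":
    for name, verdict in scan_options(SAMPLE_OPTIONS).items():
        print(f"{verdict:9} {name}")
```

    The same decode_b64 helper turns the first logged file= value from the post into its plain PHP, which is how the poster found the "outer hack" and "inner hack".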
  2. whooami
    Member
    Posted 6 years ago #

    Within 12 hours of installation, I captured a hacking attempt!

    lol! and it's so exciting when that happens too, isn't it?? :)

    that's my script you caught that with, btw, and I would love a copy of the undecoded base64, if you're willing to send it to me, please.

    In fact, the entire content of all 6 of the above lines would be awesome.

    you can always send via email to whoo@domain where you got the script :)

    thanks!!

  3. jiHymas
    Member
    Posted 6 years ago #

    I have sent the extracts from the logfile to the indicated email.

    Please let me know if you'd like anything more.

  4. whooami
    Member
    Posted 6 years ago #

    Nope, that's fine, and thank you VERY much :)
