WordPress.org


security hole in wp-login.php and/or wp-atom.php?? (22 posts)

  1. catman66
    Member
    Posted 1 year ago #

    I'm observing someone in Moldova using my box as a spam relay via WP.

    I host multiple installations of WP online, and for the past week have been seeing large HTTP POST entries in the logs with a file attached. I then see an outgoing email from sendmail as "support@mydomain.com" going to some email address with a SPAM message attached.

    A quick iptables rule to block the offending IP address has stopped it, for now, but I am running the latest version of WP with few plugins (or none, on some sites) and appear to be seeing an exploit of the core WP install itself? I need a more permanent solution.

    I've seen a few other posts here similar to this, but with no apparent resolution. I'm fairly confident I don't have a tainted install.

    Here's an example of the logs: (Logs truncated and code modified for safety)

    95.65.31.32 - - [15/Jun/2012:20:54:34 -0400] "POST /blog/ HTTP/1.1" 404 297 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Geck$
    95.65.31.32 - - [15/Jun/2012:20:54:34 -0400] "POST /blog/?s=google HTTP/1.1" 404 297 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.$
    95.65.31.32 - - [15/Jun/2012:20:54:34 -0400] "POST /blog/wp-atom.php HTTP/1.1" 404 308 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.$
    95.65.31.32 - - [15/Jun/2012:20:54:35 -0400] "POST /blog/wp-login.php HTTP/1.1" 404 309 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1$
    95.65.31.32 - - [15/Jun/2012:20:54:35 -0400] "POST /blog/wp-login.php HTTP/1.1" 100 0 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8$
    95.65.31.32 - - [15/Jun/2012:20:54:36 -0400] "file=QGV2YWwoZGVjcnlwdCgiMXFPbG5OcFpXc0dCdExTR2kxdWRtczJhV1pTUGJGYUdwTm5DbVpWeFdhVEdtS0dseWxOeGJEdUp4Nl$
    95.65.31.32 - - [15/Jun/2012:20:55:24 -0400] "POST / HTTP/1.1" 200 32 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 $
    95.65.31.32 - - [15/Jun/2012:20:55:24 -0400] "POST / HTTP/1.1" 100 0 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 F$
    95.65.31.32 - - [15/Jun/2012:20:55:24 -0400] "file=QGV2YWwoZGVjcnlwdCgicmFHc25xZGZWTUcyZ0xXSGxGeWV6cVNZWUpaY2NsQ0cyYVhEbXA1eVd0aWRscWlubDFscmJIQlZ5S1$
    74.68.115.211 - - [-] "" ESMTP 0 "" ""
    74.68.115.211 - - [15/Jun/2012:20:55:26 -0400] "EHLO myhost.myhost.com" - 0 "" ""
    74.68.115.211 - - [15/Jun/2012:20:55:26 -0400] "MAIL From:<support@myhost.com>" 2.1.0 0 "" ""
    74.68.115.211 - - [15/Jun/2012:20:55:26 -0400] "RCPT To:<g1dl1wl3flvr2@aol.com>" 2.1.5 0 "" ""
    74.68.115.211 - - [15/Jun/2012:20:55:26 -0400] "DATA" End 0 "" ""
    74.68.115.211 - - [15/Jun/2012:20:55:26 -0400] "Received: from myhost.myhost.com (localhost.localdomain [127.0.0.1])" 2.0.0 0 "" ""
    74.68.115.211 - - [15/Jun/2012:20:55:26 -0400] "QUIT" 2.0.0 0 "" ""
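
An added triage script for the log pattern in the post above (editor's example, not code from the thread or from WordPress). It parses Apache-style lines, picks out the entries whose logged request field is a POST body starting with `file=`, decodes the readable prefix of the base64 value, and pairs each outbound `MAIL From` event with the latest such POST in the preceding minute. The sample log lines are constructed from the OP's truncated excerpts (the two base64 fragments are copied as posted and padded to parse); the `CODE_TOKENS` list, the 60-second window and the line regex are the editor's choices, not anything the thread specifies.

```python
"""Triage for POST bodies carrying a base64 file= parameter, and for outbound
mail that follows them. Editor's example; sample log lines are constructed."""
import base64
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample lines modelled on the OP's excerpts (the originals were cut
# off with "$"; these are completed so they parse). Not real log files.
ACCESS_LOG = """\
95.65.31.32 - - [15/Jun/2012:20:54:35 -0400] "POST /blog/wp-login.php HTTP/1.1" 100 0 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/Jun/2012:20:54:36 -0400] "file=QGV2YWwoZGVjcnlwdCgiMXFPbG5OcFpXc0dCdExTR2kxdWRtczJhV1pTUGJGYUdwTm5DbVpWeFdhVEdtS0dseWxOeGJEdUp4Nl"
203.0.113.9 - - [15/Jun/2012:20:54:50 -0400] "GET /blog/ HTTP/1.1" 200 8120 "" "Mozilla/5.0"
95.65.31.32 - - [15/Jun/2012:20:55:24 -0400] "POST / HTTP/1.1" 200 32 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
95.65.31.32 - - [15/Jun/2012:20:55:24 -0400] "file=QGV2YWwoZGVjcnlwdCgicmFHc25xZGZWTUcyZ0xXSGxGeWV6cVNZWUpaY2NsQ0cyYVhEbXA1eVd0aWRscWlubDFscmJIQlZ5S1"
"""
MAIL_LOG = """\
74.68.115.211 - - [-] "" ESMTP 0 "" ""
74.68.115.211 - - [15/Jun/2012:20:55:26 -0400] "MAIL From:<support@myhost.com>" 2.1.0 0 "" ""
74.68.115.211 - - [15/Jun/2012:20:55:26 -0400] "RCPT To:<g1dl1wl3flvr2@aol.com>" 2.1.5 0 "" ""
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Tokens you expect in a PHP code payload (editor's list). "decrypt(" is whatever
# the payload calls; the rest are common execution/obfuscation primitives.
CODE_TOKENS = ("eval(", "assert(", "base64_decode(", "gzinflate(", "str_rot13(", "decrypt(")


def parse_line(line: str) -> Optional[Dict]:
    """Return {ip, ts, req} for a CLF-style line, or None without a usable timestamp."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:  # e.g. the "[-]" placeholder on the ESMTP banner line
        return None
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req")}


def decode_prefix(value: str, length: int = 40) -> str:
    """Decode as much of a (possibly truncated, form-encoded) base64 value as is complete."""
    raw = unquote(value.split("&", 1)[0])        # %2B -> +, %2F -> /, %3D -> =
    raw = re.sub(r"[^A-Za-z0-9+/=]", "", raw)
    raw = raw[: len(raw) - len(raw) % 4]         # drop a trailing partial quantum
    return base64.b64decode(raw).decode("latin-1")[:length]


def find_payloads(access_log: str) -> List[Dict]:
    """Entries whose logged request field is a POST body starting with file=<base64>."""
    hits = []
    for line in access_log.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["req"].startswith("file="):
            continue
        rec["decoded"] = decode_prefix(rec["req"][len("file="):])
        rec["suspicious"] = any(tok in rec["decoded"] for tok in CODE_TOKENS)
        hits.append(rec)
    return hits


def find_outbound_mail(mail_log: str) -> List[Dict]:
    recs = (parse_line(l) for l in mail_log.splitlines())
    return [r for r in recs if r and r["req"].startswith("MAIL From:")]


def correlate(payloads: List[Dict], mails: List[Dict],
              window_seconds: int = 60) -> List[Tuple[Dict, Dict]]:
    """Pair each outbound mail with the latest payload POST in the preceding window."""
    pairs = []
    for mail in mails:
        earlier = [p for p in payloads
                   if 0 <= (mail["ts"] - p["ts"]).total_seconds() <= window_seconds]
        if earlier:
            pairs.append((max(earlier, key=lambda p: p["ts"]), mail))
    return pairs


if __name__ == "__main__":
    hits = find_payloads(ACCESS_LOG)
    for h in hits:
        print(h["ts"], h["ip"], repr(h["decoded"]), "SUSPICIOUS" if h["suspicious"] else "")
    for post, mail in correlate(hits, find_outbound_mail(MAIL_LOG)):
        print(f"{mail['req']} at {mail['ts']:%H:%M:%S} follows POST from "
              f"{post['ip']} at {post['ts']:%H:%M:%S}")
```

The decoded prefix of both fragments exactly as posted is `@eval(decrypt("…`, which is why the hunt for a tainted install should look for PHP that runs eval on request data rather than only for recognisable webshell files. In the OP's excerpt the body shows up as its own log entry; on a server that does not log bodies you would need something like the mod_dumpio setup mentioned later in the thread to see it.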

  2. s_ha_dum
    Member
    Posted 1 year ago #

    I'm fairly confident I don't have a tainted install.

    Have you checked?

    http://sitecheck.sucuri.net/scanner/

  3. catman66
    Member
    Posted 1 year ago #

    Yes, checked and reinstalled from backup. The code is not tainted.

  4. skate323k137
    Member
    Posted 1 year ago #

    I've been seeing this on clean WP sites too. Have yet to find a solution. I'm installing mod_dumpio for Apache to try to get more data from the POST requests, but just POST /blog/ is all that's in the domain logs for now, and it's definitely putting spam into the server's e-mail queue at the same time as the POST requests. I've checked every single use of eval( in the site code, nothing looks injected or tampered with at all. Default theme.

  5. angelacarmichael
    Member
    Posted 1 year ago #

    Stolen password?

  6. skate323k137
    Member
    Posted 1 year ago #

    Far as I can tell, this has nothing to do with using a password. I've worked in an abuse team for a major webhost for several years, and I deal with multiple hacked sites a day; a good section of those being wordpress. This isn't the normal outdated theme/plugin/etc. issue, or code injection issues that I see on a daily basis. Site is using 3.4.2

    The normal Apache domlog only shows:

    (offending IP address) - - [15/Nov/2012:08:03:56 -0500] "POST /blog/ HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

    over and over and over. At the same time as these "POST /blog/" entries, the exim queue receives an outgoing e-mail message from a fake account @affecteddomain.com

    If there's a code injection, it's hidden extremely well. Hoping they hit it again now that I have mod_dumpio and debug logging on.

  7. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    It might be worth checking to see if there is a specific plugin or theme involved in all cases.

  8. skate323k137
    Member
    Posted 1 year ago #

    This site was using the really old WordPress Default Version 1.6 theme from like 2007. Betting there's an issue with that. I updated it to the version from 2010 (1.7.2, last release of that theme). We'll see if that stops it. Does anyone know of any remote code exec vulns with that old default theme?

  9. angelacarmichael
    Member
    Posted 1 year ago #

    It might not even be WordPress, have you checked your apache version? Older remote apache vulnerabilities are a dime a dozen. Earlier this year there was a remote PHP exploit running wild also. HTH!

  10. skate323k137
    Member
    Posted 1 year ago #

    Appreciate the advice everyone. Apache is the newest 2.2.x (2.2.23) build supported by cPanel, and PHP is at the last 5.2.x version available, 5.2.17 I believe. I'm still hoping the site gets hit again so I get some debug info.

  11. angelacarmichael
    Member
    Posted 1 year ago #

    This actually looks just like the PHP fastcgi exploit!

    It's executing command line arguments via PHP and using the normal WordPress PHP scripts to do it since it requires a file to be present on the server.

  12. angelacarmichael
    Member
    Posted 1 year ago #

  13. skate323k137
    Member
    Posted 1 year ago #

    That exploit doesn't work on cPanel servers, cPanel wraps the requests for CGI handlers and strips any command line options.

    Server is using SuPHP for PHP handling.

    (edit for reference) http://cpanel.net/cpanel-protects-against-php-vulnerability/

  14. angelacarmichael
    Member
    Posted 1 year ago #

    Here's a lot more information on it: php-cgi-advisory-cve-2012-1823

    Interesting vulnerability. Let me know what you find.

  15. angelacarmichael
    Member
    Posted 1 year ago #

    Ahh.. Ok, well hope you figure it out. :|

  16. skate323k137
    Member
    Posted 1 year ago #

    Sincerely appreciate the input. Like I said, I work for a web host, and we're pretty on top of PHP/Apache vulns since 90% of our customers are using LAMP stack servers.

    I'm betting it was the 2007 theme files. I've seen some other threads with similar issues, but most people found code injections that eval() a post variable. Not the case here. Some of the other threads I've found never did find code injections, and never seem to have solved it. If I get to the bottom of this, I'll post what I find.

  17. esmi
    Theme Diva & Forum Moderator
    Posted 1 year ago #

    I'm a bit dubious about the theme being the source of the problem. From what I recall, there wasn't anything in the Kubrick theme that a hacker could have leveraged - unless it was modified. I'd be more interested in finding out what version of WordPress was being used to run the 2007 version of the theme. Pretty sure that newer versions of WP would have spit out all kinds of errors trying to run such an old theme.

  18. skate323k137
    Member
    Posted 1 year ago #

    You would think it wouldn't work, but I saw it. It was indeed WP 3.4.2 running the 2007 default theme.

    The POST requests came back today, but they're failing to generate any e-mail now that the theme was updated. The payload of the POST has two parts; one being a cookie used to help decrypt the other part, which has file=(some long base64 string)

    The request was definitely executing code using the $file variable before the theme was updated, and it's definitely failing to execute now. All's well that ends well I suppose. Hopefully this helps someone in the future. I'll refrain from posting the exploit code here as I think there are forum rules against it.
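
An added static check for the class of injection the thread circles around (post 4's audit of every eval(, post 16's "code injections that eval() a post variable", and the $file variable in the post above): a code-execution sink that is fed request data, wrapped in a decoder, or operating on a variable the file never assigns, which only yields anything if register_globals or extract() populated it. Editor's example, not code from the thread; the four PHP samples are constructed illustrations of the pattern and are not the theme files or the payload discussed above, and the regexes are a triage heuristic, not a PHP parser.

```python
"""Static triage of PHP source for webshell indicators. Editor's example;
the PHP samples below are constructed, not files from any site in the thread."""
import re
from typing import Dict, List, Set

SINK_RE = re.compile(r"\b(eval|assert|create_function|system|passthru|shell_exec|exec|popen|proc_open)\s*\(")
# preg_replace with the /e modifier evaluates the replacement as PHP (removed in PHP 7)
PREG_E_RE = re.compile(r"""preg_replace\s*\(\s*(['"])[^'"]*?/[a-zA-Z]*e[a-zA-Z]*\1""")
SOURCE_RE = re.compile(r"\$_(POST|GET|REQUEST|COOKIE|SERVER|FILES)\b|\b(extract|import_request_variables)\s*\(")
OBFUSCATION_RE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev|convert_uudecode)\s*\(")
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")
ASSIGN_RE = re.compile(r"\$([A-Za-z_]\w*)\s*=[^=]")
PARAM_RE = re.compile(r"\bfunction\s*\w*\s*\(([^)]*)\)")
FOREACH_RE = re.compile(r"\bas\s+(?:\$(\w+)\s*=>\s*)?\$(\w+)")
GLOBAL_RE = re.compile(r"\bglobal\s+([^;]+);")
BUILTINS = {"this", "GLOBALS", "_POST", "_GET", "_REQUEST", "_COOKIE",
            "_SERVER", "_FILES", "_ENV", "_SESSION"}

# Constructed samples. The last two are illustrative backdoor shapes, not the payload above.
CLEAN_THEME_FILE = """<?php
get_header();
if ( have_posts() ) { while ( have_posts() ) { the_post(); the_content(); } }
get_footer();
"""
LEGIT_DECODE = """<?php
$opt = get_option('widget_blob');
$cfg = unserialize(base64_decode($opt));
"""
EVAL_POST_VAR = """<?php
if (isset($_POST['file'])) { @eval(base64_decode($_POST['file'])); }
"""
UNASSIGNED_VAR = """<?php
/* $file is never assigned in this file; only register_globals or extract() could fill it */
@eval(decrypt($file, $_COOKIE['k']));
"""


def locally_bound(source: str) -> Set[str]:
    """Variable names the file itself gives a value to (assignment, parameter, foreach, global)."""
    bound = set(ASSIGN_RE.findall(source))
    for key, val in FOREACH_RE.findall(source):
        bound.update(x for x in (key, val) if x)
    for params in PARAM_RE.findall(source):
        bound.update(VAR_RE.findall(params))
    for names in GLOBAL_RE.findall(source):
        bound.update(VAR_RE.findall(names))
    return bound


def scan_php(source: str) -> Dict:
    """Report sink lines that also carry request data, a decoder, or an unbound variable."""
    bound = locally_bound(source)
    findings: List[str] = []
    for no, line in enumerate(source.splitlines(), 1):
        sinks = [m.group(1) + "(" for m in SINK_RE.finditer(line)]
        if PREG_E_RE.search(line):
            sinks.append("preg_replace /e")
        if not sinks:
            continue
        tags = []
        if SOURCE_RE.search(line):
            tags.append("request-data")
        if OBFUSCATION_RE.search(line):
            tags.append("obfuscated")
        unbound = sorted(v for v in set(VAR_RE.findall(line))
                         if v not in bound and v not in BUILTINS)
        if unbound:
            tags.append("unassigned:" + ",".join(unbound))
        if tags:
            findings.append(f"line {no}: {', '.join(sinks)} [{'; '.join(tags)}]")
    return {"suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for name, src in [("clean theme", CLEAN_THEME_FILE), ("legit decode", LEGIT_DECODE),
                      ("eval of POST var", EVAL_POST_VAR), ("unassigned $file", UNASSIGNED_VAR)]:
        print(name, scan_php(src))
```

Point scan_php at every file under wp-content (themes, plugins, uploads) and read the findings; the `unassigned:` tag is the one to watch when, as in the post above, the code runs on a `$file` that no visible superglobal feeds. A hit is a lead, not a verdict: legitimate plugins do call base64_decode and assert, so the clean and "legit decode" samples come back empty while the two backdoor shapes are flagged.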

  19. angelacarmichael
    Member
    Posted 1 year ago #

    skate: I would be interested in seeing the payload if you wouldn't mind sharing privately.

  20. skate323k137
    Member
    Posted 1 year ago #

    I'd be happy to share it with you; I could only decrypt it about half way. E-mail me at [removed] and I'll send you what I found.

  21. angelacarmichael
    Member
    Posted 1 year ago #

    sent. thanks again

  22. skate323k137
    Member
    Posted 1 year ago #

    Just found this exploit working on another server. Same deal, really old "default" theme present. Replacing the 2007 or 2008 version of "default" with this http://wordpress.org/extend/themes/default stops the payload from executing. I can confirm the payload matches the strings in the OP's logs.

Topic Closed

This topic has been closed to new replies.
