Serious hacking threat to newest WordPress?

Hi there,

Recently, my site was hacked. I’ve found that what hit me, hit also
hundreds (and very likely many thousands) sites! The sites affected
are running mostly WordPress blogs, but I saw some forums and other
CMSes being hacked as well (although a WP installation may exist on
those servers and only the malicious code is embeded in other CMSes).
Examples:
– Moodle: http://www.google.pl/search?sourceid=chrome&ie=UTF-8&q=site:elearning.emate.ucr.ac.cr+loan
– SMF forum: http://www.google.pl/search?sourceid=chrome&ie=UTF-8&q=site:spinnershome.net+loan
I ask you to help me get to the bottom of this and find the bug.

Please note, that it is quite hard to notice the hack if you don’t
look for it. Check Google with the following phrase:
site:example.com loan
Where “example.com” is your domain (or some affected domain). You’ll
see a lot of crap that you didn’t even know existed.

First, a list of sites that link to my hacked site (so they’re also hacked):
http://pokazywarka.pl/wh96r1-2/
NOTE that you will not see the malicious text, it shows up only to
crawlers. BUT if you run the Google’s site: search, you’ll notice it.
About 10 of those hundreds of pages are viable links, rest is due to
this hacking going on. And that’s only the sites that link to mine
after a few days. My address is blogtimes.pl which occurs a few times
as I link to myself obviously.

I was/am running the latest WordPress installation (3.0.1) with some
daily updated plugins:
Akismet, All in one SEO Pack, Broken Link Checker, FD Feedburner
Plugin, Google Analyticator, Google XML Sitemaps, Move WordPress
Comments, No Self Pings, Popularity Contest, Raw HTML Capability, SEO
Friendly Images, SEO Smart links, Sociable, Sociable Poland, Subscribe
to comments, WordPress Database Backup, WP-PageNavi, WP BlipBot
(Polish equivalent of Twitter), WP No Category Base, WP Super Cache,
Yet Another Related Posts Plugin.

My hosting provider is DreamHost with shared hosting. My password for
WP was quite strong and it doesn’t seem like it is the weak link. My
username was however “admin”. My FTP details were randomly generated.
My CHMODs were as supposed to (safe). I did not run any other site on
this account, nor did I have shell access enabled. MySQL database
doesn’t seem to be affected at all. After the attack I run some
plugins to check for vulnerabilities and none found anything.
DreamHost states that my FTP account was not accessed, so the hack
occured through HTTP most likely (or the shared server, which is
unlikely judging on the number of sites affected). DreamHost doesn’t
have logs reaching over a week in the past (…) so I’m not able to
check which files were accessed during the hack. I can however do some
other sniffing.

This is how the attack progressed in time:
07th Nov. 2010
./wp-config.php was modified at 07:26 (no malicious code there, could
be that the attacker just looked at my MySQL DB credentials or changed
the unique keys that wp-config.php has)
./wp-admin/includes/version.php was modified at 07:27 (totally changed
with heavily encrypted PHP code. The decrypted version can be found at
http://pastebin.com/3JWb96z6 This file is basically an admin panel for
managing files and running shell commands. You need to provide a
variable using POST for the page to show up)

11th Nov. 2010
These files were uploaded: http://pokazywarka.pl/i3r0i6/
They are encrypted and I don’t yet know what is their purpose.
Also, the ./wp-includes/post-template.php was modified that day. It
had some heavily encrypted PHP code boundled inside. I’ve decoded it:
http://pastebin.com/kx7ahkrW
The first and second functions are basically wrappers for the content
below them. What you can see is that some pages from my blog are
changed to malicious ones (probably nested inside the files uploaded
the same day), but only if the crawler visits the page. As a result,
Google dropped my ranks for the whole domain at 15th Nov. and that
ringed my bell. You can also see that the script takes a “pw” variable
through GET. This way the attacker can run a CURL query (look up
another site) and open or write a local file.

19th Nov 2010
./wp-content/languages/mo/index.php was modified (or uploaded the
first time). It probably is a gateway to version.php (I can see there
are POST requests executed on it), or it is another way to manage the
hacked site. DreamHost reports that in the same dir there are other
files which are browsable through HTTP, like:
http://blogtimes.pl/wp-content/languages/mo/reducingdebtwith.html
I however do not see any files in this directory using LIST -al and
LIST -alh with many FTP clients. It may be that I have to turn on
shell on this account to look them up, which I am not willing to do.
Anyone knows if this is the case? Can you hide files from FTP access
without having power over the FTP server?

Finally, 19th and 20th Nov. (never logs are yet to come from DreamHost
I guess), there have been numerous attempts to further compromise my
server (and likely access my linux password). I do have access to the
HTTP logs for this timeframe, so I was able to review the malicious
requests. You can see them here:
http://pastebin.com/Rf3uXZsR
Note that 24.185.11.54 is the IP of the attacker. He is the only one
who knows that he should access index.php and does so using POST (so
he provides his passphrase). You can see that he uses an iPhone and
probably some kind of an automated application on a computer (hence
the 3 requests per second) to upload files (most likely). This IP
belongs to the ISP Optimum Online and is shared from the pool
24.185.x.x in Brooklyn, NYC.
Other IPs are most likely script kiddies and bots, not related to this hack.
I do not see any other malicious requests on the 19th, so eigther the
index.php modified itself (bacuse the modification date = 19th) or it
was modified by some other protocol.

This is very weired, as I can not seem to find how the initial upload
was able to take place and how the 19th modification of index.php took
place. We can be sure that the issue is large in scale. I still have
some files that I can decode (index.php) and if I do so, I’ll try to
put a trap on the attacker and get to know his passphrase.

Any comments will be appreciated!

Chris