WordPress › Support » WordPress 2.7 hacked - could be related to wp-atom.php

qti
Member
Posted 2 years ago #

Today my blog and my wife's blog, both on wordpress 2.7 and on the same domain, got hacked.

I noticed this when I accessed our blogs on IE6 (yes sucks I know - but that's what we have at work) and Norton anti-virus popped up and alerted me with a message saying that bloodhound.exploit.213 was found and deleted.

Looking through the scripts I found that a script was inserted into ALL header.php of all our themes, which would direct the browser to download a PDF from a website (which I suppose is infected).

I alerted my webhost, which very helpfully looked at the logs, and discovered that the time the header.phps were changed matched exactly certain POST requests to wp-atom.php. We therefore suspect that the scripts were inserted through wp-atom.php

As temporary measures my webhost has temporary blocked any POST requests to the wp-atom.php and wp-load.php which he thinks is the solution to prevent this from happening again. I am not sure whether or how this would affect wordpress though.

He said he will then install some security modules on the server to prevent arbitrary code from passing to the web server (which I don't understand - sorry I am not a techie).

Thought I would share this with you all, as this worried me quite a bit, especially as I always regard myself as quite careful in keeping things up-to-date etc.. Also only our close friends and family members know the address of our blogs and I have disallowed search engines from crawling my sites. I have never encountered a virus before as I have been very careful with opening attachments etc. This hack really came as a bit of a shock to me and I would hate it if any of the visitors, which would invariably be our good friends and family, were to catch a virus because of visiting us.
Detect
Member
Posted 2 years ago #

Thanks for posting this. We're having a very similar issue on our blog and are currently investigating.
species5618
Member
Posted 2 years ago #

same here
http://theresahampton.com.
latest 2.7 drop
but with Apache able to write to themes folder for convenience

files changed at 02:05:44 UK time

snippet two lines from http access log
87.118.120.36 - - [10/Feb/2009:02:05:43 +0000] “POST /wp-atom.php HTTP/1.1″ 200 32 “-”
87.118.120.36 - - [10/Feb/2009:02:05:43 +0000] “POST /wp-atom.php HTTP/1.1″ 200 - “-”

also reported here
http://photocritic.org/wordpress-exploit-iframe-gen-c
qti
Member
Posted 2 years ago #

Same ip apparently

87.118.120.36 - - [10/Feb/2009:10:13:17 +0800] "POST /wp-atom.php HTTP/1.1" 200 44 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

87.118.120.36 - - [10/Feb/2009:10:13:19 +0800] "POST /wp-atom.php HTTP/1.1" 200 5 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

An update: they also changed the permissions of my main directory - that I can't upload/delete/rename anything! I am checking with my webhost how they did that.

The thing I find astonishing is that only a few friends and family members know about my site. I tried and Google couldn't find it. How did the hackers manage to find it??
rhbee1
Member
Posted 2 years ago #

I lost 8 posts today. They are still on my manage page as published posts but no longer appear on the blog.
Len
Member
Posted 2 years ago #

If you still have the server logs available send all pertinent info to security (at) wordpress (dot) org

@qti - They weren't gunning for you specifically. They use scripts that scan the web looking for vulnerabilities. The entire process is automated.
qti
Member
Posted 2 years ago #

Thanks for your reply LenK. I don't have access to the server logs. If they are not gunning for me, I am surprised that I didn't see that many other reports of similar incidents from my search on Google. Since I am using the most up-to-date version of WordPress available, I would have thought this would have been much more widespread, given that mine is really a tiny site with a hundred or so visitors.

Further info - basically ALL the files on my site have been changed to a time stamp of 5 September 2007 12:00am

Is there anyway I can report this IP address to anyone with authority that can take some action??
Roy
Member
Posted 2 years ago #

QTI, I have no ideas how these hack-bots work, but on the other hand, I have no idea how search engine bots work. It seems that all my WP installations and that of my girlfriend (on another server) escaped the dance so far. Perhaps you want to have a look at file permissions, "hardening" in general. Perhaps Bad Behavior prevents such bots from doing anything, maybe you want to have a look at the Ask Apache Password Protect login, or the new WP Security which seems to combine Bad Behavior and Ask Apache.
qti
Member
Posted 2 years ago #

Ok having dug a bit deeper I think its 99.9% WordPress's security problem.

The MySQL database has been hacked with a new user WordPress with a user registration time of 00-00-0000, as described in one of the websites on WordPress security mentioned else on this forum.

To be honest I am terribly shocked by the security of WordPress, and would seriously look at whether there are safer alternatives, and whether I should just shut the blogs until I find something I am happy with. If a small site like mine with such a small Internet footprint managed to be found and get hacked, god bless the WordPress community and especially visitors of WP sites. This is such a serious risk to the whole of the Internet.

Sorry if I am sounding too negative, but I never thought its so unsafe.
qti
Member
Posted 2 years ago #

Many thanks Gangleri for your suggestions. I will look at the references which I am sure would be useful. On the other hand, knowing that there are millions of users out there, I had expected WordPress to be more secure out of the box as I didn't do any hacking, and have only installed one fairly popular plugin (kimili - for embedding flash movies (for my photo slideshows)) which I have kept up to date.
sankari
Member
Posted 2 years ago #
Qti, one of my client's blog was hacked in the same way. The blog uses an earlier version of WP.

The attacker's IP is the same as above. Apparently the attacker used the wp-atom.php file to post a script into the header.php file of the active WP theme. That php file had write permissions by mistake.

According to the web server's log this very IP address is not a first time visitor to the site and the only file it ever called was wp-atom.php.

I discovered the same WordPress user in the database.

By visiting the blog, the code attempted to download malicious code from a server in another country, probably a trojan. Some users reported unusual behaviours of their browsers such as a freeze or a browser question asking for permission to run an browser add-on. One user's local network in his company even broke down.

I suggest to take the following measures which should enable you to run your WP blog again:
- Remove the malicious script from the theme file (PHP and Javascript code located in the head section)
- Delete the WordPress user.
- Correct file permissions for the theme files, where necessary.
- Ban above IP address from accessing your server.
- Delete the wp-atom.php file which is in the root directory. I am not sure if the file is still needed as some comments in the file say: * This file is no longer used in WordPress and while it is not deprecated now. - and - * This file will most likely be deprecated or removed in a later version.
Any other hints and measures from WP experts are appreciated. If you don't have access to complete them ask your provider for help.

I agree with you that WP experts should look into the issue as to me it looks like a vulnerability of WP.
xundre
Member
Posted 2 years ago #

I got hacked too. see:
http://www.olu85.com/blog/?p=15

Topic Closed

This topic has been closed to new replies.

WordPress.org

Forums

WordPress 2.7 hacked - could be related to wp-atom.php (12 posts)

Topic Closed

About this Topic

Tags

Code is Poetry