
xa7m3d hacker, advice? (7 posts)

  1. drpacker
    Member
    Posted 1 year ago #

    My website has been hacked and defaced by the above noted hacker, who I gather has been rather busy of late.

    I've got GoDaddy working on figuring out what happened, and the website is still live in the hacked state if anyone feels brave enough to go and check out what is happening. I'm leaving it in the hacked state until all the forensics have been done... boxwrestlefence.com

    The google cache is still serving up the clean version, so I can scrape and rebuild from that (sigh) but does anyone have any idea how this attack was pulled off, and if it's anything more than just a defacement? Is there a payload associated with it?

    Love some advice...

    Thanks!

    David.

  2. esmi
    Theme Diva & Mod
    Posted 1 year ago #

  3. drpacker
    Member
    Posted 1 year ago #

    Uhm, yeah, thanks I already did a search and read those before I posted.

    Did I mention this is a WordPress 3.0 site? And everything, as far as I know, was updated.

    I've since cleaned the site, but here's the log of the attack GoDaddy provided. I should note that we, as far as I know, only have 5 users on the site, and everyone uses good password methods.

    -----------------------------
    Our support staff has responded to your request, details of which are described below:

    Discussion Notes
    Support Staff Response
    Dear Sir/Madam,

    Thank you for contacting Hosting Support.

    We did review your site and found that your site was compromised on 11JUL2010 via WordPress. It appears that the attacker may have logged into their wp-admin and modified the hello.php. The hello.php that was modified was not within the snapshots, so we could not verify the content. Here is a copy of the logs we found for the attack:

    HTTP Logs showing malicious user posting to hello.php:

    41.230.192.28 - - [11/Jul/2010:11:37:06 -0700] "POST boxwrestlefence.com/wp-login.php HTTP/1.1" 302 5 "http://boxwrestlefence.com/wp-login.php?redirect_to=http%3A%2F%2Fboxwrestlefence.com%2F%2Fwp-admin%2F&reauth=1" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"

    41.230.192.28 - - [11/Jul/2010:11:43:18 -0700] "POST boxwrestlefence.com/wp-login.php HTTP/1.1" 302 5 "http://boxwrestlefence.com/wp-login.php?redirect_to=http%3A%2F%2Fboxwrestlefence.com%2Fwp-admin%2Fplugin-editor.php%3Ffile%3Dakismet%2Fakismet.php&reauth=1" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9)Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"

    41.230.192.28 - - [11/Jul/2010:11:45:56 -0700] "POST boxwrestlefence.com/wp-admin/plugin-editor.php HTTP/1.1" 302 5 "http://boxwrestlefence.com/wp-admin/plugin-editor.php?file=akismet/akismet.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"

    41.230.192.28 - - [11/Jul/2010:11:50:45 -0700] "POST boxwrestlefence.com/wp-login.php HTTP/1.1" 302 5 "http://boxwrestlefence.com/wp-login.php?redirect_to=http%3A%2F%2Fboxwrestlefence.com%2Fwp-admin%2Fplugin-editor.php%3Ffile%3Dakismet%2Fakismet.php&reauth=1" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9)Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"

    41.230.192.28 - - [11/Jul/2010:11:51:54 -0700] "POST boxwrestlefence.com/wp-admin/plugin-editor.php HTTP/1.1" 302 5 "http://boxwrestlefence.com/wp-admin/plugin-editor.php?file=hello.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"

    41.230.192.28 - - [11/Jul/2010:11:52:06 -0700] "POST boxwrestlefence.com//wp-content/plugins/hello.php HTTP/1.1" 200 5902 "http://boxwrestlefence.com/wp-content/plugins/hello.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"

    41.230.192.28 - - [11/Jul/2010:11:52:13 -0700] "POST boxwrestlefence.com//wp-content/plugins/hello.php HTTP/1.1" 200 4977 "http://boxwrestlefence.com/wp-content/plugins/hello.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"

    41.230.192.28 - - [11/Jul/2010:11:52:29 -0700] "POST boxwrestlefence.com//wp-content/plugins/hello.php HTTP/1.1" 200 5902 "http://boxwrestlefence.com/wp-content/plugins/hello.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"

    41.230.192.28 - - [11/Jul/2010:11:52:37 -0700] "POST boxwrestlefence.com//wp-content/plugins/hello.php HTTP/1.1" 200 3515 "http://boxwrestlefence.com/wp-content/plugins/hello.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"

    41.230.192.28 - - [11/Jul/2010:11:52:56 -0700] "POST boxwrestlefence.com//wp-content/plugins/hello.php HTTP/1.1" 200 6411 "http://boxwrestlefence.com/wp-content/plugins/hello.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"

    41.230.192.28 - - [11/Jul/2010:11:53:47 -0700] "POST boxwrestlefence.com//wp-content/plugins/hello.php HTTP/1.1" 200 5900 "http://boxwrestlefence.com/wp-content/plugins/hello.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"

    41.230.192.28 - - [11/Jul/2010:11:53:54 -0700] "POST boxwrestlefence.com//wp-content/plugins/hello.php HTTP/1.1" 200 38075 "http://boxwrestlefence.com/wp-content/plugins/hello.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"

    41.230.192.28 - - [11/Jul/2010:11:54:07 -0700] "POST boxwrestlefence.com//wp-content/plugins/hello.php HTTP/1.1" 200 4378 "http://boxwrestlefence.com/wp-content/plugins/hello.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"

    ----------

    So, again, not panicking, but wanting to know if anyone has a reasonable idea of how this was pulled off. I am a former unix network admin, but a little behind the times. I'm looking for technical answers and discussion on a security issue, and possible new habits to apply in future. I would like to know where I went wrong, and what to do in future. My setup was more secure than average, but not perfect, and we had policies in place to prevent this...but it still happened.

    Help?
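    A detection pass over access-log lines of the shape GoDaddy provided, added here as an example and not part of the thread or of WordPress: it flags a source IP that POSTs to wp-login.php, then to the built-in plugin editor, then straight to a .php file under wp-content/plugins that answers 200, which is the sequence in the log above. The sample log lines and IPs are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache "combined" log sample (documentation IPs); the host-prefixed request paths mirror the thread's lines.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jul/2010:11:37:06 -0700] "POST example.com/wp-login.php HTTP/1.1" 302 5 "http://example.com/wp-login.php?reauth=1" "Mozilla/5.0 (X11; Linux)"
198.51.100.9 - - [11/Jul/2010:11:40:00 -0700] "POST example.com/wp-login.php HTTP/1.1" 302 5 "http://example.com/wp-login.php" "Mozilla/5.0 (Windows)"
198.51.100.9 - - [11/Jul/2010:11:41:10 -0700] "POST example.com/wp-admin/post.php HTTP/1.1" 302 5 "http://example.com/wp-admin/post-new.php" "Mozilla/5.0 (Windows)"
203.0.113.5 - - [11/Jul/2010:11:51:54 -0700] "POST example.com/wp-admin/plugin-editor.php HTTP/1.1" 302 5 "http://example.com/wp-admin/plugin-editor.php?file=hello.php" "Mozilla/5.0 (X11; Linux)"
203.0.113.5 - - [11/Jul/2010:11:52:06 -0700] "POST example.com//wp-content/plugins/hello.php HTTP/1.1" 200 5902 "http://example.com/wp-content/plugins/hello.php" "Mozilla/5.0 (X11; Linux)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def parse(line):
    # Returns one access-log record as a dict, or None if the line does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec

def find_editor_webshell_chains(lines, window=timedelta(minutes=30)):
    """Map source IP -> plugin file for IPs that, within `window`, POST to
    wp-login.php, then to the built-in plugin editor, then directly to a .php
    file under wp-content/plugins that answers 200."""
    stage, started, hits = defaultdict(int), {}, {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"] != "POST":
            continue
        ip, path = rec["ip"], rec["path"]
        if ip in started and rec["ts"] - started[ip] > window:
            stage[ip] = 0                      # chain went stale: start over
            del started[ip]
        if path.endswith("/wp-login.php"):
            started.setdefault(ip, rec["ts"])  # remember when the chain began
            stage[ip] = max(stage[ip], 1)
        elif stage[ip] >= 1 and path.endswith("/wp-admin/plugin-editor.php"):
            stage[ip] = 2                      # plugin source edited via wp-admin
        elif (stage[ip] == 2 and "/wp-content/plugins/" in path
              and path.endswith(".php") and rec["status"] == "200"):
            hits[ip] = path                    # edited plugin file now being executed
    return hits
```

    The built-in editor can be disabled by defining DISALLOW_FILE_EDIT as true in wp-config.php, which removes plugin-editor.php as a way to turn a stolen admin login into file writes.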

  4. drpacker
    Member
    Posted 1 year ago #

    I did restore the site, BTW. The hacked version is no longer up, so sorry, no example of what it looks like.

  5. James
    Happiness Engineer
    Posted 1 year ago #

    Make sure that the permissions on your files are set to 644 and directories are set to 755. This is typically the first line of defense, but it unfortunately won't protect you from a compromised account on the same server, which is how these things are usually carried out.

    Since you've restored everything, you may want to implement some (if not all) of the recommended security measures.

  6. drpacker
    Member
    Posted 1 year ago #

    Did I mention I was a Unix admin? And security specialist for a number of stock brokerage firms? :) All the basics were in place, which is why I'm a little flummoxed.

    All I can think of is that the nexGengallery plugin was reported somewhere to have an SQL injection flaw. But... I'm not sure that would have led to what shows in the log above.

    But I've also been out of the loop for about 5 years, so...enlighten me?

  7. James
    Happiness Engineer
    Posted 1 year ago #

    Did I mention this is a wordpress 3.0 site? And everything, as far as I know, was updated.

    That's a good first step. Most of the current hacks use backdoors or compromised accounts to affect all accounts on the same server, rendering most user-level security measures useless. In this case, it's up to the hosting provider to provide a secure environment.

    Did I mention I was a Unix admin? And security specialist for a number of stock brokerage firms?

    That's fine, but it doesn't mean that I know that you've thought of everything. Support is free, psychic services cost extra.

    All I can think of is that the nexGengallery plugin was reported somewhere to have an SQL injection flaw. But... I'm not sure that would have led to what shows in the log above.

    If any plugin has an SQL injection flaw, your only option is to stop using it until an update is available. I'm not sure on the status of nexGengallery, but there are quite a few people using it these days.

    But I've also been out of the loop for about 5 years, so...enlighten me?

    It's hard to comment on plugin security, because there's thousands of them. WordPress 3.0 currently has no known security holes, and security fixes are released almost immediately if necessary.

    Basically, keep everything up to date, implement some (if not all) of the recommended security measures, and backup your files and database regularly.

Topic Closed

This topic has been closed to new replies.