• My blog was hacked this weekend. I noticed suspicious activity in the logs. I found a directory called wp-content/uploads/2007/11/images which contained an index.php describing itself as:

    /*This file is part of Magic_Toolz for WordPress blogs*/

    I haven’t worked out the exact purpose of the hack but it was able to serve up a PHP script which included a hyperlink to a pharmacy site.

    So what I’m wondering is:

    1. How did the hacker get in? I recently installed wp-cache which requires making wp-content writeable by the web server. Is there a known issue that might exploit this, or should I look elsewhere?

    I’ve disabled wp-cache and taken off the write permissions as a precaution.

    2. Any suggestions concerning steps I should take after an event like this, to secure the site and prevent further damage?

    The web server is running Debian etch.

    Tim

Viewing 5 replies - 1 through 5 (of 5 total)
  • use post – get technique in your php

    Thread Starter onlyconnect

    (@onlyconnect)

    Sorry, your answer makes no sense to me.

    Tim

    Thread Starter onlyconnect

    (@onlyconnect)

    Update – the script’s primary purpose seems to be sending trackback spam.

    Tim

    Thread Starter onlyconnect

    (@onlyconnect)

    Just a bit more info – it appears the attack exploited a problem with another php application in order to upload or edit a file with a php extension in wp-content.

    So this is not a WordPress bug, but illustrates the risks of having the web server able to both write and execute php files in the same location.

    Tim
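A defender-side audit of the write-and-execute condition Tim describes above, as an added example that is not part of this thread. The web-root path, the web-server user name (www-data on Debian) and the Apache 2.2 .htaccess syntax are assumptions:

```shell
#!/bin/sh
# Added example (not code from the thread): audit a WordPress install for a
# directory the web server can both write to and execute PHP from, and block
# PHP execution under wp-content/uploads so a dropped script is inert.
# The web-root path and the web-server user (www-data on Debian) are assumptions.

# List .php files under wp-content/uploads. That tree should hold only media,
# so any hit (like the uploads/2007/11/images/index.php in the thread) needs review.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# List directories under wp-content writable by the web-server user ($2) or by
# everyone. Each one is a place a compromised process could drop a script.
writable_dirs() {
    find "$1/wp-content" -type d \( -user "$2" -perm -u=w -o -perm -o=w \) 2>/dev/null | sort
}

# Write an .htaccess into uploads that refuses to serve .php files at all.
# Apache 2.2 syntax (Debian etch era); on Apache 2.4 replace the Order/Deny
# lines with "Require all denied". Needs AllowOverride Limit for that directory.
harden_uploads() {
    cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|php[0-9]|phtml)$">
    Order deny,allow
    Deny from all
</FilesMatch>
EOF
}

# Usage: ./wp-audit.sh /var/www/blog www-data   (path and user are examples)
if [ "$#" -ge 1 ]; then
    echo "== PHP files in uploads =="; php_in_uploads "$1"
    echo "== web-writable dirs under wp-content =="; writable_dirs "$1" "${2:-www-data}"
fi
```

Run the audit before and after removing write permission, and only then re-enable a caching plugin that needs a writable wp-content.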

    Hi,

    I discovered a similar (identical?) problem over the weekend: the file wp-cache.php had been reworked with lines like:

    Find all .htpasswd in / (nst) find / -type f -name .htpasswd
    Find all .htpasswd in . (nst) find . -type f -name .htpasswd
    Find all writable dirs/files in / (nst) find / -perm -2 -ls

    A directory under wp-content had been created with the name “includes” (and porn stuff had been installed there!).

    I had to re-install the wp-content directory, change the name of the old one and ask my sys admin to remove it.

    I have un-activated the plugin wp-cache.

    From my sys-admin:

    “It would appear that someone (a hacker) has found a way to exploit code in WordPress/WP-Cache to implement a PHP code injection attack – see:

    http://en.wikipedia.org/wiki/Code_injection

    The objective of such attacks is usually to hijack the web application to deploy illicit material such as that which you have found. PHP applications such as WordPress are common targets for this kind of attack. You should always make sure you are using the latest version of any PHP application (particularly popular ones like WordPress) to ensure that all known vulnerabilities have been fixed.”

    It appears the wp-cache plugin is not safe to use with the latest wp (2.3.2).

    Frederic


The topic ‘Hacked – advice requested’ is closed to new replies.