Hacks keep appearing.

Resolved adamprato
(@adamprato)

9 years, 3 months ago

A ways our hosting provider said we had spam script installed and threatened to remove our account if we didn’t eliminate the vulnerability. After some research (I manually cleaned up 70+ backdoors….) a friend told me about Wordfence. After installing that it found a backdoor I had overlooked.

Since running it, it caught two vulnerabilities recently. In both cases the scripts were newly added.

For the most recent one, I have a log of what seems to be the attack:

178.162.205.3 – – [04/Jan/2015:14:09:50 +0000] “GET /images/jquery.php HTTP/1.1” 404 665 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0”
75.127.224.10 – – [04/Jan/2015:14:09:52 +0000] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 776 “http://site/wp-admin/admin.php?page=WordfenceSecOpt” “Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36”
75.127.224.10 – – [04/Jan/2015:14:09:54 +0000] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 776 “http://site/wp-admin/admin.php?page=WordfenceSecOpt” “Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36”
75.127.224.10 – – [04/Jan/2015:14:09:56 +0000] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 776 “http://site/wp-admin/admin.php?page=WordfenceSecOpt” “Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36”
178.162.205.3 – – [04/Jan/2015:14:09:55 +0000] “GET /images/jquery.php?q=Pass12$ HTTP/1.1” 404 664 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0”
178.162.205.3 – – [04/Jan/2015:14:09:58 +0000] “GET /jquery.php?q=Pass12$ HTTP/1.1” 200 86301 “-” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0”

The first entry is a 404 of the attacker trying to access a backdoor. Then my IP apparently keeps refreshing the Wordfence page, Then there’s the attacker’s IP with two consective hits; a 404 and a success once the hack is installed.

Any ideas how that could have possibly been installed when the only two results were a 404 and a 200? Those consecutive log entries were not altered, and nothing occurred in between (unless the attacker scoured the logs…)

I can provide an example of the backdoor if anyone is curious. It appears to be preg(‘/.*/e,$code); where $code has the eval(gzinflate(uudecode())) crap in it.

Viewing 8 replies - 1 through 8 (of 8 total)

Tim Nash
(@tnash)

Spam hunter

9 years, 3 months ago
Just some general advice that is given to all who post regarding hacked sites:

You need to start working your way through these resources:
Additional Resources:
Dan Russell
(@danrussell)

9 years, 3 months ago

Hi :),

As per the logs given by you, there are POST requests at the file: /wp-admin/admin-ajax.php

You can control this behaviour using the plugin called Heartbeat Control. You can find more details at:

http://www.inmotionhosting.com/support/website/wordpress/heartbeat-ajax-php-usage

Kimmo Suominen
(@ruckus)

9 years, 3 months ago

The 404s are for /images/jquery.php and the 200 is for /jquery.php. Most likely /jquery.php was already there (as opposed to getting installed during those log entries).

You should remove /jquery.php and any other files in the document root that are not part of WordPress and not installed by you.

Thread Starter adamprato
(@adamprato)

9 years, 3 months ago

Okay, thanks for pointing that out Kimmo.

Dan, I’ll look into changing that as well. No sense in spamming the access logs unnecesarily.

Tim, I removed 70+ backdoors by hand. Then I installed Wordfence and found one last backdoor I hadn’t known about (I didn’t know about the preg() obfuscation until then).I’ve run the sucuri scanner and wpscan, and we have the pro version of wordfence that does external checks as well.

Kimmo, I’ll look through the logs again and try to piece together when these things appeared.

Thread Starter adamprato
(@adamprato)

9 years, 3 months ago

Okay, so there’s a TON of stuff wordfence isn’t finding. The public_html is littered with junk, relatively new. People seem to be uploading stuff via this thing: dl-nagano-vodki-naidu-skachat-320-kbit

That wasn’t there in a previous version of the site but, whatever. I have more things to clean up for now. At this point I can’t ask why this is happening because the entire site is littered with crap.

Just a small sample of the directory listing showing the new problem (not related to the original topic):

sftp> cd public_html
sftp> ls
-_IqRMleiPw.jpg
00074.MTS
00075.MTS
03c3b473d21abf2552da82e5faea60bd
07.jpg
1291360193_E5EBEAE020EDE020EAF0E0F1EDEEEC20F4EEEDE5.jpg
131_Ardinvest– (1).m3u
139
1419884578486.jpg
2014-12-13 12.56.44.jpg
20141226_152525.jpg
224895558398_01432f433c05e0cae01b2ab08b37a9ba.jpg
228.php
23.docx

All I know is that there’s something wordfence isn’t finding that put that download script in place.

If anyone is interested, I’m backing up the site before I go on a mass cleanse.

Thread Starter adamprato
(@adamprato)

9 years, 3 months ago

Kimmo and I found the root cause of the problem. The problem was a bogus 404.php in the child theme. The 404 handler was providing people with a means to upload arbitrary files.

<?php
… [code moderated]...';
}
;?>

I'll submit this and all of the new backdoors wordfence didn't find to wordfence support.

Mark Ratledge
(@songdogtech)

9 years, 3 months ago

@adamprato: Don’t post hacking code in these forums; email it to wordfence.

Thread Starter adamprato
(@adamprato)

9 years, 3 months ago

I see how dumb a move that is now 🙂