Protecting against brute force attacks and limiting uploads of malicious scripts

  • rossanthony

    (@rossanthony)


    13 years, 4 months ago

    One of our clients sites was recently compromised, we suspect via a brute force attack. The attacker proceeded to somehow delete the entire contents of the uploads dir (whilst leaving the media library records intact). Upon investigation it materialised that there were records in the media library of several files having been uploaded. One called db.php and another called shell (without an extension) see here for screengrab of media library. My question is does anyone know how they managed to upload these malicious files, when the WordPress core is supposed to prevent .php and any files without extensions from being uploaded?

    Incidentally the files that the attacker managed to upload were deleted, presumably it was programmed to self-destruct. So unfortunately I was unable to see the workings of the code inside them, otherwise this could have given some clues as to what needs to be tightened up to stop this in future.

    I have now managed to restore most of the files, upgraded to 3.5 (it was running 3.4.2 before) and have put some security measures in place, including the Limit Login Attempts plugin and also obfuscated the wp-admin location as described here so hopefully they won’t be getting in again but I’m just curious to know whether anyone else has come across a similar scenario and whether anyone knows how to close whatever the security hole is that allowed this hacker to upload these .php and a shell file?

Viewing 4 replies - 1 through 4 (of 4 total)
  • esmi

    (@esmi)

    13 years, 4 months ago

    My question is does anyone know how they managed to upload these malicious files, when the WordPress core is supposed to prevent .php and any files without extensions from being uploaded?

    Easily – the server was compromised. The fact that the site was hacked does not automatically imply that WordPress was the vehicle used to crack the server. It’s more likely that the entry was elsewhere – especially as WP does not allow access to the file system to upload the kinds of files you mentioned.

    Is this site on a shared server?

    Thread Starter rossanthony

    (@rossanthony)

    13 years, 4 months ago

    Thanks for your reply esmi,

    Is this site on a shared server?

    No, it’s on a VPS running ubuntu + apache.

    The fact that the site was hacked does not automatically imply that WordPress was the vehicle used to crack the server.

    Agreed, but if that was the case and someone gained access to the server via SSH/terminal for example, then they would have been able to do even more damage than just remove files from the upload folder. It seems to me like a php or shell script was uploaded via WordPress after they’d got in by brute force. As I said there were records of several curiously named files having been uploaded into the media library, see here. Any ideas how these could have got there?

    Doodlebee

    (@doodlebee)

    13 years, 4 months ago

    What about plugins? Do you have any installed that may have vulnerabilities/code that obtains access to the database but doesn’t sanitize properly?

    Thread Starter rossanthony

    (@rossanthony)

    13 years, 4 months ago

    What about plugins?

    Good point, but they’re all widely used and I’m fairly certain they’re all from trust worthy sources…

    • Advanced Custom Fields
    • WPML Multilingual CMS
    • W3 Total Cache
    • Simple Page Ordering
    • Custom Taxonomy Sort
    • Google Analytics Dashboard

    Do you have any installed that may have vulnerabilities/code that obtains access to the database but doesn’t sanitize properly?

    This doesn’t seem to me like it was a database exploit, as all the content in the database survived unscathed luckily. It was just the files inside /wp-content/uploads/ which were completely wiped clean!

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Protecting against brute force attacks and limiting uploads of malicious scripts’ is closed to new replies.