WordPress.org

Support

Support » How-To and Troubleshooting » [Resolved] Calling all site owners hacked by walangkaji/ Badi etc. – Need some help

[Resolved] Calling all site owners hacked by walangkaji/ Badi etc. – Need some help

  • rossagrant
    Member

    @rossagrant

    Hi guys!

    I think this has been spreading a fair bit over the last few weeks.

    Today 2 of my sites (on the same server) got hit by a ‘Hacked By Badi’ hack.

    Here’s a detailed look at what it does:

    1. It changes your site title to something like this:
    +ADw-/title+AD4-Hacked By Badi+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-

    2. It creates a non registered sidebar in your ‘Widgets’ area and inserts a text widget with some script in it which looks like this:

    <script>document.documentElement.innerHTML = unescape([ redacted ]);</script>

    ALL widgets are removed from the sidebar that are currently on your site, so you have no widgets displaying in the front end.

    3. It changes your charset from UTF-8 to UTF 7.

    Now I HAVE NO IDEA how this happens, as no users are created, it doesn’t look like wp-config is altered, no passwords are changed etc.

    Now I have Vaultpress and looking at my logs for the day (it’s been a pretty quiet day on my WP/ Buddypress site) I see that between 9:21am and 10:21am that 33 uploads to the uploads folder were made.

    I can’t be sure, but I don’t think these were uploaded by a user. They weren’t uploaded by me.

    None of the hack’s affects were felt at this time though, as I was online until midday, and a user submitted a Gravity form at about 4:30PM through a widget.

    They wouldn’t have been able to see the widget once the hack was in place.

    Vaultpress shows me that my site title and charset weren’t changed until about 8:30pm, so maybe the uploads and this hack were unrelated.

    I have deleted the text widget created, changed me charset back to UTF-8 through settings—> reading WHICH SHOULDN’T ACTUALLY SHOW THAT OPTION SINCE WP 3.5 (so the script must bring that option back too), and changed my site title back.

    I was just wondering if those who have experienced this would post a list of the plugins they use.

    We can then cross check and see if there is a plugin flaw causing this.

    It looks like an SQL injection, but I have no idea how they work.

    Seems a bit too widespread to be a host issue perhaps.

    I really don’t know, but if we put our heads together, we can hopefully get to the bottom of it.

    I have Securi on this too.

    Please pitch in!

Viewing 15 replies - 31 through 45 (of 86 total)
  • rossagrant
    Member

    @rossagrant

    Yep, it’s still there then.

    Get in touch with your hosts and see if they have an idea. Affecting Cpanel is not good.

    Klapgeest
    Member

    @klapgeest

    Done that – I’ll keep you all informed…..

    alfiotondelli
    Member

    @alfiotondelli

    Today I found 8 of my WordPress sites hacked with this same problem, thank you for help!
    Please let me know if there is a WordPress update to solve this problem in future!

    rossagrant
    Member

    @rossagrant

    Still trying to work out how this is happening Alf, but will keep people posted.

    No idea if it’s a WP script vulnerability that is being used to inject SQL or if it’s a host vulnerability.

    If it is a server issue then it’s a very common vulnerability that needs to be discovered.

    I wish the hackers would just come out and tell someone what it is.

    xeagle
    Member

    @xeagleliveca

    Hey guys i have been having this issue as well and, a few others, but i did a little research on “utf-7 injection” and got some interesting results.
    I changed the http just in case… so i will post contents so you do not have to click.
    this one shows very similar code to what we are seeing
    hxxp://openmya.hacker.jp/hasegawa/security/utf7cs.html

    I am far from an expert i thought this may help

    excerpt:

    #0 Countermeasures
    Countermeasures against XSS with UTF-7 are:

    Specify charset clearly (HTTP header is recommended)
    Don’t place the text attacker can control before <meta>
    Specify recognizable charset name by browser.

    For more information about UTF-7 trick, see “Cross-site scripthing with UTF-7”.
    #1 Most basic pattern

    +ADw-script+AD4-alert(document.location)+ADw-/script+AD4-

    <script>alert(document.location)</script>

    Most basic XSS pattern with UTF-7.
    #2 URL encoded most basic pattern

    %2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-

    <script>alert(document.location)</script>

    Expression which URL encoded the above.
    Example: http://example.com/search?q=%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-
    #3 With quote

    +ACIAPgA8-script+AD4-alert(document.location)+ADw-/script+AD4APAAi-

    “><script>alert(document.location)</script><“

    #4 URL encoded, with quote

    %2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-

    “><script>alert(document.location)</script><“

    Expression which URL encoded the above.
    Example: http://example.com/search?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-
    #5 Inject fake <meta>

    +ADw-/title+AD4APA-meta http-equiv+AD0-‘content-type’ content+AD0-‘text/html+ADs-charset+AD0-utf-7’+AD4-

    </title><meta http-equiv=’content-type’ content=’text/html;charset=utf-7′>

    Inject fake <meta> before original <meta> and force recognize as UTF-7.
    <title>
    +ADw-/title+AD4APA-meta http-equiv+AD0-‘content-type’ content+AD0-‘text/html+ADs-charset+AD0-utf-7’+AD4-
    </title>
    <meta http-equiv=”content-type” content=”text/html; charset=utf-8″>

    rossagrant
    Member

    @rossagrant

    That does look like the kind of thing we are seeing here.

    So does this point to WP or the server?

    xeagle
    Member

    @xeagleliveca

    well not being an expert i am not sure but reading thru the post it may be a flaw in the header of your theme. but like I said i am not an expert.

    esmi
    Forum Moderator

    @esmi

    Previous posts – including those by rossagrant – suggest that this is not a WordPress issue. Looks like a fairly standard server defacement hack to me.

    rossagrant
    Member

    @rossagrant

    Right now esmi, we’re still not 100% and I think right now it would be irresponsible to say 100% either way.

    There was the UTF-7 hole in WP going back to vers 2.5. I’m not sure if this may have somehow been re-opened.

    Could really do with a core developer being made aware so that they could give us the likelihood.

    I think it’s lim that it’s WP, but because I can’t give steps to replicate, we just don’t know right now what has gone on.

    We need raw access logs from someone’s host the day they see this happening.

    Unfortunately my host only keeps 24 hours worth and the day this happened now has no logs which is a mare as I can pinpoint the exact minute the xploit took place.

    If a core dev could tell us that in their opinion it is 100% NOT a WP issue then that’s great.

    esmi
    Forum Moderator

    @esmi

    At this point you do not have enough information for any core dev to say whether this is a WP issue. On balance, the answer would have to be “No” as there are too many variables & too few sites are affected. Right now, best guess would be poor server security or an FTP leak.

    rossagrant
    Member

    @rossagrant

    Yeah it’s not an FTP leak as I have full FTP access logs but it doesn’t rule out security at the server level.

    My hosts have always been overly cautious with security, so I was surprised when this happened.

    It has been spreading the last few weeks and yesterday there were over 40 sites reportedly hacked on here.

    Today a few folks have also had multiple sites hacked.

    It’s something that is being triggered in certain environments, but must be a common exploit as it has affected a fair amount of sites.

    Until we get an access log for the day someone notices (or the hacker explains what he has done) we’ll struggle to get a definitive answer I think.

    esmi
    Forum Moderator

    @esmi

    it’s not an FTP leak as I have full FTP access logs

    And? An FTP leak (in my book) means that someone has gotten hold of your FTP access details. Possibly via an infected machine. Was there any FTP access around the time that the relevant files were changed. What other sites are on the same server? Have their FTP logs been checked?.

    rossagrant
    Member

    @rossagrant

    The FTP access log that I mentioned in my post shows all FTP connections on the day it happened. They are all from known IP addresses, so it’s not happened through FTP.

    My site is on a VPS with security in place that should stop code injection from other sites sharing the same space.

    I’m not blaming WP here, you sound like you think I am. There is no need to be so defensive of it. I’m just trying to explore options for the good of the entire community. I make my living through WP, it’s VERY important to me.

    Jan Dembowski
    Volunteer Mod. & Brute Squad

    @jdembowski

    I don’t think anyone’s being defensive. I do think that this

    Right now esmi, we’re still not 100% and I think right now it would be irresponsible to say 100% either way.

    is flat out incorrect. I mean, how do you prove a negative, i.e. it’s not WordPress? 😉

    Here’s the thing: WordPress is used by oh, many many MANY web sites. As it was indicated by the Timthumb exploit when an exploit is available on the Internet it spreads like wildfire.

    If it were a WordPress exploit then based on the download count there would be lots of people howling for a fix. That’s not happening and servers do get exploited all the time.

    Just as you haven’t proven/demonstrated/convinced anyone that it’s a WordPress exploit we can’t prove it’s a server compromise.

    But based on the lack of OMGWTFBBQ!!!1! I can reasonably make the statement that it’s very likely either a server exploit or some other insecure code causing this problem.

    Now if it IS a WordPress problem (I personally don’t think it is) and you or anyone has reproducible proof of concept code then please share it with security [at] wordpress.org.

    http://codex.wordpress.org/FAQ_Security

    rossagrant
    Member

    @rossagrant

    This is becoming a bit childish now.

    We didn’t come here to argue the toss, just to get some impartial advice.

    Thanks for the collaboration from those other posters in the same boat.

    If I discover any more, I’ll be in touch.

Viewing 15 replies - 31 through 45 (of 86 total)
  • The topic ‘[Resolved] Calling all site owners hacked by walangkaji/ Badi etc. – Need some help’ is closed to new replies.