Hacked? (11 posts)

  1. corvy
    Posted 4 years ago #

    Hello y'all :)

    I do not know where to start to work this at this point so I try to post it here. Basically I am being exploited by a bot or intentional spammer using my server to reach an open relay. During the course of my investigations I have found the perp to be at IP and what he is doing is posting an HTTP POST to my wordpress site like so:

    - - [15/May/2012:16:17:32 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070309 Firefox/"
    - - [15/May/2012:16:17:32 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070309 Firefox/"
    - - [15/May/2012:16:17:43 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070309 Firefox/"

    I have also enabled the mod_dumpio on apache to get the data collected but end up with stuff like in pastebin:


    This does not give me any good info and my efforts to decode the POST data have failed. Seems that it is posting to the root dir of the site though, and at the end of the post there is a sendmail message confirming that this actually kicks off the email. I can also see from the sSMTP logs that this post correlates with the timing of the email.

    Currently I have pointed the sSMTP to a relay that fails due to SSL and user/pw requirements.

    I have upgraded apache to the latest version (2.2.22) and also upgraded everything on my server to latest patch level (gentoo). Also I have upgraded all wordpress stuff to latest version, including plugins.

    What do I do next?

    Thanks for any pointers you could give!

    (also i have some trouble running tcpdump etc due to being in a virtual machine not having root access to the interface)

  2. michael.mariart
    Posted 4 years ago #

    It's not that hard to decode. The actual text that is in your pastebin entries is encoded using base64, so that's an easy one. The first line that it has is:


    And then it goes on with some other encrypted text. This means that there's a decrypt() function set up somewhere, and that is producing some code that's being run on your server as the exploit.

    As a start (I've done a copy-and-paste from another member's post) try these:


    Additional Resources:
    Hardening WordPress
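The two things the first posts struggle with are spotting the pattern in the access log and decoding the captured POST body. The script below is an added example, not code from the thread or from WordPress: it parses Apache combined-format lines, flags any client that POSTs to the site root with no Referer several times in a short window (a browser submitting a form sends a Referer; a script driving injected code usually does not), and tries to base64-decode each field of a captured body. The log lines, IP addresses (documentation ranges) and the POST body are constructed for the example; the real thread's lines had the addresses stripped.

```python
"""Added example (not from the thread): correlate POST-to-root bursts in an
Apache access log and decode base64-encoded fields of a captured POST body.
The log lines, IPs and body below are constructed for the example."""
import base64
import re
import string
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample, modelled on the lines quoted in the first post.
# 203.0.113.7 and 198.51.100.4 are documentation addresses, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2012:16:17:32 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
203.0.113.7 - - [15/May/2012:16:17:32 +0200] "POST / HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
198.51.100.4 - - [15/May/2012:16:17:40 +0200] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/May/2012:16:17:43 +0200] "POST / HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
198.51.100.4 - - [15/May/2012:16:18:01 +0200] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://blog.example/?p=1" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def suspicious_posters(log_text, min_hits=3, window_seconds=60):
    """Return {ip: total_hits} for clients that POST to "/" with no Referer
    at least `min_hits` times inside any `window_seconds` sliding window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/" and rec["referer"] == "-":
            hits[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times) - min_hits + 1):
            span = (times[i + min_hits - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                flagged[ip] = len(times)
                break
    return flagged


def decode_base64_fields(body):
    """Decode every form field of a captured POST body that is strict base64
    and decodes to printable text. Returns {field_name: decoded_text}."""
    printable = set(string.printable)
    out = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:  # binascii.Error is a ValueError: not base64
            continue
        text = raw.decode("utf-8", errors="replace")
        if text and all(c in printable for c in text):
            out[name] = text
    return out


# Constructed body: field "a" is base64 of a plain sentence, "b" is not base64.
SAMPLE_BODY = "a=dGhpcyBpcyBhIHRlc3QgbWVzc2FnZQ%3D%3D&b=hello+world"

if __name__ == "__main__":
    print(suspicious_posters(SAMPLE_LOG))
    print(decode_base64_fields(SAMPLE_BODY))
```

Run it against a real access_log by reading the file into `suspicious_posters`; once an IP is flagged, the mod_dumpio capture for those requests is what goes into `decode_base64_fields`. A body that decodes to more base64 or to obfuscated PHP is the "encrypted text" the second post refers to and needs the decoder function from the injected file to go further.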

  3. corvy
    Posted 4 years ago #

    So finding what exploit is actually triggered here is quite hard?

  4. Jerome
    Posted 4 years ago #

    Following this topic as I need answers regarding the solution to this problem. The only plugin we use is Feedwordpress... do you use it too?

    The blogs that are being affected are using the latest WordPress version.

  5. michael.mariart
    Posted 4 years ago #

    Yes, finding the actual cause can be hard. The main one that's been used lately is a vulnerability in a 3rd party script used in a lot of themes and plugins called TimThumb. If you can find that anywhere in your site, you should upgrade that file immediately to the latest version. There's a plugin that can do that for you called 'TimThumb Vulnerability Scanner' I think, so look for that as a starting point anyway.

  6. mfidelman
    Posted 4 years ago #

    I've been hit by this too. Looks like about 5 days ago the machine at started hitting my site,

    first it tried to do a post to //rdbc9.php

    a couple of days later it did a get on counter.php (which somehow got inserted into the top level of our wordpress site)

    at that point it started doing posts on /

    a couple of days later, those posts translated into mail getting dropped into our outgoing postfix queue

    somewhere in the middle, lots of files in wp-content/themes got changed to compromised code

    currently have the site offline, backed up and checking content, getting ready to wipe and rebuild the site from scratch

  7. If you're being hit by a specific IP address, get your server to block it.

    Contact your webhost and tell them this is happening, too.

    Remember, the security hole MAY be WordPress, but it's just as likely it's your webserver.

  8. Mark Ratledge
    Forum Moderator
    Posted 4 years ago #

    @mfidelman: a search for the IP shows several databases listing it as problematic: http://www.bizimbal.com/odb/details.html?id=1204089

    Block the IP, upgrade WP, talk to your host about better security.

  9. DirtyDazz
    Posted 4 years ago #

    so should all WP users mention this to their hosts, or wait until it becomes a problem?

  10. Jerome
    Posted 4 years ago #

    I personally believe that this is simply an "insecure permissions" issue... take a minute to check your databases for rogue admin accounts... some may be named adminz, adminx, adminy, etc... if you are the only user or admin on your site, then you should have only one user row in your database.

    Next, check your theme permissions. Upgrade your timthumb.php installations, and lastly, search all of your template files for any malicious code that may start with base64_decode, str_rot13(sp?), etc, as those may be your offenders. These injected codes are actually decoding a string that is POSTed to the infected page, which is in essence sending out all of the spam emails.
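The two checks in the post above (search template files for base64_decode / str_rot13 decoders, and look for rogue administrator accounts) can be scripted. The block below is an added example, not code from the thread or from WordPress. It scans every .php file under a directory for the decoder patterns and for a decoder fed directly from request input, and lists administrator logins that are not on an allowlist. The theme files it scans and the user rows it checks are constructed in the script itself; the rows stand in for the result of the wp_users/wp_usermeta query in the comment, which assumes the default `wp_` table prefix.

```python
"""Added example (not from the thread): scan theme/plugin PHP files for
injected decoder patterns and list unexpected administrator accounts.
The theme files and user rows are constructed for the example."""
import os
import re
import tempfile

# Patterns injected spam code uses to hide and run a POSTed payload.
SUSPICIOUS = [
    ("eval-decode", re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("str_rot13", re.compile(r"\bstr_rot13\s*\(")),
    ("gzinflate", re.compile(r"\bgzinflate\s*\(")),
    ("preg_replace /e", re.compile(r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]")),
    ("long base64 literal", re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]")),
    ("decoder over request input",
     re.compile(r"(?:base64_decode|str_rot13|gzinflate|gzuncompress)\s*\(\s*\$_(?:POST|REQUEST|COOKIE|GET)\b")),
]


def scan_php_source(text):
    """Return [(line_number, pattern_name, stripped_line)] for suspicious lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in SUSPICIOUS:
            if rx.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def scan_tree(root, exts=(".php",)):
    """Walk `root`, scan every PHP file, return {relative_path: findings}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_php_source(fh.read())
            if findings:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return report


# Rows as returned on a default-prefix install by:
#   SELECT u.user_login, m.meta_value FROM wp_users u
#   JOIN wp_usermeta m ON m.user_id = u.ID WHERE m.meta_key = 'wp_capabilities';
# The rows below are constructed for the example.
SAMPLE_USER_ROWS = [
    ("siteowner", 'a:1:{s:13:"administrator";b:1;}'),
    ("adminz", 'a:1:{s:13:"administrator";b:1;}'),
    ("author1", 'a:1:{s:6:"author";b:1;}'),
]
ADMIN_CAP = re.compile(r'"administrator";b:1;')


def unexpected_admins(rows, expected_logins):
    """Logins holding the administrator capability that are not on the allowlist."""
    return sorted(login for login, caps in rows
                  if ADMIN_CAP.search(caps) and login not in expected_logins)


def demo_tree():
    """Build a throwaway theme directory: one clean file, one with an injected decoder."""
    root = tempfile.mkdtemp(prefix="theme-scan-")
    theme = os.path.join(root, "themes", "twentyeleven")
    os.makedirs(theme)
    clean = "<?php\nget_header();\necho esc_html(get_the_title());\nget_footer();\n"
    infected = ("<?php\n"
                "get_header();\n"
                '$d = str_rot13($_POST["d"]);\n'   # constructed injected lines
                "eval(base64_decode($d));\n"
                "get_footer();\n")
    with open(os.path.join(theme, "header.php"), "w") as fh:
        fh.write(clean)
    with open(os.path.join(theme, "footer.php"), "w") as fh:
        fh.write(infected)
    return root


if __name__ == "__main__":
    for path, findings in scan_tree(demo_tree()).items():
        for lineno, name, line in findings:
            print(f"{path}:{lineno}: {name}: {line}")
    print("unexpected admins:", unexpected_admins(SAMPLE_USER_ROWS, {"siteowner"}))
```

Point `scan_tree` at wp-content (themes and plugins) on the live site; legitimate code does call base64_decode occasionally, so read each hit, but "eval-decode" and "decoder over request input" are almost never legitimate in a theme. After cleaning, a file that the scan flags again is being rewritten by something you have not removed yet.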

  11. Blocking IPs is problematic (they change frequently) so not everyone will need to do this. A good server app (I use CSF) will catch them on the fly.

Topic Closed

This topic has been closed to new replies.
