"Hacker" managed to change email and password of admin (11 posts)

  1. DomenLo
    Member
    Posted 2 years ago #

    Got quite an interesting situation that happened yesterday when someone managed to receive a new password while also changing the admin email, then doing some cute defacing on the front post with music.

    The signup form was protected with login lockdown as well as limit login attempts, but he came in anyway.

    Does anyone have any idea how this happened?

    He/she/it changed the admin email to [ email redacted ] and even confirmed links through it, any easy way to get the account banned?

    37.59.150.203 - - [01/Jul/2012:22:10:24 +0200] "GET / HTTP/1.0" 302 - "http://www.DOMAINUSINGSYMLINK/logs/log/log/sym.php?sws=sym" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:10:26 +0200] "GET /wp-signup.php?new=MU-SUBSITE HTTP/1.0" 200 5452 "http://www.readybooker.com/logs/log/log/sym.php?sws=sym" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:10:37 +0200] "GET /crossdomain.xml HTTP/1.0" 404 120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:10:53 +0200] "GET /wp-signup.php?new=www.google.com HTTP/1.0" 200 5452 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:11:08 +0200] "GET / HTTP/1.0" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:11:08 +0200] "GET /wp-signup.php?new=MU-SUBSITE HTTP/1.0" 200 5452 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:11:19 +0200] "GET / HTTP/1.0" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:11:20 +0200] "GET /wp-signup.php?new=MU-SUBSITE HTTP/1.0" 200 5452 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:11:52 +0200] "GET /wp-admin HTTP/1.0" 301 242 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:11:52 +0200] "GET /wp-admin/ HTTP/1.0" 302 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:11:53 +0200] "GET /wp-login.php?redirect_to=http%3A%2F%2Fwww.MAINSITE%2Fwp-admin%2F&reauth=1 HTTP/1.0" 200 2409 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:13:44 +0200] "GET /wp-login.php?action=lostpassword HTTP/1.0" 200 1888 "http://www.MAINSITE/wp-login.php?redirect_to=http%3A%2F%2Fwww.MAINSITE%2Fwp-admin%2F&reauth=1" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:13:47 +0200] "GET /crossdomain.xml HTTP/1.0" 404 137 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:13:47 +0200] "POST /wp-login.php?action=lostpassword HTTP/1.0" 302 - "http://www.MAINSITE/wp-login.php?action=lostpassword" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:13:48 +0200] "GET /wp-login.php?checkemail=confirm HTTP/1.0" 200 2341 "http://www.MAINSITE/wp-login.php?action=lostpassword" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:16:02 +0200] "GET /wp-login.php?action=rp&key=tcNGhyGZotqOPmsz23hS&login=admin HTTP/1.0" 200 3007 "http://us.mg1.mail.yahoo.com/neo/launch?.rand=3a42fcb4kj60a" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:16:41 +0200] "POST /wp-login.php?action=resetpass&key=tcNGhyGZotqOPmsz23hS&login=admin HTTP/1.0" 200 1143 "http://www.MAINSITE/wp-login.php?action=rp&key=tcNGhyGZotqOPmsz23hS&login=admin" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:16:45 +0200] "GET /wp-login.php HTTP/1.0" 200 2409 "http://www.MAINSITE/wp-login.php?action=resetpass&key=tcNGhyGZotqOPmsz23hS&login=admin" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:16:53 +0200] "POST /wp-login.php HTTP/1.0" 302 - "http://www.MAINSITE/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
    37.59.150.203 - - [01/Jul/2012:22:16:55 +0200] "GET /wp-admin/ HTTP/1.0" 200 58066 "http://www.MAINSITE/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0"
  2. adpawl
    Member
    Posted 2 years ago #

  3. DomenLo
    Member
    Posted 2 years ago #

    Yeah, it was a cat and mouse game for an hour, will be adding some additional htaccess protection to the files, but I was wondering how he was able to get in.

    The site is checked often, it's clean on all scanners, it's even got two plugins protecting the login for bruteforce attacks.

  4. DomenLo
    Member
    Posted 2 years ago #

    And here's the cute code that was manually inserted via browser:

    [ Moderated, seriously never post code like that here. ]

  5. adpawl
    Member
    Posted 2 years ago #

    Check what has happened earlier in the server log.
    See also files modification time.

  6. DomenLo
    Member
    Posted 2 years ago #

    I pasted the log in first post.

  7. DomenLo? You really want to follow those links that adpawl posted.

    The code injected into your WordPress installation isn't the important part (and don't post it again). The important part is that your installation or server is vulnerable to being compromised.

    Those links can help you get a handle on your situation.

  8. DomenLo
    Member
    Posted 2 years ago #

    What's the problem with the code? It's just HTML that he/she/it manually inserted (via the browser, by going to the edit screen in the admin). Or would that enable them to search for it in google?

    Anyways, thanks for the help so far, will reread the documents again :)

  9. "What's the problem with the code?"

    Nothing per se in your case, but we don't want to give The Bad People™ any more free air time. ;)

    Sometimes people who get hacked post actual exploit code and that triggers other people's AV scanners. Just like your code, the moderators delete that. Why risk it, and as I mentioned the real problem isn't the code but the fact that someone was able to write that to your installation.

  10. DomenLo
    Member
    Posted 2 years ago #

    But he didn't ... the logs show that he was browsing through the site, first trying to "deface" a wp page, then finding out nothing happened (by visiting the main url), then "defacing" the first post long enough to do a screenshot and brag about it.

    The only thing I find perplexing is that he managed to (judging from logs) go to a login page, request a password and then get a new password to a new email.

    In 3.4.1...

    I'm putting obscene amounts of security to that location now, but I'm still really weirded out about how exactly he managed to reset a password to a new email.

  11. adpawl
    Member
    Posted 2 years ago #

    "but I'm still really weirded out about how exactly he managed to reset a password to a new email"

    ... because your server has already been compromised at that time.
    I repeat, check in logs what happened BEFORE 01/Jul/2012:22:10:24 +0200, because there you will find the answer.
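The access log in the first post and adpawl's advice to read what the same client did earlier both come down to one triage task: group the combined-format log by client IP, spot a completed wp-login.php password-reset sequence (lostpassword GET/POST, then action=rp, then action=resetpass, then a successful login), and pull out the referers that point off-site, such as the sym.php script on a neighbouring host that appears in the posted log. The script below is an added example written for this thread, not code from the forum participants or from WordPress; the log lines it parses are constructed to mirror the shape of the posted ones, with documentation IPs and placeholder hostnames (`www.site.example`, `other-site.example`, `webmail.example`) standing in for the redacted values.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format: ip ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample, modelled on the thread's log with placeholder hosts and IPs.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2012:22:10:24 +0200] "GET / HTTP/1.0" 302 - "http://other-site.example/logs/sym.php?sws=sym" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2012:22:11:53 +0200] "GET /wp-login.php?redirect_to=http%3A%2F%2Fwww.site.example%2Fwp-admin%2F&reauth=1 HTTP/1.0" 200 2409 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2012:22:13:44 +0200] "GET /wp-login.php?action=lostpassword HTTP/1.0" 200 1888 "http://www.site.example/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2012:22:13:47 +0200] "POST /wp-login.php?action=lostpassword HTTP/1.0" 302 - "http://www.site.example/wp-login.php?action=lostpassword" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2012:22:16:02 +0200] "GET /wp-login.php?action=rp&key=EXAMPLEKEY&login=admin HTTP/1.0" 200 3007 "http://webmail.example/launch" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2012:22:16:41 +0200] "POST /wp-login.php?action=resetpass&key=EXAMPLEKEY&login=admin HTTP/1.0" 200 1143 "http://www.site.example/wp-login.php?action=rp" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2012:22:16:53 +0200] "POST /wp-login.php HTTP/1.0" 302 - "http://www.site.example/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2012:22:16:55 +0200] "GET /wp-admin/ HTTP/1.0" 200 58066 "http://www.site.example/wp-login.php" "Mozilla/5.0"
198.51.100.9 - - [01/Jul/2012:22:20:00 +0200] "GET /wp-login.php?action=lostpassword HTTP/1.0" 200 1888 "-" "Mozilla/5.0"
"""

# The WordPress password-reset flow as it shows up in wp-login.php requests, in order.
RESET_STEPS = [
    ("GET", "lostpassword"),   # reset form displayed
    ("POST", "lostpassword"),  # reset requested, mail sent
    ("GET", "rp"),             # reset link from the mail opened
    ("POST", "resetpass"),     # new password submitted
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["file"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def find_reset_flows(records):
    """Per client IP, report a completed reset sequence and any login right after it."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)  # log order is time order within one file
    hits = {}
    for ip, recs in by_ip.items():
        step, reset_done_at, reset_login, login_after = 0, None, None, None
        for r in recs:
            if r["file"] != "/wp-login.php":
                continue
            action = r["query"].get("action")
            if step < len(RESET_STEPS) and (r["method"], action) == RESET_STEPS[step]:
                step += 1
                if step == len(RESET_STEPS):
                    reset_done_at = r["ts"]
                    reset_login = r["query"].get("login")
            elif reset_done_at and r["method"] == "POST" and action is None and r["status"] == "302":
                login_after = r["ts"]  # 302 on a plain POST to wp-login.php is a successful login
        if reset_done_at:
            hits[ip] = {
                "login": reset_login,
                "first_seen": recs[0]["ts"],
                "reset_completed": reset_done_at,
                "login_after_reset": login_after,
            }
    return hits


def foreign_referers(records, site_host):
    """Referers whose host is not the site itself: (ip, referer host, referer path)."""
    out = []
    for r in records:
        if r["referer"] == "-":
            continue
        ref = urlsplit(r["referer"])
        if ref.hostname and ref.hostname.lower() != site_host.lower():
            out.append((r["ip"], ref.hostname, ref.path))
    return out


def analyze(text, site_host):
    recs = parse_log(text)
    return {"resets": find_reset_flows(recs), "foreign_referers": foreign_referers(recs, site_host)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, "www.site.example")
    for ip, info in report["resets"].items():
        print(f"{ip}: reset for '{info['login']}' at {info['reset_completed']}, "
              f"first seen {info['first_seen']}, login after reset: {info['login_after_reset']}")
    for ip, host, path in report["foreign_referers"]:
        print(f"{ip}: off-site referer {host}{path}")
```

Two things the output makes visible that reading the raw lines does not: the reset was completed and followed by a successful login from the same IP within seconds, and the two off-site referers are of different kinds. The webmail host on the action=rp request only says the reset link was clicked from a mailbox, while the sym.php path on another host, as in the thread's first line, is the lead adpawl points at: it suggests activity on a neighbouring account on the same server, and the log entries before `first_seen` for that IP are where to look for how the reset mail ended up in someone else's hands.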

Topic Closed

This topic has been closed to new replies.
