Support » Fixing WordPress » Possible Security Vunerability: admin-bar.php

  • Resolved Another Guy

    (@another-guy)


    I am noticing a pile of traffic all of a sudden on different wordpress installs, attempting to directly post to admin-bar.php. It looks like an attempt to add malware onto the admin bar, which would potentially permit either a user privilege escalation or to try to obtain credentials or similar.

    Thankfully, I get errors like this:

    PHP Fatal error: Call to undefined function add_action() in /var/www/website/wp-includes/admin-bar.php on line 48

    Interestingly, I didn’t see these before installing 3.9.1, which means either the hack was on previous version, or they have found something new.

    I did find one cached page on Google (not the actual page anymore) that showed this being used to install a rootkit. Again, not sure of the mechanics, but I am seeing plenty of activity on this.

Viewing 15 replies - 1 through 15 (of 22 total)
  • esmi

    (@esmi)

    Forum Moderator

    Just because hackers are targeting your sites’ admin bars does not mean that the admin bar itself is the vector. Only that it’s a victim of the hack. You need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Anything less will probably result in the hacker walking straight back into your site again.

    Additional Resources:
    Hardening WordPress
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    Thank you, but my sites were NOT hacked – I am seeing people make direct calls to that function, which is highly unusual.

    My sites are as secure as wordpress sites can be. So pointing me to a bunch of “your sites has been hacked” information isn’t helping.

    I am reporting an issue, not asking for help. Is it hard to tell the difference?

    esmi

    (@esmi)

    Forum Moderator

    I am noticing a pile of traffic all of a sudden on different wordpress installs, attempting to directly post to admin-bar.php
    […]
    PHP Fatal error: Call to undefined function add_action() in /var/www/website/wp-includes/admin-bar.php on line 48

    Hmm… That sounds like a hacked site to me.

    Nope. That is a direct call attempting to use that functions to do something. See, you can access that function without being logged in, which appears to be pretty silly.

    esmi

    (@esmi)

    Forum Moderator

    That is a direct call attempting to use that functions to do something.

    Then can we see the full error message?

    That is all that ends up in the error log at this point, I don’t have full verbose logs on (it would be a machine killer to do that). But looking at it, it appears to be a direct call (as it isn’t attributed to another page), with no referring page.

    Looking at the code, it appears to be trying to call a function that has not been loaded, as they are directly calling the admin-bar.php file.

    I have been noticing the same error coming through our logs. I am interested in any more information that you find about this attempted exploit.

    esmi

    (@esmi)

    Forum Moderator

    That is all that ends up in the error log at this point

    Then how do you know that this is a direct call? It still smacks of a hacked site.

    I was able to recreate the error in the error logs with our ip by visiting /wp-includes/admin-bar.php directly, I did not try posting any data to it
    I have to agree with another guy that the site is not hacked, it is just an attempt to exploit.

    esmi

    (@esmi)

    Forum Moderator

    So where is the issue?

    I don’t see any issue, as of now. Obviously these files are not supposed to be accessed directly, and accessing admin-bar.php directly doesn’t do much since the add_action() function is not defined within that file. (It is defined in wp-includes/plugin.php)

    But I’m going way out on a limb here and saying maybe there is a plugin or some other malware that makes an edit to that file so that when that file is accessed directly it leads to a backdoor into wordpress admin. Again just speculation and also worst case scenario.

    esmi

    (@esmi)

    Forum Moderator

    None of the plugins hosted at wordpress.org make edits to any core WordPress files.

    “I don’t see any issue”

    In simple terms, if someone is knocking on a particular file on more than one installation, then you have to ask why. You make the assumption of an already hacked wordpress install, my feeling is this is much more an attempt to create a hole, not to profit from it.

    I tend to go with Kyle T on this one, it looks like someone has figured out a potential hole, or that a different hack modifies this file to allow for a back door to create a recurring hack. It looks potentially like someone checking to see if an installation has been hacked or modified.

    It’s also the first file in that directory, alphabetically.

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    In simple terms, if someone is knocking on a particular file on more than one installation, then you have to ask why.

    That parts easy: some installations get compromised, that file get’s hacked and BOOM! you’re done.

    You make the assumption of an already hacked wordpress install, my feeling is this is much more an attempt to create a hole, not to profit from it.

    That’s just not the case.

    I tend to go with Kyle T on this one, it looks like someone has figured out a potential hole, or that a different hack modifies this file to allow for a back door to create a recurring hack. It looks potentially like someone checking to see if an installation has been hacked or modified.

    There are a lot of insecure hosts and installations running insecure add-on code. The bad guys look for systems that have been compromised already. That is all that those probes mean.

    Now if someone does know of a means to exploit the stock WordPress files then please report it. But this part:

    I am noticing a pile of traffic all of a sudden on different wordpress installs, attempting to directly post to admin-bar.php

    Doesn’t mean that file is exploitable. It means someone is looking for a copy that has already been hacked.

    I understand your points Jan, but I think you are missing context here.

    Why this file, and not any others? It’s not generally a file people would access (unless they are logged in) but potentially code added here would be executed by someone with admin level privileges. If they are just testing to see if wordpress exists, there are easier ways. Moreover, as emsi pointed out, these are not files that generally can be modified by a plug in, so it wouldn’t be some simple thing.

    Moreover, I did find at least one cached example of this file turned into a rootkit install point. It basically Google caching the page, but there is no current version. So it suggests someone has found a way either to exploit that file directly or to use it as the “exploited file” for some other hack. Either way, it’s worth noting.

    I have to ask though: Why is there such a strong resistance to accepting a report of potential hacking activity?

Viewing 15 replies - 1 through 15 (of 22 total)
  • The topic ‘Possible Security Vunerability: admin-bar.php’ is closed to new replies.