Remote attack try login as admin and upload themes (4 posts)

  1. Alexander
    Member
    Posted 2 years ago

    There was a hack on a WordPress site that I needed to fix.
    My English is bad, but perhaps what follows will be of use to someone.
    The first result of the hack I found was a script tag added at the end of the head tag.
    </head> was replaced with some <script...></script></head> .
    The second result of the hack I found was an iframe tag added at the end of the body.
    </body> was replaced with some <iframe...></iframe></body> .
    Standard hacks use the functions eval and base64_decode. The bad thing is that many plugins contain evals. As an example, in the hacked WordPress that I cleaned, ~70 plugins are used and in 15 of them eval() is used. That is strange. I have never used eval in PHP or any other language, except JavaScript. Plugins and themes are written by very different programmers.
    After finding the iframe and script tags on the hacked site, I found that all index.php files, wp-config.php and wp-settings.php were changed: on the top line with the PHP open tag, eval(base64_decode('base64 code')); is attached after spaces/tabs. All had bad write permissions, which is standard when SuExec is used, as most hostings do, and standard with cPanel with the SuPHP handler. I think it is better to change to DSO so that the outer user (called from the web) is nobody, not the site user.
    If you have SSH access, to clean hacks you can use something like:

    <?php
    // Run over SSH: list every .php file under the document root that calls eval()
    $str_found = trim(shell_exec("find /site_document_root_path -type f -name '*.php' -exec grep -l -i 'eval\\s*(' '{}' \\;"));
    if (!empty($str_found)) {
    	$arr_files = explode("\n", $str_found);
    	foreach ($arr_files as $file) {
    		//Do some checks and replaces
    	}
    }

    Next I found part of this eval(base64_decode('base64 code')); in a theme, and some .php files in the uploads dir.
    I searched for where these .php files in the upload dir came from. As a result I found posts for them (type attachment) in the DB, with post meta '_wp_attached_file' set to 'somepath/file.php'.
    The posts had post_author 1, the admin.
    The admin password was set very easy. Later, after the fix, I found they were trying passwords for the user admin on wp-login.php. All calls to the uploaded .php files were from different IPs, but the login calls were from IP 94.242.237.115 . I found on the web that this IP is known. On some sites it is suggested to change the admin username and ID. I denied the IP in .htaccess.
    The real attack was to find the admin password and use the upload themes form in wp-admin. From there you can upload a .php file directly; it will only return an error. I had set up blocking of .php file uploads, but it was not enough. From there you can upload .zip files too, which are automatically unzipped in the wp-content/upgrade folder. I found a hack admin there; some comments in it were written in Russian. They really uploaded a whole theme, possibly a real correct one, but with hacked content.
    I imitated the whole process of uploading .php and .zip files by setting up the upload form with the _wpnonce on my own script while I was logged in.
    To protect the site I changed the password, and the keys in wp-config.php (used for example for _wpnonce) so that they are different. I blocked uploading by setting an auto_prepend_file in php.ini (for my test auto_append_file too). It can be set in .htaccess as: php_value auto_prepend_file /path/prepend_file.php . This will give a Server Error if SuPHP is used. In that case, if you don't have access to php.ini, use: SuPHP_ConfigPath /path/php.ini and set auto_prepend_file in there. Every opened .php file will then behave as if the prepend .php file had been included before it.
    Example auto_prepend_file file:

    <?php
    // auto_prepend_file: runs before every PHP script, so it sees $_FILES
    // before WordPress (or an uploaded backdoor) does.
    function check_hack_file_upload($name, $tmp_name) {
    	// Block names with a server-side script extension anywhere in them
    	// (also catches double extensions such as shell.php.jpg).
    	if (preg_match('#\.(php|phtml|pm|pl|cgi)#s', $name)) { //type application/x-httpd-php
    		// Note: file_uploads is PHP_INI_SYSTEM, so this ini_set has no effect at
    		// runtime; deleting the temp file below is what actually stops the upload.
    		@ini_set('file_uploads', 'Off');
    		@unlink($tmp_name);
    		return false;
    	}
    	return true;
    }
    $is_hack = false;
    //By 'install-plugin' $_FILES is not used, but a URL.
    if (isset($_REQUEST['action']) && in_array($_REQUEST['action'], array('pluginzip', 'themezip', 'install-plugin'))) {
    	$is_hack = true;
    } elseif (!empty($_FILES)) {
    	foreach ($_FILES as $file_field_name => $file_data) {
    		if (!empty($file_data['name'])) {
    			if (is_array($file_data['name'])) {
    				// Multi-file field: name[] and tmp_name[] are parallel arrays
    				foreach ($file_data['name'] as $key_file => $file_name) {
    					if (!check_hack_file_upload($file_name, $file_data['tmp_name'][$key_file])) {
    						$is_hack = true;
    					}
    				}
    			} else {
    				if (!check_hack_file_upload($file_data['name'], $file_data['tmp_name'])) {
    					$is_hack = true;
    				}
    			}
    		}
    	}
    }
    if ($is_hack) {
    	die('Nice message to hacker (server)');
    }
    // No closing ?> tag: avoids sending stray whitespace before WordPress sets headers.

    This will block the wp-admin plugin search and install too. Upload as a file and unzip directly into plugins. cPanel offers an unzip that imitates SSH too.

  2. The only problem is that you've cleaned out the compromise but unless you identify how they got into your installation then they will be back.

    Also I am pretty sure that auto_prepend may be overkill. ;)

    This is the often quoted reply but it's really good advice.

    You need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Anything less will probably result in the hacker walking straight back into your site again.

    Additional Resources:
    Hardening WordPress
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

  3. Alexander
    Member
    Posted 2 years ago

    They try to log in by calling wp-login.php with username admin and different passwords. I record all calls to wp-login.php to analyse them, all without the password (only the count of password chars): $_SERVER, $_GET, $_POST, $_COOKIE, $_SESSION, $_FILES (not needed here).
    There are possibly 50 of these tries a day. I think they come from some server and are aimed not only at this site, but at many. Search "wordpress 94.242.237.115" and you will find results about mass WordPress attacks. The calls to the previously uploaded .php files were from different IPs.
    Analysing the hack is the best way to prevent future hacks. I have fixed sites after hacks several times. Most hacks put eval(s) + base64_decode somewhere (to be short and not easy to find).
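
An added example, not the poster's own logging script: the same per-IP analysis over a constructed Apache access log, counting POSTs to wp-login.php and flagging IPs above a threshold. It assumes POSIX sh with awk and sort; the log lines, including the 94.242.237.115 entries, are constructed to mirror the attempts described above.

```shell
#!/bin/sh
# Counts wp-login.php POST attempts per client IP in an access log (combined
# log format) and flags IPs at or above a threshold. Assumption: POSIX sh + awk.

# Constructed sample log; the 94.242.237.115 lines stand in for the repeated
# admin login attempts, 198.51.100.7 is a normal login, 203.0.113.9 hits a dropper.
LOG="$(mktemp)"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
94.242.237.115 - - [10/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
94.242.237.115 - - [10/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
94.242.237.115 - - [10/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Apr/2013:10:02:00 +0000] "GET /wp-content/uploads/2012/img.php?c=1 HTTP/1.1" 200 12 "-" "-"
EOF

# Prints "count ip" for every IP that POSTed to wp-login.php, most attempts first.
# Field 6 is the quoted method ("POST), field 7 the request path.
login_posts_per_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Prints only IPs with at least $2 attempts (default 3); exit status 1 when none,
# so it can drive a deny rule or an alert from cron.
brute_force_suspects() {
    login_posts_per_ip "$1" | awk -v t="${2:-3}" '$1 + 0 >= t + 0 { print $2; found = 1 }
                                                  END { exit found ? 0 : 1 }'
}

brute_force_suspects "$LOG"
```

Real brute-force runs are spread over a day, so on a live log combine this with the date field or run it per log rotation; a 200 on a POST to wp-login.php is a failed login (a success redirects with 302).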

  4. esmi
    Forum Moderator
    Posted 2 years ago

    They try login calling wp-login.php with username admin and different passwords

    That's called a brute force attack and recently it was happening all over the place. Have you reviewed Brute Force Attacks?
