Support » Fixing WordPress » Remote attack try login as admin and upload themes

  • There was a hack on a WordPress site that I needed to fix.
    My English is bad, but possibly the following will be of use to someone.
    The first result of the hack that I found was a script tag added at the end of the head tag.
    </head> was replaced with some <script...></script></head> .
    The second result of the hack that I found was an iframe tag added at the end of the body.
    </body> was replaced with some <iframe...></iframe></body> .
    Standard hacks use the functions eval and base64_decode. The bad thing is that many plugins contain evals. For example, the hacked WordPress that I cleaned uses ~70 plugins, and eval() is used in 15 of them. That is strange. I have never used eval in PHP or any other language, excluding JavaScript. Plugins and themes are written by very different programmers.
    After finding the iframe and script tags on the hacked site, I found that all index.php files, wp-config.php and wp-settings.php were changed: on the top line with the PHP open tag, eval(base64_decode('base64 code')); was attached after spaces/tabs. All of them had bad write permissions, which is standard when SuExec is used, as on most hostings, and standard when cPanel is used with the SuPHP handler. I think it is better to change to DSO, with the outer user (calls from the web) being nobody, not the site user.
    If you have SSH access, you can use something like this to clean the hacks:

    $str_found = trim(`find /site_document_root_path -type f -name '*.php' -exec grep -l -i 'eval\s*(' '{}' \;`);
    $arr_files = ($str_found === '') ? array() : explode("\n", $str_found);
    foreach ($arr_files as $file) {
        // Do some checks and replaces
    }

    Next I found part of this eval(base64_decode('base64 code')); in some theme, and some .php files in the uploads dir.
    I searched for where these .php files in the uploads dir came from. As a result I found posts for them (type attachments) in the DB, with post meta '_wp_attached_file' set to 'somepath/file.php'.
    The posts had post_author 1, the admin.
    The admin password was set to something very easy. Later, after the fix, I found that they tried passwords for the user admin on wp-login.php. All calls to the uploaded .php files were from different IPs, but the login calls were from IP . I found on the web that it is known. Some sites suggest changing the admin username and ID. I set the IP as denied in .htaccess.
    The real attack was to find the admin password and use the upload themes form in wp-admin. From there you can upload a .php file directly; it will only return an error. I had set up blocking of .php file uploads, but it was not enough. From there you can upload .zip files too, which are automatically unzipped in the wp-content/upgrade folder. I found a hack admin there; some of the comments in it were written in Russian. They really uploaded a whole theme, possibly a real, correct one, but with hacked content.
    I imitated the whole process of uploading .php and .zip files by putting the upload form with the _wpnonce in my own script while I was logged in.
    To protect the site I changed the password. I also changed the codes in wp-config.php that are used, for example, for _wpnonce, so that they are different. I blocked uploading by setting an auto_prepend_file file in php.ini (for my test, auto_append_file too). It can be set in .htaccess as: php_value auto_prepend_file /path/prepend_file.php . This will give a Server Error if SuPHP is used. In that case, if you don't have access to php.ini, use: SuPHP_ConfigPath /path/php.ini and set auto_prepend_file in it. Every opened .php file will behave as if the prepend .php file had been included before it.
    Example auto_prepend_file file:

    <?php
    function check_hack_file_upload($name, $tmp_name) {
        if (preg_match('#\.(php|phtml|pm|pl|cgi)#s', $name)) { // type application/x-httpd-php
            return false;
        }
        return true;
    }
    // 'install-plugin' does not use $_FILES, but a URL.
    foreach ($_FILES as $file_field_name => $file_data) {
        $tmp_names = (array) $file_data['tmp_name'];
        foreach ((array) $file_data['name'] as $key_file => $file_name) {
            if (!check_hack_file_upload($file_name, $tmp_names[$key_file])) {
                die('Nice message to hacker (server)');
            }
        }
    }

    This will block the wp-admin search and install plugin function too. Upload as a file and unzip directly to plugins. cPanel offers an imitation of SSH unzip too.
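
The two file-system indicators described in the post (the `eval(base64_decode(` call attached to the opening-tag line, and script files in the uploads directory), written as a read-only triage script. This is an added example, not part of the original post; it assumes GNU find/grep/sed and that the open tag is on the first line, and the function names are invented here.

```bash
#!/bin/sh
# Added example, not the poster's script. Read-only: nothing is modified.
# Assumes GNU find/grep/sed. Function names are made up for this example.

# ERE: PHP open tag, optional spaces/tabs, then eval(base64_decode(
INJ_RE='<\?php[[:space:]]*eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\('

# List *.php files under $1 whose first line carries the injected call.
# A plugin that merely uses eval() somewhere is not reported.
find_injected() {
    find "$1" -type f -name '*.php' -exec sh -c '
        for f; do
            head -n 1 "$f" | grep -q -i -E "$0" && printf "%s\n" "$f"
        done
        exit 0' "$INJ_RE" {} + | sort
}

# List files under $1/wp-content/uploads whose base name matches the
# extension list used by the post's prepend file (php|phtml|pm|pl|cgi).
find_upload_scripts() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f |
        grep -i -E '/[^/]*\.(php|phtml|pm|pl|cgi)[^/]*$' | sort
}

# Print file $1 with the injected call cut from line 1. The file on disk is
# left as it is, so the output can be diffed before anything is replaced.
strip_injection() {
    sed -E '1s/(<\?php)[[:space:]]*eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\([^)]*\)[[:space:]]*\)[[:space:]]*;/\1/I' "$1"
}

# Usage: sh triage.sh /site_document_root_path
if [ "$#" -gt 0 ]; then
    echo "== eval(base64_decode( after the open tag =="
    find_injected "$1"
    echo "== script files under wp-content/uploads =="
    find_upload_scripts "$1"
fi
```

Compare `strip_injection file.php` against the file with `diff` before replacing it, and check every hit from `find_upload_scripts` against the `_wp_attached_file` post meta mentioned above.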

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Remote attack try login as admin and upload themes’ is closed to new replies.