Support » Fixing WordPress » security hole in wp-login.php and/or wp-atom.php??

  • I’m observing someone in Moldova using my box as a spam relay via WP.

    I host multiple installations of WP online, and for the past week have been seeing large HTTP POST entries in the logs with a file attached. I then see an outgoing email from sendmail as “” going to some email address with a SPAM message attached.

    A quick iptables rule to block the offending IP address has stopped it, for now, but I am running the latest version of WP with few plugins (or none, one some sites) and appear to be seeing an exploit of the core WP install itself? I need a more permanent solution.

    I’ve seen a few other posts here similar to this, but with no apparent resolution. I’m fairly confident I don’t have a tainted install.

    Here’s an example of the logs: (Logs truncated and code modified for safety) – – [15/Jun/2012:20:54:34 -0400] “POST /blog/ HTTP/1.1” 404 297 “” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Geck$ – – [15/Jun/2012:20:54:34 -0400] “POST /blog/?s=google HTTP/1.1” 404 297 “” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.$ – – [15/Jun/2012:20:54:34 -0400] “POST /blog/wp-atom.php HTTP/1.1” 404 308 “” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.$ – – [15/Jun/2012:20:54:35 -0400] “POST /blog/wp-login.php HTTP/1.1” 404 309 “” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1$ – – [15/Jun/2012:20:54:35 -0400] “POST /blog/wp-login.php HTTP/1.1” 100 0 “” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8$ – – [15/Jun/2012:20:54:36 -0400] “file=QGV2YWwoZGVjcnlwdCgiMXFPbG5OcFpXc0dCdExTR2kxdWRtczJhV1pTUGJGYUdwTm5DbVpWeFdhVEdtS0dseWxOeGJEdUp4Nl$ – – [15/Jun/2012:20:55:24 -0400] “POST / HTTP/1.1” 200 32 “” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070309 $ – – [15/Jun/2012:20:55:24 -0400] “POST / HTTP/1.1” 100 0 “” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070309 F$ – – [15/Jun/2012:20:55:24 -0400] “file=QGV2YWwoZGVjcnlwdCgicmFHc25xZGZWTUcyZ0xXSGxGeWV6cVNZWUpaY2NsQ0cyYVhEbXA1eVd0aWRscWlubDFscmJIQlZ5S1$ – – [-] “” ESMTP 0 “” “” – – [15/Jun/2012:20:55:26 -0400] “EHLO” – 0 “” “” – – [15/Jun/2012:20:55:26 -0400] “MAIL From:<>” 2.1.0 0 “” “” – – [15/Jun/2012:20:55:26 -0400] “RCPT To:<>” 2.1.5 0 “” “” – – [15/Jun/2012:20:55:26 -0400] “DATA” End 0 “” “” – – [15/Jun/2012:20:55:26 -0400] “Received: from (localhost.localdomain [])” 2.0.0 0 “” “” – – [15/Jun/2012:20:55:26 -0400] “QUIT” 2.0.0 0 “” “”

Viewing 15 replies - 1 through 15 (of 21 total)
  • I’m fairly confident I don’t have a tainted install.

    Have you checked?

    Yes, checked and reinstalled from backup. The code is not tainted.

    I’ve been seeing this on clean WP sites too. Have yet to find a solution. I’m installing mod_dumpIO for apache to try to get more data from the POST requests, but just POST /blog/ is all that’s in the domain logs for now, and it’s definitely putting spam into the servers e-mail queue at the same time as the POST requets. I’ve checked every single use of eval( in the site code, nothing looks injected or tampered with at all. Default theme.

    Stolen password?

    Far as I can tell, this has nothing to do with using a password. I’ve worked in an abuse team for a major webhost for several years, and I deal with multiple hacked sites a day; a good section of those being wordpress. This isn’t the normal outdated theme/plugin/etc. issue, or code injection issues that I see on a daily basis. Site is using 3.4.2

    The normal Apache domlog only shows:

    (offending IP address) - - [15/Nov/2012:08:03:56 -0500] "POST /blog/ HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070309 Firefox/"

    over and over and over. At the same time as these “POST /blog/” entries, the exim queue receives an outgoing e-mail message from a fake account

    If there’s a code injection, it’s hidden extremely well. Hoping they hit it again now that I have mod_dumpio and debug logging on.



    Forum Moderator

    It might be worth checking to see if there is a specific plugin or theme involved in all cases.

    This site was using the really old WordPress Default Version 1.6 theme from like 2007. Betting there’s an issue with that. I updated it to the version from 2010 (1.7.2, last release of that theme). We’ll see if that stops it. Does anyone know of any remote code exec vulns with that old default theme?

    It might not even be WordPress, have you checked your apache version? Older remote apache vulnerabilities are a dime a dozen. Earlier this year there was a remote PHP exploit running wild also. HTH!

    Appreciate the advice everyone. Apache is the newest 2.2.x (2.2.23) build supported by cPanel, and PHP is at the last 5.2.x version available, 5.2.17 I believe. I’m still hoping the site gets hit again so I get some debug info.

    This actually looks just like the PHP fastcgi exploit!

    Its executing command line arguments via PHP and using the normal wordpress php scripts to do it since it requires a file to be present on the server.

    That exploit doesn’t work on cPanel servers, cPanel wraps the requests for CGI handlers and strips any command line options.

    Server is using SuPHP for PHP handling.

    (edit for reference)

    Heres a lot more information on it: php-cgi-advisory-cve-2012-1823

    Interesting vulnerability. Let me know what you find.

    Ahh.. Ok, well hope you figure it out. 😐

    Sincerely appreciate the input. Like I said, I work for a web host, and we’re pretty on top of PHP/Apache vulns since 90% of our customers are using LAMP stack servers.

    I’m betting it was the 2007 theme files. I’ve seen some other threads with similar issues, but most people found code injections that eval() a post variable. Not the case here. Some of the other threads I’ve found never did find code injections, and never seem to have solved it. If I get to the bottom of this, I’ll post what I find.

Viewing 15 replies - 1 through 15 (of 21 total)
  • The topic ‘security hole in wp-login.php and/or wp-atom.php??’ is closed to new replies.