Several sites hacked, including 3.4.2 (11 posts)

  1. sallymoos
    Posted 3 years ago #

    Hi, I manage about 12 WordPress sites and I had half of them hacked last night. The hacker replaced on the home page and inserted a backdoor trojan into the first (alphabetical) plugin file.

    I've got the sites up and running OK now but I'm trying to trace how he got in. The HTTP access logs just show him logging in via wp-admin (which I've now changed) but there is no way he could have known 6 random strong passwords. It looks like this exploit http://wordpress.stackexchange.com/questions/60585/websites-defaced-by-uploading-script-using-theme-editor and I'm trying to track down how he was able to first delete all user accounts and set himself up with a new 'admin' account so he could log in. All of the sites are running 3.2+ and one is running 3.4.2. The sites run different plugins, all up to date.

    Can anyone give me any pointers where I could look to track how he got in and where?



  2. esmi
    Forum Moderator
    Posted 3 years ago #

  3. sallymoos
    Posted 3 years ago #

    Thanks, esmi, I had seen these but these are more about prevention and clearing up after the hack. I'm looking for info on how to track how he/she got in. Can you offer any suggestions?


  4. esmi
    Forum Moderator
    Posted 3 years ago #

    In your shoes, I'd be looking at the server and FTP access logs.

  5. sallymoos
    Posted 3 years ago #

    The FTP access logs are empty (other than my logins).

    The HTTP logs just show the hacker logging in with his/her new login. This happened AFTER he deleted the normal "admin" and user accounts. [The normal admin accounts were all called something different from "admin" and were very secure.]

    I've posted the excerpt of logs below showing his track through wp-admin, ending on adding the backdoor to the adminimize plugin via Editor (he added the backdoor to the first plugin in each site).

    How did he get access to delete all the admin/user accounts?

    [IP] - - [04/Oct/2012:12:43:16 +0100] "GET /wp-admin/ HTTP/1.1" 302 - "-"
    [IP] - - [04/Oct/2012:12:43:17 +0100] "GET /wp-login.php?redirect_to=http%3A%2F%2Fwww.SITEHERE.com%2Fwp-admin%2F&reauth=1 HTTP/1.1" 200 3799 "-"
    [IP] - - [04/Oct/2012:12:43:18 +0100] "GET /wp-admin/css/colors-fresh.css?ver=20111206 HTTP/1.1" 200 34571 "http://www.SITEHERE.com/wp-login.php?redirect_to=http%3A%2F%2Fwww.SITEHERE.com%2Fwp-admin%2F&reauth=1"
    [IP] - - [04/Oct/2012:12:43:18 +0100] "GET /wp-admin/css/wp-admin.css?ver=20111208 HTTP/1.1" 200 104204 "http://www.SITEHERE.com/wp-login.php?redirect_to=http%3A%2F%2Fwww.SITEHERE.com%2Fwp-admin%2F&reauth=1"
    [IP] - - [04/Oct/2012:12:43:32 +0100] "GET /wp-admin/images/logo-login.png HTTP/1.1" 200 8891 "http://www.SITEHERE.com/wp-admin/css/wp-admin.css?ver=20111208"
    [IP] - - [04/Oct/2012:12:43:32 +0100] "GET /wp-admin/images/button-grad.png HTTP/1.1" 200 243 "http://www.SITEHERE.com/wp-admin/css/colors-fresh.css?ver=20111206"
    [IP] - - [04/Oct/2012:12:43:39 +0100] "POST /wp-login.php HTTP/1.1" 302 - "http://www.SITEHERE.com/wp-login.php?redirect_to=http%3A%2F%2Fwww.SITEHERE.com%2Fwp-admin%2F&reauth=1"
    [IP] - - [04/Oct/2012:12:43:43 +0100] "GET /wp-admin/ HTTP/1.1" 200 51722 "http://www.SITEHERE.com/wp-login.php?redirect_to=http%3A%2F%2Fwww.SITEHERE.com%2Fwp-admin%2F&reauth=1"
    [IP] - - [04/Oct/2012:12:43:46 +0100] "GET /wpth-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin&ver=7f0753feec257518ac1fec83d5bced6a HTTP/1.1" 200 27158 "http://www.SITEHERE.com/wp-admin/"
    [IP] - - [04/Oct/2012:12:43:46 +0100] "GET /wp-includes/js/thickbox/thickbox.css?ver=20111117 HTTP/1.1" 200 3870 "http://www.SITEHERE.com/wp-admin/"
    [IP] - - [04/Oct/2012:12:43:46 +0100] "GET /wp-admin/css/colors-fresh.css?ver=20111206 HTTP/1.1" 304 - "http://www.SITEHERE.com/wp-admin/"
    [IP] - - [04/Oct/2012:12:43:46 +0100] "GET /wp-includes/js/tw-sack.js?ver=1.6.1 HTTP/1.1" 200 3619 "http://www.SITEHERE.com/wp-admin/"
    [IP] - - [04/Oct/2012:12:43:46 +0100] "GET /wp-admin/load-scripts.php?c=1&load=jquery,utils&ver=edec3fab0cb6297ea474806db1895fa7 HTTP/1.1" 200 36959 "http://www.SITEHERE.com/wp-admin/"
    [IP] - - [04/Oct/2012:12:43:48 +0100] "GET /wp-admin/images/wpspin_light.gif HTTP/1.1" 200 2193 "http://www.SITEHERE.com/wp-admin/"
    [IP] - - [04/Oct/2012:12:43:49 +0100] "GET /wp-admin/images/media-button.png?ver=20111005 HTTP/1.1" 200 3117 "http://www.SITEHERE.com/wp-admin/"
    [IP] - - [04/Oct/2012:12:43:50 +0100] "GET /wp-admin/load-styles.php?c=1&dir=ltr&load=wp-jquery-ui-dialog&ver=3e676db9ea65504c756e11cf9a70be9e HTTP/1.1" 200 1127 "http://www.SITEHERE.com/wp-admin/"
    [IP] - - [04/Oct/2012:12:43:50 +0100] "GET /wp-admin/images/menu-shadow.png HTTP/1.1" 200 131 "http://www.SITEHERE.com/wp-admin/css/colors-fresh.css?ver=20111206"
    [IP] - - [04/Oct/2012:12:43:50 +0100] "GET /wp-admin/images/menu.png?ver=20111128 HTTP/1.1" 200 9680 "http://www.SITEHERE.com/wp-admin/css/colors-fresh.css?ver=20111206"
    [IP] - - [04/Oct/2012:12:43:50 +0100] "GET /wp-admin/images/arrows.png HTTP/1.1" 200 494 "http://www.SITEHERE.com/wp-admin/css/colors-fresh.css?ver=20111206"
    [IP] - - [04/Oct/2012:12:43:50 +0100] "GET /wp-admin/images/icons32.png?ver=20111206 HTTP/1.1" 200 13441 "http://www.SITEHERE.com/wp-admin/css/colors-fresh.css?ver=20111206"
    [IP] - - [04/Oct/2012:12:43:51 +0100] "GET /wp-admin/images/white-grad.png HTTP/1.1" 200 210 "http://www.SITEHERE.com/wp-admin/css/colors-fresh.css?ver=20111206"
    [IP] - - [04/Oct/2012:12:43:51 +0100] "GET /wp-admin/load-scripts.php?c=1&load=admin-bar,hoverIntent,common,jquery-color,jquery-ui-core,thickbox,wp-ajax-response,wp-lists,quicktags,jquery-query,admin-comments,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,plugin-install,media-upload,word-count,jquery-ui-resizable,jquery-ui-draggable,jquery-ui-button,jquery-ui-position,jquery-ui-dialog,wpdialogs,wplink,wpdialogs-popup&ver=5942849f845ec3cb08a0cd3337cdb69f HTTP/1.1" 200 57299 "http://www.SITEHERE.com/wp-admin/"
    [IP] - - [04/Oct/2012:12:43:53 +0100] "GET /wp-includes/images/admin-bar-sprite.png?d=20111130 HTTP/1.1" 200 3999 "http://www.SITEHERE.com/wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin&ver=7f0753feec257518ac1fec83d5bced6a"
    [IP] - - [04/Oct/2012:12:43:54 +0100] "GET /wp-includes/js/thickbox/loadingAnimation.gif HTTP/1.1" 200 5886 "http://www.SITEHERE.com/wp-admin/"
    [IP] - - [04/Oct/2012:12:43:54 +0100] "GET /wp-admin/index-extra.php?jax=dashboard_incoming_links HTTP/1.1" 200 253 "http://www.SITEHERE.com/wp-admin/"
    [IP] - - [04/Oct/2012:12:43:55 +0100] "GET /wp-admin/index-extra.php?jax=dashboard_primary HTTP/1.1" 200 1937 "http://www.SITEHERE.com/wp-admin/"
    [IP] - - [04/Oct/2012:12:43:55 +0100] "GET /wp-admin/index-extra.php?jax=dashboard_secondary HTTP/1.1" 200 1042 "http://www.SITEHERE.com/wp-admin/"
    [IP] - - [04/Oct/2012:12:43:56 +0100] "GET /wp-admin/index-extra.php?jax=dashboard_plugins HTTP/1.1" 200 1337 "http://www.SITEHERE.com/wp-admin/"
    [IP] - - [04/Oct/2012:12:44:02 +0100] "GET /wp-includes/js/thickbox/thickbox.css?ver=20111117 HTTP/1.1" 304 - "http://www.SITEHERE.com/wp-admin/plugin-editor.php"
    [IP] - - [04/Oct/2012:12:44:02 +0100] "GET /wp-admin/css/colors-fresh.css?ver=20111206 HTTP/1.1" 304 - "http://www.SITEHERE.com/wp-admin/plugin-editor.php"
    [IP] - - [04/Oct/2012:12:44:02 +0100] "GET /wp-includes/js/tw-sack.js?ver=1.6.1 HTTP/1.1" 304 - "http://www.SITEHERE.com/wp-admin/plugin-editor.php"
    [IP] - - [04/Oct/2012:12:44:00 +0100] "GET /wp-admin/plugin-editor.php HTTP/1.1" 200 102643 "http://www.SITEHERE.com/wp-admin/"
    [IP] - - [04/Oct/2012:12:44:16 +0100] "GET /wp-admin/load-scripts.php?c=1&load=admin-bar,hoverIntent,common,jquery-color,jquery-ui-core,thickbox&ver=36bdd73350ea39f8abd5737571b9f4ea HTTP/1.1" 200 11139 "http://www.SITEHERE.com/wp-admin/plugin-editor.php"
    [IP] - - [04/Oct/2012:12:44:29 +0100] "GET /wp-admin/images/button-grad-active.png HTTP/1.1" 200 284 "http://www.SITEHERE.com/wp-admin/css/colors-fresh.css?ver=20111206"
    [IP] - - [04/Oct/2012:12:44:30 +0100] "POST /wp-admin/plugin-editor.php HTTP/1.1" 302 - "http://www.SITEHERE.com/wp-admin/plugin-editor.php"
    [IP] - - [04/Oct/2012:12:44:47 +0100] "GET /wp-admin/plugin-editor.php?file=adminimize%2Fadminimize.php&liveupdate=1&scrollto=35280&networkwide&_wpnonce=5cbc02be02 HTTP/1.1" 500 2947 "http://www.SITEHERE.com/wp-admin/plugin-editor.php"
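
Added example (not part of the original thread): the trace above ends with a POST to plugin-editor.php shortly after a login, and the check below pulls that pattern out of an access log. The sample lines are constructed in the same shape as the excerpt; treating a 302 on POST /wp-login.php as a successful login is an assumption about WordPress behaviour, and the function name is hypothetical.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample in the same shape as the excerpt above: anonymised
# client field, no user-agent column, referer last.
SAMPLE_LOG = """\
[IP] - - [04/Oct/2012:12:43:39 +0100] "POST /wp-login.php HTTP/1.1" 302 - "http://www.SITEHERE.com/wp-login.php"
[IP] - - [04/Oct/2012:12:44:00 +0100] "GET /wp-admin/plugin-editor.php HTTP/1.1" 200 102643 "http://www.SITEHERE.com/wp-admin/"
[IP] - - [04/Oct/2012:12:44:30 +0100] "POST /wp-admin/plugin-editor.php HTTP/1.1" 302 - "http://www.SITEHERE.com/wp-admin/plugin-editor.php"
[IP2] - - [04/Oct/2012:13:00:00 +0100] "POST /wp-login.php HTTP/1.1" 200 3799 "-"
[IP2] - - [04/Oct/2012:13:05:10 +0100] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 - "-"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Built-in file editors: a POST here means PHP on disk was (probably) rewritten.
EDITORS = {"/wp-admin/plugin-editor.php", "/wp-admin/theme-editor.php"}


def find_editor_writes(log_text):
    """Return every editor POST with the delay since that client's last login."""
    last_login = {}   # client -> time of last successful login POST
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = urlsplit(m["target"]).path   # drop the query string
        client = m["client"]
        if path == "/wp-login.php" and m["status"] == "302":
            last_login[client] = when       # assumption: 302 = login accepted
        elif path in EDITORS:
            login = last_login.get(client)
            delay = int((when - login).total_seconds()) if login else None
            findings.append({"client": client, "path": path,
                             "time": when.isoformat(),
                             "seconds_after_login": delay})
    return findings


if __name__ == "__main__":
    for hit in find_editor_writes(SAMPLE_LOG):
        print(hit)
```

A finding with `seconds_after_login` of `None` means the editor was used without a successful login in the analysed window, so the session was established earlier or by another route.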

  6. MickeyRoush
    Posted 3 years ago #

    @ sallymoos

    You need to go through the links provided by esmi. More than likely they performed an SQL injection on a vulnerable plugin or theme. I've seen SQLi performed in this manner to reset an admin password and gain access.

  7. sallymoos
    Posted 3 years ago #

    Update: I have discovered the hacker was able to "log in" to wp-admin by using a backdoor he had left in a Joomla installation on the server (via an exploit in a Joomla plugin) which allowed him to delete wp_users and add a new user admin account for himself. That's why it didn't matter what WP version installation was running.

    The links provided are useful in prevention, but, in a case like this, I don't think having all the WP updates in place would have made any difference? Can anyone advise if there's anything that could be done to prevent this?

  8. Shane Gowland
    Posted 3 years ago #

    Can anyone advise if there's anything that could be done to prevent this?

    As a general rule, every single piece of software on a server is a potential vulnerability. Once they get in through one hole, everything else on the server is compromised too. (It's why I refuse to use shared web hosting.)

    The best defence is keeping everything up to date and secure - not just WordPress. Ideally, you would have all of your systems isolated, running on different servers with different access credentials.

  9. MickeyRoush
    Posted 3 years ago #

    One thing that might have helped is if each of your installs had open_basedir set for its directory only.
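
Added example (not part of the original thread): a small audit of the open_basedir suggestion above, reporting which virtual hosts have no open_basedir or one wide enough to reach another site's DocumentRoot. It assumes Apache with mod_php and `php_admin_value open_basedir` set per VirtualHost; the config, host names and paths are constructed and the function names are hypothetical.

```python
import re
from pathlib import PurePosixPath

# Constructed Apache/mod_php config; host names and paths are made up.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName wp1.example.test
    DocumentRoot /var/www/wp1
    php_admin_value open_basedir "/var/www/wp1:/var/tmp/wp1"
</VirtualHost>
<VirtualHost *:80>
    ServerName wp2.example.test
    DocumentRoot /var/www/wp2
    php_admin_value open_basedir "/var/www"
</VirtualHost>
<VirtualHost *:80>
    ServerName joomla.example.test
    DocumentRoot /var/www/joomla
</VirtualHost>
"""


def covers(allowed, target):
    """True if `target` is `allowed` itself or lies beneath it."""
    a, t = PurePosixPath(allowed), PurePosixPath(target)
    return a == t or a in t.parents


def audit_open_basedir(conf):
    """Map each ServerName to 'missing', 'confined' or 'reaches <other sites>'."""
    vhosts = []
    for block in re.findall(r"<VirtualHost\b.*?</VirtualHost>", conf, re.S | re.I):
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.M | re.I)
        root = re.search(r"^\s*DocumentRoot\s+\"?([^\"\s]+)", block, re.M | re.I)
        obd = re.search(r"^\s*php_admin_value\s+open_basedir\s+\"?([^\"\n]+)",
                        block, re.M | re.I)
        # open_basedir takes a colon-separated list of directories on Unix.
        allowed = obd.group(1).strip().split(":") if obd else []
        vhosts.append((name.group(1), root.group(1), allowed))
    report = {}
    for name, root, allowed in vhosts:
        if not allowed:
            report[name] = "missing"   # PHP here can touch anything the web user can
            continue
        reach = sorted(other for other, other_root, _ in vhosts
                       if other != name and any(covers(a, other_root) for a in allowed))
        report[name] = "reaches " + ", ".join(reach) if reach else "confined"
    return report


if __name__ == "__main__":
    for host, status in audit_open_basedir(SAMPLE_CONF).items():
        print(f"{host}: {status}")
```

In the scenario from this thread the entry point was the Joomla install, so a host reported as `missing` matters as much as one that `reaches` its neighbours.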


  10. d3t0n4t0r
    Posted 3 years ago #

    The valid admin login is usually deleted and replaced with a bad admin login by using a backdoor script.

    I've had several websites reported with a similar pattern. Try to look into your wp-content/plugins/ and search for bad scripts. I've managed to find the bad script inside wp-content/plugins/akismet/akismet.php. In your case, it might be in a different file.

  11. extremulus
    Posted 3 years ago #

    I had the same attack and the altered akismet.php as well, but the reason is still a mystery. Would love to have help to figure it out. No FTP access, no unauthorized SCP/SSH access, not a shared host and no modification of the wp_users table. Driving me crazy. The only thing that looks to have been accessed is the meteor-slides plugin, but I don't see any reports of a vuln. This system was also 3.4.1, but again I don't see any RCE or anything fixed in 3.4.2 that would account for this.

This topic has been closed to new replies.