[resolved] Site Hacked tonight - Info and questions (23 posts)

  1. ticogrande
    Member
    Posted 7 years ago #

    This may come bouncing back to me that the whole thing was my fault, and certainly it might be... but I really want to understand this better. Also, this might help others avoid a problem. I also think there MAY be a security issue here, but I have not enough tech savvy to know, so opinions are welcome. Using WP 2.3.1

    Site: http://blog.therealcostarica.com

    Things I know I did wrong:

    First, the subdirectory "blog" was open (777) as also was the wp-content directory (more on THAT later). I have since changed both to 755

    A hacker came in tonight and added TWO files that I know of.

    The first was in the (blog) root directory and named index.html The code for this file is at the end of this post.

    They also added a second file, wp-cache-config.php, to the wp-content directory. The code for that file is identical to the HTML, only the name being different.

    I WAS using a plug-in, wp-cache, in the plugins folder, but it was NOT activated. That plug-in may have installed another PHP file, "advanced-cache.php" - or maybe the hacker did that too, but I think the plugin created that file. I know it was not there when I upgraded to 2.3.1.

    In any case, the result was a thoroughly corrupted dashboard and the hacker's message appeared above the normal blog pages. The blog content was not disturbed.

    Removing the HTML code did nothing to fix the hack. Removing the PHP file DID fix it... so far.

    Entering the server as root, I noticed that BOTH the HTML and the PHP files were owned by NOBODY. They were NOT owned by me. Now THIS indicates to me that the hacker has found a way into WordPress in order to upload these files.

    So here are my questions!

    1. How did they get in? I use enormously complex 11-12 digit passwords to the server and to blog itself and even if the blog directory and the wp-content directory were 777, is that enough to let them in? Here is the kind of password I use: j75N88QbHJ9 so it seems unlikely they guessed it.

    2. If the wp-content directory is changed to 755 or 775, then the WordPress Database Backup plugin does not work and cannot store the backed up db to that directory. That makes NO sense to me.

    3. Am I wrong about that NOBODY ownership thing? How can someone upload files using nobody?

    4. Will changing the permissions for blog and wp-content to 755 be enough? Should failure to do so leave this software that vulnerable?

    I appreciate any responses on this. I am trying to learn and to understand this stuff better, so please, no flames... just your thoughts and suggestions.

    Thanks - TG

    Here is the code for the two files above:

    <html>
    <title>Hacked By  Boz_wolf </title>
    
    <script language="JavaScript1.2">
    function ClearError() {return true;}
    window.onerror = ClearError;
    </script>
    
    <title>Hacked By Boz_wolf  </title>
    
    <P align=center><SPAN><FONT face=Haettenschweiler color=red size=5></FONT></SPAN></P>
    <P align=center><SPAN><FONT face=Haettenschweiler color=red size=5>Hacked By Boz_Wolf | cybermafia | Leonard | webpolice | By_3GE | THEsnowFLAKE | By-YaRaMaZ</FONT></SPAN></P>
    <P align=center><SPAN><FONT face=Haettenschweiler color=red size=4> </FONT>Simdi susma zamani!!!</SPAN></P>
    <p align="center">
    <img border="0" src="http://img201.imageshack.us/img201/4396/10le9.png" width="207" height="208"></p>
    <P align=center><SPAN><FONT face=Haettenschweiler color=#808080 size=5></FONT></SPAN></P>
    <P align=center><SPAN><font color="#808080" size="5" face="Haettenschweiler">Etikete gerek yok piyasa iyi tanir beni:)</font></SPAN></P>
    <P align=center><font color="#808080" size="5" face="Haettenschweiler">hacked_by_bozwolf@hotmail.com</font></P>
    <P align=center><SPAN><FONT face=Haettenschweiler color=red size=5>www.megasecurity.us</FONT></SPAN></P>
    <EMBED
    src=http://www.forumcusun.com/yeah.mp3 
    
    LOOP="TRUE" width="1" height="1"> <NOEMBED><BGSOUND src="http://www.bebelerebalon.org/societa.mp3" 
    
    loop=infinite></NOEMBED></EMBED>
    </body>
    </body></p></blockquote>
    </html>
  2. macsoft3
    Member
    Posted 7 years ago #

    Here is the kind of password I use: j75N88QbHJ9 so it seems unlikely they guessed it.

    What was the username for WP blog - admin?

  3. jpadie
    Member
    Posted 7 years ago #

    look at your server logs for the activity in question. both the www logs to see whether the files were inserted via a naughty plugin and the ftp logs to check for a more traditional upload.
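A log check of the kind jpadie describes, as an added example that is not part of this thread and not a WordPress tool: it reads an Apache/nginx combined-format access log and prints the requests that call PHP files inside wp-content directly (bypassing WordPress itself), or that fetch the dropped-in wp-cache-config.php, so they can be compared against the creation times of the unexpected files. The log lines, the IP addresses and the plugin name are constructed for the demo; the real log usually lives under /var/log or the host's "logs" directory.

```shell
#!/bin/sh
# Added example (not from the thread or from WordPress): pick out access-log
# lines worth a second look after files appear under wp-content.

# Print log lines whose request path either calls a PHP file under
# wp-content/{plugins,themes,uploads} directly or fetches the file this
# thread found dropped into wp-content. $1 = path to a combined-format log.
# The site may live in a subdirectory such as /blog, so a prefix before
# wp-content is allowed.
flag_direct_php_hits() {
    awk '
        # In combined log format the request line is split into
        # $6 = "METHOD, $7 = path, $8 = HTTP/x.y"
        $7 ~ /^\/[^ ]*wp-content\/(plugins|themes|uploads)\/.*\.php(\?.*)?$/ { print; next }
        $7 ~ /\/wp-content\/wp-cache-config\.php(\?.*)?$/ { print }
    ' "$1"
}

# Number of flagged lines, handy for a quick yes/no from a cron job.
count_direct_php_hits() {
    flag_direct_php_hits "$1" | awk 'END { print NR }'
}

# Constructed sample log: documentation-range addresses, made-up plugin name.
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
203.0.113.5 - - [06/Dec/2007:22:11:03 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Dec/2007:22:11:09 +0000] "GET /blog/wp-content/themes/default/style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Dec/2007:22:14:41 +0000] "POST /blog/wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.7 - - [06/Dec/2007:22:14:55 +0000] "GET /blog/wp-content/wp-cache-config.php HTTP/1.1" 200 2100 "-" "Mozilla/4.0"
192.0.2.9 - - [06/Dec/2007:22:20:10 +0000] "POST /blog/wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

echo "Flagged requests:"
flag_direct_php_hits "$sample_log"
echo "Total flagged: $(count_direct_php_hits "$sample_log")"
```

Ordinary WordPress traffic goes through index.php, wp-admin or wp-login.php, so a request that names a plugin's own PHP file is unusual enough to be worth reading alongside the file timestamps; the FTP log, if the host provides one, is checked the same way for uploads into the same paths.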

  4. ticogrande
    Member
    Posted 7 years ago #

    They used cross site scripting. I think it was the (now gone) wp-cache plugin. All hacked files were owned by nobody so that is pretty certain.

    Why the question about admin login?

  5.

    2. If the wp-content directory is changed to 755 or 775, then the WordPress Database Backup plugin does not work and cannot store the backed up db to that directory. That makes NO sense to me.

    The DB backup plugin is running under the webserver process, which is apparently running as NOBODY. So if NOBODY cannot write to the directory, the DB backup plugin can't either. Download your backups instead.

    3. Am I wrong about that NOBODY ownership thing? How can someone upload files using nobody?

    They got the webserver or PHP code to run their commands for them.

    4. Will changing the permissions for blog and wp-content to 755 be enough? Should failure to do so leave this software that vulnerable?

    Without knowing the vulnerability they used, it's impossible to say. Note that if this is a shared server instead of a dedicated one, they could have gotten in through somebody else's buggy webapp and inserted those files that way. 777 permissions would have allowed that. 755 ones will not.

  6. Cyndy Otty
    Member
    Posted 7 years ago #

    Why the question about admin login?

    To add to security of your blog, it's suggested you change the login username of "admin" to something else. That way it's one less thing the potential hacker would know automatically.

  7. S.K
    Member
    Posted 7 years ago #

    macsoft3,

    With the username being easily guessable, is it possible for a person to make a program which will spew out anagrams of passwords with all alphabets in both cases together with numbers 1 to 10, and enter into your admin?

    Even so, if the ftp login is not available, how to put in files into the root directory!

    I think this will be a lesson to the noobs!

    S.K

  8. macsoft3
    Member
    Posted 7 years ago #

    kichu,

    I suppose so. A username is also a password in a sense if they can't guess it.

  9. macsoft3
    Member
    Posted 7 years ago #

    Make sure you use special characters and Greek letters if possible.

  10. ticogrande
    Member
    Posted 7 years ago #

    Yeah.. I agree but Admin cannot be changed after it is first setup... or at least I do not know how to do it. You cannot change it in the USER tab. I also use a very complex PW and never login using that account.

    to Otto42

    Thank you. So the user is faced with either leaving wp-config open at 777 or backing up in some other manner. Then they should eliminate the "store on the server" option and just do it via email. Forcing a user to leave open a directory that can be hacked just does not seem well thought out.

  11. Cyndy Otty
    Member
    Posted 7 years ago #

    Yeah.. I agree but Admin cannot be changed after it is first setup... or at least I do not know how to do it. You cannot change it in the USER tab. I also use a very complex PW and never login using that account.

    You have to change it in the database -- wp_users table. Make sure you're browsing the table so you can edit the proper user. And then just alter the user_login field.

  12.

    Thank you. So the user is faced with either leaving wp-config open at 777 or backing up in some other manner. Then they should eliminate the "store on the server" option and just do it via email. Forcing a user to leave open a directory that can be hacked just does not seem well thought out.

    There is no alternative. If somebody hacks their way in via the webserver, then they will have the same credentials as the webserver itself. That's just a given. So you either have to give the webserver permissions to do certain things, or you do not. Take your pick, this is not a WordPress issue, it's a generic security consideration.

  13. ticogrande
    Member
    Posted 7 years ago #

    Sorry... I do not agree. They did cross site scripting and it was, I am 99% sure, because of security issues with wp-cache. 2 files were added, one of which replaced the wp-cache config file.

    The permissions thing certainly made it easier though.

  14. kmessinger
    Forum Moderator
    Posted 7 years ago #

    I got rid of "admin" by establishing another administrator and then using that, changing "admin" to just a subscriber. Now I think I can delete "admin" but I am not sure what will happen to my old posts.

  15. Cyndy Otty
    Member
    Posted 7 years ago #

    Now I think I can delete "admin" but I am not sure what will happen to my old posts.

    When you select to delete a user, you'll get the option to delete their posts or have them attributed to another user.

  16. kmessinger
    Forum Moderator
    Posted 7 years ago #

    Great! Thank you.

  17.

    Sorry... I do not agree. They did cross site scripting and it was, I am 99% sure, because of security issues with wp-cache.

    Okay, well, how do you know that it was XSS? More to the point, what is the XSS exploit that they used? Because they can't use XSS to "add files" to your site. XSS is a way for them to steal information. They could have used it to steal your cookies and then login as you, so they would have your permissions.

    If you're so sure it was an XSS attack, then by all means, give us the details. Because I'm not sure that you know what "cross-site-scripting" actually means at this point.

    2 files were added, on of which replaced the wp-cache config file. The permissions thing certainly made it easier though.

    No doubt, but if you can do it and they can steal your credentials then they can do it. Basically what I'm saying is that having permissions world writable is not a security flaw *of WordPress itself*. It's a generic security consideration.

    If there's an XSS bug, then by all means tell us what it is and we'll get it fixed. But this is a completely separate issue from the permissions issue.

  18. ticogrande
    Member
    Posted 7 years ago #

    I presumed it was XSS because all the other options (that I knew of) had been eliminated. As it also involved just one plug-in, I also deduced that was the likely issue.

    So, let's go back to my original post above. I have described my environment and the things I know that I did wrong like the two open 777 directories.

    Now please tell me all the ways this person could have hacked wp. Do not please include FTP nor WP Admin as those were ruled out. I started this post to learn more about this, so teach me just how this hacking thing works or can work.

  19.

    There are a lot of possible bugs in PHP code that can lead to security compromises. The most common one is not checking or sanitizing input correctly. This usually happens when somebody is making both sides of a form. They expect the form to be limited in content, or they accept text input and don't check the input for potentially bad input. Somebody with knowledge of the system can then send code that makes the code do something other than expected.

    XSS is something else though. It's a vulnerability that happens when somebody can send code to the website that causes other HTML or Javascript code to be displayed in somebody's browser. It can be used in lots of ways, but the important bit is that it's not a direct attack. It's an indirect attack, going through some other system. It's not a common method of doing things, because it's more difficult.

    Read more about XSS here: http://en.wikipedia.org/wiki/Cross_site_scripting

    Now, plugins can be vulnerable too. So if you got hacked through a plugin, then we'd like to know which plugin so we can examine it and get it fixed, hopefully by the author.

    Also, you keep saying "WP-Cache", but from what you posted, that doesn't sound likely. They just took advantage of the WordPress advanced-cache hook. That's there whether you use wp-cache or not. They could have used the wp-db hook just as easily. These hooks are there for other reasons, but if somebody can write files to your site only in wp-content, then those are some easy ways to get stuff into the site.

    The truth is that almost all hacks happen on shared servers, where the attacker gained access to the machine via some other site hosted on that server, and then wrote to your directory because a) he had access to it through the webserver and b) it was a target of opportunity. There doesn't necessarily need to be a hole in *your* site, in other words. All the more reason to keep everything 755 on a shared server.
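As an added example that is not from this thread or from WordPress, here is a small audit script for the two points the replies in posts 5, 12 and 19 keep coming back to: entries that are world-writable, which any process running as the web server user (nobody here) can write into, and the drop-in files WordPress itself loads from wp-content (advanced-cache.php when WP_CACHE is defined as true in wp-config.php, db.php whenever it is present), which are what make an open wp-content directory an easy place to get code run. The script builds a throwaway directory tree with the same problems described above, so the paths and file contents are constructed; on a real install, point the three functions at the site root instead.

```shell
#!/bin/sh
# Added example (not from the thread or from WordPress): audit a WordPress
# install root for world-writable entries and unexpected drop-in files.

# List every file or directory under $1 that is writable by "other"
# (the o+w bit: modes such as 777, 666 or 757). On a shared host any
# process running as the web server user can create files in such a directory.
world_writable_entries() {
    find "$1" -perm -0002 | sort
}

# Print the WordPress drop-in files that exist in $1/wp-content. WordPress
# loads these on its own: advanced-cache.php when WP_CACHE is true,
# db.php and object-cache.php whenever they exist. Any you did not put
# there yourself deserves a close look.
present_dropins() {
    for name in advanced-cache.php db.php object-cache.php; do
        [ -f "$1/wp-content/$name" ] && echo "$name"
    done
    return 0
}

# Exit 0 if $1/wp-config.php defines WP_CACHE as true, 1 otherwise.
wp_cache_defined() {
    grep -Eq "define[[:space:]]*\([[:space:]]*['\"]WP_CACHE['\"][[:space:]]*,[[:space:]]*true" "$1/wp-config.php"
}

# Constructed install tree reproducing the thread's situation: an open
# wp-content directory, a dropped-in advanced-cache.php and a world-writable
# defacement file. Nothing here is a real WordPress file.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/wp-content/plugins"
chmod 755 "$demo" "$demo/wp-content/plugins"
chmod 777 "$demo/wp-content"
printf '<?php\n// constructed wp-config stub; WP_CACHE is not defined\n' > "$demo/wp-config.php"
printf '<?php\n// constructed stand-in for a dropped-in file\n' > "$demo/wp-content/advanced-cache.php"
printf '<html>constructed defacement page</html>\n' > "$demo/wp-content/wp-cache-config.php"
chmod 644 "$demo/wp-config.php" "$demo/wp-content/advanced-cache.php"
chmod 666 "$demo/wp-content/wp-cache-config.php"

echo "World-writable entries under $demo:"
world_writable_entries "$demo"
echo "Drop-ins present in wp-content:"
present_dropins "$demo"
if wp_cache_defined "$demo"; then
    echo "WP_CACHE is on: advanced-cache.php is loaded on every request"
else
    echo "WP_CACHE is off: advanced-cache.php is inert until WP_CACHE is defined, but it should still not be there"
fi
```

The fix the thread arrives at is visible in the output: once wp-content is 755 the first list is empty for a correctly set up site, and the second list should contain only drop-ins you installed deliberately.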

  20. DaBluez
    Member
    Posted 7 years ago #

    This is just a thought but from looking at your blog, you have that cutesy clocklink on the upper left. In following the link back to clocklink.com, on their webpage they state that:

    "WordPress
    You can not use ClockLink. For security purposes, embed tags will be removed from your blog before publishing."

    Entry points come in all flavors. Or maybe you found a safe way to embed it. If so, what is it? Thanks!

  21. engelmania
    Member
    Posted 7 years ago #

    Tico, I had a similar attack and wrote about it here: http://wordpress.org/support/topic/145448?replies=5

    Like you I think it was coming through wp-cache because it disappeared as soon as I erased the plugin directory. I also discovered that someone had hacked into my plogger photo gallery. Maybe they gained access through that. I'm going to try and reinstall wp-cache and see if the problems come back.

  22. megaformayahoocom
    Member
    Posted 7 years ago #

    It looks like today my website was also hacked (WP 2.3.1). The difference is that I was not using the wp-cache plugin. Plugins that I used: bad-behavior, wp-email, wp-print, sem-google-analytics and wp-db-backup. Everything started when I was unable to log in to my admin account; I got this error message:

    Error 403

    We're sorry, but we could not fulfill your request for /wp-login.php on this server.

    Your Internet Protocol address is listed on a blacklist of addresses involved in malicious or illegal activity. See the listing below for more details on specific blacklists and removal procedures.

    Your technical support key is: 43af-7b25-1366-73cd

    You can use this key to fix this problem yourself.

    If you are unable to fix the problem yourself, please contact [my email address] and be sure to provide the technical support key shown above.

    The phrase "fix this problem yourself" was a link going to:

    http://www.ioerror.us/bb2-support-key?key=43af-7b25-1366-73cd

    My host (IpowerWeb) said that they don't have any relations with that site and that it is a hack.

    I checked that link with Dr.Web Plugin for FireFox. It found it clean, but:

    File size: 2132 bytes, with inside scripts and frames: 17967 bytes

    bb2-support-key?key=43af-7b25-1366-73cd - archive HTML
    >bb2-support-key?key=43af-7b25-1366-73cd/Script.0 - OK
    bb2-support-key?key=43af-7b25-1366-73cd - OK

    This page also includes scripts/frames. All of them were also checked:

    * http://pagead2.googlesyndication.com/pagead/show_ads.js

    Perhaps the goal of this hack was to display as many ads?? But most interesting is how they hacked newest WP?

  23. megaformayahoocom
    Member
    Posted 7 years ago #

    Sorry for false alarm. This behavior was caused by ... bad_behavior :) here is some more info:

    http://wordpress.org/support/topic/146498

    http://www.bad-behavior.ioerror.us/2007/12/06/bad-behavior-2011/

Topic Closed

This topic has been closed to new replies.
