Support » Fixing WordPress » Site Hacked tonight – Info and questions

  • Resolved ticogrande

    (@ticogrande)


    This may come bouncing back to me that the whole thing was my fault, and certainly it might be… but I really want to understand this better. Also, this might help others avoid a problem. I also think there MAY be a security issue here, but I have not enough tech savvy to know, so opinions are welcome. Using WP 2.3.1

    Site: http://blog.therealcostarica.com

    Things I know I did wrong:

    First, the subdirectory “blog” was open (777) as also was the wp-content directory (more on THAT later). I have since changed both to 755

    A hacker came in tonight and added TWO files that I know of.

    The first was in the (blog) root directory and named index.html The code for this file is at the end of this post.

    They also added a second file, wp-cache-config.php was added to the wp-content directory. The code for that file is identical to the HTML only the name being different.

    I WAS using a plug-in, wp-cache, in the plugins folder, but it was NOT activated. That plug-in may have installed another PHP file, “advanced-cache.php” – or maybe the haker did that too, but I think the plugin created that file. I know it was not there when I upgraded to 2.3.1.

    In any case, the result was a throughly corrupted dashboard and the hacker’s message appeared above the normal blog pages. The blog content was not disturbed.

    Removing the HTML code did nothing to fix the hack. Removing the PHP file DID fix it… so far.

    Entering the server as root, I noticed that BOTH the HTML and the PHP files were owned by NOBODY. They were NOT owned by me. Now THIS indicates to me that the hacker has found a way into WordPress in order to upload these files.

    So here are my questions!

    1. How did they get in? I use enormously complex 11-12 digit passwords to the server and to blog itself and even if the blog directory and the wp-content directory were 777, is that enough to let them in? Here is the kind of password I use: j75N88QbHJ9 so it seems unlikely they guessed it.

    2. If the wp-content directory is changed to 755 or 775, then the WordPress Database Backup plugin does not work and cannot store the backed up db to that directory. That makes NO sense to me.

    3. Am I wrong about that NOBODY ownership thing? How can someone upload files using nobody?

    4 Will changing the permissions for blog and wp-content to 755 be enough? Should failure to do so leave this software that vulnerable?

    I appreciate any responses on this. I am trying to learn and to understand this stuff better, so please, no flames… just your thoughts and suggestions.

    Thanks – TG

    Here is the code for the two files above:

    <html>
    <title>Hacked By  Boz_wolf </title>
    
    <script language="JavaScript1.2">
    function ClearError() {return true;}
    window.onerror = ClearError;
    </script>
    
    <title>Hacked By Boz_wolf  </title>
    
    <P align=center><SPAN><FONT face=Haettenschweiler color=red size=5></FONT></SPAN></P>
    <P align=center><SPAN><FONT face=Haettenschweiler color=red size=5>Hacked By Boz_Wolf | cybermafia | Leonard | webpolice | By_3GE | THEsnowFLAKE | By-YaRaMaZ</FONT></SPAN></P>
    <P align=center><SPAN><FONT face=Haettenschweiler color=red size=4> </FONT>Simdi susma zamani!!!</SPAN></P>
    <p align="center">
    <img border="0" src="http://img201.imageshack.us/img201/4396/10le9.png" width="207" height="208"></p>
    <P align=center><SPAN><FONT face=Haettenschweiler color=#808080 size=5></FONT></SPAN></P>
    <P align=center><SPAN><font color="#808080" size="5" face="Haettenschweiler">Etikete gerek yok piyasa iyi tanir beni:)</font></SPAN></P>
    <P align=center><font color="#808080" size="5" face="Haettenschweiler">hacked_by_bozwolf@hotmail.com</font></P>
    <P align=center><SPAN><FONT face=Haettenschweiler color=red size=5>www.megasecurity.us</FONT></SPAN></P>
    <EMBED
    src=http://www.forumcusun.com/yeah.mp3 
    
    LOOP="TRUE" width="1" height="1"> <NOEMBED><BGSOUND src="http://www.bebelerebalon.org/societa.mp3" 
    
    loop=infinite></NOEMBED></EMBED>
    </body>
    </body></p></blockquote>
    </html>
Viewing 15 replies - 1 through 15 (of 22 total)
  • Here is the kind of password I use: j75N88QbHJ9 so it seems unlikely they guessed it.

    What was the username for WP blog – admin?

    look at your server logs for the activity in question. both the www logs to see whether the files were inserted via a naughty plugin and the ftp logs to check for a more traditional upload.

    They used cross site scripting. I think it was the (now gone) wp-cache plugin. All hacked file owned by nobody so that is pretty certain.

    Why the question about admin login?

    2. If the wp-content directory is changed to 755 or 775, then the WordPress Database Backup plugin does not work and cannot store the backed up db to that directory. That makes NO sense to me.

    The DB backup plugin is running under the webserver process, which is apparently running as NOBODY. So if NOBODY cannot write to the directory, the DB backup plugin can’t either. Download your backups instead.

    3. Am I wrong about that NOBODY ownership thing? How can someone upload files using nobody?

    They got the webserver or PHP code to run their commands for them.

    4 Will changing the permissions for blog and wp-content to 755 be enough? Should failure to do so leave this software that vulnerable?

    Without knowing the vulnerability they used, it’s impossible to say. Note that if this is a shared server instead of a dedicated one, they could have gotten in through somebody else’s buggy webapp and inserted those files that way. 777 permissions would have allowed that. 755 ones will not.

    Why the question about admin login?

    To add to security of your blog, it’s suggested you change the login username of “admin” to something else. That way it’s one less thing the potential hacker would know automatically.

    macsoft3,

    With the username being easily guessable, is it possible for a person to make a program which will spew out anagrams of passwords with all alphabets in both cases together with numbers 1 to 10, and enter into your admin?

    Even so, if the ftp login is not available, how to put in files into the root directory!

    I think this will be a lesson to the noobs!

    S.K

    kichu,

    I suppose so. A username is also a password in a sense if they can’t guess it.

    Make sure you use special characters and Greek letters if possible.

    Yeah.. I agree but Admin cannot be changed after it is first setup… or at least I do not know how to do it. You cannot change it in the USER tab. I also use a very complex PW and never login using that account.

    to Otto42

    Thank you. So the user is faced with either leaving wp-config open at 777 or backing up in some other manner. Then they should eliminate the “store on the server” option and just do it via email. Forcing a user to leave open a directory that can be hacked just does not seem well thought out.

    Yeah.. I agree but Admin cannot be changed after it is first setup… or at least I do not know how to do it. You cannot change it in the USER tab. I also use a very complex PW and never login using that account.

    You have to change it in the database — wp_users table. Make sure you’re browsing the table so you can edit the proper user. And then just alter the user_login field.

    Thank you. So the user is faced with either leaving wp-config open at 777 or backing up in some other manner. Then they should eliminate the “store on the server” option and just do it via email. Forcing a user to leave open a directory that can be hacked just does not seem well thought out.

    There is no alternative. If somebody hacks their way in via the webserver, then they will have the same credentials as the webserver itself. That’s just a given. So you either have to give the webserver permissions to do certain things, or you do not. Take your pick, this is not a WordPress issue, it’s a generic security consideration.

    Sorry… I do not agree. The did cross site scripting and it was I am 99% sure, because of security issues with wp-cache. 2 files were added, on of which replaced the wp-cache config file.

    The permissions thing certainly made it easier though.

    Moderator kmessinger

    (@kmessinger)

    I got rid of “admin” by establishing another administrator and then using that, changing “admin” to just a subscriber. Now I think I can delete “admin” but I am not sure what will happen to my old posts.

    Now I think I can delete “admin” but I am not sure what will happen to my old posts.

    When you select to delete a user, you’ll get the option to delete their posts or have them attributed to another user.

    Moderator kmessinger

    (@kmessinger)

    Great! Thank you.

Viewing 15 replies - 1 through 15 (of 22 total)
  • The topic ‘Site Hacked tonight – Info and questions’ is closed to new replies.