• Hi folks,

    I’m somewhat responsible for a multitude of WP installs on many different servers (some of which I don’t directly administer).

    Each of these installs ranges from 100% up-to-date to slightly out-of-date (no more than a couple of point releases behind). Some have lots of plugins, others have only the two default ones. In one case, a bone-stock, unused install was even involved.

    On June 2nd, a rash of compromises hit a server I directly manage. I’ve got it all cleaned up, but I need to figure out how to prevent this.

    As far as I can tell, a zip file is getting uploaded either to the plugin folder or the upload folder. Somehow, this zip file is getting unpacked, resulting in a PHP file. This file is an uploader script, so from there, they have total control over the account.

    What I don’t get is how in the world they are able to upload this file to begin with?

    Server is cPanel-run, with up-to-date LAMP stack. SuPHP is active on all accounts, and they are all jailshelled. Permissions are set according to the WP hardening guide (755 directories, 644 files). I can verify all of this was already set prior to the attack.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Any coincidences, like the same plugin installed in each?

    Same theme installed in each?

    It seems unlikely it’s a WP core file issue, and more likely something you’ve similarly installed in all of your sites being compromised.

    This is how the timthumb hack is sometimes done. Do you use any theme or plugin that uses the timthumb script?

    Thread Starter mikejulian

    (@forkvoid)

    Thanks for the responses, guys.

    The Hack Repair Guy: All of them have the twentyten theme installed, but none have it active. All of them have akismet and Hello Dolly. They diverge from there as to what they’re using. Those are the only common things.

    MickeyRoush: I’ve been doing a ton of research into the timthumb problem. Not all of the sites hacked had any form of timthumb anywhere (I searched via command line, grep’ing for the string inside files that identifies a timthumb script).

    @forkvoid

    The timthumb script may have been renamed. You’ll have to verify per theme/plugin. I’ve seen the timthumb script go by the following:

    timthumb.php
    thumb.php
    resizer.php
    crop.php
    cropper.php

    And there are probably more.

    To protect your uploads directory, you really need to use something at the server level. Like only allowing image files via .htaccess.

    Something like this:

    # Default is deny; only files whose names match the image extensions below are served
    Order Allow,Deny
    <FilesMatch "^[^.]+\.([Jj][Pp][Ee]?[Gg]|[Pp][Nn][Gg]|[Gg][Ii][Ff])$">
    Allow from all
    </FilesMatch>

    Note that this is only part of what you can do; you also need to disable the PHP engine within directories that do not need any PHP execution. But the above is a start.

    I create an .htaccess file for every plugin or theme that I use.

    Here is an example for Akismet:

    # Default is deny; the only files Akismet needs served directly are these three
    Order Allow,Deny
    <FilesMatch "^akismet\.(css|gif|js)$">
    Allow from all
    </FilesMatch>

    I believe every plugin should come with some form of .htaccess within like the one above that I use for Akismet. There are a small few that do.
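The checks discussed in this thread (PHP files and zip droppers appearing under uploads/, and TimThumb copies hiding under other file names) as an added shell audit helper; it is not code from this thread or from WordPress. It assumes wp-content is laid out as uploads/, plugins/ and themes/, and that a TimThumb copy can be recognised by the string "timthumb" in its body, since the thread does not name the marker string that was grepped for.

```shell
#!/bin/sh
# Added audit helper; not code from this thread or from WordPress.
# Walks one wp-content directory and reports the artefacts discussed above:
#  - PHP files under uploads/ (the unpacked uploader script)
#  - zip archives under uploads/ and plugins/ (the dropper stage)
#  - TimThumb copies under themes/ and plugins/, whatever they were renamed to
# Assumption: a TimThumb copy contains the string "timthumb" (case-insensitive).
# A missing subdirectory is not a finding, so find errors are suppressed.

php_in_uploads() {            # a clean site prints nothing here
    find "$1/uploads" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null || true
}

zips_in_wp_content() {        # archives have no business living here
    find "$1/uploads" "$1/plugins" -type f -iname '*.zip' 2>/dev/null || true
}

timthumb_copies() {           # match on content, not on file name
    find "$1/themes" "$1/plugins" -type f -iname '*.php' \
        -exec grep -li 'timthumb' {} + 2>/dev/null || true
}

# Prints each non-empty section plus a total; the exit status is the number
# of findings (0 = nothing found), so it can gate a cron job or deploy check.
audit_wp_content() {
    total=0
    for check in php_in_uploads zips_in_wp_content timthumb_copies; do
        hits=$("$check" "$1")
        if [ -n "$hits" ]; then
            echo "== $check"
            echo "$hits"
            total=$((total + $(printf '%s\n' "$hits" | wc -l)))
        fi
    done
    echo "== $total finding(s) under $1"
    return "$total"
}

if [ $# -gt 0 ]; then
    audit_wp_content "$1"     # usage: sh audit.sh /path/to/wp-content
fi
```

Run it against each site's wp-content and diff the output over time; a new PHP file under uploads/ is the earliest sign of the zip-then-unpack sequence described in the opening post.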

    Try the “Timthumb vulnerability scanner” plugin next.
    It’s the poor man’s malware scanner, and may help ID some back door scripts or old timthumb installations as well.

    The new WordFence plugin has a built-in scanner. And the author is very experienced with the timthumb script. He was one of the first to actually provide security updates on his own.

    http://wordpress.org/extend/plugins/wordfence/


The topic ‘Sites keep getting hacked–executable upload’ is closed to new replies.