Title: WordPress got hacked today
Last modified: August 31, 2016

---

# WordPress got hacked today

 *  [jaschaio](https://wordpress.org/support/users/jaschaio/)
 * (@jaschaio)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/wordpress-got-hacked-today/)
 * Hey there,
   my WordPress site got hacked today and used the server's Postfix setup
   to send out massive spam emails. I noticed after receiving an error from Google
   that my daily sending limit was reached.
 * I was able to stop the script by deleting my `/uploads/` folder where the compromised
   files were located. I noticed as well that they used a plugin called “libravatar-replace”
   and a theme called “sketch”. Maybe these wordpress.org files are compromised
   as well?
 * I am trying to understand what happened and how they got in to prevent this in
   the future. Checking my log files this is what stands out:
 * I have found hundreds of calls to my `xmlrpc.php` (one in the /blog/ directory
   and one in the root directory, I have two domains and two installs).
 *     ```
       92.60.114.159 - - [28/Feb/2016:19:10:25 -0500] "POST /blog/xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
       ```
   
 * It's always the same IP `92.60.114.159` making a POST request to the `xmlrpc.php`
   file.
 * Then I have found some POST requests to `wp-cron.php`, not sure if these were
   used as well.
 *     ```
       104.131.178.226 - - [21/Mar/2016:07:58:09 -0400] "POST /wp-cron.php?doing_wp_cron=1458561489.7695810794830322265625 HTTP/1.0" 200 0 "-" "WordPress/4.4.2; http://demo.growtheme.com"
       ```
   
 * Then, somehow, they managed to log in and went directly to upload a new plugin
   and theme:
 *     ```
       91.200.12.22 - - [09/Mar/2016:11:05:02 -0500] "POST /wp-login.php HTTP/1.0" 302 0 "-" "Opera/9.80 (Windows NT 6.1; DepositFiles/FileManager 0.9.9.206 YB/5.0.3) Presto/2.12.388 Version/12.14"
       91.200.12.22 - - [09/Mar/2016:11:05:03 -0500] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200 28998 "-" "Opera/9.80 (Windows NT 6.1; DepositFiles/FileManager 0.9.9.206 YB/5.0.3) Presto/2.12.388 Version/12.14"
       91.200.12.22 - - [09/Mar/2016:11:05:10 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200 23992 "-" "Opera/9.80 (Windows NT 6.1; DepositFiles/FileManager 0.9.9.206 YB/5.0.3) Presto/2.12.388 Version/12.14"
       91.200.12.22 - - [09/Mar/2016:11:05:10 -0500] "GET /wp-content/plugins/libravatar-replace/libravatar-replace.php HTTP/1.0" 200 120 "-" "Opera/9.80 (Windows NT 6.1; DepositFiles/FileManager 0.9.9.206 YB/5.0.3) Presto/2.12.388 Version/12.14"
       91.200.12.22 - - [09/Mar/2016:11:06:20 -0500] "HEAD /wp-login.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.45"
       91.200.12.22 - - [09/Mar/2016:11:06:21 -0500] "GET /wp-login.php HTTP/1.1" 200 2672 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.45"
       91.200.12.22 - - [09/Mar/2016:11:06:22 -0500] "POST /wp-login.php HTTP/1.0" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.45"
       91.200.12.22 - - [09/Mar/2016:11:06:23 -0500] "POST /wp-admin/ HTTP/1.0" 200 40452 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.45"
       91.200.12.22 - - [09/Mar/2016:11:06:24 -0500] "GET /wp-admin/theme-install.php HTTP/1.1" 200 40095 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.45"
       91.200.12.22 - - [09/Mar/2016:11:06:34 -0500] "POST /wp-admin/update.php?action=upload-theme HTTP/1.0" 200 25207 "http://demo.growtheme.com/wp-admin/theme-install.php?upload" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.45"
       91.200.12.22 - - [09/Mar/2016:11:06:34 -0500] "GET /wp-content/themes/sketch/404.php HTTP/1.1" 200 131 "http://demo.growtheme.com/wp-admin/theme-install.php?upload" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36 OPR/32.0.1948.45"
       ```
   
 * Afterwards I see a lot of requests to these plugin and theme directories.
 *     ```
       91.200.12.22 - - [09/Mar/2016:12:57:17 -0500] "POST /wp-content/plugins/libravatar-replace/libravatar-replace.php;1234-5 HTTP/1.1" 404 4957 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"
       91.200.12.22 - - [09/Mar/2016:12:57:18 -0500] "POST /wp-content/themes/sketch/404.php;ryfgddjs1 HTTP/1.1" 404 4946 "-" "Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20130331 Firefox/21.0"
       ```
   
 * And that's probably how they managed to upload a lot of .php and .html files into
   the /wp-content/uploads/ directory. They later made a lot of requests to these
   files, like one named `session57.php` that was the actual base64-encoded script
   that sent the spam emails.
 *     ```
       92.53.113.216 - - [21/Mar/2016:23:52:58 -0400] "POST /wp-content/uploads/2015/07/session57.php HTTP/1.0" 200 69 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36"
       74.220.219.69 - - [21/Mar/2016:23:53:06 -0400] "POST /wp-content/uploads/2015/07/session57.php HTTP/1.0" 200 69 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US) U2/1.0.0 UCBrowser/9.3.1.344"
       ```
   
 * What I am really surprised by is that it looks like they got access by a brute
   force attack. But both my username and password are really strong (kind of like
   this: `!=ywLS}j3E]\W-y$&*)KW*/\`). I thought these were not possible to hack via
   brute force.
 * I have seen [here](https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html)
   that I should probably disable access to the `xmlrpc.php` file. Is the same true
   for the `wp-cron.php` file?
 * Thanks and best regards
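
The log review in the post above boils down to three questions that can be asked of any combined-format access log: which source IP is hammering `xmlrpc.php`, which IP got a `302` from `wp-login.php` (a successful login; a failed attempt re-renders the form with `200`) and then hit the plugin/theme upload endpoints, and which requests executed PHP from under `wp-content/uploads/`. The script below is an added example, not part of the thread, that runs those checks with `awk`. The log lines inside it are constructed for the example, modelled on the ones quoted in the post; the IP `203.0.113.5` and the `LOG` variable are the example's own. It also lists `wp-cron.php` POSTs whose user agent is not the `WordPress/<version>; <site url>` string that WordPress's own scheduler sends to itself, which is the signature the post's `wp-cron.php` line carries.

```shell
#!/bin/sh
# Added example (not from the thread): triage an Apache/Nginx combined-format
# access log for the patterns described in the post. Sample lines are
# constructed, modelled on the post's own; set LOG=/var/log/apache2/access.log
# (or your Nginx access log) to run the same checks against a real server.

LOG="${LOG:-$(mktemp)}"
if [ ! -s "$LOG" ]; then
cat >"$LOG" <<'EOF'
92.60.114.159 - - [28/Feb/2016:19:10:25 -0500] "POST /blog/xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
92.60.114.159 - - [28/Feb/2016:19:10:26 -0500] "POST /blog/xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
92.60.114.159 - - [28/Feb/2016:19:10:27 -0500] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
104.131.178.226 - - [21/Mar/2016:07:58:09 -0400] "POST /wp-cron.php?doing_wp_cron=1458561489.76 HTTP/1.0" 200 0 "-" "WordPress/4.4.2; http://demo.growtheme.com"
203.0.113.5 - - [09/Mar/2016:10:59:41 -0500] "POST /wp-login.php HTTP/1.0" 200 2672 "-" "Mozilla/5.0"
91.200.12.22 - - [09/Mar/2016:11:05:02 -0500] "POST /wp-login.php HTTP/1.0" 302 0 "-" "Opera/9.80"
91.200.12.22 - - [09/Mar/2016:11:05:10 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200 23992 "-" "Opera/9.80"
91.200.12.22 - - [09/Mar/2016:11:06:34 -0500] "POST /wp-admin/update.php?action=upload-theme HTTP/1.0" 200 25207 "http://demo.growtheme.com/wp-admin/theme-install.php?upload" "Mozilla/5.0"
92.53.113.216 - - [21/Mar/2016:23:52:58 -0400] "POST /wp-content/uploads/2015/07/session57.php HTTP/1.0" 200 69 "-" "Mozilla/5.0"
74.220.219.69 - - [21/Mar/2016:23:53:06 -0400] "GET /wp-content/uploads/2015/07/image.jpg HTTP/1.0" 200 1024 "-" "Mozilla/5.0"
EOF
fi

# Combined log format, whitespace-split: $1 client IP, $4 timestamp,
# $6 method (with leading quote), $7 request path, $9 status code.

# 1. XML-RPC brute force / amplification: POSTs to xmlrpc.php per source IP,
#    busiest first.
xmlrpc_posters() {
    awk '$6 == "\"POST" && $7 ~ /\/xmlrpc\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$LOG" | sort -rn
}

# 2. A successful login (302 from wp-login.php) followed by a plugin or theme
#    upload from the same IP: the sequence that installed the attacker's files.
#    A failed login re-renders the form with 200 and is ignored.
login_then_upload() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" && $9 == "302" { logged[$1] = 1 }
         logged[$1] && $7 ~ /action=upload-(plugin|theme)/ { print $1, $4, $7 }' "$LOG"
}

# 3. PHP served with 200 from wp-content/uploads: the directory holds media only,
#    so every hit here is a backdoor being used (the post's session57.php).
uploads_php_hits() {
    awk '$7 ~ /^\/wp-content\/uploads\/.*\.php/ && $9 == "200" { print $1, $4, $7 }' "$LOG"
}

# 4. wp-cron.php POSTs that do NOT carry WordPress's own loopback user agent
#    ("WordPress/<version>; <site url>"). Splitting on the quote character puts
#    the request line in $2 and the user agent in $6.
wpcron_foreign() {
    awk -F'"' '$2 ~ /^POST \/wp-cron\.php/ && $6 !~ /^WordPress\// { print $0 }' "$LOG"
}

# Stand-alone run: print each section.
printf '== POSTs to xmlrpc.php per source IP ==\n';        xmlrpc_posters
printf '\n== login (302) then plugin/theme upload ==\n';   login_then_upload
printf '\n== PHP executed from wp-content/uploads ==\n';   uploads_php_hits
printf '\n== wp-cron.php POSTs without WordPress UA ==\n'; wpcron_foreign
```

On the sample data the first function reports `92.60.114.159` with three POSTs, the second reports the two uploads from `91.200.12.22` and skips the `200` login attempt from `203.0.113.5`, the third reports the single `session57.php` execution, and the fourth prints nothing because the only `wp-cron.php` POST carries the scheduler's own user agent.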

Viewing 4 replies - 1 through 4 (of 4 total)

 *  [jejani](https://wordpress.org/support/users/jejani/)
 * (@jejani)
 * [10 years, 3 months ago](https://wordpress.org/support/topic/wordpress-got-hacked-today/#post-7195711)
 * [@jascha](https://wordpress.org/support/users/jascha/),
 * If bots are still accessing your `xmlrpc.php` file then you haven’t properly 
   disabled and blocked access to it yet. Make sure that you literally “deny all”
   in your Nginx (etc) server rules, besides also installing a plugin like Disable
   XML-RPC:
 * [https://wordpress.org/plugins/disable-xml-rpc/](https://wordpress.org/plugins/disable-xml-rpc/)
 * And yes, there are some case studies that XML-RPC can be brute forced. However,
   the `wp-cron.php` does not have any public login/access capability.
 * [https://www.google.com/search?newwindow=1&q=xml+rpc+brute+force](https://www.google.com/search?newwindow=1&q=xml+rpc+brute+force)
 * Anyway your details are interesting and maybe you can report this also to the WordFence
   and Sucuri teams. Make sure you update your passwords to be very strong, and
   consider using e.g. CloudFlare as well.
 *  [perezbox](https://wordpress.org/support/users/perezbox/)
 * (@perezbox)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/wordpress-got-hacked-today/#post-7195802)
 * Hi [@jaschaio](https://wordpress.org/support/users/jaschaio/)
 * Bravo on going to your logs for answers!! Love it!!
 * Is this a VPS?
 * Too bad you deleted the /uploads folder; all you had to do was disable PHP execution
   in the directory. They were executing a mailer script, pretty common these days.
 * As for what happened, seems they were able to brute force as you described, but
   it is odd being your user / pass combination.
 * It’s no surprise they installed their own tools, that’s very common. They will
   install and configure the things they are most comfortable with to accomplish
   their goals. Speculating beyond this will be very tough though with direct access
   to see exactly what happened.
 * Nice catch though.
 * Tony
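
Both replies above point at the same two server-side controls: jejani's "deny all" on `xmlrpc.php` at the web-server level, and perezbox's note that PHP execution in the uploads directory should simply be switched off. The Nginx fragment below is an added example of both, not configuration from the thread or from WordPress itself; the host name, document root and PHP-FPM socket path are placeholders to replace with your own. The order of the `location` blocks matters: Nginx picks the first matching regex location, so the uploads rule must come before the generic PHP handler or it never fires.

```nginx
# Added example: WordPress server block with XML-RPC denied and PHP execution
# blocked under wp-content/uploads. Placeholder values: example.com,
# /var/www/example.com, /run/php/php-fpm.sock.
server {
    listen 80;
    server_name example.com;
    root /var/www/example.com;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # XML-RPC: deny outright, and don't let the bots fill the logs while they
    # keep trying. Only needed if you use the mobile app, Jetpack or pingbacks.
    location = /xmlrpc.php {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Uploads hold media, never code. Refuse to hand anything ending in .php
    # under wp-content/uploads to PHP-FPM. Must precede the generic handler.
    location ~* ^/wp-content/uploads/.*\.php$ {
        deny all;
    }

    # Generic PHP handler. try_files $uri =404 refuses to execute PHP for a
    # path that does not exist on disk, which closes the PATH_INFO-style
    # tricks (/foo.php/bar) seen in the post's log.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

After reloading, `curl -s -o /dev/null -w '%{http_code}\n' -X POST https://example.com/xmlrpc.php` should return `403`, and a request for any `.php` path below `/wp-content/uploads/` should return `403` as well instead of executing.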
 *  Thread Starter [jaschaio](https://wordpress.org/support/users/jaschaio/)
 * (@jaschaio)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/wordpress-got-hacked-today/#post-7195879)
 * Hey [@perezbox](https://wordpress.org/support/users/perezbox/), thanks for chiming
   in!
 * I actually checked the log files because of a post I’ve found about them from
   sucuri.net
 * So yes this is a VPS.
 * There weren’t many files in the uploads folder anyway, but I’ve installed the
   iSecurity Plugin now anyway to block .php files in the upload folders and block
   access to the xmlrpc.php file.
 * Do I have to worry that they got access to anything on a higher level like SSH
   users, the MySQL database, server configuration or something like that? The WordPress
   install is using its own SSH user that only has rights in the install directory
   and can only connect via SSH keys from localhost.
 *  [perezbox](https://wordpress.org/support/users/perezbox/)
 * (@perezbox)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/wordpress-got-hacked-today/#post-7195880)
 * hey [@jaschaio](https://wordpress.org/support/users/jaschaio/)
 * My general rule of thumb is assume once they are in, they are in. I’d be watching
   things very carefully.
 * As it’s a VPS, try using this to help investigate further: [https://blog.sucuri.net/2016/02/investigating-a-compromised-server-with-rootcheck.html](https://blog.sucuri.net/2016/02/investigating-a-compromised-server-with-rootcheck.html)
 * I’d also setup OSSEC in general to monitor the servers activity, see if anything
   changes that might not present itself externally:
 * A few years old, but still very applicable: [http://perezbox.com/2013/03/ossec-for-website-security-part-i/](http://perezbox.com/2013/03/ossec-for-website-security-part-i/)
 * Good job on the user isolation.
 * Here is another oldie but goldie that might help from a server level configuration
   perspective: [https://blog.sucuri.net/2012/07/wordpress-and-server-hardening-taking-security-to-another-level.html](https://blog.sucuri.net/2012/07/wordpress-and-server-hardening-taking-security-to-another-level.html)
 * Cheers

The topic ‘WordPress got hacked today’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 4 replies
 * 3 participants
 * Last reply from: [perezbox](https://wordpress.org/support/users/perezbox/)
 * Last activity: [10 years, 2 months ago](https://wordpress.org/support/topic/wordpress-got-hacked-today/#post-7195880)
 * Status: not resolved
