/wp-admin/WP-UPDATE – a virus?

  • I have Ubuntu 16.04 and DA updated to the latest version. We also have Installatron.

    We see a strange file that has kept the server's CPU loaded at 176 percent for over 2 weeks now.

    If I go to DA Admin -> Process Monitor, I see this:

    
    30217    <THE_USER>    20    0    2938476    2.289g    3832    S    176.5    23.4    1173:14    /home/<THE_USER>/domains/test.<THE_DOMAIN>.com/private_html/wp-admin/wp-update -B -l /dev/null
    

    That file is ~2 MiB and was created at 6:30 AM on June 15th. Nobody works for us that early.

    And if I open that file, it is a binary file; it does not look like a WordPress update.

    Also, if I go to http://checkfiletype.com/upload-and-check and upload that file, I get:

    
    File Type: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0x8d292bfaf2b7358c244b6a11ae8bc9b42bb11607, stripped
    
    MIME Type: application/x-executable
    Suggested file extension(s): so
    
    File Meta Data
    File Size	2.6 MB
    File Type	ELF executable
    File Type Extension	
    MIME Type	application/octet-stream
    CPU Architecture	64 bit
    CPU Byte Order	Little endian
    Object File Type	Executable file
    CPU Type	AMD x86-64
    

    So is that a virus?

    • This topic was modified 1 month, 1 week ago by KestutisIT.
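The OP identified the binary by uploading it to a third-party site. As an added example (mine, not code from the thread or from any tool mentioned in it), the same identification done locally: the script reads the ELF identification bytes that `file(1)` reports (class, endianness, OS ABI, object type, machine) and computes the SHA-256, so the sample can be looked up on VirusTotal or handed to a responder by hash without shipping a possibly sensitive file to an unknown web service. The 64-byte header and the PHP stub below are constructed for this example; they carry the same identification values as the thread's file but no code. Whatever the header says, an ELF executable has no business under `wp-admin/`: preserve a copy (with its mtime and the `/proc/<pid>` details of the running process) before cleaning up.

```python
import hashlib
import struct

# Offsets and values from the ELF specification: e_ident (16 bytes), then e_type, e_machine, e_version.
ELF_MAGIC = b"\x7fELF"
CLASSES = {1: "32-bit", 2: "64-bit"}
ENDIANNESS = {1: "LSB", 2: "MSB"}                 # EI_DATA: little / big endian
OSABIS = {0: "UNIX - System V", 3: "GNU/Linux", 9: "FreeBSD"}
TYPES = {1: "relocatable", 2: "executable", 3: "shared object (or PIE executable)", 4: "core"}
MACHINES = {0x03: "Intel 80386", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def parse_elf_header(data: bytes):
    """Return the identifying fields of an ELF header, or None if `data` is not a valid ELF header."""
    if len(data) < 24 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data, ei_version, ei_osabi = data[4], data[5], data[6], data[7]
    if ei_class not in CLASSES or ei_data not in ENDIANNESS or ei_version != 1:
        return None  # magic present but the identification bytes are malformed
    byte_order = "<" if ei_data == 1 else ">"
    # e_type (2 bytes), e_machine (2 bytes), e_version (4 bytes) follow the 16-byte e_ident.
    e_type, e_machine, e_version = struct.unpack(byte_order + "HHI", data[16:24])
    return {
        "class": CLASSES[ei_class],
        "endianness": ENDIANNESS[ei_data],
        "osabi": OSABIS.get(ei_osabi, f"unknown ({ei_osabi})"),
        "type": TYPES.get(e_type, f"unknown ({e_type})"),
        "machine": MACHINES.get(e_machine, f"unknown (0x{e_machine:x})"),
        "header_version": e_version,
    }


def describe(data: bytes) -> str:
    """One-line description in the style of file(1), plus the SHA-256 to pivot on in threat intel."""
    digest = hashlib.sha256(data).hexdigest()
    hdr = parse_elf_header(data)
    if hdr is None:
        return f"not an ELF file (sha256 {digest})"
    return (f"ELF {hdr['class']} {hdr['endianness']} {hdr['type']}, {hdr['machine']}, "
            f"{hdr['osabi']} (sha256 {digest})")


# Constructed sample: a 64-byte ELF64 header with the same identification as the thread's file
# (64-bit, little endian, GNU/Linux OSABI, ET_EXEC, EM_X86_64). Nothing follows the header.
SAMPLE_ELF64 = (ELF_MAGIC + bytes([2, 1, 1, 3, 0]) + b"\x00" * 7
                + struct.pack("<HHI", 2, 0x3E, 1) + b"\x00" * 40)
# Constructed sample: PHP source is text, not ELF, so it must be rejected.
SAMPLE_PHP = b"<?php\n// plain PHP source, not an ELF binary\n"

if __name__ == "__main__":
    import sys
    # Usage: python elf_triage.py /path/to/suspicious/file ...  (no arguments: run the samples)
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [SAMPLE_ELF64, SAMPLE_PHP]
    for blob in blobs:
        print(describe(blob))
```

The parser deliberately stops at the first 24 bytes; that is enough to answer "what is this" without executing or loading anything, which is the point when the file is suspected malware.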
Viewing 12 replies - 16 through 27 (of 27 total)
  • Moderator Yui

    (@fierevere)

    ゆい

    Reopened, in case the OP needs community help with specific questions.

    Please keep this thread healthy.

    PS: If you suspect some code is vulnerable –
    Make sure you have updated everything. Right now your site is compromised and there are traces of malicious code in WP core files.
    You have to revert to a backup / replace core files / make a serious audit.
    Hiring good specialists can make this task faster, easier and with a better result.

    • This reply was modified 1 month ago by Yui.
    KestutisIT

    (@kestutisit)

    Things we discovered:
    1. wp-admin/wp-update.php calls are tracked in the Apache access log on June 30th and July 1st. The hacker's IP is from India, Victoria Country.
    2. In the hacked script the hacker uses _SERVER; on Stack Overflow ( https://stackoverflow.com/questions/62693441/can-a-hacker-pass-in-parameters-to-server ) it says that the hacker probably ran
    curl -H "4CD44849DA572F7C: code goes here" http://example.com/your-hacked.php
    or a similar query from a command-line tool instead of a browser query, but still, it should then always appear in the Apache logs, right? There is no way to avoid the Apache access log by using _SERVER? Am I correct?
    3. The original attack on June 15th, 2020 at 06:50:52 AM does not have a corresponding log entry, while the server says the wp-admin/wp-update Linux executable file (bitcoin miner) was created at that moment. How is this possible? Does this mean that the hacker somehow got the FileZilla/WinSCP password of one of the site admins? If so, why did they not also get access to the whole server, and why is no other website on the whole server infected then (at least at first look), as that admin also has access to the server? Is there any other way to bypass the Apache logs?

    KestutisIT

    (@kestutisit)

    Additional question – if we add .htaccess / .htpasswd security to the /wp-admin/ folder, can the hacker via the command line (but without the FTP password) bypass that limitation and create a file in that folder? How exactly does .htpasswd stop access to the wp-admin folder? Only browser-based? Or is a login required even from the command line if an HTTP or _SERVER request is sent to the wp-admin folder?

    Moderator Yui

    (@fierevere)

    ゆい

    The .htaccess/.htpasswd pair prevents accessing the specified folder via HTTP(S)
    without authorization. It does nothing for other access methods (SSH, FTP, SFTP etc.)

    Art Project Group

    (@artprojectgroup)

    @kestutisit check your /xmlrpc.php file. I detected the same virus in a client installation and that file was hacked.

    Kind regards.

    KestutisIT

    (@kestutisit)

    @artprojectgroup, we removed the whole website, probably before the hacker was done, so XMLRPC was not affected, only the /wp-admin folder files: the /wp-update%2E/ sub-folder, the wp-update executable, wp-update.log and wp-update.php.
    So we had a first hack on June 15th, 2020 06:50:52 EEST. But there is no Apache log for that moment, which is very strange, meaning either the date was somehow faked, or some hack was done already before and the hacker somehow grabbed the FTP password or so, while our admin who manages the website claims he did not use his laptop on unsecured coffee-shop Wi-Fi, plus other websites were not impacted, just this one. We also discovered the IP address (it changes by date, and the hacker uses proxy servers in India, Poland and other countries).

    So we have listed all plugins below that were active before June 15th, and we compared the list to other websites' plugin lists; that website had only 5-6 unique plugins, and only the *AdNing advertisements system* plugin had a security update on June 26th, from version 1.5.2 to version 1.5.6, that patched, from what it seems from the code changes, a missing permission check for unauthorized front-end uploads. But still this gives no proof that this happened because of that plugin, or why that plugin would allow uploading Linux executables at all, and how it was done without being seen in the logs. But this is the only scenario we discovered that may theoretically be possible. Another scenario is that wp-update is compromised and the hackers were able to intercept the update, i.e. the W.org servers' update package got intercepted, as the signature was not validated, as WordPress has also been auto-updated since then by 1 patch, different from the localhost copy. Also AdNing got banner clicks (_dning) just before the hacker's access, by the Ahrefs multi-bot (it's a kind of strange crawler, and I'm not sure whether the hackers could be the crawler runners at Ahrefs as well). AdNing also has cron jobs.
    Some of the hacker's IPs: 185.10.68.183, 95.49.134.75, 178.148.239.252.
    We will also probably try to have deeper logging mechanisms, and see whether maybe the AdNing update prevented that, but we still have not contacted the author and we are not sure if that is the case (while that plugin has tens of thousands of active installations – maybe you have one as well?)

    
    # Tools used:
    1. WP CRONTROL
    2. WordFence
    3. https://virustotal.com/
    4. http://checkfiletype.com/upload-and-check
    5. NetData
    
    # Plugins installed before 06-15:
    ## 1. WooCommerce
    Current version: 4.2.0
    Available version: 4.2.2
    
    ## 2. Mailster
    Current version: 2.4.11
    Available version: 2.4.11
    
    ## 3. Mailster Cool Captcha
    Current version: 1.2
    Available version: 1.2
    
    ## 4. Free Downloads WooCommerce (NOT PREMIUM)
    Current version: 3.1.8
    Available version: 3.1.8
    
    ## 5. All-in-One WP Migration (NOT PREMIUM)
    Current version: 7.23
    Available version: 7.24
    
    ## 6. WooCommerce Stripe Gateway
    Current version: 4.4.0
    Available version: 4.5.0
    
    ## 7. EU VAT Compliance for WooCommerce (Free)
    Current version: 1.14.10
    Available version: 1.14.10
    
    ## 8. Helpie FAQ
    Current version: 0.8
    Available version: 0.8.4
    
    ## 9. Contact Form 7
    Current version: 5.1.9
    Available version: 5.1.9
    
    ## 10. ADning
    Current version: 1.5.2
    Available version: 1.5.6
    
    ## 11. Fusion Builder
    Current version: 2.2.3
    Available version: 2.2.3
    
    ## 12. Social Icons Widget & Block by WPZOOM
    Current version: 4.0.2
    Available version: 4.0.2
    
    ## 13. Checkout Field Editor for WooCommerce
    Current version: 1.4.2
    Available version: 1.4.2
    
    ## 14. ReCaptcha v2 for Contact Form 7
    Current version: 1.2.6
    Available version: 1.2.7
    
    ## 15. WooCommerce TM Extra Product Options
    Current version: 5.0.12.1
    Available version: 5.0.12.2
    
    ## 16. Slider Revolution
    Current version: 6.2.8
    Available version: 6.2.15
    
    ## 17. Ultimate GDPR
    Current version: 1.7.4
    Available version: 1.7.6
    
    ## 18. WP Migrate DB (was inactive)
    Current version: 1.0.13
    Available version: 1.0.13
    
    ## 19. Envato Market
    Current version: 2.0.3
    Available version: 2.0.3
    
    ## 20. WooDiscuz - WooCommerce Comments
    Current version: 2.2.4
    Available version: 2.2.4
    
    ## 21. Adning Woocommerce Buy and Sell Add-On (for woocommerce integration)
    Current version: 1.0.2
    Available version: no info
    
    ## 22. All-in-One WP Migration File Extension
    Current version: 1.6
    Available version: 1.6
    
    ## 23. Custom Product Tabs for WooCommerce
    Current version: 1.7.1
    Available version: 1.7.1
    
    ## 24. Fusion Core
    Current version: 4.2.3
    Available version: 4.2.3
    
    ---
    # Plugins installed after 06-15:
    
    ## 1. WordPress WooCommerce Multi-Vendor Marketplace
    Current version: 4.9.2
    Available version: 4.9.2
    
    ## 2. Mailster reCaptcha
    Current version: 1.6
    Available version: 1.6
    

    [SITE_URL] ACCESS LOG EXCERPTS:

    
    185.10.68.183 - - [30/Jun/2020:04:04:21 +0300] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 5495 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
    185.10.68.183 - - [30/Jun/2020:04:04:24 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 3889 "-" "curl/7.64.0"
    185.10.68.183 - - [30/Jun/2020:04:04:24 +0300] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 5557 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
    185.10.68.183 - - [30/Jun/2020:04:04:27 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 7320 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
    185.10.68.183 - - [30/Jun/2020:04:04:28 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 4323 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
    185.10.68.183 - - [30/Jun/2020:04:04:28 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 4324 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
    185.10.68.183 - - [30/Jun/2020:04:04:28 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 4306 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"
    185.10.68.183 - - [30/Jun/2020:04:04:29 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 4313 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
    185.10.68.183 - - [30/Jun/2020:04:04:29 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 4433 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
    185.10.68.183 - - [30/Jun/2020:04:04:29 +0300] "GET /wp-admin/wp-update.log HTTP/1.1" 200 3942 "-" "curl/7.64.0"
    <..>
    185.10.68.183 - - [01/Jul/2020:03:56:02 +0300] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 5495 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
    185.10.68.183 - - [01/Jul/2020:03:56:05 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 3889 "-" "curl/7.64.0"
    185.10.68.183 - - [01/Jul/2020:03:56:05 +0300] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 5557 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
    185.10.68.183 - - [01/Jul/2020:03:56:08 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 7319 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.56 (KHTML, like Gecko) Version/9.0 Safari/601.1.56"
    185.10.68.183 - - [01/Jul/2020:03:56:08 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 4323 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/601.1.56 (KHTML, like Gecko) Version/9.0 Safari/601.1.56"
    185.10.68.183 - - [01/Jul/2020:03:56:09 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 4324 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36"
    185.10.68.183 - - [01/Jul/2020:03:56:09 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 4306 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.56 (KHTML, like Gecko) Version/9.0 Safari/601.1.56"
    185.10.68.183 - - [01/Jul/2020:03:56:09 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 4313 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.56 (KHTML, like Gecko) Version/9.0 Safari/601.1.56"
    185.10.68.183 - - [01/Jul/2020:03:56:10 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 4433 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
    185.10.68.183 - - [01/Jul/2020:03:56:10 +0300] "GET /wp-admin/wp-update.log HTTP/1.1" 200 3942 "-" "curl/7.64.0"
    <..>
    95.49.134.75 - - [02/Jul/2020:10:25:23 +0300] "HEAD /wp-admin/wp-update HTTP/1.1" 404 3828 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
    <..>
    178.148.239.252 - - [02/Jul/2020:18:06:37 +0300] "GET /wp-admin/ HTTP/1.1" 404 4354 "-" "aria2/1.35.0"
    178.148.239.252 - - [02/Jul/2020:18:06:37 +0300] "GET /wp-admin/wp-update HTTP/1.1" 404 491 "-" "aria2/1.35.0"
    178.148.239.252 - - [02/Jul/2020:18:06:37 +0300] "GET /wp-login.php?redirect_to=https://[SITE_URL]/wp-admin/&reauth=1 HTTP/1.1" 404 491 "-" "aria2/1.35.0"
    

    A SECOND BEFORE THE HACKER'S ACCESS:

    
    54.36.148.102 - - [01/Jul/2020:03:54:38 +0300] "GET /?_dnlink=20242&aid=20186&t=1592626062 HTTP/1.1" 302 4112 "-" "Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)"
    (SERVER_IP) - - [01/Jul/2020:03:56:04 +0300] "POST /wp-cron.php?doing_wp_cron=1593564963.9673769474029541015625 HTTP/1.1" 200 4006 "https://[SITE_URL]/wp-cron.php?doing_wp_cron=1593564963.9673769474029541015625" "WordPress/5.4.2; https://[SITE_URL]"
    
    • This reply was modified 1 month ago by KestutisIT.
    • This reply was modified 1 month ago by Jan Dembowski. Reason: Formatting
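On the logging question raised above: Apache writes an access-log line for every request it finishes, whatever headers the request carries, so a payload smuggled in a custom header (the Stack Overflow pattern quoted earlier) is hidden from the log but the request itself is not. What never shows up is file creation by a channel Apache did not serve: SFTP/SSH, a cron job, PHP run from the CLI, or code already on disk executing later. A file whose mtime has no matching request line therefore points at one of those, at a log that has since been rotated away, or, if the web user can write to it, at a truncated log. The excerpts above do show the pattern of the later visits clearly: a POST to `admin-ajax.php`, then `wp-update.php` fetched with `curl`, then `wp-update.log`, repeated on two nights. As an added example (mine, not from the thread), here is a small triage script that flags exactly those three indicators in combined-format log lines. `wp-update.php` and `wp-update.log` are not WordPress core files, so any request for them is worth a line in the findings, including the 404s after cleanup, which tell you which IPs knew the name. The sample input reuses four lines from the excerpts above and adds one constructed benign line and one constructed malformed line.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined" log format, which is what the thread's excerpts are in.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Files the thread found dropped into /wp-admin/. None is a WordPress core file
# (core ships wp-admin/update.php and update-core.php, not wp-update.php).
IOC_PATHS = {"/wp-admin/wp-update", "/wp-admin/wp-update.php", "/wp-admin/wp-update.log"}
# Non-browser clients seen in the excerpts (curl, aria2) plus two common scanner agents I added.
CLI_AGENTS = ("curl/", "aria2/", "Wget/", "python-requests/")
ADMIN_AJAX = "/wp-admin/admin-ajax.php"


def parse_line(line: str):
    """Parse one combined-format line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def triage(lines, window=timedelta(seconds=10)):
    """Return (ip, timestamp, reason) findings for the three patterns visible in the excerpts."""
    findings = []
    last_ajax_post = {}  # ip -> time of its most recent POST to admin-ajax.php
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue   # unparseable line: skip, do not crash mid-log
        ip, path, ua, ts = rec["ip"], rec["path"], rec["ua"], rec["ts"]
        # 1. Any request for the dropped files, whatever the status code.
        if path in IOC_PATHS:
            findings.append((ip, ts, f"request for dropped file {path} -> {rec['status']}"))
        # 2. Command-line clients under /wp-admin/ (admins use browsers; curl here was the attacker).
        if path.startswith("/wp-admin/") and ua.startswith(CLI_AGENTS):
            findings.append((ip, ts, f"CLI user agent {ua!r} on {path}"))
        # 3. POST to admin-ajax.php followed within `window` by another wp-admin path from the
        #    same IP: the sequence that preceded every wp-update.php fetch in the excerpts.
        if rec["method"] == "POST" and path == ADMIN_AJAX:
            last_ajax_post[ip] = ts
        elif (path.startswith("/wp-admin/") and path != ADMIN_AJAX
              and ip in last_ajax_post and ts - last_ajax_post[ip] <= window):
            findings.append((ip, ts, f"admin-ajax POST then {path} within {window.seconds}s"))
    return findings


def ips_by_finding_count(findings):
    """How many findings each source IP produced; the top entries are the ones to block and pivot on."""
    return Counter(ip for ip, _, _ in findings)


# Sample input: four lines from the thread's excerpts, plus a constructed benign line (first) and a
# constructed malformed line (last) so the parser's rejection path is exercised.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jun/2020:04:03:50 +0300] "GET /shop/ HTTP/1.1" 200 18231 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0"',
    '185.10.68.183 - - [30/Jun/2020:04:04:21 +0300] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 5495 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"',
    '185.10.68.183 - - [30/Jun/2020:04:04:24 +0300] "GET /wp-admin/wp-update.php HTTP/1.1" 200 3889 "-" "curl/7.64.0"',
    '185.10.68.183 - - [30/Jun/2020:04:04:29 +0300] "GET /wp-admin/wp-update.log HTTP/1.1" 200 3942 "-" "curl/7.64.0"',
    '95.49.134.75 - - [02/Jul/2020:10:25:23 +0300] "HEAD /wp-admin/wp-update HTTP/1.1" 404 3828 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"',
    '178.148.239.252 - - [02/Jul/2020:18:06:37 +0300] "GET /wp-admin/wp-update HTTP/1.1" 404 491 "-" "aria2/1.35.0"',
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    import sys
    # Usage: python wp_update_triage.py /var/log/apache2/access.log  (no argument: run the sample)
    lines = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    results = triage(lines)
    for ip, ts, reason in results:
        print(f"{ts.isoformat()} {ip:16} {reason}")
    print(ips_by_finding_count(results))
```

Rule 3 is the one that survives a rename of the dropped file: it keys on the behaviour (an AJAX call immediately followed by a direct fetch of something else under `wp-admin/`) rather than on the file name, which is why it is kept separate from the name-based IOC check.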
    Moderator Yui

    (@fierevere)

    ゆい

    Is it possible that a website could be hacked via a disabled (inactive) plugin?

    Some plugins (or their components) may allow direct access to some of their scripts.
    Example: timthumb.php, present in many old themes and some plugins
    (a really old thing; modern themes should not use this, but it's fine as an example).

    KestutisIT

    (@kestutisit)

    @artprojectgroup – can you also please post the full list of plugins on your website on the date it was hacked.

    I also add here @tobifjellner's response via Slack about the ability to hack via inactive plugins:

    “If you look at the code of many PHP files you’ll notice that they often start with a check whether some environment variable is defined. If a PHP file does not have that check, then the file might be run by an attacker simply by calling the URL that corresponds to the file. And it doesn’t matter at all whether the plugin is activated or not. (“Activated plugins” is just a list (in the database) of files to be run. WordPress doesn’t block access to inactive plugins.)”
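The two posts above make the same point: WordPress serves plugin files as plain PHP whether the plugin is active or not, so a file that does work at top level and lacks an early `defined( 'ABSPATH' )` (or `WPINC`) check is callable straight by URL. As an added example (mine, not from the thread or from any real plugin), here is a scanner for such files, run over a small constructed plugin tree that also shows the hardened form of the guard. The guard regex, the 20-line head window and the "does top-level work" keyword list are heuristics I chose for this example; the output is a list of files to review by hand, not proof that any of them is exploitable.

```python
import re
import sys
import tempfile
from pathlib import Path

# A direct-access guard. ABSPATH and WPINC exist only when WordPress itself loaded the file, so
# `if ( ! defined( 'ABSPATH' ) ) { exit; }` near the top stops a request made straight to the URL.
GUARD_RE = re.compile(r"""defined\s*\(\s*['"](?:ABSPATH|WPINC|WP_UNINSTALL_PLUGIN)['"]\s*\)""")

# Statements that do work at top level when the file is hit directly. Heuristic list chosen for
# this example; files that only declare functions or classes do nothing when called by URL.
TOP_LEVEL_WORK_RE = re.compile(
    r"""^\s*(?:require|include|echo|print|header|move_uploaded_file|file_put_contents"""
    r"""|\$_(?:GET|POST|REQUEST|FILES))\b""",
    re.MULTILINE,
)


def lacks_guard(source: str, head_lines: int = 20) -> bool:
    """True if no guard appears in the first `head_lines` lines. A guard that comes after the
    file has already executed statements is as good as absent, hence the head window."""
    head = "\n".join(source.splitlines()[:head_lines])
    return GUARD_RE.search(head) is None


def scan_plugins(plugins_dir: Path):
    """Yield (path relative to plugins_dir, does_top_level_work) for each unguarded PHP file."""
    for php in sorted(plugins_dir.rglob("*.php")):
        source = php.read_text(encoding="utf-8", errors="replace")
        if lacks_guard(source):
            yield php.relative_to(plugins_dir).as_posix(), bool(TOP_LEVEL_WORK_RE.search(source))


# Constructed sample plugin tree (not real plugins): one guarded file, one unguarded file that
# emits output when requested directly, one unguarded file that only declares a function.
SAMPLE_FILES = {
    "guarded/guarded.php": (
        "<?php\n"
        "if ( ! defined( 'ABSPATH' ) ) { exit; }  // hardened: a direct request runs nothing below\n"
        "header( 'Content-Type: application/json' );\n"
        "echo json_encode( array( 'ok' => true ) );\n"
    ),
    "unguarded/ajax.php": (
        "<?php\n"
        "// no guard: answers at /wp-content/plugins/unguarded/ajax.php even if the plugin is inactive\n"
        "header( 'Content-Type: application/json' );\n"
        "echo json_encode( array( 'ok' => true ) );\n"
    ),
    "unguarded/functions.php": (
        "<?php\n"
        "function unguarded_double( $x ) {\n"
        "    return $x * 2;\n"
        "}\n"
    ),
}


def demo():
    """Write the sample tree to a temporary directory and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return list(scan_plugins(root))


if __name__ == "__main__":
    # Usage: python unguarded_scan.py /var/www/site/wp-content/plugins  (no argument: run the sample)
    results = list(scan_plugins(Path(sys.argv[1]))) if len(sys.argv) > 1 else demo()
    for rel, does_work in results:
        print(f"{'REVIEW' if does_work else 'info  '} {rel}")
```

Files reported with `REVIEW` are the ones to read first; `info` entries lack the guard but, by the heuristic, only declare things. Either way the fix is the one-line guard shown in `guarded.php`, and the server-side belt to go with it is denying direct PHP execution under the plugin directories that do not need it.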

    KestutisIT

    (@kestutisit)

    Notes on future security preventions:
    I've also created a new feature request ticket for WordPress to boost its security, asking WordPress core to automatically create an .htaccess file in the plugin's folder with “deny from all” content if the plugin gets deactivated, or to show a big red warning all over the admin if WordPress was not able to do that automatically, asking to do it manually.
    The ticket link is here:
    https://core.trac.wordpress.org/ticket/50590#ticket

    KestutisIT

    (@kestutisit)

    It appears this Adning vulnerability has already gone viral. The vulnerability was found in the way it handles admin-ajax, for all versions up to 1.5.5. The internet is now full of reports. The attacks persist on many websites all over the internet now, so either it was not fully patched (likely unexpected), or the majority of users have not upgraded their website plugins yet.

    • This reply was modified 1 month ago by Yui.
    • This reply was modified 1 month ago by KestutisIT.
    Moderator Steven Stern (sterndata)

    (@sterndata)

    Forum Moderator & Support Team Volunteer

  • The topic ‘/wp-admin/WP-UPDATE – a virus?’ is closed to new replies.