Alex Kay
Forum Replies Created
Forum: Fixing WordPress
In reply to: Whois Abdull Karem and why are they scanning?
If it’s blocked carelessly, then certainly it can be an effective tactic. This is why you should have skilled people create your WAF rules to restrict strings only in certain contexts, or with extra conditions that must be met.
Forum: Fixing WordPress
In reply to: Whois Abdull Karem and why are they scanning?
“So you all add his name to your mod_sec rules, no news about him can be served by your webservers.”
This is completely incorrect with the rule I suggested.
The rule I suggested only stops incoming requests that contain the string AFTER the question mark (?) in the request line.
So, outbound pages containing “abdullkarem” will serve fine. Requests for a page like site.com/abdullkarem.html would serve fine.
All that would be blocked is a request like:
site.com/something.php?abdullkarem
I do not feel like this is “helping” the hackers at all. However, if you want to be transparent, you could change the drop command to deny,status:404 and the requests would just be denied with a forced 404 response no matter what (even if the target file did exist).
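Added example, not code from the thread or from ModSecurity: a small Python emulation of which part of a request the two rule targets discussed in these replies actually test. It applies the same substring check that the posted rule uses to the piece of the request line that QUERY_STRING exposes (only the text after the `?`), and, for contrast, to what a careless rule on REQUEST_URI would see (path and query together). The request lines are constructed for the example, not taken from any log; the function names are mine.

```python
from urllib.parse import urlsplit

NEEDLE = "abdullkarem"  # the string the rule in the thread matches on

# Constructed request lines (not from the thread's logs), covering the cases
# the reply above describes.
SAMPLE_REQUESTS = [
    "GET /abdullkarem.html HTTP/1.1",           # page named after the string: must still serve
    "GET /something.php?abdullkarem HTTP/1.1",  # the scanner's shape: string after the '?'
    "GET /?s=abdullkarem&paged=2 HTTP/1.1",     # string inside a query parameter value
    "GET /wp-login.php HTTP/1.1",               # unrelated request
]


def split_request_line(line):
    """Return (method, path, query) for an HTTP/1.x request line."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, parts.query


def query_string_rule(line, needle=NEEDLE):
    """Emulates SecRule QUERY_STRING "needle": only the text after '?' is tested.
    Like the default @rx operator without t:lowercase, the match is case-sensitive,
    so a path such as /needle.html is never examined and keeps serving."""
    _method, _path, query = split_request_line(line)
    return needle in query


def request_uri_rule(line, needle=NEEDLE):
    """Emulates the careless alternative, SecRule REQUEST_URI "needle": the path
    is tested as well as the query, so a legitimate /needle.html is blocked too."""
    _method, path, query = split_request_line(line)
    target = path + ("?" + query if query else "")
    return needle in target


def evaluate(rule, requests=SAMPLE_REQUESTS):
    """Return [(request line, blocked?)] for each sample request under the rule."""
    return [(line, rule(line)) for line in requests]


if __name__ == "__main__":
    for name, rule in (("QUERY_STRING", query_string_rule),
                       ("REQUEST_URI", request_uri_rule)):
        print(f'--- SecRule {name} "{NEEDLE}" ---')
        for line, blocked in evaluate(rule):
            print(f"{'BLOCK' if blocked else 'pass ':5} {line}")
```

Running it prints the pass/block decision for each sample under both targets; the only request the QUERY_STRING variant blocks that the reply says should be blocked is the one carrying the string after the `?`, while the REQUEST_URI variant also blocks the `.html` page. Whether a blocked request gets a TCP reset (`drop`) or a forced 404 (`deny,status:404`) is decided by the action, not by the target, and is outside what this emulation models.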
Forum: Fixing WordPress
In reply to: Whois Abdull Karem and why are they scanning?
I have noticed this scan hitting a lot of URIs on many sites on my network.
Some may have malware, others are just being scanned from what I can tell.
I am using a ModSecurity rule to drop this traffic with a TCP reset, which I created for a user on the cPanel forums:
SecRule QUERY_STRING "abdullkarem" "drop,id:28946"
Forum: Fixing WordPress
In reply to: link-template.php.suspected?
Sure enough Devin, that is finding stuff that my grep, and clamav, and maldet missed. Thanks 🙂
If anyone finds malware like this that maldet is not finding, please report it with maldet -c $filename, this will send it to them so it can be added to future definitions.
You should be able to do a combined egrep (yay regex):
egrep -Rl '\$GLOBALS.*\\x|function.*for.*strlen.*isset' /home/username/public_html
Or if you’re bored and need to scan every .php file on a cPanel box,
find /home/*/public_html/ -type f -name "*php" -exec egrep -l '\$GLOBALS.*\\x|function.*for.*strlen.*isset' "{}" \;
I have noticed a few false positives from the GLOBALS check, but I’d rather review some clean files than miss some nasty ones.
Forum: Fixing WordPress
In reply to: link-template.php.suspected?
I’m glad other people are seeing what I was finding.
If you are reading this thread, you are probably working with a hacked site.
Please keep in mind the egrep command that I provided above is only intended to find the malware that is actively being used to rename files to .php.suspected as seen from the logs that I have access to. It is not intended to fully diagnose or secure the infection, since these files are placed via other malware or vulnerabilities.
If you are affected by this issue, you should review and remove any malicious files found by the egrep command. After that, the standard advice applies to make sure WP and all plugins/themes are updated. You should also run a clamav and maldet scan and review the results. Always ensure that all admin passwords are updated, and that there are no extra admin users in the database.
Forum: Fixing WordPress
In reply to: link-template.php.suspected?
No problem dylanbenq, glad to help. This one was really confusing and honestly malware was my last suspect until I remembered cleaning a hack for a customer who also happened to have this issue.
csasse, what I am trying to say is the renaming of link-template.php itself is not a hack/vulnerability, but rather it is a very odd thing being done by hackers who have left behind malware from past exploits.
Forum: Fixing WordPress
In reply to: link-template.php.suspected?
From what I am seeing, this is fallout on sites already affected by hacks such as the gravityforms or revslider issues.
Forum: Fixing WordPress
In reply to: link-template.php.suspected?
Alright, maybe not a plugin. I cannot figure out why a hacker would do this (other than maybe an easy google dork?), but every site I’ve investigated has malware on it.
I found 3 files all ending in .suspected on one particular site. 2/3 were new enough for me to have domlogs… all of them had a post request about 4 seconds before they were renamed, and the POST went to a malicious file.
I’ve decoded the malware code, but it’s just one of those shells that decrypts and evals any code POST’ed to it. Without capturing the POST payload, I cannot be 100% sure.
Another edit (I love edits!)
I am finding malware on affected sites, as are my co-workers (I work in a pretty busy help desk).
This grep command is turning up the malware. Lots of it is dynamic so I had to resort to a grep that uses the PHP functions, since the custom functions used in the code are dynamically named.
Affected users please try this (assuming you have Linux CLI foo):
egrep -Rl 'function.*for.*strlen.*isset' /home/username/public_html/
It should turn up a list of bad files if my hypothesis is correct. So far multiple techs working on this same issue have all come back with malware from that search. I cannot guarantee a total lack of false positives, but it did not return anything on my clean WP sites.
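Added example, not part of the original thread: a POSIX shell script that builds a few constructed PHP files and runs the same regex used in the egrep commands from this reply and the later combined one (`\$GLOBALS.*\\x|function.*for.*strlen.*isset`) over them, so you can see which textual shapes the pattern flags, and which ordinary uses of `$GLOBALS` it leaves alone, before pointing it at a real public_html tree. The sample files are inert text that only mimics the shape of the code the posts describe; they are not real malware. `grep -E` is used in place of `egrep`, which newer grep releases mark as obsolescent; the function names and the sample paths are mine.

```sh
#!/bin/sh
# Added example (not from the thread): exercise the thread's egrep pattern
# against constructed sample files.

# Pattern from the thread; grep -E is the modern spelling of egrep.
PATTERN='\$GLOBALS.*\\x|function.*for.*strlen.*isset'

# Create a throwaway tree of constructed sample files and print its path.
make_samples() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-includes" "$dir/wp-content/uploads"
    # Constructed: one-line function with for/strlen/isset in that order, the
    # shape of the decrypt-and-eval shell the thread describes. Inert.
    printf '%s\n' '<?php function a1b2($q){for($i=0;$i<strlen($q);$i++){if(isset($_POST["k"])){}}return $q;}' \
        > "$dir/wp-content/uploads/cache.php"
    # Constructed: hex-escaped $GLOBALS index, the other obfuscation shape. Inert.
    printf '%s\n' '<?php $GLOBALS["\x61\x62"]="x";' > "$dir/wp-includes/link-template.php"
    # Constructed clean files: a plain $GLOBALS use without \x, and a trivial page.
    printf '%s\n' '<?php $GLOBALS["wp_version"] = "4.x";' > "$dir/wp-includes/version.php"
    printf '%s\n' '<?php echo "hello";' > "$dir/index.php"
    printf '%s\n' "$dir"
}

# List files under $1 whose contents match PATTERN, one path per line
# (the recursive form from the thread; -I skips binary files).
scan_tree() {
    grep -E -R -l -I "$PATTERN" "$1"
}

# Same, restricted to *php files via find, as in the cPanel-wide command.
scan_php_files() {
    find "$1" -type f -name "*php" -exec grep -E -l "$PATTERN" '{}' \;
}

# Number of flagged files under $1, for quick checks.
count_hits() {
    scan_tree "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_samples)
    echo "Flagged files under $d:"
    scan_tree "$d"
    rm -rf "$d"
fi
```

Run with `sh script.sh demo`: the two constructed obfuscated files are listed and the two clean ones are not, which shows that the `$GLOBALS` half of the pattern only fires when a literal backslash-x follows, so ordinary `$GLOBALS["..."]` usage in core files does not by itself trip it.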
Forum: Fixing WordPress
In reply to: link-template.php.suspected?
I’ve dealt with tons of revslider exploits but never anything that would rename the file like that.
I’m willing to bet it’s a security plugin doing this. ClamAV doesn’t do this.
I saw a customer with this file renamed, I checked the md5sum against my own current WP site on a current CP install with ClamAV and mine was not renamed. I do not run any security related plugins on that site that I checked.
So far I’m trying to hunt further but I’m seeing wordfence and bulletproof security on the affected sites, though I have no concrete evidence to pin it down to one of those.
edit: unable to recreate the issue with wordfence or bulletproof security on my own site. Perhaps the princess is in another castle.
Forum: Fixing WordPress
In reply to: security hole in wp-login.php and/or wp-atom.php??
Just found this exploit working on another server. Same deal, really old “default” theme present. Replacing the 2007 or 2008 version of “default” with this http://wordpress.org/extend/themes/default stops the payload from executing. I can confirm the payload matches the strings in the OP’s logs.
Forum: Fixing WordPress
In reply to: security hole in wp-login.php and/or wp-atom.php??
I’d be happy to share it with you; I could only decrypt it about half way. E-mail me at [removed] and I’ll send you what I found.
Forum: Fixing WordPress
In reply to: security hole in wp-login.php and/or wp-atom.php??
You would think it wouldn’t work, but I saw it. It was indeed WP 3.4.2 running the 2007 default theme.
The POST requests came back today, but they’re failing to generate any e-mail now that the theme was updated. The payload of the POST has two parts; one being a cookie used to help decrypt the other part, which has file=(some long base64 string)
The request was definitely executing code using the $file variable before the theme was updated, and it’s definitely failing to execute now. All’s well that ends well I suppose. Hopefully this helps someone in the future. I’ll refrain from posting the exploit code here as I think there are forum rules against it.
Forum: Fixing WordPress
In reply to: security hole in wp-login.php and/or wp-atom.php??
Sincerely appreciate the input. Like I said, I work for a web host, and we’re pretty on top of PHP/Apache vulns since 90% of our customers are using LAMP stack servers.
I’m betting it was the 2007 theme files. I’ve seen some other threads with similar issues, but most people found code injections that eval() a post variable. Not the case here. Some of the other threads I’ve found never did find code injections, and never seem to have solved it. If I get to the bottom of this, I’ll post what I find.
Forum: Fixing WordPress
In reply to: security hole in wp-login.php and/or wp-atom.php??
That exploit doesn’t work on cPanel servers, cPanel wraps the requests for CGI handlers and strips any command line options.
Server is using SuPHP for PHP handling.
(edit for reference) http://cpanel.net/cpanel-protects-against-php-vulnerability/
Forum: Fixing WordPress
In reply to: security hole in wp-login.php and/or wp-atom.php??
Appreciate the advice everyone. Apache is the newest 2.2.x (2.2.23) build supported by cPanel, and PHP is at the last 5.2.x version available, 5.2.17 I believe. I’m still hoping the site gets hit again so I get some debug info.