WordPress Backdoor and How to Remove (Blank Page When Submitting Posts)

  • Hi,

    I wanted to share something that I discovered with the WordPress community. I’ve noticed several unresolved threads about getting a blank page when submitting a new post (i.e., post.php returns a blank page without an error).

    I went to upgrade a client’s installation of WordPress earlier today and ran into the same problem. Another blog is installed on the same server, and I upgraded it at the same time. It worked perfectly following the upgrade, so I was understandably confused when the first upgrade failed.

    I tried the usual remedies that are suggested around here to no avail. When those didn’t work, I stepped into the WordPress database and found a plugin called Magic Include Shell that wasn’t visible from the plugin list. From the database:

    | active_plugins |a:5:{i:0;s:71:”/../../../../../../../../../../../../../../../../../tmp/ro8kfbswmag.txt“;i:1;s:19:”akismet/akismet.php”;i:2;s:23:”all_in_one_seo_pack.php”;i:3;s:14:”breadcrumb.php”;i:4;s:24:”underscorepermalinks.php”;} |

    You can determine whether or not your installation is infected by running the following MySQL query:

    SELECT * FROM wp_options WHERE option_name = 'active_plugins';

    Look for entries like the one I’ve highlighted above in bold, or one that doesn’t correspond to a plugin that you use. If one exists, run the following query. You’ll need to reactivate your plugins afterward. (Before doing so, be sure to note the path of the hidden plugin, as indicated in bold above.)

    UPDATE wp_options SET option_value="" where option_name="active_plugins";

    Now, delete the hidden plugin and make sure that your version of WordPress is current. Additionally, check your upload directory to make sure that it is set correctly, and that no malicious files (especially hidden files, prepended with a ., which aren’t shown in some directory listings) have been placed there.

    Magic Include Shell gives an attacker the equivalent to console access, which means that the attacker can upload and execute arbitrary code. In other words, one should be extremely careful to ensure that the problem has been fully mitigated.

    If you would like to read the source code of Magic Include Shell, you’re welcome to read it here.

    Hope this helps!

    Best regards,

    Trey

    Edit: Fixed mistake in MySQL “SELECT” query.

Viewing 4 replies - 1 through 4 (of 4 total)

  • Awesome, Trey! I have a client with that problem. Your instructions worked perfectly.

    Yes, we need to upgrade and will, but getting back on the air was their first priority.

    If there was bump system on this forum, you’d get big bump up.

    okay…so for the AVERAGE user, how does one eliminate the problem.
    I’ve gone to the root level of my server, but am clueless about using the PHP Admin/Query/etc.

    Is the any hope for the technologically “remedial” user?

    I am also an average user. Here is how I did it. So follow my example at your own risk. I may have taken steps that were unnecessary or risky. And I may have totally screwed up and just don’t know it yet! (but I was able to add my new post and edit my other one so right now I don’t care).

    1. I deactivated all the plugins
    2. Using my web host cpanel, I accessed the Myphpadmin tool.
    3. I selected my wordpress database from the left column
    4. I clicked “wp-options” from the left pane
    5. In the right pane, I selected the Browse action for “option_name”
    6. From the top of the left pane, I clicked the little SQL button that opened the query window.
    7. I pasted the SELECT… query string indicated above and then clicked go
    8. In the new screen that opened, I clicked to edit the active plugins option
    9. I copied what was there in a txt document just in case. And then I deleted what was there (should only be the malicious plugin if you deactivated the others).
    10. At the bottom of the page, I saved the change.

    I could not however, find the malicious plugin. I searched the indicated directory, plus I searched all my files.

    My webmaster credited this post with solving a similar problem on my blog. Here’s what she said: “Good lead (below from WordPress) for solving the problem of not being able to post to your blog.
    “It was not exactly the same situation, but I followed some of the advice and found a suspicious record in the database. I removed the info that did not seem legitimate. I also deleted over 2000 spam entries.”

    Thanks!

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘WordPress Backdoor and How to Remove (Blank Page When Submitting Posts)’ is closed to new replies.