• SimonJ

    (@simonj)


    Well, I don’t know where to post this question.

    LAST WEEK, I had a big problem on my wordpress installation. All the plugins were disabled and all the “attachment” posts’ status had changed to “post”… As a result, I saw no upload files via the admin browser.

    After a short investigation, I saw that the last post in the database had only “ro8kfbsmagtxt” for content…

    I was able to repair the site by using a backup on my server.

    YESTERDAY, I was browsing via SSH on my server and I found in the TMP folder a file called “ro8kfbsmag.txt”… Hum hum. I downloaded it, and it’s a PHP script, with a form, and with the title: “Magic Include Shell by Mag icq 884888”

    Well, I don’t like it…

    Here is the content of the file… If any WP guru could take care of it, it sounds dangerous to me…

    S.

    ———- ro8kfbsmag.txt —————

    <?php
    /*Magic Include Shell by Mag icq 884888*/
    //TODO: ??èòü ?àé?? íà ?a?é ?ò? (!), eàá?òà ? ?èeàìè (.), e?í?éì ?àé??a (?), ?ò?eàaêà ???ò, ??ò, êóê?a ÷?e?? ??ê?ò? (!!!)
    $ver='1.6';
    if(isset($_GET[pizdecnax]))
    {
    ...

    Large PHP code removed by moderator. You can find this file via google, if you want.

Viewing 15 replies - 1 through 15 (of 46 total)
  • smithdan

    (@smithdan)

    This also happened to my wordpress blog. The plugins were all disabled, the pages showed up as posts, and the admin password was changed.

    The attacker was also able to upload a new theme in the wp-content dir. They were also able to explore the file system using the ‘dira’ parameter.

    The same ro8kfbswmag.txt was placed in /tmp/

    The initial attack showed up in the access logs:

    dan.smith.name 82.103.135.182 – – [05/Nov/2007:09:33:29 -0600] “GET / HTTP/1.0” 200 38326 “-” “Opera/9.23 (Windows NT 5.1; U; ru)” 195 38635
    dan.smith.name 82.103.135.182 – – [05/Nov/2007:09:35:31 -0600] “GET /?piska HTTP/1.0” 200 8423 “https://localhost/wp-toolz/?mode=shell&what=2122” “Opera/9.23 (Windows NT 5.1; U; ru)” 259 8671
    dan.smith.name 82.103.135.182 – – [05/Nov/2007:09:35:50 -0600] “POST /index.php?piska&dira=./ HTTP/1.0” 200 8774 “https://dan.smith.name/?piska” “Opera/9.23 (Windows NT 5.1; U; ru)” 364 9022

    Please let me know if you need any additional information, and advise.

    moshu

    (@moshu)

    1. Alert your host! – it might be that the hacker got access to the server elsewhere…
    2. Do NOT have any files left world writable (chmod 666) – like when editing theme files online.
    3. Change all your passwords.
    4. UPGRADE!

    Thread Starter SimonJ

    (@simonj)

    Many Thanks Moshu for your answer.

    The host is me… It’s my own server; the site generated too much traffic and server load for a “standard host”, so I bought my own server and I’m now on my own. I alerted the sysadmin I hire for the server and I gave him a copy of the “ro8kfbswmag.txt” file.

    I can’t find any logs like those posted by smithdan, but I see some weird entries a little while before the attack, and on the same day, from a Korean ISP:

    ________The days before :
    220.120.22.131 – – [21/Oct/2007:22:45:29 -0400] “GET https://91pinker.com/prx.php HTTP/1.0” 404 –
    220.120.22.131 – – [21/Oct/2007:22:45:29 -0400] “GET https://91pinker.com/prx.php HTTP/1.0” 404 –
    220.120.22.131 – – [21/Oct/2007:22:45:29 -0400] “GET https://91pinker.com/prx.php HTTP/1.0” 404 –
    220.120.22.131 – – [21/Oct/2007:22:45:29 -0400] “GET https://91pinker.com/prx.php HTTP/1.0” 302 293
    220.120.22.131 – – [21/Oct/2007:22:45:29 -0400] “GET https://91pinker.com/prx.php HTTP/1.0” 302 293
    _________________________________

    __________THE SAME DAY :

    220.120.22.131 – – [23/Oct/2007:23:12:49 -0400] “GET https://135531.com/prx.php HTTP/1.0” 404 –
    220.120.22.131 – – [23/Oct/2007:23:12:49 -0400] “GET https://135531.com/prx.php HTTP/1.0” 404 –
    220.120.22.131 – – [23/Oct/2007:23:12:49 -0400] “GET https://135531.com/prx.php HTTP/1.0” 404 –
    220.120.22.131 – – [23/Oct/2007:23:12:49 -0400] “GET https://135531.com/prx.php HTTP/1.0” 302 293
    220.120.22.131 – – [23/Oct/2007:23:12:49 -0400] “GET https://135531.com/prx.php HTTP/1.0” 302 293
    ____________________________

    If you take a look at the first domain : https://91pinker.com/prx.php

    Or the root :
    https://91pinker.com/

    It seems to be a PHP proxy… Well… At this point, I really don’t have the knowledge to figure anything out, but it looks weird and dangerous. The second domain is different (135531.com) but it uses the same prx.php…

    ——————
    Anyway, I hope that posting this information here will be helpful for the wordpress community and the wordpress team to determine the nature of this “exploit” and whether it bears on a security hole in WP. If I can be of any help with more information, just let me know!

    ——————

    Thanks again Moshu for your advice… As you suggested, I changed ALL my passwords, everywhere, on the server and on the WP admin accounts. I haven’t had any other problem since.

    I know that I’m ready for an upgrade, but the site is really heavy and I’ll have to work around some theme and plugin problems before doing so.

    Thanks again.

    S.

    Thread Starter SimonJ

    (@simonj)

    Oh! And I forgot…

    The problem description by DanSmith was exactly the same for me…: “The plugins were all disabled, the pages showed up as posts, and the admin password was changed.”

    S.

    I have experienced this problem too and have some more information and another solution.

    The sequence of events was as follows (unfortunately my logs don’t record POST data):

    1. POST /wp-admin/admin-ajax.php
    2. POST /wp-admin/options.php
    3. POST /wp-admin/options.php
    4. POST /wp-admin/options.php
    5. POST /wp-admin/options.php
    6. POST /wp-admin/options.php
    7. POST /wp-admin/options.php
    8. POST /wp-admin/upload.php?style=inline&tab=upload&post_id=-1
    9. POST /wp-admin/options.php
    10. POST /wp-admin/options.php
    11. GET /wp-admin/upgrade.php?step=1
    12. GET /?kreved
    13. GET /index.php?kreved&dira=./wp-content
    14. GET /index.php?kreved&&dira=./wp-content/uploads
    15. POST /index.php?kreved&&dira=./wp-content/uploads
    16. GET /wp-content/uploads/
    17. GET wp-content/uploads/zip.php

    After this the hacker uploaded lots of nasty stuff as zip files into the /wp-content/uploads/ directory. The hacker did this using the backdoor mentioned in an earlier post. The backdoor is configured within WordPress as a plugin and is referenced by the URL /?kreved. This executes the file that has been uploaded by the hacker into /tmp. The file is called ro8kbsmag.txt.

    After carefully checking my wordpress files (using checksums against a clean install) I determined that the hacker had not changed any of the standard files.

    What the hacker had done is modify two options in the database, specifically upload_path and active_plugins.

    Upload_path was set to /../../../../../../../../../../../../../../../../../tmp and active_plugins to a:1:{i:0;s:69:”/../../../../../../../../../../../../../../../../../tmp/ro8kbsmag.txt”;}.

    Setting these back to their default values fixed my installation.

    To stop the hacker doing it again I added web server access controls to the wp-admin directory. This extra layer of security should stop them getting in again.
    It would be nice to know what the POST data was that allowed the hacker to do this. Has anyone else captured this?

    David
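The two wp_options values David describes are the whole persistence mechanism, so they are also the thing to audit. The script below is an added example, not code from the thread or from WordPress: it parses the PHP-serialized active_plugins value, flags entries that climb out of the plugin tree or are not .php files, and flags an upload_path that escapes the site. The default upload_path is the one given later in the thread; the empty active_plugins serialization `a:0:{}` and the sample payload strings are constructed here.

```python
import re
from typing import List

# Clean values. The upload_path default is the one quoted later in the thread;
# a:0:{} for an empty active_plugins list is an assumption, not from the thread.
DEFAULT_UPLOAD_PATH = "wp-content/uploads"
DEFAULT_ACTIVE_PLUGINS = "a:0:{}"

# Constructed sample reproducing the traversal payload quoted in the thread.
TMP_SHELL = "/" + "../" * 17 + "tmp/ro8kbsmag.txt"
EVIL_UPLOAD_PATH = "/" + "../" * 17 + "tmp"
EVIL_ACTIVE_PLUGINS = 'a:1:{i:0;s:%d:"%s";}' % (len(TMP_SHELL), TMP_SHELL)


def parse_php_string_array(blob: str) -> List[str]:
    """Parse a PHP-serialized list of strings, e.g. a:1:{i:0;s:5:"hello";}.

    Walks the declared lengths instead of splitting on quotes, so a value that
    contains '";' cannot desynchronise the parser. ASCII values only: PHP
    counts bytes, so non-ASCII entries would need encoding to bytes first.
    """
    head = re.match(r'a:(\d+):\{', blob)
    if not head:
        raise ValueError("not a serialized PHP array")
    pos, values = head.end(), []
    elem = re.compile(r'i:\d+;s:(\d+):"')
    for _ in range(int(head.group(1))):
        m = elem.match(blob, pos)
        if not m:
            raise ValueError("unexpected element at offset %d" % pos)
        start, length = m.end(), int(m.group(1))
        if blob[start + length:start + length + 2] != '";':
            raise ValueError("declared length does not match value")
        values.append(blob[start:start + length])
        pos = start + length + 2
    if blob[pos:] != "}":
        raise ValueError("trailing data after array")
    return values


def escapes_tree(path: str) -> bool:
    """True if the path is absolute or climbs out of its base directory."""
    return path.startswith("/") or ".." in path.replace("\\", "/").split("/")


def audit_options(upload_path: str, active_plugins_blob: str) -> List[str]:
    """Return findings for the two wp_options values the thread identifies."""
    findings = []
    if escapes_tree(upload_path):
        findings.append("upload_path points outside the site: %r" % upload_path)
    for entry in parse_php_string_array(active_plugins_blob):
        if escapes_tree(entry) or not entry.endswith(".php"):
            findings.append("active_plugins loads a non-plugin file: %r" % entry)
    return findings
```

Run `audit_options` against the values pulled from `wp_options`; an empty result means both options are in their expected shape.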

    You said yourself that the whole reason the hacker was able to do anything was because they modified your database. You need to secure that. Change the password and username for the database. If you’re hosting yourself, don’t allow TCP connections from outside to the MySQL port; better yet, disable the port altogether, it’s not needed when WP and the database are on the same server. Lastly, make sure that your wp-config.php file has the correct permissions.

    No. The hacker changed the settings in the wp_options database table via WordPress, not via SQL. The database port is disabled (and firewalled, since I am paranoid) and only allows access from localhost. Since I don’t have the POST data I cannot determine exactly how the hacker managed to change entries in wp_options. But what the traces do show is that it was done through a process of repeated POSTs, first to admin-ajax.php, then options.php, upload.php, options.php and finally upgrade.php.

    You are correct to suggest changing the passwords, which I had done but not mentioned. The hacker did not change these, but they did have access to the database and config file through the hack and therefore would have been able to take a copy of the passwords.

    David

    Just had this happen to my WP install. Please keep this thread updated.

    This text file you mentioned is a shell. The hacker probably uploaded it through an exploit in WordPress (or just bruteforced the admin account) and uploaded a shell. A shell is used to have easy remote access to databases and files. It’s actually just a trojan/backdoor for a web server.
    It’s best to try to find out where the exploit is, and how you could remove it. Also, you should report the exploit to the WordPress team, and wait for a fix, or write one yourself if you’re skilled enough. If you got any questions, e-mail me at [email protected].

    Good luck.

    That’s a standard PHP include attack. It does NOT require anyone to brute force the admin account.

    Furthermore, Google’s cache of ryancannon.com as of Dec 24 shows you running 2.2.1. That pretty much covers the “how did they do it”.

    I did a Google search & some site came up about it, but most of it is in a different language.

    I’m glad this doesn’t affect 2.3.1

    This also happened to my site. I’m no programmer, but the explanation of this particular hack on the url below appears to be a good one:

    https://blog.taragana.com/index.php/archive/detailed-post-mortem-of-a-website-hack-through-wordpress-how-to-protect-your-wordpress-blog-from-hacking/

    This happened to me as well. I checked my database and found this:

    Upload_path was set to /../../../../../../../../../../../../../../../../../tmp and active_plugins to a:1:{i:0;s:69:”/../../../../../../../../../../../../../../../../../tmp/ro8kbsmag.txt”;}.

    The solution above says: “Setting these back to their default values fixed my installation.”

    What are the default values?

    Thanks much.

    What are the default values?

    wp-content/uploads

    FYI, just go to Option > Miscellaneous

    I did as you suggested, and it worked. Now what I need to know is, is there anything besides the mysql post_type tag which differentiates pages from posts (so I could automate restoration)?

  • The topic ‘Weird and Dangerous : ro8kfbsmag.txt’ is closed to new replies.