need forsensic help following unauthorized post

  • A registered user with Subscriber access recently published unwanted material on my site. I’m trying to figure out how he managed to get sufficient authority to publish the post without it being held for review.

    • I don’t think my code base was hacked. All of my .php are checksum’d (core & plugins) and there’s no sign of interference.
    • I do have a record of all logins. That shows the problem user logging in (twice) around the time of the posting.
    • I checked the problem user’s authority after the fact. It is still Subscriber.
    • I do use Role Scoper to elevate users to Contributor when they post in just one category, but the problem post was uncategorized.
    • Revision history for the post shows the first revision by the problem user, immediately followed with a second revision by my own Administrator username. But there’s no record of a login by that Administrator.

    So what else can I look for?
    Here’s the relevant portion of the web access log:

    83.28.31.252 - - [14/Feb/2011:15:38:29 -0800] "POST /wp-login.php HTTP/1.1" 302 969 "https://sarasotasailingsquadron.org/wp-admin/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
83.28.31.252 - - [14/Feb/2011:15:38:31 -0800] "GET /wp-admin/post-new.php HTTP/1.1" 200 68558 "https://sarasotasailingsquadron.org/wp-admin/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
83.28.31.252 - - [14/Feb/2011:15:38:34 -0800] "POST /wp-admin/post.php? HTTP/1.1" 403 1639 "https://sarasotasailingsquadron.org/wp-admin/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
83.28.31.252 - - [14/Feb/2011:15:38:35 -0800] "POST /wp-login.php HTTP/1.0" 302 1094 "-" "Snoopy v1.2.4"
83.28.31.252 - - [14/Feb/2011:15:38:36 -0800] "POST //wp-admin/ HTTP/1.0" 200 32961 "-" "Snoopy v1.2.4"
83.28.31.252 - - [14/Feb/2011:15:38:38 -0800] "GET //wp-admin/press-this.php HTTP/1.0" 200 22967 "-" "Snoopy v1.2.4"
83.28.31.252 - - [14/Feb/2011:15:38:40 -0800] "POST //wp-admin/press-this.php?action=post HTTP/1.0" 200 23174 "-" "Snoopy v1.2.4"
Viewing 7 replies - 1 through 7 (of 7 total)

  • When did you upgrade to WP 3.0.5?

    Thread Starter flymike

    (@flymike)

    my mistake; 3.04 on Jan 4, not 3.05

    If this problem occurred when you were using 3.0.4, then that might be your answer. 3.0.5 addressed this security issue, if I remember correctly.

    yes – this is exactly what 3.0.5 addresses

    Hello dear friends,

    I’m having this issue since I use 3.0.5!

    Any suggestions? Thanks in advance.

    Angie

    Thread Starter flymike

    (@flymike)

    This intrusion has recurred – this time on the current version, 3.1.1.
    The hacker logs in (validly) as subscriber, creates a post – which should have gone into Pending Review state – then immediately updates the post as Administrator to Published state. The access log is below. Both of the logins were with the Subscriber username (my site records all logins with username and IP).
    I can’t figure out how this hacker is getting Administrator privilege.

    83.28.5.21 - - [25/Apr/2011:09:26:57 -0700] "POST /wp-login.php HTTP/1.1" 302 969 "https://sarasotasailingsquadron.org/wp-admin/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
83.28.5.21 - - [25/Apr/2011:09:26:59 -0700] "GET /wp-admin/post-new.php HTTP/1.1" 200 38080 "https://sarasotasailingsquadron.org/wp-admin/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
83.28.5.21 - - [25/Apr/2011:09:27:03 -0700] "POST /wp-admin/post.php? HTTP/1.1" 403 1639 "https://sarasotasailingsquadron.org/wp-admin/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
83.28.5.21 - - [25/Apr/2011:09:27:07 -0700] "POST /wp-login.php HTTP/1.0" 302 1094 "-" "Snoopy v1.2.4"
83.28.5.21 - - [25/Apr/2011:09:27:09 -0700] "POST //wp-admin/ HTTP/1.0" 200 30707 "-" "Snoopy v1.2.4"
83.28.5.21 - - [25/Apr/2011:09:27:12 -0700] "GET //wp-admin/press-this.php HTTP/1.0" 200 31442 "-" "Snoopy v1.2.4"
83.28.5.21 - - [25/Apr/2011:09:27:14 -0700] "POST //wp-admin/press-this.php?action=post HTTP/1.0" 200 31671 "-" "Snoopy v1.2.4"
83.28.5.21 - - [25/Apr/2011:09:27:23 -0700] "GET / HTTP/1.0" 200 69061 "-" "-"

    Unfortunately in many cases updating after your site has been compromised wont stop further problems. Will use a poorly configured server or a WordPress exploit to gain initial access. However, once in they will usually install some form of backdoor entrance which will allow them to access your server/site, even if you upgrade.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘need forsensic help following unauthorized post’ is closed to new replies.