Serious hacking threat to newest WordPress?

  • Hi there,

    Recently, my site was hacked. I’ve found that what hit me, hit also
    hundreds (and very likely many thousands) sites! The sites affected
    are running mostly WordPress blogs, but I saw some forums and other
    CMSes being hacked as well (although a WP installation may exist on
    those servers and only the malicious code is embeded in other CMSes).
    Examples:
    – Moodle: https://www.google.pl/search?sourceid=chrome&ie=UTF-8&q=site:elearning.emate.ucr.ac.cr+loan
    – SMF forum: https://www.google.pl/search?sourceid=chrome&ie=UTF-8&q=site:spinnershome.net+loan
    I ask you to help me get to the bottom of this and find the bug.

    Please note, that it is quite hard to notice the hack if you don’t
    look for it. Check Google with the following phrase:
    site:example.com loan
    Where “example.com” is your domain (or some affected domain). You’ll
    see a lot of crap that you didn’t even know existed.

    First, a list of sites that link to my hacked site (so they’re also hacked):
    https://pokazywarka.pl/wh96r1-2/
    NOTE that you will not see the malicious text, it shows up only to
    crawlers. BUT if you run the Google’s site: search, you’ll notice it.
    About 10 of those hundreds of pages are viable links, rest is due to
    this hacking going on. And that’s only the sites that link to mine
    after a few days. My address is blogtimes.pl which occurs a few times
    as I link to myself obviously.

    I was/am running the latest WordPress installation (3.0.1) with some
    daily updated plugins:
    Akismet, All in one SEO Pack, Broken Link Checker, FD Feedburner
    Plugin, Google Analyticator, Google XML Sitemaps, Move WordPress
    Comments, No Self Pings, Popularity Contest, Raw HTML Capability, SEO
    Friendly Images, SEO Smart links, Sociable, Sociable Poland, Subscribe
    to comments, WordPress Database Backup, WP-PageNavi, WP BlipBot
    (Polish equivalent of Twitter), WP No Category Base, WP Super Cache,
    Yet Another Related Posts Plugin.

    My hosting provider is DreamHost with shared hosting. My password for
    WP was quite strong and it doesn’t seem like it is the weak link. My
    username was however “admin”. My FTP details were randomly generated.
    My CHMODs were as supposed to (safe). I did not run any other site on
    this account, nor did I have shell access enabled. MySQL database
    doesn’t seem to be affected at all. After the attack I run some
    plugins to check for vulnerabilities and none found anything.
    DreamHost states that my FTP account was not accessed, so the hack
    occured through HTTP most likely (or the shared server, which is
    unlikely judging on the number of sites affected). DreamHost doesn’t
    have logs reaching over a week in the past (…) so I’m not able to
    check which files were accessed during the hack. I can however do some
    other sniffing.

    This is how the attack progressed in time:
    07th Nov. 2010
    ./wp-config.php was modified at 07:26 (no malicious code there, could
    be that the attacker just looked at my MySQL DB credentials or changed
    the unique keys that wp-config.php has)
    ./wp-admin/includes/version.php was modified at 07:27 (totally changed
    with heavily encrypted PHP code. The decrypted version can be found at
    https://pastebin.com/3JWb96z6 This file is basically an admin panel for
    managing files and running shell commands. You need to provide a
    variable using POST for the page to show up)

    11th Nov. 2010
    These files were uploaded: https://pokazywarka.pl/i3r0i6/
    They are encrypted and I don’t yet know what is their purpose.
    Also, the ./wp-includes/post-template.php was modified that day. It
    had some heavily encrypted PHP code boundled inside. I’ve decoded it:
    https://pastebin.com/kx7ahkrW
    The first and second functions are basically wrappers for the content
    below them. What you can see is that some pages from my blog are
    changed to malicious ones (probably nested inside the files uploaded
    the same day), but only if the crawler visits the page. As a result,
    Google dropped my ranks for the whole domain at 15th Nov. and that
    ringed my bell. You can also see that the script takes a “pw” variable
    through GET. This way the attacker can run a CURL query (look up
    another site) and open or write a local file.

    19th Nov 2010
    ./wp-content/languages/mo/index.php was modified (or uploaded the
    first time). It probably is a gateway to version.php (I can see there
    are POST requests executed on it), or it is another way to manage the
    hacked site. DreamHost reports that in the same dir there are other
    files which are browsable through HTTP, like:
    https://blogtimes.pl/wp-content/languages/mo/reducingdebtwith.html
    I however do not see any files in this directory using LIST -al and
    LIST -alh with many FTP clients. It may be that I have to turn on
    shell on this account to look them up, which I am not willing to do.
    Anyone knows if this is the case? Can you hide files from FTP access
    without having power over the FTP server?

    Finally, 19th and 20th Nov. (never logs are yet to come from DreamHost
    I guess), there have been numerous attempts to further compromise my
    server (and likely access my linux password). I do have access to the
    HTTP logs for this timeframe, so I was able to review the malicious
    requests. You can see them here:
    https://pastebin.com/Rf3uXZsR
    Note that 24.185.11.54 is the IP of the attacker. He is the only one
    who knows that he should access index.php and does so using POST (so
    he provides his passphrase). You can see that he uses an iPhone and
    probably some kind of an automated application on a computer (hence
    the 3 requests per second) to upload files (most likely). This IP
    belongs to the ISP Optimum Online and is shared from the pool
    24.185.x.x in Brooklyn, NYC.
    Other IPs are most likely script kiddies and bots, not related to this hack.
    I do not see any other malicious requests on the 19th, so eigther the
    index.php modified itself (bacuse the modification date = 19th) or it
    was modified by some other protocol.

    This is very weired, as I can not seem to find how the initial upload
    was able to take place and how the 19th modification of index.php took
    place. We can be sure that the issue is large in scale. I still have
    some files that I can decode (index.php) and if I do so, I’ll try to
    put a trap on the attacker and get to know his passphrase.

    Any comments will be appreciated!

    Chris

Viewing 15 replies - 1 through 15 (of 26 total)
  • Jarret

    (@jarretc)

    If this has hit hundreds of sites it is most likely due to a site being on a shared server that was hacked. I haven’t heard of any vulnerabilities like this with the latest WP version so I am sure that is not the issue.

    More than likely the shared sever that is hosting these sites is compromised and thus the reason for all the sites being hacked. This happened in the past a few months ago with a few major hosting providers who tried to put the blame on WP for the issues.

    Eventually the hosting providers submitted and took the blame for their servers being hacked and that WP itself was not the point of entry.

    If I were you I would be getting in contact with somebody at your hosting company and demanding more detailed logs be provided.

    I will ask them if they host this sites. This could clear things up. Thanks for the idea, Jarret.

    deflorence

    (@deflorence)

    I am reporting 2 hacking/attack on 2 different WP installations:

    1)WP 3.01 Multisite: duplication every minute or so of an 80MB zip file. As a result, the site ran out of space and would no longer load up. This site runs on own server (at home), with leased lines (www.lutecium.org). My colleague and I are still working on restoring this site.

    2)WP 3.01 normal: apparition in /htdocs/ of a file called “google1928374w0.html”, the content consisting of a single line: “aope9ndm6d6sd6hsg2038sdhdl”. This affected all the 12 sites I run on shared hosting with gradwell.com. After deleting all the instances of that file, there has been no re-ocurrence so far.

    Hello deflotrence,

    Doesn’t seem like the first case is the same problem as I have. If you encounter a bigger problem, you may want to consider posting a whole new topic.

    The 2nd problem of yours: it were files that are needed to exist on a domain to manage it through Google Webmaster Tools and one more Google tool, I think it was the Ad Planner. It’s likely that someone uploaded these files to your hosting and tracked your pages.

    Since this may not be a WordPress-only related issue, I’ve posted the same content to the SitePoint forums at https://www.sitepoint.com/forums/showthread.php?p=4745151#post4745151
    I will update both topics when something new comes up, but you may want to keep track of the replies there.

    I received an e-mail from DH support.

    I was unable to see the files through FTP because the hacker changed the default CHMOD of the “mo” folder to d-wx–x–x, which basically means he removed the default Read rule. After changing it to drwxr-xr-x I was able to see the malicious files, including index.php. Another person who’s been hacked by the same guy stated that he had to change the ownership of the files and folders before working on them, so it’s a common trick. He has been hacked in January, so this is going on for a WHILE now.

    I got an explanation about how the log files are named and now I have a full one-week history. After 19th Nov. there have been 2 requests per day from the attacker’s IP, both stating that came from an iPhone. I now doubt that and think it is a spoof for an automated mechanism which checks if the hacked website has not fixed itself.

    DreamHost also stated, that they host 4 random hacked sites that I asked them about. It’s still too early to judge if this hack is DH-only related. I asked them to match another 19 domains and investigate.

    Inside the “mo” folder I have a lot of plain html, css and graphic files and one key index.php file. Both me and the DH support made a bit of mistakes on noting the dates. I triple checked them and it is now clear that the modifications (uploads) took place in this order:
    4th: wp-config.php (07:26), ./wp-admin/includes/version.php (07:27), https://pokazywarka.pl/i3r0i6/ (10:00) and ./wp-includes/post-template.php (15:17)
    6th: ./wp-content/languages/mo/index.php
    7th: Malicious website files ( https://pokazywarka.pl/v8qroy-2/ ) inside the ./wp-content/languages/mo/ directory (06:40)
    19th: ./wp-content/languages/mo/index.php was accessed through HTTP POST (NOT modified as stated previously), you can see this in the access logs above

    It is clear that ./wp-content/languages/mo/index.php is the newest version of the same admin panel as in version.php

    The index.php file is of course heavily encrypted. I did manage to decode some of it: https://pastebin.com/MpTVREy3
    However the rest needs a password send through POST to be decrypted. The password is compared to md5. From all the various passwords the attacker used, only 1 md5 hash was in an md5 hashes database and it was a random string, so it’s unlikely that I will decode it further.
    I did however compare the length of the strings that are being urldecoded and then passed to a function that doesn’t change their length. From that I state that the index.php main code has 5092 characters, while post-template.php has 5206 characters (see it at https://pastebin.com/kx7ahkrW ). So, index.php is eighter a bit modified version of post-template.php or is a new gateway to the hacked site, similar in code size. The length of the third PHP file, version.php, is two times more, so it’s a totally different piece of code.

    Sorry, I confused myself a bit at the end.

    version.php is an admin panel, whcih has over 10.000 characters in length.
    post-template.php is a script that redirects pages and enables simple upload, download and execute commands to be done, it has 5206 characters in length.

    What confused me (and what I wrote) is that it would be likely that index.php is a newer version of version, so the admin panel. The length suggests however, that it is not. On the other hand, it would be stupid to make another file for redirections, especially in that location. So basing on that, I state that this index.php file is something new, which I only know that has 5092 characters in length and (from the logs) can be automatically executed many times per second.

    I have confirmation that the hack occured on a in-door servers, so it’s not DH-related.
    I’m investigating the plugins that the hacked sites used.

    mosco

    (@mosco)

    we’re also seeing an active exploit, not sure yet but to us it looks like it affects only blogs that have commenting enabled and the hack does not need access to the wp-admin (we have it completely blocked off for some blogs and it still happens.)
    See here: https://www.ads-software.com/support/topic/wordpress-301-hack-or-exploit

    I have matched the plugins used by me and one other hacked person and we both use only Akismet and wp-db-backup.
    Akismet is used by everyone, so it’s not likely that the bug is inside of it. It could be that wp-db-backup is vulnerable. I’ll take a look at the code in the next 48hours.
    If this is not the case, we could be looking at a WP 3.0.1 hack that’s been going on for months now. It could be in the comments, like mosco said.

    mosco: you get an injection, we get malicious files. it still, however, could be from the same source. how about your addons?

    mosco

    (@mosco)

    we use akismet, all the hacked blogs have it (latest version)
    we don’t use wp-db-backup

    From what we’ve done to narrow it down to me it looks like the most likely source is the commenting system, or maybe akismet?

    the only blog we have that doesn’t get hacked, doesn’t allow comments and doesn’t have akismet active, all the others do.

    mosco

    (@mosco)

    I think 3.0.2 fixes the exploit, we haven’t had any new hits since we upgraded.

    Maybe it does yours, but not ours.
    The 3.0.2 WordPress update addresses 2 security issues. One is related
    to a registered user taking over admin privileges. This isn’t the
    source of the hack, since my site was hacked and I had no registered
    users. The other addressed issue is an XSS vulnerability, but the
    admin would have to install a malicious plugin for it to work. The
    plugins that I narrowed the hack to (wp-db-backup and akismet) don’t
    have the XSS code (I checked), so the hack did not occur this way
    eighter.

    Oh and I had a look at wp-db-backup. It looks clean, although it is a large file and there is a very slight chance I may have missed something.
    I am now trying to investigate further with the help of my hosting provider, analysing other hacked sites.

    mosco

    (@mosco)

    For us the 3.0.2 update so far has stopped the hacks, we were getting hit twice a day before. So I think that 3.0.2 might also have fixed an sql injection hack that they are not publicly acknowledging or might not be aware of?
    The hack that was hitting us was definitely not using admin privileges or xss, we would get hacked even with the admin completely blocked off. And it was doing an sql injection (I have the sql statements logged in our database logs).
    Since the 3.0.2 upgrade (2 days now) no new hack.

Viewing 15 replies - 1 through 15 (of 26 total)
  • The topic ‘Serious hacking threat to newest WordPress?’ is closed to new replies.