    Hi there,

    Recently, my site was hacked. I’ve found that what hit me also hit
    hundreds (and very likely many thousands) of sites! The sites affected
    are running mostly WordPress blogs, but I saw some forums and other
    CMSes being hacked as well (although a WP installation may exist on
    those servers and only the malicious code is embedded in other CMSes).
    Examples:
    – Moodle: https://www.google.pl/search?sourceid=chrome&ie=UTF-8&q=site:elearning.emate.ucr.ac.cr+loan
    – SMF forum: https://www.google.pl/search?sourceid=chrome&ie=UTF-8&q=site:spinnershome.net+loan
    I ask you to help me get to the bottom of this and find the bug.

    Please note that it is quite hard to notice the hack if you don’t
    look for it. Check Google with the following phrase:
    site:example.com loan
    Where “example.com” is your domain (or some affected domain). You’ll
    see a lot of crap that you didn’t even know existed.

    First, a list of sites that link to my hacked site (so they’re also hacked):
    https://pokazywarka.pl/wh96r1-2/
    NOTE that you will not see the malicious text, it shows up only to
    crawlers. BUT if you run the Google’s site: search, you’ll notice it.
    About 10 of those hundreds of pages are viable links, the rest is due to
    this hacking going on. And that’s only the sites that link to mine
    after a few days. My address is blogtimes.pl which occurs a few times
    as I link to myself obviously.

    I was/am running the latest WordPress installation (3.0.1) with some
    daily updated plugins:
    Akismet, All in one SEO Pack, Broken Link Checker, FD Feedburner
    Plugin, Google Analyticator, Google XML Sitemaps, Move WordPress
    Comments, No Self Pings, Popularity Contest, Raw HTML Capability, SEO
    Friendly Images, SEO Smart links, Sociable, Sociable Poland, Subscribe
    to comments, WordPress Database Backup, WP-PageNavi, WP BlipBot
    (Polish equivalent of Twitter), WP No Category Base, WP Super Cache,
    Yet Another Related Posts Plugin.

    My hosting provider is DreamHost with shared hosting. My password for
    WP was quite strong and it doesn’t seem like it is the weak link. My
    username was however “admin”. My FTP details were randomly generated.
    My CHMODs were as supposed to (safe). I did not run any other site on
    this account, nor did I have shell access enabled. MySQL database
    doesn’t seem to be affected at all. After the attack I ran some
    plugins to check for vulnerabilities and none found anything.
    DreamHost states that my FTP account was not accessed, so the hack
    occurred through HTTP most likely (or the shared server, which is
    unlikely judging by the number of sites affected). DreamHost doesn’t
    have logs reaching over a week in the past (…) so I’m not able to
    check which files were accessed during the hack. I can however do some
    other sniffing.

    This is how the attack progressed in time:
    07th Nov. 2010
    ./wp-config.php was modified at 07:26 (no malicious code there, could
    be that the attacker just looked at my MySQL DB credentials or changed
    the unique keys that wp-config.php has)
    ./wp-admin/includes/version.php was modified at 07:27 (totally changed
    with heavily encrypted PHP code. The decrypted version can be found at
    https://pastebin.com/3JWb96z6 This file is basically an admin panel for
    managing files and running shell commands. You need to provide a
    variable using POST for the page to show up)

    11th Nov. 2010
    These files were uploaded: https://pokazywarka.pl/i3r0i6/
    They are encrypted and I don’t yet know what is their purpose.
    Also, the ./wp-includes/post-template.php was modified that day. It
    had some heavily encrypted PHP code bundled inside. I’ve decoded it:
    https://pastebin.com/kx7ahkrW
    The first and second functions are basically wrappers for the content
    below them. What you can see is that some pages from my blog are
    changed to malicious ones (probably nested inside the files uploaded
    the same day), but only if the crawler visits the page. As a result,
    Google dropped my ranks for the whole domain on 15th Nov. and that
    rang my bell. You can also see that the script takes a “pw” variable
    through GET. This way the attacker can run a CURL query (look up
    another site) and open or write a local file.

    19th Nov 2010
    ./wp-content/languages/mo/index.php was modified (or uploaded the
    first time). It probably is a gateway to version.php (I can see there
    are POST requests executed on it), or it is another way to manage the
    hacked site. DreamHost reports that in the same dir there are other
    files which are browsable through HTTP, like:
    https://blogtimes.pl/wp-content/languages/mo/reducingdebtwith.html
    I however do not see any files in this directory using LIST -al and
    LIST -alh with many FTP clients. It may be that I have to turn on
    shell on this account to look them up, which I am not willing to do.
    Anyone knows if this is the case? Can you hide files from FTP access
    without having power over the FTP server?

    Finally, 19th and 20th Nov. (newer logs are yet to come from DreamHost
    I guess), there have been numerous attempts to further compromise my
    server (and likely access my linux password). I do have access to the
    HTTP logs for this timeframe, so I was able to review the malicious
    requests. You can see them here:
    https://pastebin.com/Rf3uXZsR
    Note that 24.185.11.54 is the IP of the attacker. He is the only one
    who knows that he should access index.php and does so using POST (so
    he provides his passphrase). You can see that he uses an iPhone and
    probably some kind of an automated application on a computer (hence
    the 3 requests per second) to upload files (most likely). This IP
    belongs to the ISP Optimum Online and is shared from the pool
    24.185.x.x in Brooklyn, NYC.
    Other IPs are most likely script kiddies and bots, not related to this hack.
    I do not see any other malicious requests on the 19th, so either the
    index.php modified itself (because the modification date = 19th) or it
    was modified by some other protocol.

    This is very weird, as I can not seem to find how the initial upload
    was able to take place and how the 19th modification of index.php took
    place. We can be sure that the issue is large in scale. I still have
    some files that I can decode (index.php) and if I do so, I’ll try to
    put a trap on the attacker and get to know his passphrase.

    Any comments will be appreciated!

    Chris
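Added example (this is not code from Chris’s post, from the pastebins it links to, or from WordPress): two small triage helpers for the kind of compromise described above. The first scans PHP source text for the idioms the post describes in the injected code (eval of a base64/gzinflate payload, crawler-only cloaking keyed on the User-Agent, a backdoor gated on a `pw`/`pass` request variable, curl fetch followed by a local file write). The second parses Apache combined-format access log lines and groups POST requests to PHP files in places that should never receive POSTs (such as `wp-content/languages/mo/index.php` or `wp-admin/includes/version.php`) by client IP, which is the pattern Chris picked the attacker out by. All file contents, paths and log lines below are constructed for illustration; the indicator list and the "suspicious path" rule are assumptions about what a quick manual grep would look for, not a complete malware signature set.

```python
"""Triage helpers for a backdoored WordPress install (added example).

Runs offline on constructed sample data embedded at the bottom.
"""
import re
from collections import defaultdict

# Idioms that are rare in legitimate WordPress core/plugin code but common in
# injected backdoors: (label, compiled regex). Assumed indicators, not a
# complete signature set.
INDICATORS = [
    ("eval-of-decoded-payload",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("crawler-cloaking",  # UA check and crawler name within 80 chars of each other
     re.compile(r"(googlebot|bingbot|yandex|slurp).{0,80}HTTP_USER_AGENT"
                r"|HTTP_USER_AGENT.{0,80}(googlebot|bingbot|yandex|slurp)", re.I | re.S)),
    ("request-gated-backdoor",  # code that only activates with a secret request variable
     re.compile(r"\$_(POST|GET|REQUEST)\s*\[\s*['\"](pw|pass|password|key)['\"]\s*\]", re.I)),
    ("curl-to-file-write",  # fetch a remote URL, then write it to the local disk
     re.compile(r"curl_exec.{0,200}(fwrite|file_put_contents)", re.I | re.S)),
]


def scan_php_sources(files):
    """files: dict of relative path -> PHP source text.
    Returns {path: sorted list of indicator labels that matched}."""
    hits = {}
    for path, src in files.items():
        labels = sorted(label for label, rx in INDICATORS if rx.search(src))
        if labels:
            hits[path] = labels
    return hits


# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP files a normal WordPress install never receives POSTs at (assumed rule).
SUSPICIOUS_PATH_RX = re.compile(
    r"^/wp-content/(languages|uploads)/.*\.php$|^/wp-admin/includes/.*\.php$"
)


def triage_access_log(lines):
    """Return {ip: [(timestamp, path, user_agent), ...]} for POST requests
    to PHP files in locations that should never receive POSTs."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RX.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if m.group("method") == "POST" and SUSPICIOUS_PATH_RX.match(path):
            by_ip[m.group("ip")].append((m.group("ts"), path, m.group("ua")))
    return dict(by_ip)


# --- constructed sample data (not the contents of the post's pastebins) ---
SAMPLE_FILES = {
    "wp-includes/post-template.php": (
        "<?php\nfunction wp_x() {\n"
        "  if (preg_match('/googlebot|bingbot/i', $_SERVER['HTTP_USER_AGENT'])) {\n"
        "    eval(base64_decode('aGVsbG8='));\n  }\n"
        "  if (isset($_GET['pw'])) { $c = curl_init($_GET['u']); $d = curl_exec($c);\n"
        "    file_put_contents($_GET['f'], $d); }\n}\n"
    ),
    "wp-includes/functions.php": "<?php\nfunction wp_clean($s) { return trim($s); }\n",
}

SAMPLE_LOG = [
    '24.185.11.54 - - [20/Nov/2010:10:01:02 +0000] "POST /wp-content/languages/mo/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_1 like Mac OS X)"',
    '24.185.11.54 - - [20/Nov/2010:10:01:02 +0000] "POST /wp-content/languages/mo/index.php HTTP/1.1" 200 512 "-" "Python-urllib/2.6"',
    '66.249.71.3 - - [20/Nov/2010:10:02:00 +0000] "GET /2010/11/some-post/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '203.0.113.9 - - [20/Nov/2010:10:03:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Nov/2010:10:04:00 +0000] "POST /wp-admin/includes/version.php HTTP/1.1" 200 10 "-" "curl/7.19"',
]

if __name__ == "__main__":
    for path, labels in scan_php_sources(SAMPLE_FILES).items():
        print(path, "->", ", ".join(labels))
    for ip, reqs in triage_access_log(SAMPLE_LOG).items():
        print(ip, "made", len(reqs), "suspicious POST(s), first UA:", reqs[0][2])
```

On a real install you would feed `scan_php_sources` the contents of every `.php` file under the web root (a plain `find . -name '*.php'` walk) and `triage_access_log` the raw access log; the legitimate `wp-comments-post.php` POST and the Googlebot GET in the sample are there to show that ordinary traffic is not flagged, only POSTs to PHP files that should not exist or should not be reachable.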

Viewing 11 replies - 16 through 26 (of 26 total)
  • The topic ‘Serious hacking threat to newest WordPress?’ is closed to new replies.