• Well, I don’t know where to post this question.

    LAST WEEK, I had a big problem on my WordPress installation. All the plugins were disabled and all the "attachment" post statuses had changed to "post"… As a result, I saw no uploaded files via the admin browser.

    After a short investigation, I saw that the last post in the database had only “ro8kfbsmagtxt” for content…

    I was able to repair the site by using a backup on my server.

    YESTERDAY, I was browsing via SSH on my server and I found in the TMP folder a file called "ro8kfbsmag.txt"… Hum hum. I downloaded it, and it's a PHP script, with a form, and with the title: "Magic Include Shell by Mag icq 884888"

    Well, I don't like it…

    Here is the content of the file… If any WP guru could take care of it, it sounds dangerous to me…

    S.

    ———- ro8kfbsmag.txt —————

    <?php
    /*Magic Include Shell by Mag icq 884888*/
    //TODO: ??èòü ?àé?? íà ?a?é ?ò? (!), eàá?òà ? ?èeàìè (.), e?í?éì ?àé??a (?), ?ò?eàaêà ???ò, ??ò, êóê?a ÷?e?? ??ê?ò? (!!!)
    $ver='1.6';
    if(isset($_GET[pizdecnax]))
    {
    ...

    Large PHP code removed by moderator. You can find this file via google, if you want.

Viewing 15 replies - 31 through 45 (of 46 total)
  • You’re welcome, K3200 – glad I could be of any help.

    One of my WordPress 2.1.2 blogs (Divide and Conquer) got attacked like this during the morning but it looks like it was not entirely successful.

    Collected information and solutions attempted in the codex documentation wiki at

    https://codex.www.ads-software.com/User:Here/Exploits/ro8kfbsmag

    Please help expand and clarify (!)

    [mod edit to link]

    Here I'll expand. Upgrade your f*cking blogs.

    Who gives a crap if some un-upgraded 2.1.x blog got hacked? I don't. You reap what you sow, brother.

    Moved these three articles to Here’s user pages awaiting further expansion of the subject:
    *User:Here/Exploits
    *User:Here/Exploits/ro8kfbsmag
    *User:Here/Exploits/wp-info

    A couple of my sites have been hacked, but I am more interested in prevention – how does one keep a clean site from being hacked? It seems that even 2.5 is vulnerable?

    Chill whooami, this issue is stressful enough… TGIF.

    I thought you said earlier in this post it didn't matter what version one was running (Fort Fricken Knox entry).

    And who wants to be an early adopter with WordPress software? I am running 2.5 on a site but seriously consider it still beta, and I do want to upgrade my oldest/largest site to 2.5 eventually.

    Now back to the issues at hand. Just got hacked this week. Was hacked in 1/08 and today found this thread, thank goodness. As a result I just found the culprit in plugin "commentluv" and am trying to comprehend from this thread what to do with it.

    There are several posts that suggest prevention = https://iboughtamac.com/2008/03/28/protecting-wordpress-from-magic-include-shell/

    There are several links in this post at the bottom that offer "other resources".

    BTW – someone mentioned earlier a quick-scan destination for when something this big happens. This is a big forum and it ain't so easy sometimes to find things.

    Dude, you're the one that needs to chill.

    This thread is identified in the topic title as referring to something that is a PHP rootshell – that it's been cluttered up by countless other crap isn't my doing. I'm not the one with the hacked blog.

    Here is exactly what I said, and you'll see I refer specifically to what was originally identified in the topic title.

    Lastly, as an addendum, ro8kfbsmag.txt is a PHP rootshell. left unnoticed on ANY web site, it does not matter what version of anything someone is using. …..

    You indicate that you were hacked in January. I'll bet you were never "unhacked" – in other words, your site, regardless of what you have done since then, has not been secure since that point.

    whooami, where can I find that ro8kfbsmag.txt file? Or can I search for it across my directories so I can send it to hell where it belongs?

    I’ve upgraded to 2.5 since my blog was hacked, but want to be sure I’m not leaving a backdoor into my database, as I think you’re alluding to as being a possibility.

    I shall never wait to upgrade again.
    I shall never wait to upgrade again.
    I shall never wait to upgrade again.

    Dude works for me. You are positively correct. I have spent the whole day cleaning house going back all the way to 10/07! Fun and games. It helps knowing what the problem is, thank you very much. Also, I just placed a server password on wp-admin if that is a step in the right direction.

    I found my file (maybe there are more) via SQL query =

    SELECT * FROM wp_options WHERE option_name = 'active_plugins';

    If one exists, run the following query = UPDATE wp_options SET option_value='' WHERE option_name='active_plugins';

    David Holder towards the beginning of this thread mentions changing the corrupt code in the uploads and plugins back to the default. I have changed the uploads. Where/how does one find/change the path of the plugins? What is the plugins default path?

    Bits of information, some of it helpful.

    Combinations of attacks have been around since the ole ‘One-Two punch’ and will continue to be around till the end of time.

    There are two questions here, not just one.

    1. How did they gain access to your site?
    This is the initial security concern. What door was open? Do you have a compromised plugin? A tool to allow users to upload photos? A really lax registration policy (new users become admins)? Or a piece of compromised code in the WP install itself?

    The most common form of open door comes from older installations and/or weak plugins that are vulnerable to "SQL Injection" attacks.

    In these attacks, crackers attempt to trick php scripts that accept inputs to execute code in your sql server, dumping the output to their screen. They send requests to the scripts with encoded sql scripts in the post variables. Once they find a vulnerable script, the whole SQL system is open to them, they can reset passwords at will, create new admin users, change passwords, etc.

    Once that is done, they can then gain access through more traditional WordPress features such as the admin dashboard. Using the edit and upload abilities of wordpress they can hide more back doors in the system for later use. In the worst cases, crackers even modify themes to include back door code so all they have to search for, are theme specific references in google to find your site, which is already wide open.

    The second question is; How Can I Secure My Server?
    If you have already been attacked, you may want to sanitize your site. Unfortunately in some cases the only way to tell that you have been compromised is by going through all of your directories and looking for files that should not be there. /tmp/ directories and /uploads/ directories are the most frequent targets. However files can be hidden in wp-admin, wp-content, and other locations without your knowing it.

    This has been a small bit of information… I hope it has been helpful.
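    The post above says the only reliable way to know you are compromised is to walk your directories looking for files that should not be there, with /tmp/ and /uploads/ as the usual drop points. The script below is an added example (not code from this thread or from WordPress) that automates that walk with three checks drawn from the thread: the banner string of the shell named in the topic title, PHP code inside a file that is not named .php (ro8kfbsmag.txt is exactly that), and any .php file sitting under an uploads or tmp directory. The sample tree it scans is constructed in the script so it runs offline; point scan_tree() at your real install root instead.

```python
"""Walk a WordPress install looking for dropped web shells.

Added example, not from the thread. Heuristics: the header string of the
shell named in this thread, PHP code in a non-.php file, and .php files
under uploads/ or tmp/. The sample tree is constructed below so the
script runs offline.
"""
import os
import re
import tempfile

# Markers from the shell's header as quoted in the thread.
SHELL_MARKERS = (
    re.compile(rb"Magic Include Shell", re.I),
    re.compile(rb"\$_GET\[pizdecnax\]"),
)
PHP_OPEN_TAG = re.compile(rb"<\?php|<\?=")
SUSPECT_DIRS = {"uploads", "tmp"}   # directory names where drops were reported


def scan_tree(root):
    """Return sorted (relative_path, reason) pairs for files worth a look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_suspect_dir = bool(SUSPECT_DIRS & set(rel_dir.split(os.sep)))
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)   # a shell's header sits near the top
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if any(m.search(head) for m in SHELL_MARKERS):
                findings.append((rel, "known shell marker"))
            elif PHP_OPEN_TAG.search(head) and ext != ".php":
                findings.append((rel, f"PHP code in {ext or 'extensionless'} file"))
            elif ext == ".php" and in_suspect_dir:
                findings.append((rel, "PHP file in upload/tmp directory"))
    return sorted(findings)


def build_sample_tree():
    """Constructed fixture: benign files plus three planted suspects."""
    root = tempfile.mkdtemp(prefix="wpscan-")

    def put(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    put("wp-content/uploads/2008/03/photo.jpg", b"\xff\xd8\xff\xe0 not really a jpeg")
    put("wp-content/plugins/hello.php", b"<?php /* Hello Dolly */ ?>")
    # Mimics the file described in the thread: PHP with a .txt name in tmp.
    put("tmp/ro8kfbsmag.txt",
        b"<?php\n/*Magic Include Shell by Mag icq 884888*/\n$ver='1.6';\n")
    put("wp-content/uploads/notes.txt", b"<?php echo 'should not be here'; ?>")
    put("wp-content/uploads/2008/x.php", b"<?php echo 1; ?>")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, reason in scan_tree(sample):
        print(f"{reason:36s} {rel}")
```

    Run it against a copy of the site taken before you start deleting things, so you keep the evidence; a hit on "known shell marker" is the file this thread is about, while the other two reasons are things to read before removing.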

    My site has been down two weeks in an effort to get rid of the hack. I've found it in several places. Still don't know how to find it in the plugins as stated above. My uploads are cleaned out. I have not yet successfully converted my pages from posts.

    I wish to upgrade from 2.1.1 to 2.5. Any advice? Should I upgrade now and continue to look for the hack and hopefully change the pages/posts after the upgrade?

    My site is mature with many plugins/widgets. Should I throw the plugins out and upgrade the plugins immediately following the upgrade?

    I had to fix this same problem on a 2.1.2 WP install I’m helping a friend with. I did find the post type changed to post, and fixed that with a query. I also found a suspicious entry in active_plugins in wp_options, but all of the plugins were still activated. I have a feeling it was an aborted attempt, as I can’t locate the .txt file referenced anywhere in the user account, even within the upload directory. Also found the default upload location set to “/../../../../../../../../../../../../../../../tmp/”, and the .txt file pointed to in the active_plugins parameter was:

    /../../../../../../../../../../../../../../tmp/3116725041d8eb2ad71627595648d850.txt

    I’m guessing this is the filename we need to search for. As I can’t find it in any of our directories, I’m having our host search for it.

    One other precaution I took was to rename the "admin" account login name to something else, and give it a really long password of random numbers and letters (upper- and lower-case). Not sure if it will help, but I know that WP does not let you edit the admin account's login name, and it is just one more thing for the hackers to guess at. I did it directly in the database. (UPDATE wp_users SET user_login='whateveryouwant' WHERE ID=1)

    Hope this helps someone! This was an easy fix… and shame on me for not keeping WP current.

    One other thing to check…

    I just found a post made by the hacker, that pointed to the .txt file I referenced above. Since the admin user (ID #1) does not post on this blog, it was easy to find. Not sure if that post was significant or not, but I got rid of it anyway.

    Almost wish I could get rid of the admin user (ID #1) entirely…in fact, I don’t see any reason why we couldn’t, as both of us with logins already have administrator privileges.
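    Two posts in this thread find the backdoor by looking at wp_options: the earlier one queries active_plugins, and the one above reports a traversal entry in active_plugins pointing at a .txt file under /tmp plus an upload_path of "/../../…/tmp/". The script below is an added example (not code from the thread or from WordPress) that takes those two option values, as returned by `SELECT option_name, option_value FROM wp_options WHERE option_name IN ('active_plugins','upload_path');`, decodes the PHP-serialized active_plugins array, flags entries that cannot be a legitimate plugin (traversal, absolute path, not a .php file), and produces a cleaned value to write back with an UPDATE instead of blanking the whole list. The sample values are constructed from what the thread reports; the default upload path it restores ("wp-content/uploads") is an assumption about a 2.x install, so check your own.

```python
"""Audit wp_options values for the indicators reported in this thread.

Added example, not code from the thread or from WordPress. WordPress stores
active_plugins as a PHP-serialized array of 'dir/file.php' strings relative
to wp-content/plugins, so a traversal entry reaching /tmp is the injected one.
Sample values below are constructed from the thread.
"""
import re


def php_unserialize_list(blob):
    """Parse a PHP-serialized flat array of strings: a:N:{i:0;s:L:"...";...}."""
    data = blob.encode("utf-8")            # PHP's s:L counts bytes, not characters
    m = re.match(rb"a:(\d+):\{", data)
    if not m:
        raise ValueError("not a serialized PHP array")
    count, pos, items = int(m.group(1)), m.end(), []
    for _ in range(count):
        m = re.match(rb'i:\d+;s:(\d+):"', data[pos:])
        if not m:
            raise ValueError(f"unexpected token at offset {pos}")
        length, start = int(m.group(1)), pos + m.end()
        if data[start + length:start + length + 2] != b'";':
            raise ValueError("declared string length does not match data")
        items.append(data[start:start + length].decode("utf-8"))
        pos = start + length + 2
    if data[pos:pos + 1] != b"}":
        raise ValueError("missing closing brace")
    return items


def php_serialize_list(items):
    """Inverse of php_unserialize_list, for writing a cleaned value back."""
    body = "".join(f'i:{i};s:{len(v.encode("utf-8"))}:"{v}";'
                   for i, v in enumerate(items))
    return f"a:{len(items)}:{{{body}}}"


PLUGIN_SHAPE = re.compile(r"^[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*\.php$")


def why_suspicious(entry):
    """Return a reason if an active_plugins entry cannot be a real plugin."""
    if ".." in entry.split("/"):
        return "path traversal"
    if entry.startswith("/"):
        return "absolute path"
    if not entry.lower().endswith(".php"):
        return "not a .php file"
    if not PLUGIN_SHAPE.match(entry):
        return "unexpected characters in plugin path"
    return None


def audit_options(options, default_upload_path="wp-content/uploads"):
    """Return (findings, cleaned_options).

    findings: list of (option_name, offending_value, reason).
    cleaned_options: copy with injected plugin entries dropped and upload_path
    reset to default_upload_path (assumed 2.x default, relative to the install
    root) when it pointed outside the install.
    """
    findings, cleaned, keep = [], dict(options), []
    for entry in php_unserialize_list(options.get("active_plugins", "a:0:{}")):
        reason = why_suspicious(entry)
        if reason:
            findings.append(("active_plugins", entry, reason))
        else:
            keep.append(entry)
    cleaned["active_plugins"] = php_serialize_list(keep)
    upload_path = options.get("upload_path", "")
    if ".." in upload_path.split("/") or upload_path.startswith("/"):
        findings.append(("upload_path", upload_path, "points outside the install"))
        cleaned["upload_path"] = default_upload_path
    return findings, cleaned


# Constructed sample mirroring the values reported in the thread.
SAMPLE_OPTIONS = {
    "active_plugins": php_serialize_list([
        "akismet/akismet.php",
        "hello.php",
        "/../../../../../../../../../../../../../../tmp/3116725041d8eb2ad71627595648d850.txt",
    ]),
    "upload_path": "/../../../../../../../../../../../../../../../tmp/",
}

if __name__ == "__main__":
    found, fixed = audit_options(SAMPLE_OPTIONS)
    for name, value, reason in found:
        print(f"{name}: {reason}: {value}")
    print("cleaned active_plugins =", fixed["active_plugins"])
    print("cleaned upload_path    =", fixed["upload_path"])
```

    Write the cleaned active_plugins string back with `UPDATE wp_options SET option_value='…' WHERE option_name='active_plugins';`; keeping the legitimate entries avoids the side effect of the blanking query earlier in the thread, which deactivates every plugin. The flagged .txt path is also the filename to search for on disk, as the post above does.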

  • The topic ‘Weird and Dangerous : ro8kfbsmag.txt’ is closed to new replies.