skitals
Forum Replies Created
Forum: Fixing WordPress
In reply to: Hacked 2.3.3
Are you also getting the “document.write” crap at the bottom of the file? I was up way too late last night figuring everything out. In my case it seemed to be an instance of the xmlrpc exploit which was fixed in the latest WP update. While that hole may be closed, a php shell could have been installed anywhere on your site before you updated. That includes non-system folders you may not have checked or removed when updating, or in my case, scripts were placed in my custom theme directory which I was dumb enough to copy back to my fresh WP installation.
Forum: Fixing WordPress
In reply to: WordPress 2.3.3 HACKED
I’m nearly certain whoever did this used the hacking toolset I posted above. I’m looking through it all now, and it even includes an xmlrpc vulnerability scanner and exploiter, which is what I believe the latest WP security update patches.
So it looks like case closed. It was a known wp vulnerability that was recently patched. The moral of the story is: always keep your installation up to date, and DO NOT BLINDLY COPY BACK YOUR CUSTOMIZED FILES. Perhaps the WP readme should make a point of this in the future. While the vulnerability was plugged, I was still left with the malicious software that was installed.
Forum: Fixing WordPress
In reply to: WordPress 2.3.3 HACKED
Crap. It looks like this may all be my own fault. When my site was first hacked with an ancient wordpress version, yes, I erased my entire http root and installed the latest wp release. But what did I copy back? My wp theme. And what was in my theme directory? TWO HACKED PHP/JAVA SCRIPTS!
One appears to be “nstview”, a file management script included with a lot of “web hacking for newbs” kits. It is tagged at the bottom: <!-- Network security team :: nst.void.ru -->
The other is “C99madShell v. 2.0 madnet edition” which also looks to be a remote file manager.
Now, I have no way of knowing if these are from a related hack, but clearly these are wide open backdoors that hackers somehow installed on my OLD wordpress installation. I can’t believe I’m dense enough to not thoroughly check my personal theme directory when I was trying to be so meticulous in my upgrade.
With these files removed (that entire theme directory, actually), I guess it’s now just a game of wait and see. I should do a fine search to see if anything else has been tampered with while this backdoor was in place.
Interestingly enough BOTH of these shell scripts as well as “PHP Injection Scanner” tools were recently posted in a “web hacking tools collection” posted on this script kiddie site: https://www.katzforums.com/showthread.php?t=50022 No doubt that package has everything that was used in this exploit.
The only question that remains is: is my site still vulnerable?
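An added example, not part of the original posts: a small Python sweep for the kind of search described above. It flags script files containing the shell names quoted in the thread, `document.write` appended to the end of a PHP file, and permissions looser than the 644 mentioned; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Strings quoted in the posts above. A hit is a lead for manual review, not proof.
MARKERS = (b"nst.void.ru", b"nstview", b"c99madshell")
EXTS = (".php", ".phtml", ".js", ".html")

def audit_tree(root):
    """Return sorted (relative_path, reasons) for files that need a manual look."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not name.lower().endswith(EXTS):
                continue
            with open(path, "rb") as fh:
                data = fh.read().lower()
            reasons = ["marker " + m.decode() for m in MARKERS if m in data]
            # Script appended to the end of a PHP file, as in the first post.
            if name.lower().endswith(".php") and b"document.write" in data[-2048:]:
                reasons.append("document.write near end of file")
            # The thread treats 644 as expected: flag group/world-writable files.
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("mode %o is group/world-writable" % stat.S_IMODE(st.st_mode))
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: harmless stand-ins, no real shell code."""
    files = {
        "wp-settings.php": (b"<?php // core ?>\n<script>document.write('x')</script>\n", 0o644),
        "wp-content/themes/custom/index.php": (b"<?php get_header(); ?>\n", 0o644),
        "wp-content/themes/custom/tools.php": (b"<!-- Network security team :: nst.void.ru -->\n", 0o644),
        "wp-content/themes/custom/style.php": (b"<?php // clean ?>\n", 0o666),
    }
    for rel, (body, mode) in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reasons in audit_tree(tmp):
            print(rel, "->", "; ".join(reasons))
```

A clean result only means none of these specific strings were found; comparing every file against a fresh copy of the release is still the stronger check.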
Forum: Fixing WordPress
In reply to: WordPress 2.3.3 HACKED
We will see. I gave them a link to this thread as reference. I’ve yet to hear back from them.
Forum: Fixing WordPress
In reply to: WordPress 2.3.3 HACKED
I checked my permissions of wp-settings.php (the file hacked), and it is set to 644, which I BELIEVE is correct. Please let me know if this shines any new light on the issue.
Forum: Fixing WordPress
In reply to: WordPress 2.3.3 HACKED
Ok, a support ticket has been sent to dreamhost. Sorry I was so quick to blame this on WP, I just forgot how many variables there are involved in this, especially when running a site on a shared server I don’t administer. I was just under the impression dreamhost was more security conscious than this ??
Forum: Fixing WordPress
In reply to: WordPress 2.3.3 HACKED
Ok, I will be contacting dreamhost… but regarding permissions… how should I set my permissions for a wordpress install? You know how WP is, with the over-simplified instructions. I will be honest, I didn’t do anything but upload all the files and run the upgrade script.
Forum: Fixing WordPress
In reply to: WordPress 2.3.3 HACKED
As far as I can tell, the only file modified this time around was wp-settings.php. Removing the code from that file fixed my rss feed, but there still may be more modified files that I can’t find as there was last time.
Forum: Fixing WordPress
In reply to: Odd pingback contents
Er, I meant to say, “I just updated to WordPress 1.5.1.3 (from 1.5.1.2)”