
Another Day, Another WordPress Hack.

It could have been worse.

A few weeks ago we were hit with an SMF v1.1.3 exploit just a few days after the release of v1.1.4. The intruder inserted a slew of hidden spam links into the main ‘index.php’ file.

It took me a day or two to detect the modifications. In that short time period forums.devside.net, which has been online since 2003 with a healthy PageRank, had all its pages dropped from Google [with the exception of profiles and archives].

It’s a good thing I keep the forums on their own sub-domain, which Google treats more like a separate domain than anything else. A search-engine problem with the sub-domain does not affect the main domain.

As a counter-measure to these “exploit app weakness, get shell, d/l script, profit” type of attacks, I have disabled most of the shell related PHP functions on the server.

And so I thought my problems were solved…

This time it’s my fault. I was running WordPress v2.2.2, with v2.2.3 having been released about a month ago. I’ve been checking the WP dashboard, but I must have missed it, or forgotten about it.

This time the intruder exploited one of many WP weaknesses and inserted some type of hidden “-1” post that was nothing more than an attachment to this particular shell-script, executed with the URL ‘/blog/?poncheg’…

[Screenshot: WordPress Hack 1]

[Screenshot: WordPress Hack 2]

217.118.81.46 - - [08/Oct/2007:07:10:20 -0400] "GET /wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 404 520 "-" "-"
217.118.81.46 - - [08/Oct/2007:07:10:25 -0400] "GET / HTTP/1.0" 200 12071 "-" "-"
217.118.81.46 - - [08/Oct/2007:07:10:35 -0400] "GET /blog/wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 200 7665 "-" "-"
217.118.81.46 - - [08/Oct/2007:07:11:01 -0400] "POST /blog/xmlrpc.php HTTP/1.0" 200 4327 "-" "Opera"
217.118.81.46 - - [08/Oct/2007:07:11:49 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 200 1647 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
217.118.81.46 - - [08/Oct/2007:07:11:56 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 302 904 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
217.118.81.46 - - [08/Oct/2007:07:11:59 -0400] "POST /blog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 200 1554 "http://www.devside.net/blog/upload.php?style=inline&tab=upload&post_id=-1" "Opera"
217.118.81.46 - - [08/Oct/2007:07:12:14 -0400] "POST /blog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 302 509 "http://www.devside.net/blog/upload.php?style=inline&tab=upload&post_id=-1" "Opera"
217.118.81.46 - - [08/Oct/2007:07:12:25 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 200 1629 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
217.118.81.46 - - [08/Oct/2007:07:12:30 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 302 904 "http://www.devside.net/blog/wp-admin/options.php" "Opera"
217.118.81.46 - - [08/Oct/2007:07:12:33 -0400] "GET /blog/wp-admin/upgrade.php?step=1 HTTP/1.0" 200 1446 "-" "-"
...
82.103.135.182 - - [08/Oct/2007:07:12:48 -0400] "GET /blog/?poncheg HTTP/1.0" 200 4789 "-" "Opera/9.22 (Windows NT 5.1; U; ru)"
...
whois 217.118.81.46
JSC "VimpelCom" WLAN1 Moscow

resolveip 82.103.135.182
Host name of 82.103.135.182 is vps206.fastvps.ru
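As an added defender-side example that is not part of the original post: a small Python script that parses Apache combined-format lines like the ones above and flags any client that hits several of the admin-write endpoints seen in this trail (xmlrpc.php, options.php, an upload to post_id=-1, upgrade.php) within a short window. The indicator names, the 600-second window, the threshold and the 192.0.2.10 line are assumptions constructed for the example; the other sample lines are taken from the log above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined-log pattern: host, timestamp, request line, status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical indicator names -> (method, path substring) for the requests in the trail above.
INDICATORS = {
    "xmlrpc_post": ("POST", "/xmlrpc.php"),
    "options_write": ("POST", "/wp-admin/options.php"),
    "orphan_upload": ("POST", "post_id=-1"),
    "upgrade_run": ("GET", "/wp-admin/upgrade.php"),
}

# Sample input: three lines from the access log above plus one constructed benign request.
SAMPLE_LOG = [
    '217.118.81.46 - - [08/Oct/2007:07:11:01 -0400] "POST /blog/xmlrpc.php HTTP/1.0" 200 4327 "-" "Opera"',
    '217.118.81.46 - - [08/Oct/2007:07:11:56 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 302 904 "http://www.devside.net/blog/wp-admin/options.php" "Opera"',
    '217.118.81.46 - - [08/Oct/2007:07:12:14 -0400] "POST /blog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 302 509 "http://www.devside.net/blog/upload.php?style=inline&tab=upload&post_id=-1" "Opera"',
    '192.0.2.10 - - [08/Oct/2007:07:12:48 -0400] "GET /blog/ HTTP/1.0" 200 4789 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def suspicious_clients(lines, window_seconds=600, min_indicators=2):
    """Return {ip: sorted indicator names} for each client that triggers at least
    min_indicators distinct indicators within window_seconds of a single start event."""
    hits = defaultdict(list)  # ip -> [(timestamp, indicator name)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, (method, needle) in INDICATORS.items():
            if rec["method"] == method and needle in rec["path"]:
                hits[rec["ip"]].append((rec["ts"], name))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            names = {n for t, n in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(names) >= min_indicators:
                flagged[ip] = sorted(names)
                break
    return flagged
```

Run it over a real access log by feeding the file's lines to suspicious_clients; the single-IP grouping is what makes this sequence stand out, since each request on its own looks like ordinary admin activity.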

Luckily, in addition to the disabled PHP functions, I also had all my file/dir permissions under WP locked down, so it does not look like anything was modified. I still recreated the entire WP directory, just for safety’s sake, and had to manually go into the database and delete the hidden attachment/post.

It’s not a matter of if you are going to get hacked, it’s a matter of when. So keep those web apps patched!

Categories: Hack, WordPress
  1. Mike
    October 9th, 2007 at 15:51 | #1

    This is why backing up your data at regular intervals and running your web services on locked down machines is critical.

  2. n0neXn0ne
    October 15th, 2007 at 11:27 | #2

    tripwire all the way;)

  3. admin
    October 15th, 2007 at 11:39 | #3

    I’ve been told that out of the Tripwire, AIDE, etc. file integrity checkers group, Samhain is the better choice.

  4. poncheg
    October 16th, 2007 at 14:03 | #4

    you stupid admin :) Russian hackers forever :)

  5. Codenaur
    April 28th, 2008 at 03:52 | #5

    Poncheg, you are not a hacker, you are a skid. kthx

    Also, if you want a secure site, write your own CMS/blog/whatever

  6. May 4th, 2008 at 16:06 | #6

    I have worked with WP a few times and the code is an absolute disgrace. Those guys sure haven’t heard of the DRY principle. If their code wasn’t so repetitive maybe there wouldn’t be so many security issues. Check out the site ‘milw0rm’ to have a look at a catalog of other issues.
