It could have been worse.
A few weeks ago we were hit with an SMF v1.1.3 exploit just a few days after the release of v1.1.4. The intruder inserted a slew of hidden spam links into the main ‘index.php’.
It took me a day or two to detect the modification. And in this short time period forums.devside.net, which has been online since 2003, with a healthy Pagerank, had all it’s pages dropped from Google [with the exception of profiles and archives].
It’s a good thing I keep the forums on it’s own sub-domain, which Google treats more like a separate domain than anything else. A SE problem with the sub does not affect the main domain.
As a counter-measure to these “exploit app weakness, get shell, d/l script, profit” type of attacks, I disabled most of the shell related PHP functions.
And so I thought my problems where solved…
This time it’s my fault. I was running WordPress v2.2.2, with v2.2.3 having been released about a month ago. I’ve been checking the WP dashboard, but I must have missed it, or forgotten about it.
This time the intruder exploited one of many WP weaknesses, and inserted some type of a hidden “-1″ post that was nothing more than an attachment to this particular shell-script, executed with URL ‘/blog/?poncheg’…
217.118.81.46 - - [08/Oct/2007:07:10:20 -0400] "GET /wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 404 520 "-" "-" 217.118.81.46 - - [08/Oct/2007:07:10:25 -0400] "GET / HTTP/1.0" 200 12071 "-" "-" 217.118.81.46 - - [08/Oct/2007:07:10:35 -0400] "GET /blog/wp-includes/js/tinymce/wp-mce-help.php HTTP/1.0" 200 7665 "-" "-" 217.118.81.46 - - [08/Oct/2007:07:11:01 -0400] "POST /blog/xmlrpc.php HTTP/1.0" 200 4327 "-" "Opera" 217.118.81.46 - - [08/Oct/2007:07:11:49 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 200 1647 "http://www.devside.net/blog/wp-admin/options.php" "Opera" 217.118.81.46 - - [08/Oct/2007:07:11:56 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 302 904 "http://www.devside.net/blog/wp-admin/options.php" "Opera" 217.118.81.46 - - [08/Oct/2007:07:11:59 -0400] "POST /blog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 200 1554 "http://www.devside.net/ blog/upload.php?style=inline&tab=upload&post_id=-1" "Opera" 217.118.81.46 - - [08/Oct/2007:07:12:14 -0400] "POST /blog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 302 509 "http://www.devside.net/b log/upload.php?style=inline&tab=upload&post_id=-1" "Opera" 217.118.81.46 - - [08/Oct/2007:07:12:25 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 200 1629 "http://www.devside.net/blog/wp-admin/options.php" "Opera" 217.118.81.46 - - [08/Oct/2007:07:12:30 -0400] "POST /blog/wp-admin/options.php HTTP/1.0" 302 904 "http://www.devside.net/blog/wp-admin/options.php" "Opera" 217.118.81.46 - - [08/Oct/2007:07:12:33 -0400] "GET /blog/wp-admin/upgrade.php?step=1 HTTP/1.0" 200 1446 "-" "-" ... 82.103.135.182 - - [08/Oct/2007:07:12:48 -0400] "GET /blog/?poncheg HTTP/1.0" 200 4789 "-" "Opera/9.22 (Windows NT 5.1; U; ru)" ...
whois 217.118.81.46 JSC "VimpelCom" WLAN1 Moscow resolveip 82.103.135.182 Host name of 82.103.135.182 is vps206.fastvps.ru
Luckily, in addition to the disabled PHP functions, I also had all my file/dir permissions under WP locked down, so it does not look like anything was modified. I still recreated the entire WP directory, just for safety sakes, and had to manually go into the database and delete the hidden attachment/post.
It’s not a matter of if you are going to get hacked, it’s a matter of when. So keep those web apps patched!