• Hi! One of my sites was hacked. Some bot had modified category.php – instead of showing the posts of a certain category it was showing a file upload form.

    Then I did some digging, and this is what I found in the web server logs:

    77.247.181.165 - - [20/Oct/2014:07:38:11 +0400] "GET /wp-login.php HTTP/1.1" 200 3578 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:38:13 +0400] "POST /wp-login.php HTTP/1.1" 302 1 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:38:16 +0400] "GET /wp-admin/ HTTP/1.1" 200 59000 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:38:20 +0400] "GET /wp-admin/ HTTP/1.1" 200 59000 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:38:26 +0400] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 68294 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:38:28 +0400] "GET /wp-admin/theme-editor.php?file=category.php&theme=sometheme HTTP/1.1" 200 43929 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:38:29 +0400] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 1 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:38:33 +0400] "GET /theme-editor.php?file=category.php&theme=sometheme&scrollto=0&updated=true HTTP/1.1" 404 25658 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:38:37 +0400] "POST /wp-content/themes/sometheme/category.php HTTP/1.1" 200 46 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:38:39 +0400] "GET /wp-content/themes/sometheme/wp-upload.php HTTP/1.1" 200 - "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:38:39 +0400] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 68395 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:38:42 +0400] "GET /wp-admin/theme-editor.php?file=category.php&theme=sometheme HTTP/1.1" 200 45418 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:38:46 +0400] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 1 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:38:52 +0400] "GET /theme-editor.php?file=category.php&theme=sometheme&scrollto=0&updated=true HTTP/1.1" 404 25658 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:38:55 +0400] "POST /wp-content/themes// HTTP/1.1" 200 - "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:38:55 +0400] "GET /wp-content/themes//wp-upload.php HTTP/1.1" 301 1 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:39:03 +0400] "GET /wp-content/themes/wp-upload.php HTTP/1.1" 404 25597 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:39:08 +0400] "POST /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 42445 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:39:09 +0400] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 35580 "https://somesite.com/wp-admin/plugin-install.php?tab=upload" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"
    77.247.181.165 - - [20/Oct/2014:07:39:14 +0400] "GET /wp-content/uploads/2014/10/maink.php HTTP/1.1" 200 88800 "https://somesite.com/wp-admin/plugin-install.php?tab=upload" "Opera/9.80 (Windows NT 5.1); U) Presto/2.7.62 Version/11.00"

    I couldn't find any other requests to category.php, so I think this is the moment my file was changed.

    Can anyone tell me if I am right or wrong in my assumption that this bot knows the username and password and successfully enters the website administration page?

    And I couldn't work out what this bot was doing from 07:38:39 on. I think wp-upload.php is the file it uploaded via the upload form, but the reason for the other actions is not clear.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Are you still cleaning up your hacked website?

    Thread Starter Max Sharlaev

    (@e13)

    Andrew, I have already cleaned it up – at least what I could find (there were lots of files and code inserts). Now I am trying to understand how the attacker got in, and, if possible, what exactly he did.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Just to be clear, you’re aware of the PHP file in your uploads directory?

    The pattern of page visits in your logs appears to be a manual login and edit of each of those files. Note that each step that a person would have to take to get to the file editor was taken. A bot would have logged in and posted directly to /wp-admin/theme-editor.php.

    Check to see if there is a new administrator user on the site and look in your plugins and themes folders for any unused or outdated plugins and/or themes.

    The fact that there were not large numbers of attempts to POST to wp-login.php means that the user that did this has a username and password. If you have backups of your site, I would use one from before [20/Oct/2014:07:38:11 +0400] and update all plugins and themes.
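The reasoning in this reply (few POSTs to wp-login.php followed by an authenticated wp-admin page, POSTs to theme-editor.php, a plugin ZIP upload, then a 200 for a PHP file under wp-content/uploads/) can be turned into a repeatable check over the whole access log, which also answers the original question of whether the login was credentialed rather than brute-forced. The script below is an added example and is not code from the thread or from WordPress. The log lines in it are constructed for the example (documentation-range IP addresses, a placeholder uploaded file name, the theme name from the thread), and the threshold of five login POSTs that separates "had a password" from "guessing passwords" is an assumption, not something the thread states.

```python
"""Triage of a combined-format web access log for the WordPress admin-abuse
sequence discussed in this thread.

Added example, not code from the thread or from WordPress.  The log lines
below are constructed for the example; they only mimic the shape of the
OP's log (addresses are from RFC 5737 documentation ranges and the uploaded
file name is a placeholder).
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format; nginx's default "combined" log_format is the same.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    e["url"] = e["path"].split("?", 1)[0]  # path without the query string
    return e


def triage(lines, max_login_posts=5):
    """Return {ip: [verdict, ...]} for every client that did something suspicious.

    The verdicts follow the reasoning in the thread: a client that reaches a
    /wp-admin/ page (200) after at most `max_login_posts` POSTs to
    wp-login.php had working credentials rather than guessing them; a POST to
    theme-editor.php is a theme file edit; update.php?action=upload-plugin is
    a plugin ZIP upload; a 200 for a .php file under wp-content/uploads/ means
    PHP was executed from the uploads directory.  The threshold is an assumption.
    """
    per_ip = defaultdict(lambda: {
        "login_posts": 0, "admin_reached": False, "theme_editor_posts": 0,
        "plugin_upload": False, "uploads_php_hits": [],
    })
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        f = per_ip[e["ip"]]
        url, method, status = e["url"], e["method"], e["status"]
        if url == "/wp-login.php" and method == "POST":
            f["login_posts"] += 1
        elif url.startswith("/wp-admin/") and status == 200 and f["login_posts"] > 0:
            f["admin_reached"] = True  # an admin page served after a login POST
        if url == "/wp-admin/theme-editor.php" and method == "POST":
            f["theme_editor_posts"] += 1
        if (url == "/wp-admin/update.php" and method == "POST"
                and "action=upload-plugin" in e["path"]):
            f["plugin_upload"] = True
        if url.startswith("/wp-content/uploads/") and url.endswith(".php") and status == 200:
            f["uploads_php_hits"].append(url)

    findings = {}
    for ip, f in per_ip.items():
        verdicts = []
        if f["admin_reached"] and f["login_posts"] <= max_login_posts:
            verdicts.append("reached wp-admin with valid credentials (no brute force seen)")
        elif f["login_posts"] > max_login_posts:
            verdicts.append(f"{f['login_posts']} POSTs to wp-login.php (brute force attempt)")
        if f["theme_editor_posts"]:
            verdicts.append(f"{f['theme_editor_posts']} theme file edit(s) via theme-editor.php")
        if f["plugin_upload"]:
            verdicts.append("plugin ZIP uploaded via update.php?action=upload-plugin")
        for url in f["uploads_php_hits"]:
            verdicts.append(f"PHP executed from the uploads directory: {url}")
        if verdicts:
            findings[ip] = verdicts
    return findings


UA = '"Mozilla/5.0 (constructed sample)"'


def _line(ip, ts, req, status, size, ref="-"):
    """Build one constructed combined-format log line for the sample."""
    return f'{ip} - - [20/Oct/2014:{ts} +0400] "{req} HTTP/1.1" {status} {size} "{ref}" {UA}'


# Constructed sample: one credentialed attacker, one brute-forcer, one normal visitor.
SAMPLE_LOG = [
    _line("203.0.113.7", "07:38:11", "GET /wp-login.php", 200, 3578),
    _line("203.0.113.7", "07:38:13", "POST /wp-login.php", 302, 1),
    _line("203.0.113.7", "07:38:16", "GET /wp-admin/", 200, 59000),
    _line("203.0.113.7", "07:38:28", "GET /wp-admin/theme-editor.php?file=category.php&theme=sometheme", 200, 43929),
    _line("203.0.113.7", "07:38:29", "POST /wp-admin/theme-editor.php", 302, 1),
    _line("203.0.113.7", "07:39:09", "POST /wp-admin/update.php?action=upload-plugin", 200, 35580,
          "https://example.com/wp-admin/plugin-install.php?tab=upload"),
    _line("203.0.113.7", "07:39:14", "GET /wp-content/uploads/2014/10/shell.php", 200, 88800),
    _line("192.0.2.5", "08:10:00", "GET /category/news/", 200, 12000),
] + [_line("198.51.100.9", f"09:00:{i:02d}", "POST /wp-login.php", 200, 3578) for i in range(12)]


if __name__ == "__main__":
    for ip, verdicts in triage(SAMPLE_LOG).items():
        print(ip)
        for v in verdicts:
            print("   ", v)
```

Run against a real log with `triage(open("access.log").readlines())`; a client that appears with the first verdict and no brute-force history is the one whose credentials to reset first, and every URL in the "PHP executed from the uploads directory" verdicts is a file to pull from disk for analysis before deleting it.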

    Thread Starter Max Sharlaev

    (@e13)

    Andrew, yes, I've deleted this file. For now it seems all the malware is cleared (caught the last one today – it didn't contain an eval function, so I couldn't find it at once).

    Benjamin Cool, thank you, I hadn't noticed that a bot would go directly to /wp-admin/theme-editor.php. All other actions look like bot activity (many files were created in random directories and a certain line of code was inserted into random existing files).

    I've checked the users – there were no new administrators. I think the attacker could have used my colleague's account, because I have quite a strong password.

    I think I should reinstall WP and check the theme files. Now I see periodic POST requests to wp-login.php, like somebody is trying to brute-force my site. I hope the security plugin will handle brute force well.

  • The topic ‘WordPress security question’ is closed to new replies.