• Resolved: adamprato (@adamprato)

    A while back our hosting provider said we had a spam script installed and threatened to remove our account if we didn't eliminate the vulnerability. After some research (I manually cleaned up 70+ backdoors...) a friend told me about Wordfence. After installing that, it found a backdoor I had overlooked.

    Since I started running it, it has caught two vulnerabilities recently. In both cases the scripts were newly added.

    For the most recent one, I have a log of what seems to be the attack:

    178.162.205.3 - - [04/Jan/2015:14:09:50 +0000] "GET /images/jquery.php HTTP/1.1" 404 665 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0"
    75.127.224.10 - - [04/Jan/2015:14:09:52 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 776 "https://site/wp-admin/admin.php?page=WordfenceSecOpt" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
    75.127.224.10 - - [04/Jan/2015:14:09:54 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 776 "https://site/wp-admin/admin.php?page=WordfenceSecOpt" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
    75.127.224.10 - - [04/Jan/2015:14:09:56 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 776 "https://site/wp-admin/admin.php?page=WordfenceSecOpt" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
    178.162.205.3 - - [04/Jan/2015:14:09:55 +0000] "GET /images/jquery.php?q=Pass12$ HTTP/1.1" 404 664 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0"
    178.162.205.3 - - [04/Jan/2015:14:09:58 +0000] "GET /jquery.php?q=Pass12$ HTTP/1.1" 200 86301 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0"

    The first entry is a 404 of the attacker trying to access a backdoor. Then my IP apparently keeps refreshing the Wordfence page. Then there's the attacker's IP with two consecutive hits: a 404 and a success once the hack is installed.

    Any ideas how that could possibly have been installed when the only two results were a 404 and a 200? Those consecutive log entries were not altered, and nothing occurred in between (unless the attacker scoured the logs...).

    I can provide an example of the backdoor if anyone is curious. It appears to be preg('/.*/e,$code); where $code has the eval(gzinflate(uudecode())) crap in it.
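Two checks a responder would run on a case like the one in the post above, written here as an added example (this is not the poster's code, and not Wordfence's): first, pull direct requests for .php files that a stock WordPress install would not normally serve out of the access log, and pair a 200 on such a file with the same client's earlier 404s for the same file name, which is the probe-then-hit shape the poster describes; second, grep PHP source for the backdoor construction the post names, preg_replace() with the /e modifier (PHP before 7.0 evaluates the replacement string as code) wrapping an eval() of a compressed or encoded payload. The sample log lines are constructed from the ones in the post (the repeated admin-ajax refreshes are collapsed to one), the sample backdoor source is constructed to match the poster's description, and the allowlist of "expected" PHP entry points is an assumption about a stock install that a real site would tune.

```python
"""Triage helpers: suspicious .php hits in an access log, and a source scan for
the preg_replace-/e + eval(gzinflate(...)) backdoor shape. Added example."""
import os
import re
from datetime import datetime

# Constructed sample, modelled on the log lines in the post (same IPs, paths,
# status codes and sizes; the repeated admin-ajax.php refreshes collapsed to one).
SAMPLE_LOG = r'''178.162.205.3 - - [04/Jan/2015:14:09:50 +0000] "GET /images/jquery.php HTTP/1.1" 404 665 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0"
75.127.224.10 - - [04/Jan/2015:14:09:52 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 776 "https://site/wp-admin/admin.php?page=WordfenceSecOpt" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"
178.162.205.3 - - [04/Jan/2015:14:09:55 +0000] "GET /images/jquery.php?q=Pass12$ HTTP/1.1" 404 664 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0"
178.162.205.3 - - [04/Jan/2015:14:09:58 +0000] "GET /jquery.php?q=Pass12$ HTTP/1.1" 200 86301 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0"
'''

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Direct .php requests a stock WordPress install legitimately receives (assumed
# allowlist; tune per site). Everything else ending in .php is worth a look,
# because WordPress routes normal front-end traffic through index.php.
KNOWN_PHP = {"/index.php", "/wp-login.php", "/wp-cron.php", "/xmlrpc.php",
             "/wp-trackback.php", "/wp-comments-post.php"}
KNOWN_PHP_PREFIXES = ("/wp-admin/", "/wp-includes/")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["path"], _, e["query"] = e["target"].partition("?")
        e["status"] = int(e["status"])
        e["size"] = 0 if e["size"] == "-" else int(e["size"])
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def is_unexpected_php(path):
    """True for a direct .php request outside the assumed WordPress entry points."""
    if not path.lower().endswith(".php"):
        return False
    return path not in KNOWN_PHP and not path.startswith(KNOWN_PHP_PREFIXES)


def find_suspicious_php_hits(entries):
    return [e for e in entries if is_unexpected_php(e["path"])]


def find_probe_then_hit(entries, window_s=120):
    """Pair each 200 on an unexpected .php file with the same client's earlier
    404s for the same file name inside the window: an operator guessing where
    their shell lives produces exactly this sequence."""
    pairs = []
    for hit in entries:
        if hit["status"] != 200 or not is_unexpected_php(hit["path"]):
            continue
        name = os.path.basename(hit["path"])
        probes = [p for p in entries
                  if p["ip"] == hit["ip"] and p["status"] == 404
                  and os.path.basename(p["path"]) == name
                  and 0 <= (hit["time"] - p["time"]).total_seconds() <= window_s]
        if probes:
            pairs.append((hit, probes))
    return pairs


# Source signatures for the backdoor shape described in the post. These are the
# author's own regexes for this example, not Wordfence's rules.
PHP_SIGNATURES = {
    # preg_replace('<delim>...<delim><mods>', ...) where <mods> contains 'e'
    "preg_replace_e": re.compile(
        r"preg_replace\s*\(\s*(['\"])(\W)(?:(?!\2).)*\2[a-zA-Z]*e[a-zA-Z]*\1"),
    # eval() fed directly by a decompress/decode call (gzinflate, uudecode, ...)
    "eval_of_decoder": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13|convert_uudecode)\s*\("),
}

# Constructed sample matching the poster's description (payload elided).
SAMPLE_BACKDOOR = r'''<?php
$code = 'eval(gzinflate(convert_uudecode("...")));';
preg_replace('/.*/e', $code, 'payload');
'''


def scan_php_source(src):
    """Names of the signatures that match the given PHP source, sorted."""
    return sorted(name for name, rx in PHP_SIGNATURES.items() if rx.search(src))


def scan_tree(root):
    """Walk a document root and report .php files matching any signature."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, f)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    sigs = scan_php_source(fh.read())
            except OSError:
                continue
            if sigs:
                findings[full] = sigs
    return findings


if __name__ == "__main__":
    for hit, probes in find_probe_then_hit(parse_log(SAMPLE_LOG)):
        print(f"{hit['ip']} hit {hit['path']} ({hit['size']} bytes) after "
              f"{len(probes)} 404 probe(s) for the same file name")
    print("backdoor sample matches:", scan_php_source(SAMPLE_BACKDOOR))
```

The log pairing only shows the shell being used, not how it arrived; a 200 with an 86 KB body on a file the site never had is the point to pivot from to file modification times, FTP/SFTP and cPanel logs, and the other sites on the same host. The source scan is deliberately narrow (the /e modifier was deprecated in PHP 5.5 and removed in 7.0, so legitimate code almost never matches); widen it only after reviewing what it turns up.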

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Hacks keep appearing.’ is closed to new replies.