• I’m observing someone in Moldova using my box as a spam relay via WP.

    I host multiple installations of WP online, and for the past week have been seeing large HTTP POST entries in the logs with a file attached. I then see an outgoing email from sendmail as “[email protected]” going to some email address with a SPAM message attached.

    A quick iptables rule to block the offending IP address has stopped it, for now, but I am running the latest version of WP with few plugins (or none, on some sites) and appear to be seeing an exploit of the core WP install itself? I need a more permanent solution.

    I’ve seen a few other posts here similar to this, but with no apparent resolution. I’m fairly confident I don’t have a tainted install.

    Here’s an example of the logs: (Logs truncated and code modified for safety)

    95.65.31.32 - - [15/Jun/2012:20:54:34 -0400] "POST /blog/ HTTP/1.1" 404 297 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Geck$
    95.65.31.32 - - [15/Jun/2012:20:54:34 -0400] "POST /blog/?s=google HTTP/1.1" 404 297 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.$
    95.65.31.32 - - [15/Jun/2012:20:54:34 -0400] "POST /blog/wp-atom.php HTTP/1.1" 404 308 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.$
    95.65.31.32 - - [15/Jun/2012:20:54:35 -0400] "POST /blog/wp-login.php HTTP/1.1" 404 309 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1$
    95.65.31.32 - - [15/Jun/2012:20:54:35 -0400] "POST /blog/wp-login.php HTTP/1.1" 100 0 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8$
    95.65.31.32 - - [15/Jun/2012:20:54:36 -0400] "file=QGV2YWwoZGVjcnlwdCgiMXFPbG5OcFpXc0dCdExTR2kxdWRtczJhV1pTUGJGYUdwTm5DbVpWeFdhVEdtS0dseWxOeGJEdUp4Nl$
    95.65.31.32 - - [15/Jun/2012:20:55:24 -0400] "POST / HTTP/1.1" 200 32 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 $
    95.65.31.32 - - [15/Jun/2012:20:55:24 -0400] "POST / HTTP/1.1" 100 0 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 F$
    95.65.31.32 - - [15/Jun/2012:20:55:24 -0400] "file=QGV2YWwoZGVjcnlwdCgicmFHc25xZGZWTUcyZ0xXSGxGeWV6cVNZWUpaY2NsQ0cyYVhEbXA1eVd0aWRscWlubDFscmJIQlZ5S1$
    74.68.115.211 - - [-] "" ESMTP 0 "" ""
    74.68.115.211 - - [15/Jun/2012:20:55:26 -0400] "EHLO myhost.myhost.com" - 0 "" ""
    74.68.115.211 - - [15/Jun/2012:20:55:26 -0400] "MAIL From:<[email protected]>" 2.1.0 0 "" ""
    74.68.115.211 - - [15/Jun/2012:20:55:26 -0400] "RCPT To:<[email protected]>" 2.1.5 0 "" ""
    74.68.115.211 - - [15/Jun/2012:20:55:26 -0400] "DATA" End 0 "" ""
    74.68.115.211 - - [15/Jun/2012:20:55:26 -0400] "Received: from myhost.myhost.com (localhost.localdomain [127.0.0.1])" 2.0.0 0 "" ""
    74.68.115.211 - - [15/Jun/2012:20:55:26 -0400] "QUIT" 2.0.0 0 "" ""
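A small log triage script, added here as an example and not part of the thread or of WordPress, that checks for the two things the logs above show: a dumped `file=` body that base64-decodes to an `@eval(` call, and a POST that is followed within a short window by an outbound `MAIL From:` in the mail log. The sample lines, IPs and payload are constructed; the `$` at the end of a line is treated as a terminal truncation marker, as in the quoted logs.

```python
import base64
import re
from datetime import datetime, timedelta

# Constructed sample input modelled on the lines quoted above (documentation
# IPs, made-up payload). The thread's own "file=" lines start with
# QGV2YWwoZGVjcnlwdCgi, which is base64 for @eval(decrypt(" .
PAYLOAD = base64.b64encode(b'@eval(decrypt("constructed"));').decode()
ACCESS_LOG = f"""\
203.0.113.5 - - [15/Jun/2012:20:54:35 -0400] "POST /blog/wp-login.php HTTP/1.1" 100 0 "" ""
203.0.113.5 - - [15/Jun/2012:20:54:36 -0400] "file={PAYLOAD}" 200 0 "" ""
203.0.113.5 - - [15/Jun/2012:20:55:24 -0400] "POST / HTTP/1.1" 200 32 "" ""
198.51.100.7 - - [15/Jun/2012:21:10:00 -0400] "GET /blog/ HTTP/1.1" 200 5120 "" ""
"""
MAIL_LOG = """\
127.0.0.1 - - [15/Jun/2012:20:55:26 -0400] "MAIL From:<bogus@example.com>" 2.1.0 0 "" ""
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def parse(line):
    """Return (ip, aware datetime, request field) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")

def decode_file_param(req):
    """Decode a dumped 'file=<base64>' body; tolerates dumps cut off mid-string."""
    if not req.startswith("file="):
        return None
    data = req[5:].rstrip("$")                 # drop the truncation marker
    data = data[: len(data) - len(data) % 4]   # drop a partial trailing group
    try:
        return base64.b64decode(data, validate=True).decode("latin-1")
    except ValueError:
        return None

def find_suspicious(access_log, mail_log, window=timedelta(seconds=60)):
    """Flag bodies that decode to an eval() call, and POSTs that are followed
    by an outbound MAIL From within `window` (the pattern described above)."""
    access = [p for p in map(parse, access_log.splitlines()) if p]
    mail_times = [p[1] for p in map(parse, mail_log.splitlines())
                  if p and p[2].startswith("MAIL From:")]
    hits = []
    for ip, ts, req in access:
        body = decode_file_param(req)
        if body is not None and body.lstrip().startswith("@eval("):
            hits.append((ip, ts, "base64 body decodes to @eval("))
        elif req.startswith("POST ") and any(ts <= t <= ts + window for t in mail_times):
            hits.append((ip, ts, "POST followed by outbound mail within window"))
    return hits
```

Run it over a real access log and mail log by replacing the two constructed strings; a hit on a page that returned 404 (as `/blog/wp-login.php` did above) is still worth investigating, since the mail was sent regardless.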

Viewing 15 replies - 1 through 15 (of 21 total)
  • I’m fairly confident I don’t have a tainted install.

    Have you checked?

    https://sitecheck.sucuri.net/scanner/

    Thread Starter catman66

    (@catman66)

    Yes, checked and reinstalled from backup. The code is not tainted.

    Alex Kay

    (@skate323k137)

    I’ve been seeing this on clean WP sites too. Have yet to find a solution. I’m installing mod_dumpIO for apache to try to get more data from the POST requests, but just POST /blog/ is all that’s in the domain logs for now, and it’s definitely putting spam into the server’s e-mail queue at the same time as the POST requests. I’ve checked every single use of eval( in the site code, nothing looks injected or tampered with at all. Default theme.

    angelacarmichael

    (@angelacarmichael)

    Stolen password?

    Alex Kay

    (@skate323k137)

    Far as I can tell, this has nothing to do with using a password. I’ve worked in an abuse team for a major webhost for several years, and I deal with multiple hacked sites a day; a good section of those being wordpress. This isn’t the normal outdated theme/plugin/etc. issue, or code injection issues that I see on a daily basis. Site is using 3.4.2

    The normal Apache domlog only shows:

    (offending IP address) - - [15/Nov/2012:08:03:56 -0500] "POST /blog/ HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"

    over and over and over. At the same time as these “POST /blog/” entries, the exim queue receives an outgoing e-mail message from a fake account @affecteddomain.com

    If there’s a code injection, it’s hidden extremely well. Hoping they hit it again now that I have mod_dumpio and debug logging on.

    esmi

    (@esmi)

    It might be worth checking to see if there is a specific plugin or theme involved in all cases.

    Alex Kay

    (@skate323k137)

    This site was using the really old WordPress Default Version 1.6 theme from like 2007. Betting there’s an issue with that. I updated it to the version from 2010 (1.7.2, last release of that theme). We’ll see if that stops it. Does anyone know of any remote code exec vulns with that old default theme?

    angelacarmichael

    (@angelacarmichael)

    It might not even be WordPress, have you checked your apache version? Older remote apache vulnerabilities are a dime a dozen. Earlier this year there was a remote PHP exploit running wild also. HTH!

    Alex Kay

    (@skate323k137)

    Appreciate the advice everyone. Apache is the newest 2.2.x (2.2.23) build supported by cPanel, and PHP is at the last 5.2.x version available, 5.2.17 I believe. I’m still hoping the site gets hit again so I get some debug info.

    angelacarmichael

    (@angelacarmichael)

    This actually looks just like the PHP fastcgi exploit!

    It’s executing command line arguments via PHP and using the normal wordpress php scripts to do it since it requires a file to be present on the server.

    Alex Kay

    (@skate323k137)

    That exploit doesn’t work on cPanel servers, cPanel wraps the requests for CGI handlers and strips any command line options.

    Server is using SuPHP for PHP handling.

    (edit for reference) https://cpanel.net/cpanel-protects-against-php-vulnerability/

    angelacarmichael

    (@angelacarmichael)

    Here’s a lot more information on it: php-cgi-advisory-cve-2012-1823

    Interesting vulnerability. Let me know what you find.

    angelacarmichael

    (@angelacarmichael)

    Ahh.. Ok, well hope you figure it out.

    Alex Kay

    (@skate323k137)

    Sincerely appreciate the input. Like I said, I work for a web host, and we’re pretty on top of PHP/Apache vulns since 90% of our customers are using LAMP stack servers.

    I’m betting it was the 2007 theme files. I’ve seen some other threads with similar issues, but most people found code injections that eval() a post variable. Not the case here. Some of the other threads I’ve found never did find code injections, and never seem to have solved it. If I get to the bottom of this, I’ll post what I find.

  • The topic ‘security hole in wp-login.php and/or wp-atom.php??’ is closed to new replies.