davidholder
Forum Replies Created
Forum: Developing with WordPress
In reply to: Weird and Dangerous : ro8kfbsmag.txt
No. The hacker changed the settings in the wp_options database table via WordPress, not via SQL. The database port is disabled (and firewalled, since I am paranoid) and only allows access from the localhost. Since I don’t have the POST data I cannot determine exactly how the hacker managed to change entries in wp_options. But what the traces do show is that it was done through a process of repeated POSTs, first to admin-ajax.php, then options.php, upload.php, options.php and finally upgrade.php.
You are correct to suggest changing the passwords, which I had done but not mentioned. The hacker did not change these, but they did have access to the database and config file through the hack and therefore would have been able to take a copy of the passwords.
David
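The request sequence davidholder describes above (a POST to admin-ajax.php, a burst of POSTs to options.php, then upgrade.php, then PHP being served from the uploads directory) is something a site owner can hunt for in ordinary web-server access logs after the fact. The script below is an added example, not code from this thread or from WordPress; the Apache combined-format log lines it parses are constructed for the example, and the client addresses, timestamps and the threshold of five options.php POSTs are assumptions, not values from the post.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" access-log lines (not from the original post).
# The 203.0.113.5 session mirrors the request sequence the poster described;
# 198.51.100.7 is a legitimate administrator saving one settings page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:02:14:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:02:14:02 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:02:14:03 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:02:14:04 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:02:14:05 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:02:14:06 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:02:14:07 +0000] "POST /wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:02:14:08 +0000] "GET /wp-admin/upgrade.php?step=1 HTTP/1.1" 200 455 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:02:14:09 +0000] "GET /?kreved HTTP/1.1" 200 1190 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:02:14:10 +0000] "GET /wp-content/uploads/zip.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:09:30:00 +0000] "GET /wp-admin/options-general.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:09:30:20 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Yield one dict per parseable line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        path, _, query = rec["target"].partition("?")
        rec["path"], rec["query"] = path, query
        yield rec


def find_suspicious_sessions(log_text, options_post_threshold=5):
    """Group requests by client IP and report sessions matching the pattern from
    the post: a burst of POSTs to options.php, upgrade.php requested afterwards,
    and then PHP fetched from the uploads directory or the '?kreved' trigger."""
    by_ip = defaultdict(list)
    for rec in parse_log(log_text):
        by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, reqs in by_ip.items():
        reasons = []
        option_posts = [i for i, r in enumerate(reqs)
                        if r["method"] == "POST" and r["path"] == "/wp-admin/options.php"]
        if len(option_posts) >= options_post_threshold:
            reasons.append(f"{len(option_posts)} POSTs to /wp-admin/options.php")
        # upgrade.php after the option writes: the poster saw it follow the settings changes.
        if option_posts and any(r["path"] == "/wp-admin/upgrade.php"
                                for r in reqs[option_posts[-1]:]):
            reasons.append("upgrade.php requested after settings were written")
        if any(r["path"].startswith("/wp-content/uploads/") and r["path"].endswith(".php")
               for r in reqs):
            reasons.append("PHP executed from /wp-content/uploads/")
        if any("kreved" in r["query"] for r in reqs):
            reasons.append("backdoor trigger '?kreved' requested")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in find_suspicious_sessions(SAMPLE_LOG).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

The single options.php POST from the second address is what a normal settings save looks like, so it is not reported; the threshold exists to separate that from a scripted run of writes. The uploads-directory check is the one worth keeping permanently, since nothing under /wp-content/uploads/ should ever be served as PHP.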
Forum: Developing with WordPress
In reply to: Weird and Dangerous : ro8kfbsmag.txt
I have experienced this problem too and have some more information and another solution.
The sequence of events was as follows (unfortunately my logs don’t record POST data):
- POST /wp-admin/admin-ajax.php
- POST /wp-admin/options.php
- POST /wp-admin/options.php
- POST /wp-admin/options.php
- POST /wp-admin/options.php
- POST /wp-admin/options.php
- POST /wp-admin/options.php
- POST /wp-admin/upload.php?style=inline&tab=upload&post_id=-1
- POST /wp-admin/options.php
- POST /wp-admin/options.php
- GET /wp-admin/upgrade.php?step=1
- GET /?kreved
- GET /index.php?kreved&dira=./wp-content
- GET /index.php?kreved&&dira=./wp-content/uploads
- POST /index.php?kreved&&dira=./wp-content/uploads
- GET /wp-content/uploads/
- GET wp-content/uploads/zip.php
After this the hacker uploaded lots of nasty stuff as zip files into the /wp-content/uploads/ directory. The hacker did this using the backdoor mentioned in an earlier post. The backdoor is configured within WordPress as a plugin and is referenced by the URL /?kreved. This executes the file that has been uploaded by the hacker into /tmp. The file is called ro8kbsmag.txt.
After carefully checking my WordPress files (using checksums against a clean install) I determined that the hacker had not changed any of the standard files.
What the hacker had done is modify two options in the database, specifically upload_path and active_plugins.
upload_path was set to /../../../../../../../../../../../../../../../../../tmp and active_plugins to a:1:{i:0;s:69:"/../../../../../../../../../../../../../../../../../tmp/ro8kbsmag.txt";}.
Setting these back to their default values fixed my installation.
To stop the hacker doing it again I added web server access controls to the wp-admin directory. This extra layer of security should stop them getting in again.
It would be nice to know what the POST data was that allowed the hacker to do this. Has anyone else captured this?
David
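The two tampered options davidholder found (upload_path pointing out of wp-content via "../" and an active_plugins entry that is an absolute path to a .txt file under /tmp) can be checked for mechanically, which is useful both for confirming a clean-up and for re-running periodically. The script below is an added example, not code from this thread or from WordPress: it audits a dict of wp_options rows, flags the two patterns, and produces the corrected values (the WordPress default for upload_path is the empty string, meaning wp-content/uploads). The sample rows are constructed; the 17-level traversal is derived from the s:69 length in the post (1 + 17 × 3 + len("tmp/ro8kbsmag.txt") = 69), and the akismet entry is an assumed legitimate plugin.

```python
import re

ENTRY_RE = re.compile(rb'i:\d+;s:(\d+):"')


def php_serialize_list(items):
    """Serialise a list of str the way PHP's serialize() does a 0-indexed array."""
    body = "".join(f'i:{i};s:{len(s.encode())}:"{s}";' for i, s in enumerate(items))
    return f"a:{len(items)}:{{{body}}}"


def php_unserialize_list(blob):
    """Parse a PHP-serialised array of strings (the shape active_plugins uses).
    String lengths are byte counts, so the parser walks by length rather than
    searching for the closing quote (a path could itself contain '"')."""
    data = blob.encode()
    m = re.match(rb"a:(\d+):\{", data)
    if not m:
        raise ValueError("not a serialised PHP array")
    pos, count, items = m.end(), int(m.group(1)), []
    for _ in range(count):
        m = ENTRY_RE.match(data, pos)
        if not m:
            raise ValueError(f"malformed entry at byte {pos}")
        n, start = int(m.group(1)), m.end()
        items.append(data[start:start + n].decode())
        pos = start + n
        if data[pos:pos + 2] != b'";':
            raise ValueError(f"length mismatch at byte {pos}")
        pos += 2
    if data[pos:] != b"}":
        raise ValueError("trailing data after array")
    return items


# A legitimate active_plugins entry is "dir/file.php" or "file.php", relative to wp-content/plugins.
PLUGIN_PATH = re.compile(r"^(?:[A-Za-z0-9_.-]+/)?[A-Za-z0-9_.-]+\.php$")


def audit_options(options):
    """Return (findings, corrected) for a dict of wp_options option_name -> option_value.
    'corrected' holds only the options that need to be rewritten."""
    findings, corrected = [], {}
    upload_path = options.get("upload_path", "")
    # Default is '' (wp-content/uploads); an absolute path or any '..' segment is a tamper sign.
    if upload_path and (upload_path.startswith("/") or ".." in upload_path.split("/")):
        findings.append(f"upload_path escapes wp-content: {upload_path!r}")
        corrected["upload_path"] = ""
    plugins = php_unserialize_list(options.get("active_plugins", "a:0:{}"))
    keep = []
    for p in plugins:
        if PLUGIN_PATH.match(p) and ".." not in p.split("/"):
            keep.append(p)
        else:
            findings.append(f"active_plugins entry is not a plugin file: {p!r}")
    if len(keep) != len(plugins):
        corrected["active_plugins"] = php_serialize_list(keep)
    return findings, corrected


# Constructed wp_options rows (not the poster's real data). TRAVERSAL reproduces the
# 17-level "../" path whose serialised length (s:69) the post reports.
TRAVERSAL = "/" + "../" * 17 + "tmp"
SAMPLE_OPTIONS = {
    "siteurl": "https://blog.example",
    "upload_path": TRAVERSAL,
    "active_plugins": php_serialize_list([TRAVERSAL + "/ro8kbsmag.txt", "akismet/akismet.php"]),
}

if __name__ == "__main__":
    found, fix = audit_options(SAMPLE_OPTIONS)
    for f in found:
        print("FINDING:", f)
    for name, value in fix.items():
        print(f"set {name} = {value!r}")
```

Feeding it real rows is a matter of running SELECT option_name, option_value FROM wp_options WHERE option_name IN ('upload_path', 'active_plugins') and building the dict from the result; the corrected values can then be written back with the same UPDATE the poster used to restore the defaults. The unserializer deliberately refuses anything whose declared lengths do not line up, which is also how a hand-edited or truncated active_plugins value shows itself.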