  1. #1

    New wordpress hack?

    Hi,

    I have a fresh install of WordPress 3.4.2 with only one template - the default twentyeleven - that was hacked 2 times in the last week. They definitely hacked via the web; there were no ftp or ssh connections to the server. I searched the access log and couldn't find anything suspicious.

    Is there a new wordpress hack running around?

    Thanks

    Guy
    Uadm.com - Unix Administration, Security and Support.
    http://www.uadm.com
    "Unix is user friendly; it's just picky about who its friends are."

  2. #2
    Quote Originally Posted by rcs:
    Hi,

    I have a fresh install of WordPress 3.4.2 with only one template - the default twentyeleven - that was hacked 2 times in the last week. They definitely hacked via the web; there were no ftp or ssh connections to the server. I searched the access log and couldn't find anything suspicious.

    Is there a new wordpress hack running around?

    Thanks

    Guy
    Try streaming the logs offsite to ensure they can't wipe them, to catch them? Was this the only site affected on the server? It's just weird that a new site would randomly be targeted by a 0day twice. Would think that if there was a new exploit, major sites would have been hit by now.

  3. #3
    First, I will suggest you change your database and FTP passwords as soon as possible. Also, please check each and every file/folder of your website and make sure that there are no suspicious contents. If you have managed services then consult your hosting provider about this issue. Please keep your local system up to date and regularly scan it using the latest anti-virus software.

    Enhance PHP security via mod_security, and a firewall like CSF.

  4. #4
    A few sites have been defaced. This is a cPanel server so no cross-site access is possible, and the server wasn't rooted. I only mentioned this one site because, since it's only a basic install, it's easier to debug.
    Uadm.com - Unix Administration, Security and Support.
    http://www.uadm.com
    "Unix is user friendly; it's just picky about who its friends are."

  5. #5
    Quote Originally Posted by BestServerSupport:
    First, I will suggest you change your database and FTP passwords as soon as possible. Also, please check each and every file/folder of your website and make sure that there are no suspicious contents. If you have managed services then consult your hosting provider about this issue. Please keep your local system up to date and regularly scan it using the latest anti-virus software.

    Enhance PHP security via mod_security, and a firewall like CSF.
    I'm the hosting provider. mod_security and a firewall are implemented.
    Uadm.com - Unix Administration, Security and Support.
    http://www.uadm.com
    "Unix is user friendly; it's just picky about who its friends are."

  6. #6
    This same thing happened to me. My michelstaake.me blog was hacked (I just deleted WordPress and switched to GetSimple CMS)...
    I was not running a lot of plugins and only had one, very popular, theme installed.

  7. #7
    Quote Originally Posted by rcs:
    A few sites have been defaced. This is a cPanel server so no cross-site access is possible, and the server wasn't rooted. I only mentioned this one site because, since it's only a basic install, it's easier to debug.
    Were the sites all WP? Now, are you running CL or the default kernel? One thing I can think of: what if this was a symlink attack, with config files and dirs that were world readable?

  8. #8
    Quote Originally Posted by shovenose:
    This same thing happened to me. My michelstaake.me blog was hacked (I just deleted WordPress and switched to GetSimple CMS)...
    I was not running a lot of plugins and only had one, very popular, theme installed.
    Take it this was a recent hit? Maybe there is a new WP exploit going around.

  9. #9
    Quote Originally Posted by SolidShellSecurity:
    Were the sites all WP? Now, are you running CL or the default kernel? One thing I can think of: what if this was a symlink attack, with config files and dirs that were world readable?
    All WP, most of them 3.4.2 with updated plugins and themes. That's why I think there might be a new WP exploit.
    The server is running the latest CentOS kernel, all files are 644/755, and the server is working with suPHP.
    Uadm.com - Unix Administration, Security and Support.
    http://www.uadm.com
    "Unix is user friendly; it's just picky about who its friends are."

  10. #10
    May be a clean wordpress installation will help and also strictly follow suggestions, I have mentioned earlier. I would also suggest you to check your database and make sure that there is no suspicious values inserted.

  11. #11
    We've noticed a lot of brute force attempts as of late on WP installs, so make sure to change all of your administrator passwords. You might also install a plugin to block brute force attempts and enforce stronger passwords.
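The brute-force pattern described in this post can be confirmed from the web server's own access log. The following is an added example, not code from the thread: a POSIX shell function that counts POST requests to wp-login.php per source IP in Apache combined-format log lines and reports sources above a threshold, run over a constructed sample log (the addresses and timestamps are made up).

```shell
#!/bin/sh
# Added example: flag client IPs with many POSTs to wp-login.php in an Apache
# combined-format access log. Post #11 reports brute-force attempts on WP
# installs; this is the log-side check for that pattern.
# Usage: wp_login_bursts <access_log> [threshold]   (threshold defaults to 5)
wp_login_bursts() {
  awk -v limit="${2:-5}" '
    # field 6 is the quoted method ("POST), field 7 the request path;
    # a prefix match also catches /wp-login.php?redirect_to=... variants
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= limit) printf "%s %d\n", ip, hits[ip] }
  ' "$1" | sort -k2,2nr -k1,1
}

# Constructed sample log (not from the thread): 203.0.113.7 posts the login
# form six times in a minute, 198.51.100.20 logs in once, 192.0.2.5 just browses.
sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
203.0.113.7 - - [28/Sep/2012:11:50:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Sep/2012:11:50:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.5 - - [28/Sep/2012:11:50:03 +0000] "GET / HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Sep/2012:11:50:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.20 - - [28/Sep/2012:11:50:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
198.51.100.20 - - [28/Sep/2012:11:50:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Sep/2012:11:50:20 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Sep/2012:11:50:21 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Sep/2012:11:50:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
EOF
  printf '%s\n' "$f"
}

if [ "${1:-}" = "--demo" ]; then
  log=$(sample_log)
  wp_login_bursts "$log"        # prints: 203.0.113.7 6
  rm -f "$log"
fi
```

On a live server run it against the real log, e.g. `wp_login_bursts /usr/local/apache/domlogs/example.com 20`; a successful login normally shows as a single POST followed by a 302, so a source with dozens of 200 responses to the login form in a short window is the thing to look for. The count is per IP only, so a distributed attempt that spreads requests across many addresses will stay under the threshold; pair it with the rate-limiting plugin the post suggests rather than relying on the log alone.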

  12. #12
    WebSitePanel/ MspControl / SolidCP / Smartermail / Installation / Configuration / Troubleshooting / Migrations
    Windows Server Management / Security / Hardening
    I speak English and Spanish

  13. #13
    I will recommend running cxs, maldet and clamav through all accounts. Probably someone has a C99shell and was able to get access to your site from another account.
    Servicios hosting en Colombia
    Marketing Digital Internet con Resultados

  14. #14
    Quote Originally Posted by cuantica:
    I will recommend running cxs, maldet and clamav through all accounts. Probably someone has a C99shell and was able to get access to your site from another account.
    From what I have gathered on the internet that is not the case. And such methods will not block shells. If the users can access the other sites then your security is poor.

  15. #15
    I've diagnosed at least one odd 3.4.2 exploit in the past month. There was no obviously detectable error outside of WordPress itself. The one I did see is thwarted by nuking your "plugin-editor.php" and "theme-editor.php" files. I'm of the opinion that live editors are dangerous and unnecessary anyway. There are a number of files that should be removed, renamed, or firewalled in general anyway, and these are two of them.
    || Need a good host?
    || See my Suggested Hosts List || Editorial: EIG/Site5/Arvixe/Hostgator Alternatives
    ||

  16. #16
    Quote Originally Posted by kpmedia:
    I've diagnosed at least one odd 3.4.2 exploit in the past month. There was no obviously detectable error outside of WordPress itself. The one I did see is thwarted by nuking your "plugin-editor.php" and "theme-editor.php" files. I'm of the opinion that live editors are dangerous and unnecessary anyway. There are a number of files that should be removed, renamed, or firewalled in general anyway, and these are two of them.
    Will agree with that.

    Correct me if I'm wrong, but if wp-admin was IP whitelisted, that should remove at least half the exploits, right? At least from looking at some access_logs, the wp-admin area does get used a lot.
    Last edited by TravisT-[SSS]; 09-28-2012 at 11:56 AM.

  17. #17
    Quote Originally Posted by rcs:
    A few sites have been defaced. This is a cPanel server so no cross-site access is possible, and the server wasn't rooted. I only mentioned this one site because, since it's only a basic install, it's easier to debug.
    Quote Originally Posted by rcs:
    All WP, most of them 3.4.2 with updated plugins and themes. That's why I think there might be a new WP exploit.
    The server is running the latest CentOS kernel, all files are 644/755, and the server is working with suPHP.

    Are you implementing any kind of patching for this issue:

    http://forums.cpanel.net/f185/how-pr...rs-202242.html

    suphp and permissions are not enough to prevent it.

    Try running:

    find /home/*/public_html -type l
    If not patched, you need one of the Apache source code patches, mod_ruid2, or CloudLinux CageFS/SecureLinks.
    Last edited by Steven; 09-28-2012 at 12:32 PM.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  18. #18
    Quote Originally Posted by Steven:
    Are you implementing any kind of patching for this issue:

    http://forums.cpanel.net/f185/how-pr...rs-202242.html

    suphp and permissions are not enough to prevent it.
    I've implemented harden-symlinks.patch today on all our cPanel servers, after finding the directory with symlinks on the server.
    This is yours if I'm not mistaken, so thanks for that.

    How is the symlink used to hack into an account if I may ask?
    Uadm.com - Unix Administration, Security and Support.
    http://www.uadm.com
    "Unix is user friendly; it's just picky about who its friends are."

  19. #19
    Indeed, that's the reason I suggested a c99shell traversing your directories.

    http://www.raidten.com/followsymlink...vulnerability/

    Modsecurity and phpsuexec are not enough to fix this vulnerability. mod_ruid2 should help.
    Servicios hosting en Colombia
    Marketing Digital Internet con Resultados

  20. #20
    Quote Originally Posted by rcs:
    I've implemented today harden-symlinks.patch on all our cpanel servers after finding the directory with sym links on the server.
    This is yours if I'm not mistaken, so thanks for that

    How is the symlink used to hack into an account if I may ask?
    Since public_html is owned by user:nobody so Apache can load static files, by symlinking to a PHP file and giving it a .txt extension it is loaded by user nobody... which allows it to be read.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
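The `find /home/*/public_html -type l` check from post #17 lists every symlink but says nothing about where each one points. The following is an added example, not code from the thread, from cPanel or from Rack911: it extends that check to report only links whose target resolves outside the owning account's home directory, which is the cross-account pattern post #20 explains (a link in one account reaching another account's PHP files). It assumes the /home/<user>/public_html layout the thread refers to, and builds a constructed two-account fixture to run against.

```shell
#!/bin/sh
# Added example: audit symlinks under cPanel-style web roots
# (/home/<user>/public_html) and report any link whose target resolves outside
# the link owner's own home. A link from one account into another account's
# files is the pattern this thread describes; a link that stays inside the
# same home is left alone.
# Usage: audit_symlinks /home
audit_symlinks() {
  base=$(readlink -f -- "$1")    # canonical prefix, so targets compare cleanly
  find "$base"/*/public_html -type l 2>/dev/null | while IFS= read -r link; do
    user=${link#"$base"/}        # /home/bob/public_html/x -> bob/public_html/x
    user=${user%%/*}             # -> bob
    home="$base/$user"
    target=$(readlink -f -- "$link") || continue   # skip dangling links
    case "$target" in
      "$home"/*) ;;              # stays inside the owner's home: fine
      *) printf '%s -> %s\n' "$link" "$target" ;;
    esac
  done
  return 0
}

# Constructed fixture (not from the thread): two accounts, one benign link
# inside bob's own home and one link from bob's docroot into alice's
# wp-config.php under a .txt name, the case post #20 describes.
build_demo() {
  root=$(mktemp -d)
  mkdir -p "$root/alice/public_html" "$root/bob/public_html"
  printf '<?php // constructed placeholder config\n' > "$root/alice/public_html/wp-config.php"
  printf 'hello\n' > "$root/bob/public_html/real.txt"
  ln -s "$root/bob/public_html/real.txt" "$root/bob/public_html/ok.txt"
  ln -s "$root/alice/public_html/wp-config.php" "$root/bob/public_html/wp-config.txt"
  printf '%s\n' "$root"
}

if [ "${1:-}" = "--demo" ]; then
  d=$(build_demo)
  audit_symlinks "$d"     # prints only the bob -> alice link
  rm -rf "$d"
fi
```

Run `audit_symlinks /home` as root on the server (or `sh audit.sh --demo` for the fixture). It only finds links that are already in place, so it is a detection step to run alongside the Apache patch or mod_ruid2 the thread discusses, not a replacement for them; any hit is a reason to rotate that account's database password, as post #25 below advises.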

  21. #21
    Quote Originally Posted by cuantica:
    Indeed, that's the reason I suggested a c99shell traversing your directories.

    http://www.raidten.com/followsymlink...vulnerability/

    Modsecurity and phpsuexec are not enough to fix this vulnerability. mod_ruid2 should help.
    c99 is not required for this. There are perl scripts that troll through an entire server with symlinks, and mass deface the entire server.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  22. #22
    Quote Originally Posted by cuantica:
    Indeed, that's the reason I suggested a c99shell traversing your directories.

    http://www.raidten.com/followsymlink...vulnerability/

    Modsecurity and phpsuexec are not enough to fix this vulnerability. mod_ruid2 should help.
    Thanks, this link is very informative.

    So I read about mod_ruid a little. Are there any concerns when setting it up on cPanel? I read that most users don't use suPHP with it, so which should be used - mod_ruid with DSO or suPHP? To be honest, I like to still know which script is running at any given time on the server; I don't think that's possible with ruid, and the symlink patch seems to fix the major problem.
    Last edited by rcs; 09-28-2012 at 01:03 PM.
    Uadm.com - Unix Administration, Security and Support.
    http://www.uadm.com
    "Unix is user friendly; it's just picky about who its friends are."

  23. #23
    mod_ruid works the same way as phpsuexec but for HTML files, so HTML files are handled only by their owner. You will see more processes owned by each user and fewer processes owned by user nobody.
    Servicios hosting en Colombia
    Marketing Digital Internet con Resultados

  24. #24
    Apparently there is a WP 3.4.2 hack going around, a week old:
    http://1337day.org/exploits/19447
    But it's a cross-site request vuln, not a direct hack.
    Uadm.com - Unix Administration, Security and Support.
    http://www.uadm.com
    "Unix is user friendly; it's just picky about who its friends are."

  25. #25

    Quote Originally Posted by rcs:
    All WP, most of them 3.4.2 with updated plugins and themes. That's why I think there might be a new WP exploit.
    The server is running the latest CentOS kernel, all files are 644/755, and the server is working with suPHP.
    Could well be a symlink hack. This allows a hacker to read the contents of your WordPress config file and see the database user and password.

    Change the DB password and change the permissions on the .php files to 600 to prevent future incidents.

    You also want to look at Steven's patch mentioned above.
    Last edited by brianoz; 09-28-2012 at 08:46 PM.
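Posts #15 and #25 between them recommend two concrete file-level changes: remove the live plugin/theme editors, and set .php files to mode 600 so another account cannot read them. The following is an added example, not the thread's, cPanel's or WordPress's own code: a shell audit that reports those findings for one docroot, plus a harden function that applies them. DISALLOW_FILE_EDIT is WordPress's own documented constant for switching off the editors and is my addition, not something the thread mentions; the fixture the functions run against is constructed.

```shell
#!/bin/sh
# Added example: audit and harden one WordPress docroot for the two points
# raised in this thread: the live plugin/theme editors (post #15) and PHP
# file permissions (post #25). DISALLOW_FILE_EDIT is WordPress's own switch
# for the editors and is not mentioned in the thread.
# Usage: wp_audit /home/user/public_html ; wp_harden /home/user/public_html
wp_audit() {
  root="$1"
  for f in wp-admin/plugin-editor.php wp-admin/theme-editor.php; do
    [ -e "$root/$f" ] && echo "editor present: $f"
  done
  grep -q "DISALLOW_FILE_EDIT.*true" "$root/wp-config.php" 2>/dev/null \
    || echo "DISALLOW_FILE_EDIT not set in wp-config.php"
  # any PHP file with a group/other permission bit set (GNU find -perm /mode)
  find "$root" -type f -name '*.php' -perm /077 | sort | while IFS= read -r p; do
    echo "php file not 600: ${p#"$root"/}"
  done
  return 0
}

wp_harden() {
  root="$1"
  cfg="$root/wp-config.php"
  rm -f "$root/wp-admin/plugin-editor.php" "$root/wp-admin/theme-editor.php"
  # the define must come before wp-settings.php is loaded, so insert it there
  if ! grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
    awk '/wp-settings\.php/ && !done { print "define(\047DISALLOW_FILE_EDIT\047, true);"; done = 1 } { print }' \
      "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  fi
  # 600 is safe under suPHP (PHP runs as the file owner); not under mod_php/DSO,
  # where the web server user would no longer be able to read the scripts
  find "$root" -type f -name '*.php' -exec chmod 600 {} +
}

# Constructed fixture (not a real install): minimal tree with both editors,
# a wp-config.php lacking the define, and group/world-readable PHP files.
build_wp_demo() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-admin"
  : > "$root/wp-admin/plugin-editor.php"
  : > "$root/wp-admin/theme-editor.php"
  printf '<?php // constructed placeholder\n' > "$root/index.php"
  printf '<?php\ndefine(\047DB_PASSWORD\047, \047constructed-secret\047);\nrequire_once ABSPATH . \047wp-settings.php\047;\n' > "$root/wp-config.php"
  chmod 644 "$root"/*.php "$root"/wp-admin/*.php
  printf '%s\n' "$root"
}

if [ "${1:-}" = "--demo" ]; then
  d=$(build_wp_demo)
  echo "before:"; wp_audit "$d"
  wp_harden "$d"
  echo "after:";  wp_audit "$d"     # prints nothing: all findings cleared
  rm -rf "$d"
fi
```

The audit prints nothing when a docroot is clean, so it can be looped over `/home/*/public_html` and only the accounts that need attention show up. The permission change is the one step to be careful with: the thread's server runs suPHP, where PHP files are executed as their owner and 600 is fine, but on a mod_php/DSO server the same change would break every site. Changing the database password, the other half of post #25, has to be done in MySQL and in wp-config.php by hand and is deliberately not automated here.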
