Hello,
Recently files have been added to some accounts on our servers (all WordPress accounts). They all follow the same pattern: wp-apps.php and wp-configure.php files are added which contain malicious content. I've checked the account which has been affected below and there doesn't seem to be any rogue plugin, or any plugin which is the same as in any other account which has been affected, apart from the default plugins.
Here is part of the log for last night (when the malicious files were added):
*I've starred out personal details such as the domain and username*
93.172.144.240 - - [09/Mar/2012:20:12:20 +0000] "GET /wp-apps.php?image=smiley HTTP/1.1" 200 92 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:12:20 +0000] "GET /wp-apps.php?image=folder HTTP/1.1" 200 90 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:12:19 +0000] "GET /wp-apps.php HTTP/1.1" 200 110942 "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:12:42 +0000] "GET /wp-apps.php?image=hidden_file HTTP/1.1" 200 93 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:12:42 +0000] "GET /wp-apps.php?image=file HTTP/1.1" 200 93 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:12:42 +0000] "GET /wp-apps.php?image=arrow HTTP/1.1" 200 70 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:12:42 +0000] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:12:42 +0000] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:13:06 +0000] "GET /wp-apps.php?dir=%2Fhome%2Fxxxxxxxx%2Fpublic_html%2Fboo1 HTTP/1.1" 200 10968 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:13:07 +0000] "GET /wp-apps.php?image=smiley HTTP/1.1" 200 92 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php?dir=%2Fhome%2Fxxxxxxxx%2Fpublic_html%2Fboo1" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:13:07 +0000] "GET /wp-apps.php?image=folder HTTP/1.1" 200 90 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php?dir=%2Fhome%2Fxxxxxxxx%2Fpublic_html%2Fboo1" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
93.172.144.240 - - [09/Mar/2012:20:13:07 +0000] "GET /wp-apps.php?image=arrow HTTP/1.1" 200 70 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php?dir=%2Fhome%2Fxxxxxxxx%2Fpublic_html%2Fboo1" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
What seems interesting is this line:
93.172.144.240 - - [09/Mar/2012:20:13:06 +0000] "GET /wp-apps.php?dir=%2Fhome%2Fxxxxxxxx%2Fpublic_html%2Fboo1 HTTP/1.1" 200 10968 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
It appears, if I am correct, that the hacker is trying to get into the public_html directory to upload/modify files using the wp-apps.php file?
We have fixed all the sites now within minutes of being aware that these files existed, but how can we prevent this from happening in the future? It's happened on at least three occasions and that's three too many... We're using cPanel on CentOS 5.
Really appreciate any help - thanks!
James
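Detection logic for the pattern in the log above (a 200 from a wp-*.php file that WordPress core does not ship at the web root, and a dir= parameter carrying an absolute server path), as an added example that is not part of the original post. The sample log is constructed from the post's own quoted lines (user agent shortened, placeholders kept) plus one normal login hit, and the core root-file list is an assumed snapshot, not authoritative.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format, the format of the lines quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# PHP files WordPress core serves from the web root (assumed snapshot); any other
# wp-*.php at the root, such as wp-apps.php or wp-configure.php, is worth a look.
WP_ROOT_PHP = {
    "index.php", "wp-login.php", "wp-load.php", "wp-config.php", "wp-blog-header.php",
    "wp-cron.php", "wp-settings.php", "wp-mail.php", "wp-links-opml.php", "wp-signup.php",
    "wp-activate.php", "wp-trackback.php", "wp-comments-post.php", "xmlrpc.php",
}

def parse_line(line):
    """Split one access-log line into named fields; None if it is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_reasons(entry):
    """Heuristics for file-manager web-shell traffic; an empty list means nothing flagged."""
    reasons = []
    url = urlsplit(entry["target"])
    fname = url.path.rsplit("/", 1)[-1]
    if url.path.count("/") == 1 and fname.endswith(".php") and fname not in WP_ROOT_PHP \
            and entry["status"] == "200":
        reasons.append("200 from non-core PHP file at web root: " + fname)
    for key in ("dir", "path", "file"):  # parse_qs percent-decodes the values
        for value in parse_qs(url.query).get(key, []):
            if value.startswith("/"):
                reasons.append("absolute server path in %s=: %s" % (key, value))
    return reasons

def find_suspicious(log_text):
    """Return (ip, target, reasons) for every flagged request in the log text."""
    hits = []
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        reasons = suspicious_reasons(entry)
        if reasons:
            hits.append((entry["ip"], entry["target"], reasons))
    return hits

# Constructed sample: three of the post's lines (user agent shortened) plus one normal login hit.
SAMPLE_LOG = """\
93.172.144.240 - - [09/Mar/2012:20:12:19 +0000] "GET /wp-apps.php HTTP/1.1" 200 110942 "-" "Mozilla/5.0"
93.172.144.240 - - [09/Mar/2012:20:12:42 +0000] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0"
93.172.144.240 - - [09/Mar/2012:20:13:06 +0000] "GET /wp-apps.php?dir=%2Fhome%2Fxxxxxxxx%2Fpublic_html%2Fboo1 HTTP/1.1" 200 10968 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0"
10.0.0.5 - - [09/Mar/2012:20:14:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
"""
```

Running `find_suspicious(SAMPLE_LOG)` flags only the two wp-apps.php requests, the second with both reasons; pointing it at a real cPanel domlog and grouping the hits by IP gives a first-pass alert for this kind of dropped file manager.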