
Thread: Phishing Hacks

  1. #1
    Join Date
    Jan 2011
    Location
    Plymouth, UK
    Posts
    98

    * Phishing Hacks

    Hello,

    Recently files have been added to some accounts under our servers (all WordPress accounts). They all follow the same pattern, as wp-apps.php and wp-configure.php files are added which contain malicious content. I've checked the account which has been affected below and there doesn't seem to be any rogue plugin, or any plugin which is the same as in any other account which has been affected, apart from the default plugins.

    Here is part of the log for last night (when the malicious files were added):

    *I've starred out personal details such as the domain and username*

    93.172.144.240 - - [09/Mar/2012:20:12:20 +0000] "GET /wp-apps.php?image=smiley HTTP/1.1" 200 92 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
    93.172.144.240 - - [09/Mar/2012:20:12:20 +0000] "GET /wp-apps.php?image=folder HTTP/1.1" 200 90 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
    93.172.144.240 - - [09/Mar/2012:20:12:19 +0000] "GET /wp-apps.php HTTP/1.1" 200 110942 "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
    93.172.144.240 - - [09/Mar/2012:20:12:42 +0000] "GET /wp-apps.php?image=hidden_file HTTP/1.1" 200 93 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
    93.172.144.240 - - [09/Mar/2012:20:12:42 +0000] "GET /wp-apps.php?image=file HTTP/1.1" 200 93 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
    93.172.144.240 - - [09/Mar/2012:20:12:42 +0000] "GET /wp-apps.php?image=arrow HTTP/1.1" 200 70 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
    93.172.144.240 - - [09/Mar/2012:20:12:42 +0000] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
    93.172.144.240 - - [09/Mar/2012:20:12:42 +0000] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
    93.172.144.240 - - [09/Mar/2012:20:13:06 +0000] "GET /wp-apps.php?dir=%2Fhome%2Fxxxxxxxx%2Fpublic_html%2Fboo1 HTTP/1.1" 200 10968 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
    93.172.144.240 - - [09/Mar/2012:20:13:07 +0000] "GET /wp-apps.php?image=smiley HTTP/1.1" 200 92 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php?dir=%2Fhome%2Fxxxxxxxx%2Fpublic_html%2Fboo1" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
    93.172.144.240 - - [09/Mar/2012:20:13:07 +0000] "GET /wp-apps.php?image=folder HTTP/1.1" 200 90 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php?dir=%2Fhome%2Fxxxxxxxx%2Fpublic_html%2Fboo1" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
    93.172.144.240 - - [09/Mar/2012:20:13:07 +0000] "GET /wp-apps.php?image=arrow HTTP/1.1" 200 70 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php?dir=%2Fhome%2Fxxxxxxxx%2Fpublic_html%2Fboo1" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"

    What seems interesting is this line:

    93.172.144.240 - - [09/Mar/2012:20:13:06 +0000] "GET /wp-apps.php?dir=%2Fhome%2Fxxxxxxxx%2Fpublic_html%2Fboo1 HTTP/1.1" 200 10968 "http://www.xxxxxxxxxxxxxxx.co.uk/wp-apps.php" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"

    It appears, if I am correct, that the hacker is trying to get into the public_html directory to upload/modify files using the wp-apps.php file?

    We have fixed all the sites now within minutes of being aware that these files existed, but how can we prevent this from happening in the future? It's happened on at least three occasions and that's three too many... We're using cPanel on CentOS 5.

    Really appreciate any help - thanks!

    James
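    As an added example (not code from this thread), here is a small Python pass over Apache combined-format access log lines that flags the two things the excerpt above shows: a request for a .php file sitting directly under the document root that is not part of WordPress core, and a query parameter carrying an absolute filesystem path or a traversal sequence. The core-file list and the sample log lines are constructed for the example, and the client addresses are documentation-range placeholders rather than the ones in the post.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" log format, the layout used in the excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP files WordPress core legitimately serves from the document root.
# Assumption: this list is for the example; extend it from your own install.
KNOWN_ROOT_PHP = {
    "index.php", "wp-login.php", "wp-cron.php", "wp-comments-post.php",
    "xmlrpc.php", "wp-signup.php", "wp-activate.php", "wp-trackback.php",
    "wp-links-opml.php", "wp-mail.php", "wp-load.php", "wp-blog-header.php",
    "wp-settings.php", "wp-config.php", "wp-config-sample.php",
}


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def suspicious_reasons(entry):
    """List the reasons a request looks like dropped-file / file-manager activity."""
    reasons = []
    parts = urlsplit(entry["target"])
    path = unquote(parts.path)
    # A single-component *.php path at the docroot that WordPress does not ship.
    if re.fullmatch(r"/[^/]+\.php", path) and path[1:] not in KNOWN_ROOT_PHP:
        reasons.append("php file at docroot not in WordPress core: " + path)
    # Query values that name a filesystem location (parse_qs already URL-decodes).
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if value.startswith("/") or "../" in value:
                reasons.append(f"filesystem path in query parameter {key}={value}")
    return reasons


def scan(lines):
    """Group flagged requests by client IP: {ip: [finding, ...]}."""
    findings = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings[entry["ip"]].append({
                "time": entry["ts"],
                "target": entry["target"],
                "status": entry["status"],
                "reasons": reasons,
            })
    return dict(findings)


# Constructed sample, modelled on the thread's excerpt (placeholder addresses/domain).
SAMPLE_LOG = """\
198.51.100.7 - - [09/Mar/2012:20:12:19 +0000] "GET /wp-apps.php HTTP/1.1" 200 110942 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Mar/2012:20:12:20 +0000] "GET /wp-apps.php?image=folder HTTP/1.1" 200 90 "http://www.example.co.uk/wp-apps.php" "Mozilla/5.0"
198.51.100.7 - - [09/Mar/2012:20:13:06 +0000] "GET /wp-apps.php?dir=%2Fhome%2Fexample%2Fpublic_html HTTP/1.1" 200 10968 "http://www.example.co.uk/wp-apps.php" "Mozilla/5.0"
203.0.113.9 - - [09/Mar/2012:20:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Mar/2012:20:14:05 +0000] "GET /index.php?p=12 HTTP/1.1" 200 15023 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Mar/2012:20:14:09 +0000] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG.splitlines()).items():
        print(ip)
        for hit in hits:
            print(f"  {hit['time']}  {hit['status']}  {hit['target']}")
            for reason in hit["reasons"]:
                print("      -", reason)
```

    Run it over a real file with `scan(open("/path/to/access_log"))`; the first hit on an unknown docroot .php file gives the timestamp to compare against file modification times, which is what you need to find the upload path that preceded it.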

  2. #2
    Join Date
    May 2009
    Location
    United Kingdom
    Posts
    1,317
    I know this is the most annoying question, but do you know if all of the WordPress/plugins/themes were up to date?

    9 times out of 10, WordPress installs being hacked is down to running old versions.

  3. #3
    Join Date
    Jan 2011
    Location
    Plymouth, UK
    Posts
    98
    All completely up to date on that account, I've just checked.

  4. #4
    Good day:

    Make sure that http://codex.wordpress.org/Hardening_WordPress is done for each WordPress site.

    Thank you.
    ---
    Peter M. Abraham

  5. #5
    Join Date
    Apr 2006
    Posts
    98
    Apart from the WordPress installation and plugins being up to date, I'll check all the theme folders for the timthumb script. This is usually named timthumb.php or thumb.php. If there's a "cache" directory within the theme folder, it's also a pretty good giveaway.

    These outdated scripts have wreaked havoc across quite a number of sites hosted by us, before we coded a script to search for and update this little script.

    Open the timthumb script and check the versions. If memory serves, pre 1.28 were an issue, but I would be skeptical of anything lower than version 2.x.

    New version can be found here: http://code.google.com/p/timthumb/

    It's a bit of a shot in the dark due to the access attempts on the wp-app.php file you mentioned, but I believe it's definitely worth a look.
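    Post #5 describes a manual check: walk the theme folders, find timthumb.php or thumb.php, read its version, and note any cache directory beside it. As an added example (not the poster's own script, which the thread does not include), here is that audit in Python. It assumes the script declares its version with a define('VERSION', ...) call, as TimThumb releases do, treats anything below 2.0 (the poster's threshold) or with no readable version as needing attention, and builds a constructed set of theme folders in a temporary directory so it runs offline.

```python
import os
import re
import tempfile

TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}
MIN_OK_VERSION = (2, 0)   # post #5's threshold: be skeptical of anything below 2.x

# TimThumb declares its version as  define ('VERSION', '2.8.14');
# Assumption: older copies use the same define; files without one are reported anyway.
VERSION_RE = re.compile(
    r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([0-9]+(?:\.[0-9]+)*)['"]\s*\)""",
    re.IGNORECASE,
)


def extract_version(source):
    """Return the declared version string, or None if the file has none."""
    m = VERSION_RE.search(source)
    return m.group(1) if m else None


def is_outdated(version):
    """True when the version is below MIN_OK_VERSION or could not be read."""
    if version is None:
        return True
    return tuple(int(x) for x in version.split(".")) < MIN_OK_VERSION


def audit_themes(themes_root):
    """Find TimThumb copies under a themes directory; report version and cache dir."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(themes_root):
        for name in filenames:
            if name.lower() not in TIMTHUMB_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                version = extract_version(f.read())
            # Top-level theme folder the copy lives in (it may be nested deeper).
            theme = os.path.relpath(dirpath, themes_root).split(os.sep)[0]
            findings.append({
                "theme": theme,
                "path": path,
                "version": version,
                "outdated": is_outdated(version),
                "cache_dir": os.path.isdir(os.path.join(themes_root, theme, "cache")),
            })
    return sorted(findings, key=lambda f: (f["theme"], f["path"]))


def build_sample_themes(root):
    """Constructed theme tree for the demo: one old copy, one current, one clean theme."""
    samples = {
        "oldtheme/timthumb.php": "<?php\ndefine ('VERSION', '1.25');\n// ...\n",
        "newtheme/inc/thumb.php": "<?php\ndefine ('VERSION', '2.8.14');\n// ...\n",
        "clean/functions.php": "<?php\n// no TimThumb here\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(body)
    os.makedirs(os.path.join(root, "oldtheme", "cache"), exist_ok=True)


def demo():
    """Run the audit over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_themes(tmp)
        return audit_themes(tmp)


if __name__ == "__main__":
    for f in demo():
        state = "OUTDATED" if f["outdated"] else "ok"
        print(f"{f['theme']:10} {f['version'] or '?':8} {state:8} cache={f['cache_dir']}  {f['path']}")
```

    On a live box, point `audit_themes` at each account's `wp-content/themes` directory (for example `/home/<user>/public_html/wp-content/themes`, user name being a placeholder) and review every row marked OUTDATED or with no version.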
