  1. #1
    Join Date
    Oct 2006
    Location
    New Westminster, BC
    Posts
    27

    Wordpress 2.8.5 site hacked

    The perpetrator was 66.33.213.21, and I think that this was the way he did the damage:

    66.33.213.21 - - [10/Nov/2009:04:13:39 -0800] "POST /wp-content/plugins/wptags-4-metakeywords/keyword.php HTTP/1.1" 200 3023 "http://xxxx.org/wp-content/plugins/wptags-4-metakeywords/keyword.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)"

    At first glance, you might think that the vulnerability was in the Metaheader Keywords plugin, and yes, this was an old version. However, I strongly suspect that the keyword.php file was placed on the server by exploiting a vulnerability somewhere else. (The tripwire program shows that it was added at 04:13:10, 29 seconds earlier.) See this line in access.log:

    66.33.213.21 - - [10/Nov/2009:04:13:10 -0800] "POST /wp-content/plugins/cforms/languages/about.php HTTP/1.1" 200 3779 "http://xxxx.org/wp-content/plugins/cforms/languages/about.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)"

    Problem is, the about.php file is gone. The tripwire program shows that the /wp-content/plugins/cforms/languages directory was altered in some way.

    What this hack did was:

    1. Created a file, suffix.php, in wp-includes.

    2. Altered classes.php so that it includes suffix.php.

    3. Created the file /wp-includes/images/crystal/screenshot.png. This isn't really a PNG file; it contains PHP code.

    4. Created the file wp-content/plugins/contact-form-7/images/loader.gif.

    5. Created the file /wp-includes/images/smilies/icon_tar.gif.

    Also, I've installed the "Wordpress Exploit Scanner" on this site and another one, and it's useful for analysing problems like this.
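The two access.log entries above show the pattern the poster reconstructed: a POST to a PHP file inside a plugin directory, followed 29 seconds later by a POST to a second PHP file from the same address, each with a referer pointing at the very script being posted to. As an added example (not code from the original post or from any plugin mentioned), the following Python script parses Apache combined-format lines, picks out successful POSTs to .php files under wp-content and wp-includes, and groups them per source address into time-ordered chains. The sample log is constructed: the first two lines reproduce the entries quoted in the post (with the poster's xxxx.org placeholder), the others are ordinary traffic from an RFC 5737 documentation address, added for contrast.

```python
import re
from datetime import datetime

# Constructed sample access.log lines (Apache combined format). The first two
# reproduce the entries quoted in the post; the rest are normal traffic.
SAMPLE_LOG = """\
66.33.213.21 - - [10/Nov/2009:04:13:10 -0800] "POST /wp-content/plugins/cforms/languages/about.php HTTP/1.1" 200 3779 "http://xxxx.org/wp-content/plugins/cforms/languages/about.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)"
66.33.213.21 - - [10/Nov/2009:04:13:39 -0800] "POST /wp-content/plugins/wptags-4-metakeywords/keyword.php HTTP/1.1" 200 3023 "http://xxxx.org/wp-content/plugins/wptags-4-metakeywords/keyword.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)"
192.0.2.7 - - [10/Nov/2009:04:14:02 -0800] "GET /index.php HTTP/1.1" 200 15321 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.7 - - [10/Nov/2009:04:14:05 -0800] "GET /wp-content/plugins/contact-form-7/images/loader.gif HTTP/1.1" 200 5321 "http://xxxx.org/index.php" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.7 - - [10/Nov/2009:04:14:09 -0800] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://xxxx.org/?p=12" "Mozilla/5.0 (X11; Linux x86_64)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directories where a direct POST to a PHP file is unusual on a WordPress site:
# plugins are normally driven through wp-admin or admin-ajax.php, not by
# posting straight at a file inside their own directory.
WATCHED_PREFIXES = ("/wp-content/plugins/", "/wp-content/uploads/", "/wp-includes/")


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # A referer that is the URL being posted to means the request came from a
    # form the script itself rendered, which is how a dropped script is driven.
    rec["self_referer"] = rec["referer"].endswith(rec["path"])
    return rec


def suspicious_requests(lines):
    """Return parsed records for successful POSTs to .php files under the watched dirs."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if (rec["method"] == "POST" and path.endswith(".php")
                and path.startswith(WATCHED_PREFIXES) and rec["status"] == 200):
            hits.append(rec)
    return hits


def seconds_between(first, second):
    """Whole seconds from the first record's timestamp to the second's."""
    return int((second["ts"] - first["ts"]).total_seconds())


def chains_by_ip(hits, window_seconds=120):
    """Group hits per source IP into chains where each hit follows the last within the window.

    Returns {ip: [[rec, ...], ...]}. A chain of two or more records is the
    'drop a script, then call it' sequence the post describes.
    """
    chains = {}
    for rec in sorted(hits, key=lambda r: r["ts"]):
        ip_chains = chains.setdefault(rec["ip"], [])
        if ip_chains and seconds_between(ip_chains[-1][-1], rec) <= window_seconds:
            ip_chains[-1].append(rec)
        else:
            ip_chains.append([rec])
    return chains


if __name__ == "__main__":
    hits = suspicious_requests(SAMPLE_LOG.splitlines())
    for ip, ip_chains in chains_by_ip(hits).items():
        for chain in ip_chains:
            span = seconds_between(chain[0], chain[-1])
            print(f"{ip}: {len(chain)} POST(s) to PHP files in watched dirs within {span}s")
            for rec in chain:
                flag = " (self-referer)" if rec["self_referer"] else ""
                print(f"  {rec['ts']:%H:%M:%S} {rec['path']}{flag}")
```

Run against a real access.log by replacing SAMPLE_LOG with the file's lines; the output for the sample is one chain from 66.33.213.21 spanning 29 seconds with both requests marked self-referer, while the legitimate comment POST to wp-comments-post.php is not reported because it lives outside the watched directories.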

  2. #2
    nice information

  3. #3
    Join Date
    Nov 2003
    Location
    Marylebone, London, UK
    Posts
    526
    Looks like the IP is located at dreamhost.
    Send your log file info to their abuse
    mail address to investigate.

  4. #4
    Upgrade your WordPress to the latest version, reset all the passwords and set strong ones. Do not use any vulnerable scripts; also, install only those plugins that are compatible with your WordPress version.

  5. #5
    Join Date
    Dec 2002
    Posts
    374
    Quote Originally Posted by keserhosting:
    Upgrade your WordPress to the latest version, reset all the passwords and set strong ones. Do not use any vulnerable scripts; also, install only those plugins that are compatible with your WordPress version.
    2.8.5 is the latest version.

    http://wordpress.org/download/

  6. #6
    Join Date
    Oct 2006
    Location
    New Westminster, BC
    Posts
    27
    Quote Originally Posted by squirrelhost:
    Looks like the IP is located at dreamhost.
    Send your log file info to their abuse
    mail address to investigate.
    Done.

    Another useful piece of info: I noticed after my posting yesterday that the wp-content/plugins directory and several of the sub-directories were world-writable. This is no longer the case.
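Post #1 lists three image files (screenshot.png, loader.gif, icon_tar.gif) that were really PHP code, and this post adds that the plugins directory was world-writable, which is what lets a script running as the web server user drop such files. As an added example (not code from the original thread or from the Wordpress Exploit Scanner plugin it mentions), the following Python script walks a WordPress tree and reports two things: directories with the world-writable bit set, and files with an image extension whose magic bytes do not match or whose bytes contain a PHP open tag. The sample tree it builds is constructed in a temporary directory to reproduce the findings from the thread; the file contents are placeholders, not recovered from the incident.

```python
import os
import shutil
import stat
import tempfile

# Expected leading bytes for the image extensions mentioned in the thread.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
PHP_MARKERS = (b"<?php", b"<?=")


def is_fake_image(path):
    """True if an image-named file lacks the right magic bytes or embeds a PHP open tag."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return False
    with open(path, "rb") as fh:
        body = fh.read(1 << 20)  # the first MiB is plenty for a dropped script
    wrong_magic = not any(body.startswith(m) for m in MAGIC[ext])
    return wrong_magic or any(marker in body for marker in PHP_MARKERS)


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def fake_images(root):
    """Sorted relative paths of image-named files that fail is_fake_image()."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_fake_image(full):
                found.append(_rel(full, root))
    return sorted(found)


def world_writable_dirs(root):
    """Sorted relative paths of directories with the other-write bit set."""
    found = []
    for dirpath, _, _ in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            found.append(_rel(dirpath, root))
    return sorted(found)


def build_sample_tree():
    """Construct a throwaway WordPress-like tree reproducing the thread's findings."""
    root = tempfile.mkdtemp(prefix="wp-triage-")  # created mode 0700, so not flagged
    plugins = os.path.join(root, "wp-content", "plugins")
    cf7_images = os.path.join(plugins, "contact-form-7", "images")
    crystal = os.path.join(root, "wp-includes", "images", "crystal")
    smilies = os.path.join(root, "wp-includes", "images", "smilies")
    for d in (cf7_images, crystal, smilies):
        os.makedirs(d)
    os.chmod(plugins, 0o777)  # the world-writable directory post #6 describes

    def write(path, data):
        with open(path, "wb") as fh:
            fh.write(data)

    # A "png" that is PHP from the first byte (constructed placeholder, not the real file).
    write(os.path.join(crystal, "screenshot.png"), b"<?php /* placeholder */ ?>\n")
    # A "gif" with a valid header and PHP appended after it.
    write(os.path.join(cf7_images, "loader.gif"), b"GIF89a" + b"\x00" * 16 + b"<?php /* placeholder */ ?>")
    # A "gif" that is plain text with no header at all.
    write(os.path.join(smilies, "icon_tar.gif"), b"not an image\n")
    # A legitimate-looking smiley that must NOT be flagged.
    write(os.path.join(smilies, "icon_smile.gif"), b"GIF89a" + b"\x01" * 32)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        print("world-writable directories:", world_writable_dirs(root))
        print("image files containing PHP or with bad headers:", fake_images(root))
    finally:
        shutil.rmtree(root)
```

To use it on a live site, call world_writable_dirs() and fake_images() with the WordPress document root instead of the sample tree; the chmod and temporary-directory parts exist only to make the example self-contained.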

  8. #8
    Join Date
    Oct 2006
    Posts
    85
    Quote Originally Posted by XSV:
    2.8.5 is the latest version.

    http://wordpress.org/download/
    Not any longer... looks like there were security problems with it =) 2.8.6 is out.

  9. #9
    Join Date
    May 2006
    Location
    EU & USA
    Posts
    3,684
    There were indeed 2 security fixes: http://wordpress.org/development/200...urity-release/

    As they put it: If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.

  10. #10
    Interesting. Good work roberb7!

  11. #11
    Join Date
    Oct 2006
    Location
    New Westminster, BC
    Posts
    27
    Quote Originally Posted by squirrelhost:
    Looks like the IP is located at dreamhost.
    Send your log file info to their abuse
    mail address to investigate.
    I did. They have not investigated, AFAIK. Instead, I got a response that started with "If the keyword.php file was not part of the actual plugin installation it is likely a backdoor script left behind by the intruder from the original hack against the outdated WordPress installation." The point that 66.33.213.21 is one of their servers wasn't even addressed.

  12. #12
    Join Date
    Nov 2003
    Location
    Marylebone, London, UK
    Posts
    526
    Although it's a bit late (maybe even pointless now) you could
    always block all dreamhost IPs in your firewall. Can't think what
    traffic anyone would want from there anyway.

  13. #13
    Join Date
    Nov 2005
    Location
    God's Own Country!
    Posts
    35
    hmm, nice info

    I've updated my blog to 2.8.6 today; it contains a bugfix for the XSS vulnerability that 2.8.5 had.

    Vinod
