
WARNING - WordPress Exploits

Discussion in 'Blogging' started by madoctopus, Nov 12, 2012.

  1. madoctopus

    madoctopus Supreme Member

    Joined:
    Apr 4, 2010
    Messages:
    1,252
    Likes Received:
    3,518
    Occupation:
    Full time IM
    I've had my site (www.imfaction.com - DO NOT OPEN IT IN YOUR BROWSER) hacked like a month ago. Didn't have much time to take care of it but now found some. If you want to look at the site (not much to see) I recommend you open it in a sandbox environment or virtual machine just in case there's a browser exploit hooked on the page that might infect you. Doesn't seem to be but I can't be 100% sure.

    Ok, so I had the site hacked about 3-4 times within this month, by 3-4 people. Or maybe just once but he changed the defacement page (less likely). WordPress was at the latest version and I had some plugins which were not up to date, but when I checked their changelogs there are no security related entries so I don't think that's how they got in.

    Also my host seems to have issued several press releases about WP exploits. They were unable to figure out how the exploits work though and what was the attack vector. Thing is, somebody seems to know a way in and the exploit is not public.

    I also have a Piwik install on the same host and though I think it was at the latest version when I got hacked the 1st time, a new version appeared meanwhile. Had no time yet to check Piwik. I don't think that was how they got in though.

    Anyway, what I was able to find so far was a mail form coupled with a random-password session script so the hacker protects it from others. Both files are in /public_html/.

    A PHP shell in the /wp-content/themes/ directory. The shell dir contains a symlink to the root dir. Didn't get to analyze what it does.

    A modified index.php file of the theme I had enabled. This contains the current defaced homepage that is seen publicly.

    The WordPress credentials were changed. I had a non-default admin username but now it is 'admin', he also changed the email address to another one (free email) and the password. Password is 34 characters which means it is not an MD5 hash. Not sure if WP salts the passwords adding extra characters or it's a hack of the guy who hacked me.

    There are 2 more themes in /wp-contents/themes, one of which is the shell; the other I haven't looked into but it was made by one of the hackers. The directories are 'x' and 'shell'. In the WP admin interface 'x' appears as a child theme of the Twenty Ten default WP theme.

    Plugins I have installed and enabled:
    Acronyms 2
    Akismet
    Enable Image Scaling on Upload
    W3 Total Cache
    WP-Piwik
    WP No Category Base

    Plugins installed but NOT enabled:
    Accessibility Abbreviation
    File Inliner
    MailPress
    Newsletter
    Newsletter Sign-Up
    Sendit
    WP No Category Base - WPML compatible
    WP No Tags Base

    Active Theme: Nest

    Inactive Themes:
    Twenty Eleven
    Twenty Ten


    My recommendations:
    1. BACKUP EVERYTHING. Backup now and backup every time you make updates to the site, or setup an automated backup system.

    2. Set restrictive permissions to all files and directories. /wp-content/uploads/ has to be writable, same with the 'cache' directory if you have a caching plugin. The rest should be read-only - both the files and the directories.

    3. Uninstall and completely delete all plugins that you don't have enabled.

    4. Uninstall and completely delete all plugins you don't really need.

    That's all I have so far. Will update when I find something new.
     
    • Thanks Thanks x 5
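An added example (not part of the original post, and not madoctopus's code) that turns two of the findings above into an automated check: it walks a WordPress docroot, reports symlinks that resolve outside it (like the one in the 'shell' theme directory) and group- or world-writable paths outside the directories recommendation 2 allows to be writable. The sample site it builds in a temp directory is constructed here to reproduce the post's layout; the allow-list and the 'nest'/'shell' names are assumptions taken from the post.

```python
import os
import stat
import tempfile

# Directories WordPress legitimately needs to write to, relative to the docroot
# (recommendation 2 above: uploads, plus a caching plugin's cache directory).
WRITABLE_OK = ("wp-content/uploads", "wp-content/cache")

def _allowed_writable(rel):
    return any(rel == d or rel.startswith(d + "/") for d in WRITABLE_OK)

def audit_tree(docroot):
    """Return (kind, relative_path, detail) findings: symlinks that resolve
    outside the docroot, and group/world-writable paths outside WRITABLE_OK."""
    docroot = os.path.realpath(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([target, docroot]) != docroot:
                    findings.append(("symlink-escapes-docroot", rel, target))
                continue  # os.walk does not descend into symlinked dirs
            mode = os.lstat(path).st_mode
            if mode & (stat.S_IWGRP | stat.S_IWOTH) and not _allowed_writable(rel):
                findings.append(("group-or-world-writable", rel, oct(mode & 0o777)))
    return findings

def build_sample_site():
    """Construct a throwaway docroot reproducing the post's findings: an extra
    theme directory 'shell' holding a symlink to /, and a 777 theme index.php."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for d in ("wp-content", "wp-content/uploads", "wp-content/themes",
              "wp-content/themes/nest", "wp-content/themes/shell"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
        os.chmod(os.path.join(root, d), 0o755)
    os.chmod(os.path.join(root, "wp-content/uploads"), 0o775)  # writable, but allowed
    index = os.path.join(root, "wp-content/themes/nest/index.php")
    with open(index, "w") as fh:
        fh.write("<?php // constructed stand-in for the defaced theme index\n")
    os.chmod(index, 0o777)  # should be flagged
    os.symlink("/", os.path.join(root, "wp-content/themes/shell/root"))  # should be flagged
    return root

if __name__ == "__main__":
    for finding in audit_tree(build_sample_site()):
        print(*finding)
```

Point `audit_tree()` at a real docroot and treat every symlink finding as a compromise indicator, since WordPress itself never creates one.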
  2. thetechnofreak

    thetechnofreak Registered Member

    Joined:
    Jun 30, 2011
    Messages:
    87
    Likes Received:
    38
    Occupation:
    dev
    the plugins you installed...were they all from wordpress.org, and did they all have enough downloads (maybe >10000)?
    I think that plugins with more than 10k downs can't be scam...so correct me if this is not the case
     
  3. qrazy

    qrazy Senior Member

    Joined:
    Mar 19, 2012
    Messages:
    1,115
    Likes Received:
    1,725
    Location:
    Banana Republic
    First thing people do is open the link, so better remove it from your post....................
     
    • Thanks Thanks x 2
  4. gerryboy

    gerryboy Junior Member

    Joined:
    Sep 30, 2009
    Messages:
    115
    Likes Received:
    22
    I'll have my enemies visit your site :), btw, WP plugins have many exploits. I had many WP sites intruded with conditional redirect viruses. It infects all sites on a host server. Crazy stuff but fixable. You can fix this.
     
  5. Qokaine

    Qokaine Regular Member

    Joined:
    Mar 8, 2009
    Messages:
    367
    Likes Received:
    122
  6. subster

    subster Elite Member

    Joined:
    Apr 5, 2008
    Messages:
    1,882
    Likes Received:
    1,454
    Location:
    Krauthausen
    Use this nice script to find base64 decoded evals on your server:

    Code:
    <html><head><title>Find String</title></head><body>
    <?php
    // Uncomment if the scan times out on a large tree:
    // ini_set('max_execution_time', '0');
    // set_time_limit(0);
    find_files('.');

    // Walk every directory under $seed and hand each PHP/txt/JS/.htaccess file to check_files().
    function find_files($seed) {
      if (!is_dir($seed)) return false;
      $dirs = array($seed);
      while (NULL !== ($dir = array_pop($dirs))) {
        if ($dh = opendir($dir)) {
          while (false !== ($file = readdir($dh))) {
            if ($file == '.' || $file == '..') continue;
            $path = $dir . '/' . $file;
            if (is_dir($path)) {
              $dirs[] = $path;
            } elseif (preg_match('/^.*\.(php[\d]?|txt|js|htaccess)$/i', $path)) {
              check_files($path);
            }
          }
          closedir($dh);
        }
      }
      return true;
    }

    // Report every file that contains one of the strings commonly used to hide injected code.
    function check_files($this_file) {
      $str_to_find = array(
        'base64_decode',
        'edoced_46esab',   // base64_decode reversed (strrev() trick)
        'preg_replace',    // the /e modifier runs the replacement as PHP
        'HTTP_REFERER',    // injected code often hides itself from direct visits
        'HTTP_USER_AGENT', // ... and shows different content to search engine bots
      );
      $content = file_get_contents($this_file);
      if ($content === false) {
        echo "<p>Could not check " . htmlspecialchars($this_file) . " You should check the contents manually!</p>\n";
        return;
      }
      // each() was removed in PHP 8, so iterate with foreach instead
      foreach ($str_to_find as $value) {
        if (stripos($content, $value) !== false) {
          echo "<p>" . htmlspecialchars($this_file) . " -> contains $value</p>\n";
        }
      }
    }
    ?>
    </body></html>
    One of the most used methods to cloak malicious code in your wordpress files.
     
    • Thanks Thanks x 4
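An added example (not subster's script and not from the original thread) that goes one step further than a string match: it tightens the markers above into regexes to cut false positives, and when it sees a literal passed straight to base64_decode() it decodes it and checks whether the result is PHP (eval, superglobals, a header() redirect keyed on the User-Agent). The sample footer it scans is constructed here; the injected line imitates the cloaked conditional redirects the thread describes.

```python
import base64
import re

# Markers from the thread's PHP scanner, tightened to cut false positives,
# plus the execution sinks the cloaked strings are usually fed into.
SUSPICIOUS = {
    "base64_decode": re.compile(r"base64_decode\s*\("),
    "reversed base64_decode (strrev trick)": re.compile(r"edoced_46esab"),
    "eval()": re.compile(r"\beval\s*\("),
    "gzinflate()/str_rot13()": re.compile(r"\b(?:gzinflate|str_rot13)\s*\("),
    "preg_replace with /e modifier": re.compile(
        r"preg_replace\s*\(\s*['\"](\W).*?\1[A-Za-z]*e[A-Za-z]*['\"]"),
    "cloaking on User-Agent/Referer": re.compile(r"HTTP_(?:USER_AGENT|REFERER)"),
}
# A base64 literal passed straight to base64_decode()
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
# Strings that mark the decoded text as executable PHP rather than data
PAYLOAD_HINTS = ("eval(", "$_POST", "$_GET", "$_REQUEST", "header(", "HTTP_USER_AGENT")

def decode_payload(literal):
    """Decode a base64 literal, tolerating embedded whitespace and missing padding."""
    raw = re.sub(r"\s+", "", literal)
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""

def scan_source(src):
    """Return (line_number, reason) findings for one PHP file's contents."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for reason, pat in SUSPICIOUS.items():
            if pat.search(line):
                findings.append((lineno, reason))
        for m in B64_CALL.finditer(line):
            hits = [h for h in PAYLOAD_HINTS if h in decode_payload(m.group(1))]
            if hits:
                findings.append((lineno, "base64 literal decodes to PHP using " + ", ".join(hits)))
    return findings

# Constructed fixture: a theme footer with a cloaked redirect injected on line 3.
# The payload is built here for the demo, not taken from a real infected site.
_PAYLOAD = b"if(strpos($_SERVER['HTTP_USER_AGENT'],'Googlebot')!==false){header('Location: http://example.invalid/');}"
SAMPLE_FOOTER = ("<?php wp_footer(); ?>\n</body>\n"
                 "<?php eval(base64_decode('" + base64.b64encode(_PAYLOAD).decode() + "')); ?>\n"
                 "</html>\n")

if __name__ == "__main__":
    for lineno, reason in scan_source(SAMPLE_FOOTER):
        print("line %d: %s" % (lineno, reason))
```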
  7. thatotherguy

    thatotherguy Power Member

    Joined:
    Mar 4, 2012
    Messages:
    555
    Likes Received:
    249
    my blogs keep getting hacked also I keep changing security. Some themes I found out have bug issues.
     
  8. madoctopus

    madoctopus Supreme Member

    Joined:
    Apr 4, 2010
    Messages:
    1,252
    Likes Received:
    3,518
    Occupation:
    Full time IM
    Yes all plugins were from WordPress and popular. I don't think it is a plugin exploit but a WordPress one that hasn't been discovered yet. I say that because my host issued several press releases about many WP installs getting hacked using an unknown method. That's why I posted here so you guys prepare yourself in case it happens to you.

    The stuff in my WP is not base64 encoded or encoded in any way. They found a way to do a remote file inclusion or file upload because they uploaded a shell. This is not a simple SQL injection or a plugin with a backdoor.
     
  9. michael8t6

    michael8t6 Regular Member

    Joined:
    Apr 28, 2012
    Messages:
    285
    Likes Received:
    229
    Location:
    somewhere on this god forsaken planet
    Not hating on you bro, but he clearly stated to open it sandboxed ;) I've seen madoctopus in quite a few threads and he is always helping people, so I think he does kinda have a right to give advice ;) But you're right in a way, he should have at least given a link to a sandbox :)

    For anyone that doesn't know where to get a sandbox from here is a link to the most popular one, don't worry it's free ;)

    http://www.sandboxie.com/index.php?DownloadSandboxie
     
    • Thanks Thanks x 3
  10. SEORasta

    SEORasta Senior Member

    Joined:
    Sep 22, 2010
    Messages:
    1,001
    Likes Received:
    230
    Occupation:
    What Ever Makes Money..LEGALLY
    Location:
    Right Here!
    I am in the same boat. They put all kinds of shit in my footer. I take it out, it comes back 5 days later. I did all the recommendations as stated before. This is why I'm redoing my site with a new template for the new year. This hack shit is out of control. How the hell do they do it if you play by the rules and try and protect yourself?????
     
  11. jejakanoname

    jejakanoname Junior Member

    Joined:
    Aug 30, 2010
    Messages:
    128
    Likes Received:
    27
    Home Page:
    just use the wordpress firewall plugin, it blocks all exploit action scripts
     
  12. MatthewWoodward

    MatthewWoodward Senior Member

    Joined:
    Aug 31, 2012
    Messages:
    992
    Likes Received:
    1,694
    Occupation:
    SEO
    Location:
    UK
    Home Page:
    Yes I advocate the use of Wordpress Firewall 2

    Even if there is a dodgy plugin being used to exploit the site that prevents it in most cases - it even stops me editing things!

    Some hack/exploits of wordpress come from dodgy plugins or themes that contain the malicious code directly so it's always a good place to start.
     
  13. SEOWhizz

    SEOWhizz Power Member

    Joined:
    Oct 22, 2011
    Messages:
    608
    Likes Received:
    433
    Location:
    Lat: 38N 43' 11.298" Long: 27W 12' 7.733"
    As well as not using the default WP install, for security you can protect against hacking with something like this:
    http://wordpress.org/extend/plugins/bulletproof-security/

    Also, a good idea to have some kind of file monitoring system, so if the hacker changes files you will be alerted:
    http://wordpress.org/extend/plugins/websitedefender-wordpress-security/
    http://wordpress.org/extend/plugins/wordpress-file-monitor-plus/
    http://wordpress.org/extend/plugins/wordfence/

    [If it's a new hack, then not sure about Wordpress Firewall 2 as this one doesn't seem to have been updated for 2 years: http://wordpress.org/extend/plugins/wordpress-firewall-2/ (maybe there's a newer version, but I've not seen it)].
     
  14. Pekton

    Pekton Regular Member

    Joined:
    Nov 28, 2009
    Messages:
    250
    Likes Received:
    104
    Location:
    upstate ny
    Just had this pop up with one of my plugins: http://seclists.org/fulldisclosure/2012/Nov/51
    XSS vulnerability in swfupload in WordPress

    Seems it's been fixed in WordPress core but some plugins are using old versions. Found out as they just updated Ultimate TinyMCE for this reason. Maybe some of your plugins are using it?
     
    • Thanks Thanks x 1
  15. SonicSam

    SonicSam Registered Member

    Joined:
    Aug 21, 2012
    Messages:
    57
    Likes Received:
    5
    Location:
    X
    Going to this hacked website, unless it does some funky ActiveX stuff for IE (which I assume IE is smart now, haven't used in years), what exactly do you have to look out for? Javascript hacks? I doubt anything this website can do can affect the end user (short of prompting a file download and end user being dumb and opening it)...
     
  16. rutix

    rutix Junior Member

    Joined:
    Sep 6, 2012
    Messages:
    102
    Likes Received:
    12
    did you ask the other website owners on the same host for the same issues? Maybe the whole server is exploited...
     
  17. BlueZero

    BlueZero Power Member

    Joined:
    Jul 6, 2011
    Messages:
    506
    Likes Received:
    261
    Occupation:
    Webdeveloper, Project Manager
    Location:
    Byte in the Net
    Home Page:
    It's because WordPress allows the use of the eval function.
    The only solution for that is installing PHP Suhosin on the server and disabling the eval function with that.
     
  18. rodvan

    rodvan Jr. VIP Jr. VIP

    Joined:
    Jul 27, 2010
    Messages:
    1,313
    Likes Received:
    495
    Occupation:
    developer, marketing, automation, machine learning
    Location:
    Wizard of Bots
    Home Page:
    Stop using nulled scripts. Get legit. Watch out for freebies.
     
  19. AnotherOne

    AnotherOne Senior Member

    Joined:
    Nov 28, 2011
    Messages:
    950
    Likes Received:
    189
    Occupation:
    SQA
    Location:
    JMeter & Selenium
    WordPress Firewall 2 was updated two years ago and WordPress shows a warning message whenever you visit that plugin.
    Exploit Scanner with Wordfence is the best bet IMO.


     
  20. WPRipper

    WPRipper Supreme Member

    Joined:
    Mar 24, 2010
    Messages:
    1,402
    Likes Received:
    1,526
    Location:
    Proudly romanian
    I have my websites secured with Better WP Security. No issues at all. I think most of the problems are coming from themes not only from plugins. So be careful from where u dl.