WP site got hacked: log files + db dump + worm file
Reported by: Denis-de-Bernardy. Owned by: anonymous.
Not sure exactly how they got in, but they definitely got in... (I've changed the domain name in the attached files to www.domain.com.)
I was nearly done uploading WP 2.5 when I noticed the train wreck, and I cannot recall which version was running exactly; it was last updated a few months ago.
Of interest in hack.log:
- 184.108.40.206 got in (the worm file had the same date), straight into /wp-admin/options.php
- 220.127.116.11 tried to get in and failed, but certainly attempted an SQL injection -- which is fixed in WP 2.5, best I know
- 18.104.22.168 sought to use the worm, and failed since I had deleted it by then
The uploads folder had been changed to something that points to /tmp, where Apache could write.
Of interest in dbdump.sql:
- the only static page on the site got turned into a post
- a robot proceeded to attach a file to that post; I'm guessing via xmlrpc
- notice the _wp_attached_file attached to the third post
I've also attached the worm for reference. It was a txt file, in /tmp. It lets you run arbitrary shell commands, upload files, and evaluate PHP.
I'm afraid I've no trace of the POST variables that were used to do this dirty work.
Anyway, I'm uploading all of this for reference, and in case the following points need to be investigated:
- Why did the _wp_attached_file, a txt file, get evaluated by PHP, rather than merely returned? Might there be a security issue worth looking into here that is related to file uploads? Or would this rather be server config-related (the system admin who helped me is quite certain it isn't)?
- Why is it that the file was messing up background images in the post? (This, rather than the fact a page turned into a post, which is a frequent upgrade bug, is what got me looking deeper into this.)
Thanks for giving it a look!
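The indicators the report lists (an upload_path pointing at /tmp, a direct POST to /wp-admin/options.php, an attachment pushed in over xmlrpc, and requests for the planted txt file) can be checked mechanically against a wp_options dump and an Apache access log. The script below is an added example, not code from the ticket or from WordPress; the option values, the _wp_attached_file value, the log lines, the web root /var/www/html and the allowed-extension policy are all constructed for the example, not taken from the attached hack.log or dbdump.sql.

```python
"""Added audit helpers for the indicators this ticket describes: an
upload_path outside the web root (here /tmp), direct POSTs to
wp-admin/options.php, attachment uploads through xmlrpc.php, and requests
for the planted .txt attachment. All sample data is constructed."""
import os
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlparse

# Apache combined log format (assumed); only the fields used here are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed wp_options values and one _wp_attached_file postmeta value,
# shaped like the tampered settings the ticket reports.
SAMPLE_OPTIONS = {
    "siteurl": "http://www.domain.com",
    "upload_path": "/tmp",
    "upload_url_path": "http://www.domain.com/files",
}
SAMPLE_ATTACHED_FILES = ["2008/04/worm.txt"]
WEB_ROOT = "/var/www/html"  # assumed document root

# Constructed access-log lines, not the ticket's hack.log.
SAMPLE_LOG = """\
198.51.100.10 - - [01/Apr/2008:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.23 - - [01/Apr/2008:10:01:02 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0
198.51.100.23 - - [01/Apr/2008:10:01:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
198.51.100.77 - - [01/Apr/2008:10:05:00 +0000] "GET /files/2008/04/worm.txt HTTP/1.1" 404 221
"""

# Extension policy chosen for this example; adjust to what the site really serves.
ALLOWED_ATTACHMENT_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def audit_upload_path(options: Dict[str, str], web_root: str) -> List[str]:
    """Flag an upload_path that leaves the document root or lands in /tmp."""
    findings: List[str] = []
    path = options.get("upload_path", "")
    if not path:
        return findings  # empty means the default wp-content/uploads under the web root
    norm = os.path.normpath(path)
    root = os.path.normpath(web_root)
    if os.path.isabs(norm) and not norm.startswith(root + os.sep):
        findings.append(f"upload_path {norm!r} is outside web root {root!r}")
    if norm == "/tmp" or norm.startswith("/tmp" + os.sep):
        findings.append(f"upload_path {norm!r} is a world-writable temp directory")
    return findings


def audit_attached_files(attached: Iterable[str]) -> List[str]:
    """Flag _wp_attached_file values whose extension is not plain media."""
    return [
        f"attachment {name!r} has non-media extension"
        for name in attached
        if os.path.splitext(name)[1].lower() not in ALLOWED_ATTACHMENT_EXT
    ]


def attachment_url_paths(options: Dict[str, str], attached: Iterable[str]) -> List[str]:
    """URL paths at which the attached files would be served, per upload_url_path."""
    base = urlparse(options.get("upload_url_path", "")).path.rstrip("/")
    return [f"{base}/{name}" for name in attached]


def parse_access_log(text: str) -> List[Dict[str, str]]:
    """Parse combined-format lines; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def flag_requests(entries: Iterable[Dict[str, str]],
                  attachment_paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (ip, reason) pairs for the request patterns the ticket names."""
    watched = set(attachment_paths)
    findings: List[Tuple[str, str]] = []
    for e in entries:
        path = e["path"].split("?", 1)[0]
        if e["method"] == "POST" and path.endswith("/wp-admin/options.php"):
            findings.append((e["ip"], "direct POST to wp-admin/options.php"))
        elif e["method"] == "POST" and path.endswith("/xmlrpc.php"):
            findings.append((e["ip"], "POST to xmlrpc.php (possible attachment upload)"))
        elif path in watched:
            findings.append((e["ip"], f"request for planted attachment {path}"))
    return findings


if __name__ == "__main__":
    for f in audit_upload_path(SAMPLE_OPTIONS, WEB_ROOT) + audit_attached_files(SAMPLE_ATTACHED_FILES):
        print("OPTION:", f)
    paths = attachment_url_paths(SAMPLE_OPTIONS, SAMPLE_ATTACHED_FILES)
    for ip, reason in flag_requests(parse_access_log(SAMPLE_LOG), paths):
        print("LOG:", ip, reason)
```

Run against a real dump, `audit_upload_path` is the quickest tell: an absolute upload_path outside the document root (or anywhere under /tmp) means the "uploads" directory is no longer the one the web server was configured for, and `attachment_url_paths` turns the _wp_attached_file values into the URL paths to grep the access log for. Correlating the options.php POST and the xmlrpc.php POST by source address, as the loop in `flag_requests` does, is what lets the change of upload_path and the attachment that followed it be tied to one session.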