Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#44554 closed defect (bug) (invalid)

Multiple sites hacked

Reported by: tkalfaoglu
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.9.7
Component: General
Keywords:
Focuses:
Cc:

Description

Our server's many WordPress installations are getting hacked.
All of them run the latest version; many of them were freshly updated.
The hacker's IP is 178.137.85.118, and here is a log that shows what he did on our server:

178.137.85.118 - - [09/Jul/2018:21:41:19 +0300] "GET /wp-login.php HTTP/1.0" 200 4080 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:20 +0300] "GET /wp-login.php HTTP/1.0" 200 4080 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"

178.137.85.118 - - [09/Jul/2018:21:41:22 +0300] "POST /wp-login.php HTTP/1.0" 302 1074 "http://mythos.com.tr/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:26 +0300] "GET /wp-admin/ HTTP/1.0" 200 171112 "http://mythos.com.tr/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:35 +0300] "GET /wp-admin/theme-editor.php HTTP/1.0" 200 197957 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:37 +0300] "GET /wp-admin/theme-editor.php?file=404.php&theme=cuisine HTTP/1.0" 200 174019 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:39 +0300] "GET /wp-admin/theme-install.php?upload HTTP/1.0" 200 152843 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:41 +0300] "POST /wp-admin/update.php?action=upload-theme HTTP/1.0" 500 3185 "http://mythos.com.tr/wp-admin/theme-install.php?upload" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:43 +0300] "GET /wp-content/themes/all1/db.php HTTP/1.0" 302 450 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:44 +0300] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200 142307 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:45 +0300] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 500 3185 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:47 +0300] "GET /wp-content/plugins/stop-referrer-spam/db.php HTTP/1.0" 302 450 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
178.137.85.118 - - [09/Jul/2018:21:41:48 +0300] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 500 3185 "http://mythos.com.tr/wp-admin/theme-install.php?tab=upload" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"

etc. Let me know if you need more lines.
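The excerpt above is a plain Apache "combined" access log, and the sequence it shows (a POST to wp-login.php answered with a 302, then the theme editor, the theme/plugin uploaders and direct hits on freshly placed .php files under wp-content) is something a log-review script can pick out automatically. The following is an added example written for this page, not code from the ticket or from WordPress itself; the sample log lines are constructed (TEST-NET addresses, example.com as referer) and only mimic the format of the reporter's excerpt, and the list of file-writing admin endpoints is the editor's own choice.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log format, the same layout as the ticket's excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Admin endpoints that write PHP to disk once a user is logged in
# (assumed list for this example: theme/plugin editors and uploaders).
FILE_WRITE_PREFIXES = (
    "/wp-admin/theme-editor.php",
    "/wp-admin/plugin-editor.php",
    "/wp-admin/update.php?action=upload-theme",
    "/wp-admin/update.php?action=upload-plugin",
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_direct_php_under_wp_content(path):
    """Browsers normally never request a .php file inside wp-content directly;
    the ticket shows such hits right after each upload attempt."""
    bare = path.split("?", 1)[0]
    return bare.startswith("/wp-content/") and bare.endswith(".php")


def find_post_login_file_writes(lines, window_seconds=600):
    """Group requests by client IP and report, per IP, the file-writing admin
    requests made within window_seconds of a successful login
    (POST /wp-login.php answered with a 302 redirect)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        login_at = None
        hits = []
        for r in recs:
            is_login_post = (r["method"] == "POST"
                             and r["path"].split("?", 1)[0] == "/wp-login.php")
            if is_login_post and r["status"] == 302:
                login_at = r["ts"]
                continue
            if login_at is None or (r["ts"] - login_at).total_seconds() > window_seconds:
                continue
            if r["path"].startswith(FILE_WRITE_PREFIXES):
                hits.append({"kind": "admin_file_write", "method": r["method"],
                             "path": r["path"], "status": r["status"]})
            elif is_direct_php_under_wp_content(r["path"]):
                hits.append({"kind": "direct_php_in_wp_content", "method": r["method"],
                             "path": r["path"], "status": r["status"]})
        if hits:
            findings[ip] = hits
    return findings


# Constructed sample modelled on the ticket's excerpt: one client that logs in and
# then edits/uploads files, and one that logs in and only views the post list.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jul/2018:21:41:19 +0300] "GET /wp-login.php HTTP/1.0" 200 4080 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jul/2018:21:41:22 +0300] "POST /wp-login.php HTTP/1.0" 302 1074 "http://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.5 - - [09/Jul/2018:21:41:26 +0300] "GET /wp-admin/ HTTP/1.0" 200 171112 "http://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.5 - - [09/Jul/2018:21:41:37 +0300] "GET /wp-admin/theme-editor.php?file=404.php&theme=cuisine HTTP/1.0" 200 174019 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jul/2018:21:41:45 +0300] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 500 3185 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jul/2018:21:41:47 +0300] "GET /wp-content/plugins/example-plugin/db.php HTTP/1.0" 302 450 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jul/2018:21:50:01 +0300] "POST /wp-login.php HTTP/1.0" 302 1074 "http://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [09/Jul/2018:21:50:05 +0300] "GET /wp-admin/edit.php HTTP/1.0" 200 90000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, hits in find_post_login_file_writes(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(hits)} file-writing request(s) after login")
        for h in hits:
            print(f"  {h['kind']:26} {h['method']} {h['path']} -> {h['status']}")
```

Run against a real access log with `find_post_login_file_writes(open("access.log").readlines())`. Only the first client is reported; the second logged in and used a read-only admin page, so a successful login on its own is not a finding. A burst of `POST /wp-login.php` answered with 200 (the form re-rendered) from the same address shortly before the 302 would indicate password guessing, which the ticket's excerpt does not show, so the script does not claim it either.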

Change History (2)

#1 @tkalfaoglu
6 years ago

The common things that this hacker does:

  • Changes admin username from admin to AnonymousFox
  • in the root folder, creates a file called w_0.php
  • removes index.php
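The three indicators in the comment above (the renamed administrator, the dropped file in the site root, the removed index.php) are easy to sweep for across many installations on one server. The following is an added example for this page, not code from the ticket or from the WordPress project; it goes slightly beyond the reporter's list by also flagging any top-level .php file that is not part of a stock WordPress root. The stock-file list is the editor's, the sample document root is constructed in a temporary directory, and the user records are assumed to come from WP-CLI's `wp user list --format=json --fields=user_login,roles` (constructed here inline).

```python
import json
import os
import tempfile

# Indicators from the reporter's comment.
SUSPECT_LOGINS = {"AnonymousFox"}
DROPPED_FILES = {"w_0.php"}
REQUIRED_CORE_FILES = {"index.php", "wp-login.php", "wp-settings.php"}

# Top-level files of a stock WordPress install (editor's list for this example).
STOCK_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}


def check_docroot(root):
    """Return a list of (indicator, filename) tuples for one WordPress document root."""
    findings = []
    present = set(os.listdir(root))
    for name in sorted(DROPPED_FILES & present):
        findings.append(("dropped_file", name))
    for name in sorted(REQUIRED_CORE_FILES - present):
        findings.append(("missing_core_file", name))
    # Any other top-level .php file that a stock install does not ship is worth a look.
    for name in sorted(present - STOCK_ROOT_PHP - DROPPED_FILES):
        if name.endswith(".php") and os.path.isfile(os.path.join(root, name)):
            findings.append(("unexpected_php", name))
    return findings


def check_users(users, expected_admins):
    """users: list of dicts with user_login and roles (as WP-CLI's JSON output gives them;
    roles may be a comma-separated string or a list). Flags the renamed login the
    reporter describes and any administrator not in expected_admins."""
    findings = []
    for u in users:
        roles = u.get("roles", "")
        if isinstance(roles, str):
            roles = [r.strip() for r in roles.split(",") if r.strip()]
        if u["user_login"] in SUSPECT_LOGINS:
            findings.append(("suspect_login", u["user_login"]))
        elif "administrator" in roles and u["user_login"] not in expected_admins:
            findings.append(("unexpected_administrator", u["user_login"]))
    return findings


def build_sample_docroot():
    """Constructed sample: a root that looks like the compromise the reporter describes
    (w_0.php present, index.php gone). Placeholder contents only."""
    root = tempfile.mkdtemp(prefix="wp-ioc-")
    for name in ("wp-login.php", "wp-settings.php", "wp-config.php", "w_0.php"):
        with open(os.path.join(root, name), "w") as f:
            f.write("<?php // constructed placeholder\n")
    for d in ("wp-admin", "wp-content", "wp-includes"):
        os.mkdir(os.path.join(root, d))
    return root


# Constructed sample of what `wp user list --format=json --fields=user_login,roles` returns.
SAMPLE_USERS_JSON = json.dumps([
    {"user_login": "AnonymousFox", "roles": "administrator"},
    {"user_login": "editor1", "roles": "editor"},
    {"user_login": "admin", "roles": "administrator"},
    {"user_login": "backup_ops", "roles": "administrator"},
])


def run_demo():
    """Build the sample root and run both checks; returns (docroot_findings, user_findings)."""
    root = build_sample_docroot()
    return (check_docroot(root),
            check_users(json.loads(SAMPLE_USERS_JSON), expected_admins={"admin"}))


if __name__ == "__main__":
    docroot_findings, user_findings = run_demo()
    for kind, detail in docroot_findings + user_findings:
        print(f"{kind:24} {detail}")
```

On a shared host, loop `check_docroot` over every site's document root and feed each site's WP-CLI user listing to `check_users` with that site's known administrator logins. A hit on any indicator means the site should be treated as compromised and restored from a clean backup rather than patched in place, which is also what the support links in the next comment lead to.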

#2 @swissspidy
6 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hi there, and welcome to WordPress Trac!

This place is for fixing bugs in WordPress itself. Unfortunately we can't help you with your hacked site here.

For this we have https://wordpress.org/support/ and also https://codex.wordpress.org/FAQ_My_site_was_hacked to help you get started with cleaning up your site and getting back to normal.

When looking at your log excerpt, it reads as if someone logged in regularly via wp-login.php and then edited some files and uploaded plugins.

Note: if you do think you have found a security vulnerability in WordPress core, please report it on HackerOne: http://hackerone.com/wordpress
