Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#6780 closed defect (bug) (invalid)

WP site got hacked: log files + db dump + worm file

Reported by: Denis-de-Bernardy
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

Not sure exactly how they got in, but they definitely got in... (I've changed the domain name in the attached files to www.domain.com.)

I was nearly done uploading WP 2.5 when I noticed the train wreck, and I cannot recall which version was running exactly; it was last updated a few months ago.

Of interest in hack.log:

  • 78.109.21.80 got in (the worm file had the same date), straight into /wp-admin/options.php
  • 87.118.112.44 tried to get in and failed, but certainly attempted an SQL injection -- which is fixed in WP 2.5, best I know
  • 87.118.116.150 sought to use the worm, and failed since I had deleted it by then

The uploads folder had been changed to something that points to /tmp, where Apache could write.

Of interest in dbdump.sql:

  • the only static page on the site got turned into a post
  • a robot proceeded to attach a file to that post; I'm guessing via xmlrpc
  • notice the _wp_attached_file attached to the third post

I've also attached the worm for reference. It was a txt file, in /tmp. It lets you run arbitrary shell commands, upload files, and evaluate php.

I'm afraid I've no trace of the POST variables that were used to do this dirty work.

Anyway, I'm uploading all of this for reference, and in case the following points need to be investigated:

  • why did the _wp_attached_file, a txt file, get evaluated by php, rather than merely returned? might there be a security issue that is worth looking into here that is related to file uploads? or would this rather be server config-related (the system admin who helped me is quite certain it isn't)?
  • why is it that the file was messing up background images in the post? (this, rather than the fact a page turned into a post, which is a frequent upgrade bug, is what got me looking deeper into this)

Thanks for giving it a look!

D.
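A small triage script for the three symptoms the reporter lists above (a client going straight to /wp-admin/options.php, an upload_path option pointing at /tmp, and a .txt attachment that turned out to contain PHP). This is an added example written from the defender's side; it is not part of the ticket, not taken from the hacked.zip attachment, and not WordPress code. Every log line, dump row and file body below is constructed for the example, and the web root path and the image allow-list are assumptions you would adjust for a real site.

```python
"""Triage checks for a WordPress site showing the symptoms in the ticket.

All sample data in this file is constructed; none of it comes from the
ticket's attachments. Functions return plain Python values so the checks
can be wired into any reporting you already have.
"""
import re

# --- 1. Access log: hits on options.php from clients that never logged in ---
# Combined log format, constructed. 198.51.100.4 logs in first (normal admin);
# 203.0.113.77 posts to options.php with no prior wp-login.php request.
SAMPLE_ACCESS_LOG = """\
198.51.100.4 - - [10/Apr/2008:03:10:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1290
198.51.100.4 - - [10/Apr/2008:03:10:09 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0
203.0.113.77 - - [10/Apr/2008:03:14:22 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0
203.0.113.77 - - [10/Apr/2008:03:15:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
203.0.113.99 - - [11/Apr/2008:09:01:44 +0000] "GET /tmp/update.txt HTTP/1.1" 404 210
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_log(text):
    """Yield (ip, timestamp, method, path, status) per combined-format line; query string dropped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, target, status = m.groups()
            yield ip, ts, method, target.split('?', 1)[0], int(status)


def options_php_without_login(text):
    """Return (ip, timestamp) for /wp-admin/options.php hits from IPs with no earlier wp-login.php request."""
    seen_login = set()
    hits = []
    for ip, ts, method, path, status in parse_log(text):
        if path.endswith('/wp-login.php'):
            seen_login.add(ip)
        elif path.endswith('/wp-admin/options.php') and ip not in seen_login:
            hits.append((ip, ts))
    return hits


# --- 2. Database dump: upload_path and attachment metadata ---
# Constructed mysqldump-style rows for wp_options and wp_postmeta.
SAMPLE_DB_DUMP = """\
INSERT INTO `wp_options` VALUES (1,0,'siteurl','http://www.domain.com','yes');
INSERT INTO `wp_options` VALUES (2,0,'upload_path','/tmp','yes');
INSERT INTO `wp_postmeta` VALUES (9,2,'_wp_attached_file','2008/04/photo.jpg');
INSERT INTO `wp_postmeta` VALUES (10,3,'_wp_attached_file','/tmp/update.txt');
"""

UPLOAD_PATH_RE = re.compile(r"'upload_path','([^']*)'")
ATTACHED_FILE_RE = re.compile(r"'_wp_attached_file','([^']*)'")
# Allow-list is deliberately small for the example; extend it to what the site really serves.
ALLOWED_ATTACHMENT_EXT = {'.jpg', '.jpeg', '.png', '.gif'}


def upload_path_outside_webroot(dump, webroot='/var/www/html'):
    """Return upload_path if it is absolute and not under webroot (assumed path), else None."""
    for m in UPLOAD_PATH_RE.finditer(dump):
        value = m.group(1)
        if value.startswith('/') and not value.startswith(webroot.rstrip('/') + '/'):
            return value
    return None


def suspicious_attachments(dump):
    """Return _wp_attached_file values whose extension is outside the allow-list."""
    flagged = []
    for m in ATTACHED_FILE_RE.finditer(dump):
        value = m.group(1)
        ext = value[value.rfind('.'):].lower() if '.' in value else ''
        if ext not in ALLOWED_ATTACHMENT_EXT:
            flagged.append(value)
    return flagged


# --- 3. Attachment bodies: PHP open tags hiding behind a non-PHP extension ---
# Stand-in for reading the files off disk; contents are constructed.
SAMPLE_FILES = {
    '2008/04/photo.jpg': b'\xff\xd8\xff\xe0JFIF',
    '/tmp/update.txt': b'Changelog\n<?php echo "hello"; ?>\n',
}
PHP_TAG_RE = re.compile(rb'<\?(php\b|=)', re.IGNORECASE)


def files_with_php_tags(files):
    """Return names of non-.php files that contain a PHP open tag.

    Such a file is only executed if the web server hands it to the PHP
    interpreter, which is exactly the server-configuration question the
    reporter raises; finding one is the cue to review handler settings."""
    return [name for name, data in files.items()
            if not name.lower().endswith('.php') and PHP_TAG_RE.search(data)]


def triage(log=SAMPLE_ACCESS_LOG, dump=SAMPLE_DB_DUMP, files=SAMPLE_FILES):
    """Run all three checks and return their findings keyed by check name."""
    return {
        'options_php_without_login': options_php_without_login(log),
        'upload_path_outside_webroot': upload_path_outside_webroot(dump),
        'suspicious_attachments': suspicious_attachments(dump),
        'files_with_php_tags': files_with_php_tags(files),
    }


if __name__ == '__main__':
    for check, result in triage().items():
        print(f'{check}: {result}')
```

On real data, feed `options_php_without_login` the full access log and the dump functions the output of mysqldump, and replace `SAMPLE_FILES` with the attachment paths read from the `_wp_attached_file` rows; the login-before-options.php heuristic will miss an admin whose session predates the log window, so treat it as a prioritisation aid rather than proof.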

Attachments (1)

hacked.zip (10.4 KB) - added by Denis-de-Bernardy 7 years ago.


Change History (2)

@Denis-de-Bernardy 7 years ago

comment:1 @DD32 7 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Chances are, it was an exploit of a known vulnerability in a previous version of WordPress. Given < 2.5 is no longer supported, closing as invalid.

  • the only static page on the site got turned into a post

That rings a bell for a previous vulnerability too, one that was fixed in a later version.
