[wp-trac] [WordPress Trac] #6780: WP site got hacked: log files + db dump + worm file

WordPress Trac wp-trac at lists.automattic.com
Sat Apr 19 14:37:53 GMT 2008


#6780: WP site got hacked: log files + db dump + worm file
-------------------------------+--------------------------------------------
 Reporter:  Denis-de-Bernardy  |       Owner:  anonymous
     Type:  defect             |      Status:  new      
 Priority:  normal             |   Milestone:           
Component:  Security           |     Version:           
 Severity:  normal             |    Keywords:           
-------------------------------+--------------------------------------------
 Not sure exactly how they got in, but they definitely got in... (I've
 changed the domain name in the attached files to www.domain.com.)

 I was nearly done uploading WP 2.5 when I noticed the train wreck, and I
 cannot recall which version was running exactly; it was last updated a few
 months ago.

 Of interest in hack.log:

 - 78.109.21.80 got in (the worm file had the same date), straight into
 /wp-admin/options.php

 - 87.118.112.44 tried to get in and failed, but certainly attempted an SQL
 injection -- which is fixed in WP 2.5, best I know

 - 87.118.116.150 sought to use the worm, and failed since I had deleted it
 by then

 The uploads folder had been changed to something that points to /tmp,
 where Apache could write.

 Of interest in dbdump.sql:

 - the only static page on the site got turned into a post

 - a robot proceeded to attach a file to that post; I'm guessing via xmlrpc

 - notice the _wp_attached_file attached to the third post

 I've also attached the worm for reference. It was a txt file, in /tmp. It
 lets you run arbitrary shell commands, upload files, and evaluate php.

 I'm afraid I've no trace of the POST variables that were used to do this
 dirty work.

 Anyway, I'm uploading all of this for reference, and in case the following
 points need to be investigated:

 - why did the _wp_attached_file, a txt file, get evaluated by PHP, rather
 than merely returned? Might there be a security issue that is worth
 looking into here that is related to file uploads? Or would this rather be
 server config-related (the system admin who helped me is quite certain it
 isn't)?

 - why is it that the file was messing up background images in the post?
 (this, rather than the fact a page turned into a post, which is a frequent
 upgrade bug, is what got me looking deeper into this)

 Thanks for giving it a look!

 D.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/6780>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
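The report lists a handful of things that can be checked after the fact: wp-admin requests from an address that is not the site owner's, an SQL-injection pattern in a query string, a request for a .txt file under uploads, an upload_path option pointing at /tmp, and a _wp_attached_file value that is not ordinary media. The Python below is an added example (not part of the ticket, the attachments, or WordPress itself) that runs those checks over constructed Apache-combined log lines and constructed postmeta rows modelled on the description. The log lines, the "legitimate admin" address 203.0.113.9, the MEDIA_EXTS allowlist, the document root and the regexes are all my own assumptions; only the three attacker addresses and the option/meta key names come from the ticket.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines modelled on the three events in the ticket.
# 203.0.113.9 stands in for the site owner's own address (an assumption).
SAMPLE_LOG = """\
78.109.21.80 - - [10/Apr/2008:03:12:07 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
87.118.112.44 - - [11/Apr/2008:11:40:22 +0000] "GET /?cat=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
87.118.116.150 - - [12/Apr/2008:08:05:41 +0000] "GET /wp-content/uploads/2008/04/worm.txt HTTP/1.1" 404 221 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2008:09:00:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 8900 "-" "Mozilla/5.0"
"""

# Constructed wp_postmeta rows (post_id, meta_key, meta_value); post 3 mirrors the ticket.
SAMPLE_POSTMETA = [
    (1, "_wp_page_template", "default"),
    (2, "_wp_attached_file", "2008/04/photo.jpg"),
    (3, "_wp_attached_file", "worm.txt"),
]

# Apache combined log format; the regex is my own, not from the ticket.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Crude SQL-injection indicators; enough to surface an attempt like the one logged.
SQLI_RE = re.compile(r"(union\s+select|'\s*or\s+\d+\s*=\s*\d+|sleep\(|benchmark\()", re.I)

# Extensions a media upload is normally expected to carry (hypothetical allowlist).
MEDIA_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "zip", "mp3"}


def parse_log_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = path
    rec["query"] = unquote(query)      # decode %20 etc. before pattern matching
    rec["status"] = int(rec["status"])
    return rec


def _extension(name):
    """Lower-cased extension of a path or file name, or '' when it has none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def flag_requests(log_text, admin_ips):
    """Return (ip, reason) pairs for lines matching the patterns the report describes."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        if rec["path"].startswith("/wp-admin/") and rec["ip"] not in admin_ips:
            findings.append((rec["ip"], "wp-admin request from unexpected address"))
        if SQLI_RE.search(rec["query"]):
            findings.append((rec["ip"], "SQL-injection pattern in query string"))
        if rec["path"].startswith("/wp-content/uploads/") and _extension(rec["path"]) not in MEDIA_EXTS:
            findings.append((rec["ip"], "non-media file requested under uploads"))
    return findings


def upload_path_outside_docroot(upload_path, docroot):
    """True when the upload_path option (relative or absolute) escapes the document root."""
    joined = posixpath.normpath(posixpath.join(docroot, upload_path))
    root = posixpath.normpath(docroot)
    return not (joined == root or joined.startswith(root + "/"))


def suspicious_attachments(postmeta_rows):
    """Return (post_id, value, reason) for _wp_attached_file values that are not plain media."""
    out = []
    for post_id, key, value in postmeta_rows:
        if key != "_wp_attached_file":
            continue
        if value.startswith("/") or ".." in value.split("/"):
            out.append((post_id, value, "path escapes the uploads directory"))
        elif _extension(value) not in MEDIA_EXTS:
            out.append((post_id, value, "unexpected extension %r" % _extension(value)))
    return out


if __name__ == "__main__":
    for ip, reason in flag_requests(SAMPLE_LOG, admin_ips={"203.0.113.9"}):
        print(ip, reason)
    print("upload_path /tmp outside docroot:", upload_path_outside_docroot("/tmp", "/var/www/html"))
    for row in suspicious_attachments(SAMPLE_POSTMETA):
        print(row)
```

Run against a real access log and a `SELECT post_id, meta_key, meta_value FROM wp_postmeta` dump, the same three functions give a quick first pass; the upload_path check is the one that would have caught the /tmp redirection the ticket describes, since that option is only ever expected to resolve inside the document root.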

