It happened - this site was hacked... partly.

Published on: Mon, 15 Feb 2016, last changed on: Mon, 15 Feb 2016

Category: Computer

Tags:


You might have noticed that this site was down for some days due to some hacking. This is a bit embarrassing, actually. I have to admit that I did not really see this coming.

The system was not affected, but the WordPress installation here was. It was very strange... I keep the WordPress installation up to date and always install the latest releases. WordPress itself does not have write access to any of the installation directories except the upload dir.

And there were the first files that should not be there...

./2014/09/odbc_cursor.php
./2014/09/Morphium-Documentation-13964d.php 
./2014/09/odbc_cursor1525.php 
./2014/09/MorphiumDoku-147b.php 
./2014/09/odbc_cursor432.php 
./2013/02/mt_srand46419c.php 
./2013/02/mt_srand464.php 
./2013/02/mt_srand.php

These were in the upload dir of WordPress, where actually no PHP is allowed! They should not be there at all! The content of those files looks very similar: obfuscated PHP code, wrapped in some eval call... easy to detect as malware... But that is not all... there was more.

Judging from the timestamps, it seems like the first infection came via si-captcha-for-wordpress. Isn't that ironic! A captcha that should actually increase security is now, it seems, the reason for being hacked.

This plugin contained several additional files with names like Readmy384.php. These again contained that obfuscated PHP crap.

I did not investigate further; I disabled user registration for now (you can still comment though), did a clean re-install of WordPress, checked the database for malicious code and removed the affected plugins...

It does not seem that there was any unauthorized access to the database, and it also does not seem that there was any access to the system itself. All seems secure so far. I really hope I fixed everything. If you have any suggestions regarding this, don't hesitate to contact me. Thanks in advance.

I also created some monitoring for WordPress. Normally there should never be any write access to the installation directory, only to uploads maybe, but nothing else. If any write access or change happens, I will be informed. This should prevent those things from happening again unseen.

I did some hardening on the WordPress installation. It seems like I had played a bit with the permissions in order to get some things updated more easily. Now, as before, no plugin (or the httpd) is allowed to write into the WordPress installation directory... this should help, hopefully...
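The three rules above (no PHP in uploads, no unnoticed writes to the install directory, no write permission for the httpd user) can be checked with a small script. This is an added example, not the monitoring from the post; it assumes the standard WordPress layout (uploads under wp-content/uploads), a Linux host with coreutils sha256sum, and a baseline file stored outside the web root.

```sh
#!/bin/sh
# Added example (not code from the original post): a minimal write-monitor for
# a WordPress tree. Assumes the standard layout WP_ROOT/wp-content/uploads and
# GNU coreutils (sha256sum). Three checks: PHP files hiding in uploads, files in
# the install dir that changed since a baseline, and group/world-writable files.

# 1. Uploads must hold media only; any PHP-like file there is a red flag.
find_php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) | sort
}

# 2a. Record a hash of every file under the install dir, excluding uploads.
#     Store the baseline OUTSIDE the tree, otherwise it alters what it measures.
make_baseline() {
    root="$1"; out="$2"
    (cd "$root" && find . -path ./wp-content/uploads -prune -o -type f \
        -exec sha256sum {} + | sort) > "$out"
}

# 2b. Compare the tree against the baseline. Prints every differing entry and
#     returns 1, so a cron job only produces (mailed) output when something changed.
check_baseline() {
    root="$1"; base="$2"; now=$(mktemp)
    make_baseline "$root" "$now"
    changes=$(diff "$base" "$now" | grep '^[<>]' | sed 's/^< /baseline: /; s/^> /now:      /')
    rm -f "$now"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# 3. Neither the httpd user nor anyone else should be able to write to the
#    install dir; list files outside uploads that are group- or world-writable.
list_loose_perms() {
    find "$1" -path "$1/wp-content/uploads" -prune -o -type f \
        \( -perm -020 -o -perm -002 \) -print | sort
}

# Typical use (assumed paths): take the baseline once after the clean re-install,
# then run the checks from cron; cron mails whatever they print.
#   make_baseline  /var/www/wordpress /var/lib/wp-baseline.sha256
#   check_baseline /var/www/wordpress /var/lib/wp-baseline.sha256
#   find_php_in_uploads /var/www/wordpress/wp-content/uploads
#   list_loose_perms    /var/www/wordpress
```

Re-take the baseline deliberately after every legitimate core or plugin update, otherwise the next run reports the update as a change.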

It also does not seem like any malicious code was served through the webserver, and it was not used as a spam relay either. My machine was only used for brute-force attacks on other machines... well, "only" is relative.

I think this is the worst thing about the modern internet - everything is being misused if possible. There is a war going on, not only between countries, but actually between everyone and everybody - most users are just not aware of this.

See also: removing malware from WordPress - an interesting read...

Created by Stephan Bösebeck (stephan)