WordPress hack post-mortem

Yesterday morning we had a client who’s got a site on a virtual server email to say:

Hi Oban –

I just had a business colleague say that he went to my site, got a malware warning, and his entire hard drive was wiped out instantly.
Hard drive instantly wiped out instantly?!?  Pa-leeease!
Nonetheless, this is a WordPress site so Dave looked through the code and didn’t see anything immediately out of line.  We both visited the customer’s site and neither of our hard drives were instantly wiped out (we are craaazy risk takers!)   I also looked at what Google’s Safe Browsing site currently thought of our network – which was that everyone was clean a whistle.
Dave emailed the client to say that this sounded like a false alarm but to keep us posted.   I decided to run the site through Sucuri.net’s free site scan and bingo! a javascript exploit was found.
Dave then went to work with the leads that he gained from the Sucuri scan (good service that!) and found that a bad guy from Russia had broken into the site using an easy-to-guess password and installed the malware and backdoor by uploading a custom WordPress theme.  From the log files:

37.9.61.64 – – [13/May/2012:02:31:52 -0600] “POST /wp-login.php HTTP/1.1” 302 – “http://www.customersite.com/wp-login.php” “Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)”
37.9.61.64 – – [13/May/2012:02:31:53 -0600] “GET /wp-admin/ HTTP/1.1” 200 58813 “http://www.customersite.com/wp-login.php” “Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)”
37.9.61.64 – – [13/May/2012:02:31:55 -0600] “GET /wp-admin/theme-install.php?tab=upload HTTP/1.1” 200 23486 “http://www.customersite.com/wp-login.php” “Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)”
37.9.61.64 – – [13/May/2012:02:31:56 -0600] “POST /wp-admin/update.php?action=upload-theme HTTP/1.1” 200 21931 “http://www.customersite.com/wp-admin/theme-install.php?tab=upload” “Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)”


They were then able to come and go via their backdoor as well as inject malware into users browser when a vulnerable browser came along – presumably Internet Explorer.
You can see a discussion of this javascript malware discussion here.
Dave cleaned the theme and site and the WordPress users all changed their passwords.  No more instant hard drive wipe-outs!
Good times!
~ Oban

 

Leave a Reply

Your email address will not be published. Required fields are marked *