Wordpress hacked through vulnerability in Wysija (Mail Poet)


Published on - Listed in Internet Hacks PHP


A few days ago I came across a hacked website that was sending out thousands of spam mails. As I always (or at least mostly) do, I tried to find the entry point of the hack. I do this a lot, and usually it does not deserve a new blog entry, but in this case I had to follow the traces back over several months, which is rare.

It all started with tons of spam being sent out. I was able to pin it down to a PHP script:

mail() on [/var/www/customer/html/wordpress/wp-content/uploads/wysija/bookmarks/small/02/options.php:1]: To: my@hotmai.com -- Headers: From: "Ebony Beasley" <ebony_beasley@example.com>  Reply-To:"Ebony Beasley" <ebony_beasley@example.com>  X-Priority: 3 (Normal)  MIME-Version: 1.0  Content-Type: text/html; charset="iso-8859-1"  Content-Transfer-Encoding: 8bit

This file was uploaded on November 6th:

-rw-r--r-- 1 www-data www-data 64680 Nov  6 22:33 /var/www/customer/html/wp-content/uploads/wysija/bookmarks/small/02/options.php

To upload the file, another file was used:

64.90.54.5 - - [06/Nov/2014:22:33:12 +0100] "POST /wordpress/wp-content/themes/Chameleon/sidebar.php HTTP/1.1" 200 207 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

-rwxrwxrwx 1 customer www-data 13928 Oct  7 19:17 /var/www/customer/html/wordpress/wp-content/themes/Chameleon/sidebar.php

... and this file was in turn uploaded through yet another one:

93.103.21.231 - - [07/Oct/2014:19:17:06 +0200] "POST /wordpress/wp-content/uploads/wysija/themes/mailp/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

-rw-r--r-- 1 www-data www-data 14155 Aug 25 22:18 /var/www/customer/html/wordpress/wp-content/uploads/wysija/themes/mailp/index.php

Now we are back in August, and this is where the real hack happened. To upload the file "index.php", a security vulnerability in the "MailPoet" (wysija) plugin was used:

77.79.40.195 - - [25/Aug/2014:07:59:55 +0200] "POST /wordpress/wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.0" 302 - "http://www.example.com/wordpress/wp-admin/admin.php?page=wysija_campaigns&id=1&action=editTemplate" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19"
77.79.40.195 - - [25/Aug/2014:07:59:57 +0200] "GET /wordpress/wp-content/uploads/wysija/themes/mailp/index.php HTTP/1.1" 200 12 "http://www.example.com/wordpress/wp-admin/admin.php?page=wysija_campaigns&id=1&action=editTemplate" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19"
77.79.40.195 - - [25/Aug/2014:19:58:56 +0200] "POST /wordpress/wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.0" 302 - "http://www.example.com/wordpress/wp-admin/admin.php?page=wysija_campaigns&id=1&action=editTemplate" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19"
77.79.40.195 - - [25/Aug/2014:19:59:01 +0200] "GET /wordpress/wp-content/uploads/wysija/themes/mailp/index.php HTTP/1.1" 200 12 "http://www.example.com/wordpress/wp-admin/admin.php?page=wysija_campaigns&id=1&action=editTemplate" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19"
77.79.40.195 - - [25/Aug/2014:22:18:13 +0200] "POST /wordpress/wp-content/uploads/wysija/themes/mailp/index.php HTTP/1.0" 200 12 "-" "Mozilla/5.0 (Windows)"
77.79.40.195 - - [25/Aug/2014:22:18:14 +0200] "GET /wordpress/wp-content/uploads/wysija/themes/mailp/index.php?cookie=1 HTTP/1.1" 200 8 "-" "Mozilla/5.0 (Windows)"

This security vulnerability had been disclosed by Sucuri just a month earlier, in July 2014 (http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html).
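As an added example (not part of the original post), here is the correlation used above written out as a script: it parses Apache combined-format log lines, returns the POST requests logged within a minute of a file's "ls -l" timestamp, and separately flags any request for a .php file under wp-content/uploads, a directory that should only ever hold media. The sample lines are copied from this post's logs (user-agent strings shortened) plus one constructed benign GET from the documentation address 203.0.113.7; the sidebar.php mtime is taken from the listing above.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, the layout of the access-log excerpts in this post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one access-log line into a dict; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def posts_near(lines, mtime, window=60):
    """POST requests logged within `window` seconds of a file's mtime.
    'ls -l' only shows minutes, so a one-minute window is the natural choice;
    the request that wrote the file is normally among the results."""
    return [r for r in map(parse_line, lines)
            if r and r["method"] == "POST"
            and abs((r["ts"] - mtime).total_seconds()) <= window]

def php_under_uploads(lines):
    """Requests for .php files under wp-content/uploads; worth an alert regardless of timing."""
    return [r for r in map(parse_line, lines)
            if r and re.search(r"/wp-content/uploads/.*\.php", r["path"])]

# Sample input: four lines copied from the post's logs (user agents shortened) plus one
# constructed benign GET (203.0.113.7) that falls inside the window but is not a POST.
SAMPLE = [
    '77.79.40.195 - - [25/Aug/2014:07:59:55 +0200] "POST /wordpress/wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.0" 302 - "http://www.example.com/wordpress/wp-admin/admin.php?page=wysija_campaigns&id=1&action=editTemplate" "Mozilla/5.0"',
    '77.79.40.195 - - [25/Aug/2014:22:18:13 +0200] "POST /wordpress/wp-content/uploads/wysija/themes/mailp/index.php HTTP/1.0" 200 12 "-" "Mozilla/5.0 (Windows)"',
    '93.103.21.231 - - [07/Oct/2014:19:17:06 +0200] "POST /wordpress/wp-content/uploads/wysija/themes/mailp/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Googlebot/2.1"',
    '203.0.113.7 - - [07/Oct/2014:19:17:30 +0200] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '64.90.54.5 - - [06/Nov/2014:22:33:12 +0100] "POST /wordpress/wp-content/themes/Chameleon/sidebar.php HTTP/1.1" 200 207 "-" "Mozilla/5.0"',
]

# mtime of sidebar.php from the post's 'ls -l' output ("Oct  7 19:17"), server zone +0200.
SIDEBAR_MTIME = datetime(2014, 10, 7, 19, 17, tzinfo=timezone(timedelta(hours=2)))

if __name__ == "__main__":
    for r in posts_near(SAMPLE, SIDEBAR_MTIME):
        print("candidate uploader:", r["ip"], r["path"])
    for r in php_under_uploads(SAMPLE):
        print("php in uploads:", r["ts"].isoformat(), r["method"], r["path"])
```

Run against a real access log, the first function is repeated once per file in the chain (each hit's path becomes the next file whose mtime you look up), which is exactly the walk back from options.php to the MailPoet upload.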

There would have been two simple ways to prevent this hack:

1) Additional authentication on the wp-admin folder, for example simple HTTP basic authentication
2) Regularly updating WordPress and all plugins/themes (the hack happened at the end of August, a month after the vulnerability was published, so there was enough time to update)

