
Wordpress hacked through vulnerability in Wysija (Mail Poet)
Sunday - Nov 9th 2014

A few days ago I discovered a hacked website that was sending out thousands of spam mails. As I always (or mostly) do, I tried to find the entry point of the hack. I do this a lot and usually it does not deserve a new blog entry, but in this case I had to follow the traces back several months, which is rare.

It all started with tons of spam being sent out. I was able to pin it down to a single PHP script:

mail() on [/var/www/customer/html/wordpress/wp-content/uploads/wysija/bookmarks/small/02/options.php:1]: To: my@hotmai.com -- Headers: From: "Ebony Beasley" <ebony_beasley@example.com>  Reply-To:"Ebony Beasley" <ebony_beasley@example.com>  X-Priority: 3 (Normal)  MIME-Version: 1.0  Content-Type: text/html; charset="iso-8859-1"  Content-Transfer-Encoding: 8bit

This file was uploaded on November 6th:

-rw-r--r-- 1 www-data www-data 64680 Nov  6 22:33 /var/www/customer/html/wp-content/uploads/wysija/bookmarks/small/02/options.php

That file was uploaded through another file:

64.90.54.5 - - [06/Nov/2014:22:33:12 +0100] "POST /wordpress/wp-content/themes/Chameleon/sidebar.php HTTP/1.1" 200 207 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

-rwxrwxrwx 1 customer www-data 13928 Oct  7 19:17 /var/www/customer/html/wordpress/wp-content/themes/Chameleon/sidebar.php

... and that file was in turn uploaded by yet another one:

93.103.21.231 - - [07/Oct/2014:19:17:06 +0200] "POST /wordpress/wp-content/uploads/wysija/themes/mailp/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

-rw-r--r-- 1 www-data www-data 14155 Aug 25 22:18 /var/www/customer/html/wordpress/wp-content/uploads/wysija/themes/mailp/index.php

Now we are back in August, and this is where the real hack happened. To upload the file "index.php", a security vulnerability in the MailPoet (Wysija) plugin was used:

77.79.40.195 - - [25/Aug/2014:07:59:55 +0200] "POST /wordpress/wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.0" 302 - "http://www.example.com/wordpress/wp-admin/admin.php?page=wysija_campaigns&id=1&action=editTemplate" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19"
77.79.40.195 - - [25/Aug/2014:07:59:57 +0200] "GET /wordpress/wp-content/uploads/wysija/themes/mailp/index.php HTTP/1.1" 200 12 "http://www.example.com/wordpress/wp-admin/admin.php?page=wysija_campaigns&id=1&action=editTemplate" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19"
77.79.40.195 - - [25/Aug/2014:19:58:56 +0200] "POST /wordpress/wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.0" 302 - "http://www.example.com/wordpress/wp-admin/admin.php?page=wysija_campaigns&id=1&action=editTemplate" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19"
77.79.40.195 - - [25/Aug/2014:19:59:01 +0200] "GET /wordpress/wp-content/uploads/wysija/themes/mailp/index.php HTTP/1.1" 200 12 "http://www.example.com/wordpress/wp-admin/admin.php?page=wysija_campaigns&id=1&action=editTemplate" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19"
77.79.40.195 - - [25/Aug/2014:22:18:13 +0200] "POST /wordpress/wp-content/uploads/wysija/themes/mailp/index.php HTTP/1.0" 200 12 "-" "Mozilla/5.0 (Windows)"
77.79.40.195 - - [25/Aug/2014:22:18:14 +0200] "GET /wordpress/wp-content/uploads/wysija/themes/mailp/index.php?cookie=1 HTTP/1.1" 200 8 "-" "Mozilla/5.0 (Windows)"

This security vulnerability had been published by Sucuri just a month earlier, in July 2014 (http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html).
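The tracing above is, in essence, two questions asked of the access log: which requests executed a PHP file under wp-content/uploads/ (nothing there should ever run as PHP), and which requests hit the MailPoet theme-upload endpoint. The following script, added here as an example and not part of the original post, parses Apache combined-format lines and flags both, ordered by time so the chain can be read from entry point to mailer. The sample lines are constructed, modelled on the excerpts in this post; the finding labels are my own naming.

```python
import re
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Apache "combined" log format, as in the excerpts above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log, modelled on the lines in the post (the photo.jpg line is benign filler).
SAMPLE_LOG = """\
77.79.40.195 - - [25/Aug/2014:07:59:55 +0200] "POST /wordpress/wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.0" 302 - "-" "Mozilla/5.0"
77.79.40.195 - - [25/Aug/2014:07:59:57 +0200] "GET /wordpress/wp-content/uploads/wysija/themes/mailp/index.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Aug/2014:08:00:10 +0200] "GET /wordpress/wp-content/uploads/2014/08/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
93.103.21.231 - - [07/Oct/2014:19:17:06 +0200] "POST /wordpress/wp-content/uploads/wysija/themes/mailp/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Googlebot/2.1"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlparse(rec["url"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec

def classify(rec):
    """Return a finding label for one parsed request, or None if it looks benign."""
    # Nothing under wp-content/uploads/ should ever be served as executable PHP.
    if "/wp-content/uploads/" in rec["path"] and rec["path"].lower().endswith(".php"):
        return "php-in-uploads"
    # The MailPoet theme-upload request that served as the entry point in the post.
    if (rec["method"] == "POST" and rec["path"].endswith("/wp-admin/admin-post.php")
            and rec["query"].get("page") == ["wysija_campaigns"]
            and rec["query"].get("action") == ["themes"]):
        return "wysija-theme-upload"
    return None

def find_suspicious(log_text):
    """Return (time, ip, label, path) tuples for every flagged request, oldest first."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        label = classify(rec) if rec else None
        if label:
            hits.append((rec["time"], rec["ip"], label, rec["path"]))
    return sorted(hits)
```

Feed it the site's real access logs (including rotated ones, since the chain here spans three months) and compare the first "php-in-uploads" hit with the modification times of the files found under uploads/.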

There would have been two simple ways to prevent the hack:

1) Additional authentication on the wp-admin folder, for example simple HTTP basic authentication (the entry point was a POST to wp-admin/admin-post.php, which such a layer would have blocked)
2) Regularly updating WordPress and all plugins/themes (the vulnerability was published in July and the hack happened at the end of August, so there was enough time to apply the update)
