A few days ago, I discovered a hacked website which was sending thousands of spams. As I always (or mostly) do, I try to find the entry point of the hack. I do that a lot and usually that doesn't deserve a new blog entry, but in this case I had to follow the traces back for several months - which is rare.
It all started with tons of spams being sent out. I was able to pin it down to a php script:
mail() on [/var/www/customer/html/wordpress/wp-content/uploads/wysija/bookmarks/small/02/options.php:1]: To: my@hotmai.com -- Headers: From: "Ebony Beasley" <ebony_beasley@example.com> Reply-To:"Ebony Beasley" <ebony_beasley@example.com> X-Priority: 3 (Normal) MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: 8bit
This file was uploaded on November 6th:
-rw-r--r-- 1 www-data www-data 64680 Nov 6 22:33 /var/www/customer/html/wp-content/uploads/wysija/bookmarks/small/02/options.php
To upload the file, another file was used:
64.90.54.5 - - [06/Nov/2014:22:33:12 +0100] "POST /wordpress/wp-content/themes/Chameleon/sidebar.php HTTP/1.1" 200 207 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
-rwxrwxrwx 1 customer www-data 13928 Oct 7 19:17 /var/www/customer/html/wordpress/wp-content/themes/Chameleon/sidebar.php
... and this file was uploaded by yet another one:
93.103.21.231 - - [07/Oct/2014:19:17:06 +0200] "POST /wordpress/wp-content/uploads/wysija/themes/mailp/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
-rw-r--r-- 1 www-data www-data 14155 Aug 25 22:18 /var/www/customer/html/wordpress/wp-content/uploads/wysija/themes/mailp/index.php
Now we are back in August and here the real hack happened. To upload the file "index.php", a security vulnerability in the "mail poet" plugin was used:
77.79.40.195 - - [25/Aug/2014:07:59:55 +0200] "POST /wordpress/wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.0" 302 - "http://www.example.com/wordpress/wp-admin/admin.php?page=wysija_campaigns&id=1&action=editTemplate" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19"
77.79.40.195 - - [25/Aug/2014:07:59:57 +0200] "GET /wordpress/wp-content/uploads/wysija/themes/mailp/index.php HTTP/1.1" 200 12 "http://www.example.com/wordpress/wp-admin/admin.php?page=wysija_campaigns&id=1&action=editTemplate" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19"
77.79.40.195 - - [25/Aug/2014:19:58:56 +0200] "POST /wordpress/wp-admin/admin-post.php?page=wysija_campaigns&action=themes HTTP/1.0" 302 - "http://www.example.com/wordpress/wp-admin/admin.php?page=wysija_campaigns&id=1&action=editTemplate" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19"
77.79.40.195 - - [25/Aug/2014:19:59:01 +0200] "GET /wordpress/wp-content/uploads/wysija/themes/mailp/index.php HTTP/1.1" 200 12 "http://www.example.com/wordpress/wp-admin/admin.php?page=wysija_campaigns&id=1&action=editTemplate" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19"
77.79.40.195 - - [25/Aug/2014:22:18:13 +0200] "POST /wordpress/wp-content/uploads/wysija/themes/mailp/index.php HTTP/1.0" 200 12 "-" "Mozilla/5.0 (Windows)"
77.79.40.195 - - [25/Aug/2014:22:18:14 +0200] "GET /wordpress/wp-content/uploads/wysija/themes/mailp/index.php?cookie=1 HTTP/1.1" 200 8 "-" "Mozilla/5.0 (Windows)"
This security vulnerability was discovered just a month before August by Sucuri (http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html).
There would have been two simple ways to prevent the hack:
1) Additional authentication on the wp-admin folder, for example a simple http basic authentication
2) Regularly update Wordpress and all plugins/themes (the hack happened at the end of August, so there was enough time to do the update)
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 Influx Internet Java KVM Kibana Kodi Kubernetes LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder