Strange Wordpress Exploit POST alters encrypted php files

10 replies
For a while now, I've been having an encrypted PHP file that is part of an eBay auction site generator I use get corrupted and break the site. I'd have to replace the file and the site would work again. I'd check the FTP and web logs at the time the file was modified; no luck.

I turned to the ISP for help. At first it was the usual "change all your passwords". Did that, things were no better. So back to the ISP, and what we finally found was I've got two WordPress sites on my account that I host for others, but patch etc. So anyway, these two sites are separate domains and separate from the domains that the files are getting altered on.

Let's call the sites that the files are getting altered on domains 1, 2, and 3 and my home directory. We'll call the two wordpress domains 4 and 5.

What is happening, so far as we've determined, is that a single IP address is hitting the WordPress domains (4 and 5) with a POST call. At the same time, to the second, as that POST, the encrypted PHP file on domains 1, 2, 3 and my home directory is altered.

So far I've blocked the IP address, which, if the person is any good at all, will stop them the first time they try hitting it tonight and that is about it.

Anyone seen this type of attack before? In the POSTs for the last two months there has been no file specified in the HTTP logs I can see, but the person at the ISP found these from last night. So presumably these are the files the exploit is using, though wp-atom is a redirect.

[18/May/2009:23:59:16 -0500] "POST /wp-atom.php HTTP/1.1" 302
[18/May/2009:23:59:17 -0500] "POST /wp-login.php HTTP/1.1" 200

I've checked those WP sites every way I know to see if they've been hacked, but see no external signs of that.

It's a weird one. Before it's all over I'll probably give the WordPress sites the boot. Both of them are friends' business sites and for $10 a year can be hosted with their own domain at Wordpress.com, and then the security isn't my headache.

So if you've got sites with encrypted PHP files that are breaking for no apparent reason, check the HTTP logs at the modified time. I was doing this, but my mistake was I only checked the logs in the domains that were breaking. I needed to check all the logs in my hosting account for all domains.

Hopefully this info will benefit someone that was banging their head against the wall as I was.
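A small script for the cross-domain correlation the post describes, added here as an example and not part of the original post. It parses Apache-style access logs, takes the modification time of the damaged file, and lists every POST across all domains' logs within a few seconds of it, then ranks the source addresses. The log entries in `SAMPLE_LOGS` are constructed to mimic the two lines quoted above (addresses are from documentation ranges), and the `<root>/<domain>/logs/access_log` layout assumed by `load_access_logs` is a guess at a shared-hosting layout; adjust it for your host.

```python
"""Correlate a file's mtime with POST requests across every domain's access log.

Added example, not code from the original thread. Sample log lines below are
constructed (Apache combined format) and are not real traffic.
"""
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs, one list of lines per hosted domain.  The two POSTs
# against domain4 mirror the entries quoted in the post; the rest is filler.
SAMPLE_LOGS = {
    "domain1": [
        '203.0.113.7 - - [18/May/2009:23:10:02 -0500] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '203.0.113.7 - - [18/May/2009:23:59:40 -0500] "GET /index.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    ],
    "domain4": [
        '203.0.113.9 - - [18/May/2009:23:40:01 -0500] "GET /?feed=rss2 HTTP/1.1" 200 4096 "-" "FeedReader"',
        '198.51.100.23 - - [18/May/2009:23:59:16 -0500] "POST /wp-atom.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
        '198.51.100.23 - - [18/May/2009:23:59:17 -0500] "POST /wp-login.php HTTP/1.1" 200 1320 "-" "Mozilla/4.0"',
    ],
    "domain5": [
        '198.51.100.23 - - [18/May/2009:23:59:18 -0500] "POST /wp-login.php HTTP/1.1" 200 1320 "-" "Mozilla/4.0"',
    ],
}

# Constructed mtime of the damaged file, matching the quoted POST to the second.
SAMPLE_MTIME = datetime(2009, 5, 18, 23, 59, 17, tzinfo=timezone(timedelta(hours=-5)))

# Apache combined/common log: client, ident, user, [timestamp], "METHOD path proto", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")  # timezone-aware
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def file_mtime(path):
    """Modification time of a real file as an aware datetime (UTC)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def requests_near(logs, mtime, window_seconds=5, methods=("POST",)):
    """(domain, entry) pairs for requests of the given methods within +/- window of mtime."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for domain, lines in logs.items():
        for line in lines:
            entry = parse_line(line)
            if entry is None or entry["method"] not in methods:
                continue
            if abs(entry["ts"] - mtime) <= window:
                hits.append((domain, entry))
    hits.sort(key=lambda h: h[1]["ts"])
    return hits


def source_ips(hits):
    """Distinct client addresses among the correlated requests, most frequent first."""
    counts = {}
    for _, entry in hits:
        counts[entry["ip"]] = counts.get(entry["ip"], 0) + 1
    return sorted(counts, key=lambda ip: (-counts[ip], ip))


def load_access_logs(root):
    """Read <root>/<domain>/logs/access_log for every domain directory (assumed layout)."""
    logs = {}
    for domain in sorted(os.listdir(root)):
        path = os.path.join(root, domain, "logs", "access_log")
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                logs[domain] = fh.read().splitlines()
    return logs


if __name__ == "__main__":
    # Real use: logs = load_access_logs("/home/account"); mtime = file_mtime("/path/to/encrypted.php")
    hits = requests_near(SAMPLE_LOGS, SAMPLE_MTIME)
    for domain, e in hits:
        print(f"{domain}: {e['ts'].isoformat()} {e['ip']} {e['method']} {e['path']} {e['status']}")
    print("candidate source IPs:", source_ips(hits))
```

Run against the sample data it prints the three POSTs from the single address; the window is deliberately small because the post reports the change landing in the same second as the request, and widening it mainly adds unrelated traffic.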
  • Headfirst:
    Change the permissions of the encrypted file. See if it will run if you change the permissions to 705 or 604.
    • WareTime:
      Originally Posted by Headfirst:

      Change the permissions of the encrypted file. See if it will run if you change the permissions to 705 or 604.
      I've tried taking all execute perms away. The file was 755 after being altered.
  • MemberWing:
    Resolve the IP that is hitting you and see if that might be the developer's portal. He might try to remotely control licensing or something.

    Gleb
    • WareTime:
      Originally Posted by MemberWing:

      Resolve the IP that is hitting you and see if that might be the developer's portal. He might try to remotely control licensing or something.

      Gleb
      I contacted the developer when it first started to find out if the app might be doing it, or what might be. He said nothing in his app should do that. There is no phone home or remote license check according to him.
  • TheRichJerksNet:
    If any of your folders or files are running at 777 then change the permissions... There are many things you can do to secure WordPress.

    James
    • WareTime:
      Originally Posted by TheRichJerksNet:

      If any of your folders or files are running at 777 then change the permissions... There are many things you can do to secure WordPress.

      James
      Thanks, but they are not. The host has a nice file perm checker that will tell you when you've left the barn door open.

      As far as securing it, it's not worth the time and effort and cost to me. I can have the two other sites go to wordpress.com. These aren't money makers for me. Between the both of them they pay the hosting bill. In fact right now they are costing me money because they've broken my money sites and I may have lost sales during those times. If these WP sites were making money I'd consider spending some dough to secure them.
  • TheRichJerksNet:
    Is the file 0644, and is the file owned by root or by the domain name (username)?

    Edit: by the way, what exactly is the encrypted file used for?

    James
    • WareTime:
      Originally Posted by TheRichJerksNet:

      Is the file 0644, and is the file owned by root or by the domain name (username)?

      Edit: by the way, what exactly is the encrypted file used for?

      James
      When I set them to not executable I made them 644. They are owned by the username of my hosting account, not per domain. After the files are altered they are also changed in permissions to 755.

      I didn't ask the developer what the encrypted file is used for, so I'm not sure.
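A baseline-and-diff check for the symptom just described (a 644 file coming back as 755 with different contents, files owned by the wrong user), added as an example and not code from the thread or the host's permission checker. It records mode, owner and SHA-256 for every regular file under a site root, saves that as JSON, and on the next run reports what changed, printing the mtime of altered files in the same `dd/Mon/yyyy:HH:MM:SS` form the access logs use so it can be grepped for directly. World-writable files and files not owned by the expected account are flagged on every run, not only when they change. The file names and tampering scenario in `demo()` are constructed.

```python
"""Snapshot file mode/owner/hash under a directory and diff against a saved baseline.

Added example, not from the original thread.  demo() builds a constructed
scenario in a temp directory: one file is rewritten and flipped 644 -> 755,
another is made 777.
"""
import hashlib
import json
import os
import stat
import tempfile
from datetime import datetime, timezone


def snapshot(root):
    """Mode, owner uid, size, mtime and SHA-256 for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            out[os.path.relpath(path, root)] = {
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "size": st.st_size,
                "mtime": st.st_mtime,
                "sha256": digest,
            }
    return out


def save_baseline(snap, path):
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def _when(ts):
    """Format a timestamp the way Apache access logs do, so it can be grepped for."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S +0000")


def compare(baseline, current, expected_uid=None):
    """Return (relative path, finding) pairs describing every difference and standing weakness."""
    findings = []
    for path, cur in sorted(current.items()):
        base = baseline.get(path)
        if base is None:
            findings.append((path, f"new file, mtime {_when(cur['mtime'])}"))
        else:
            if cur["sha256"] != base["sha256"]:
                findings.append((path, f"content changed, mtime {_when(cur['mtime'])}"))
            if cur["mode"] != base["mode"]:
                findings.append((path, f"mode {base['mode']:o} -> {cur['mode']:o}"))
            if cur["uid"] != base["uid"]:
                findings.append((path, f"owner uid {base['uid']} -> {cur['uid']}"))
        if cur["mode"] & stat.S_IWOTH:
            findings.append((path, f"world-writable ({cur['mode']:o})"))
        if expected_uid is not None and cur["uid"] != expected_uid:
            findings.append((path, f"owned by uid {cur['uid']}, expected {expected_uid}"))
    for path in sorted(set(baseline) - set(current)):
        findings.append((path, "deleted"))
    return findings


def demo():
    """Constructed scenario: baseline two 644 files, then tamper with them and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "site")
        os.mkdir(site)
        enc = os.path.join(site, "encrypted.php")
        cfg = os.path.join(site, "config.php")
        for p in (enc, cfg):
            with open(p, "w") as fh:
                fh.write("<?php // original\n")
            os.chmod(p, 0o644)
        baseline_file = os.path.join(tmp, "baseline.json")  # kept outside the tree
        save_baseline(snapshot(site), baseline_file)
        # Simulate what the thread reports: contents replaced, mode raised to 755; plus a 777 file.
        with open(enc, "w") as fh:
            fh.write("<?php // altered\n")
        os.chmod(enc, 0o755)
        os.chmod(cfg, 0o777)
        me = os.getuid() if hasattr(os, "getuid") else None
        return compare(load_baseline(baseline_file), snapshot(site), expected_uid=me)


if __name__ == "__main__":
    # Real use: save_baseline(snapshot("/home/account/public_html"), "baseline.json") once,
    # then compare(load_baseline("baseline.json"), snapshot(...), expected_uid=os.getuid()) from cron.
    for path, finding in demo():
        print(f"{path}: {finding}")
```

Keep the baseline outside the web tree and outside anything the web server's account can write, otherwise whatever altered the PHP file can alter the baseline too.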
  • TheRichJerksNet:
    It sounds to me like it is a cheap script that is not secure and the developer probably knows very little about security. With the lack of support I would almost say he probably is not a real developer.

    In any case... if you think it is coming through WordPress at the login, then test it to find out.

    Change the name of your wp-login.php file to anything you wish, such as reglogin.php. Grab yourself some find-and-replace software (there are many and they are free). Then open up all WP files and find and replace wp-login.php with reglogin.php.

    Doing this will stop anyone from knowing what the login file is called, and as such, if there is any attack through the login it will cease. If the problem still remains then you just found out it was not your login.

    You may not want to go through that trouble, but if you really want to know what is going on it may be worth it...

    Edit: Yes, the files should be owned by the username of the hosted domain; if they are owned by "root" then it is a security flaw in your server.

    James
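The rename James describes, scripted, as an added example rather than anything posted in the thread. It rewrites occurrences of the old file name inside text files under the site root, then renames the file itself; files with non-text extensions are left alone so a binary is not corrupted by a string replace. Two caveats a practitioner should keep in mind: this only hides the login URL from someone who does not already know it, and a WordPress core update restores `wp-login.php`, so treat it as the diagnostic James proposes, not a fix. The sample tree built by `demo()` is constructed.

```python
"""Rename wp-login.php and rewrite references to it in text files under a site root.

Added example, not from the original thread.  demo() builds a constructed
miniature site in a temp directory and reports what the rename did.
"""
import os
import re
import tempfile

# Extensions treated as text and eligible for find-and-replace (an assumption; extend as needed).
TEXT_EXTENSIONS = {".php", ".html", ".htm", ".js", ".css", ".txt"}


def rename_login(root, old="wp-login.php", new="reglogin.php"):
    """Rewrite references to `old` in text files under root, then rename root/old to root/new.

    Returns (files_rewritten, references_replaced).  Refuses to run if root/new already exists.
    """
    src, dst = os.path.join(root, old), os.path.join(root, new)
    if not os.path.isfile(src):
        raise FileNotFoundError(src)
    if os.path.exists(dst):
        raise FileExistsError(dst)
    pattern = re.compile(re.escape(old))
    files_rewritten = references = 0
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                text = fh.read()
            new_text, n = pattern.subn(new, text)
            if n:
                with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                    fh.write(new_text)
                files_rewritten += 1
                references += n
    os.rename(src, dst)
    return files_rewritten, references


def demo():
    """Constructed site: three PHP files plus a PNG that happens to contain the string."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "wp-login.php": "<?php // login handler\n",
            "wp-includes/general-template.php": "<?php echo site_url('wp-login.php?action=lostpassword');\n",
            "wp-admin/admin.php": "<?php header('Location: /wp-login.php'); /* see wp-login.php */\n",
        }
        for rel, text in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        png = os.path.join(root, "logo.png")
        with open(png, "wb") as fh:
            fh.write(b"\x89PNG\r\n wp-login.php\x00")  # binary that must not be touched

        counts = rename_login(root)

        leftover = []  # text files still mentioning the old name after the rewrite
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                if os.path.splitext(name)[1].lower() in TEXT_EXTENSIONS:
                    path = os.path.join(dirpath, name)
                    with open(path, encoding="utf-8") as fh:
                        if "wp-login.php" in fh.read():
                            leftover.append(os.path.relpath(path, root))
        with open(png, "rb") as fh:
            png_untouched = b"wp-login.php" in fh.read()
        return {
            "counts": counts,
            "old_exists": os.path.exists(os.path.join(root, "wp-login.php")),
            "new_exists": os.path.exists(os.path.join(root, "reglogin.php")),
            "leftover": leftover,
            "png_untouched": png_untouched,
        }


if __name__ == "__main__":
    print(demo())
```

Back the tree up before running it against a real site, and expect to redo the rename after any core update.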
    • WareTime:
      Thanks James. Undoubtedly it's not secure. If the site starts getting hacked again I'll try your renaming of the login file. Thanks.

      Ryan