WordPress compromise and security


Yesterday the OFFA blog was hacked. With some help today from Dom we have come to some conclusions about the attack vectors used to gain access to the OFFA site in order to place malicious code in the uploads directory.

From the Apache access and error logs it appears that there were three lines of attack in all, which appear to be unrelated.

The first attack was made by a large number of sources attempting to exploit a vulnerability in the mygallery plugin (http://secunia.com/advisories/25042/). The error log shows successful attempts to execute code by inclusion via the vulnerable plugin; however, the evidence that any of these attempts resulted in a compromise is inconclusive. The attacks date back as far as April 2007, but errors generated from midway through last year could possibly indicate that the problem had somehow been blocked from our end. Hits to this plugin continue today, but we have removed the plugin.

The second attack is, we feel, the most likely to have gained access. It potentially involved vulnerabilities in options-permalink.php and/or xmlrpc.php. The user registration was manual; then, armed with their account, the attacker could use these exploits to upload fonction.php, which in turn later allowed them to replace it with wpcima.php. Both PHP scripts, when executed, present login pages whose purpose is unclear. They are both heavily obfuscated and we were unsuccessful in decoding them. The attack occurred on the 30th July ’09 and further traffic to wpcima.php continued until November. The WordPress 2.8.3 security release was installed on the 5th of August.

The third attack is possibly related to the previous one, in that we cannot find a starting point for the existence of the files placed in the /photos and uploads directories, and there are references to wpcima.php in the logs from the same client IP addresses. We suspect these attacks are simply reusing the previous compromise.
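The log review described above (requests to the dropped scripts, PHP files in upload directories, hits on the mygallery plugin, then pivoting on the client IPs involved) can be automated. The following is an added example, not part of the original post or the OFFA site's tooling; the log lines are constructed, and the upload and plugin paths (/wp-content/uploads/, /photos/, /wp-content/plugins/mygallery/) are assumed from a standard WordPress layout.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined-log format; none come from the OFFA server.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jul/2009:14:02:11 +0100] "GET /wp-content/uploads/fonction.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jul/2009:14:05:43 +0100] "POST /xmlrpc.php HTTP/1.1" 200 411 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Aug/2009:09:12:01 +0100] "GET /wp-content/plugins/mygallery/index.php?x=1 HTTP/1.1" 404 211 "-" "-"
192.0.2.44 - - [15/Aug/2009:23:50:08 +0100] "GET /wp-content/uploads/wpcima.php HTTP/1.1" 200 2210 "-" "curl/7.19"
192.0.2.44 - - [15/Aug/2009:23:51:30 +0100] "GET /photos/image.jpg HTTP/1.1" 200 88123 "-" "curl/7.19"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
DROPPED_FILES = {"wpcima.php", "fonction.php"}        # files named in the write-up
UPLOAD_DIRS = ("/wp-content/uploads/", "/photos/")     # should hold static files only (assumed layout)
MYGALLERY_PREFIX = "/wp-content/plugins/mygallery/"    # assumed install path of the removed plugin

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    if not (m := LINE_RE.match(line)):
        return None
    ip, ts, method, target, status = m.groups()
    return ip, ts, method, target.split("?", 1)[0], int(status)   # strip the query string

def classify(path):
    """Return the indicator names that apply to one request path (empty list if benign)."""
    reasons = []
    if path.rsplit("/", 1)[-1] in DROPPED_FILES:
        reasons.append("known_dropped_file")
    if path.startswith(UPLOAD_DIRS) and path.lower().endswith(".php"):
        reasons.append("script_in_upload_dir")
    if path.startswith(MYGALLERY_PREFIX):
        reasons.append("mygallery_plugin")
    return reasons

def scan_log(text):
    """Return suspicious requests as (ip, timestamp, path, reasons) tuples, in log order."""
    hits = []
    for ip, ts, _method, path, _status in filter(None, map(parse_line, text.splitlines())):
        if reasons := classify(path):
            hits.append((ip, ts, path, reasons))
    return hits

def pivot_on_ips(text, hits):
    """Map each flagged IP to the unflagged paths it also requested, for follow-up review."""
    flagged = {ip for ip, *_ in hits}
    related = defaultdict(list)
    for ip, _ts, _method, path, _status in filter(None, map(parse_line, text.splitlines())):
        if ip in flagged and not classify(path):
            related[ip].append(path)
    return dict(related)
```

On the sample above, scan_log flags the fonction.php, mygallery and wpcima.php requests, and pivot_on_ips shows the xmlrpc.php POST and the /photos/ fetch made by the same clients.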

In order to protect the site (and others) further I’d recommend that we:

  1. remove the mygallery plugin, review the installation of other plugins in use and issue a strong recommendation to monitor usage of third-party plugins in the future.
  2. disable the ability to register new users unless it’s absolutely necessary.
  3. add IP-based restrictions to /wp-admin if possible.
  4. install the WordPress Firewall plugin (http://www.seoegghead.com/software/wordpress-firewall.seo).
  5. disable PHP execution in file upload locations centrally in Apache (done for OFFA).
  6. migrate all PHP apps on scarab to a new Lenny-based VM.
  7. look into further restrictions via the PHP Suhosin patches after migration.
