The Community Forums


Wordpress hack

Discussion in 'General Discussion' started by BigLebowski, Jun 13, 2011.

  1. BigLebowski

    BigLebowski Well-Known Member

    Joined:
    Dec 24, 2007
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    Just had 20 or so accounts hacked by a Tunisian gang. All on WordPress 3.1. Index pages defaced and hello.php plugin raped.

    I checked and all the wp-config.php files were set 644, i.e. read access for everyone. I suspect one account was compromised and a shell run to graze each file. The hack also involved modification of hello.php, and the WP username of some of the accounts was changed to "r00t".

    Do you guys agree that the most likely way in was a shell to graze wp-config files?

    Once the main WP database user password was obtained, a connection was made to get the admin un and pw, and that was then leveraged via web access to deface the pages and plugin?

    Any thoughts?

    Best
    Dude
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,474
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
  3. BigLebowski

    BigLebowski Well-Known Member

    #3 BigLebowski, Jun 13, 2011
    Last edited: Jun 13, 2011
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    At the link I posted it does state that it contains security fixes. You'd have to ask them about 3.1.1.

    How did they get into other accounts with SuPHP? I can't find much on problems with hello.php but there is this old article:
    http://dev-tips.com/featured/wordpress-security-tip-get-rid-of-hellophp

    I also came across this link with some tips: FAQ My site was hacked « WordPress Codex
     
  5. BigLebowski

    BigLebowski Well-Known Member

    I have to say I'm almost certain it was due to all wp-config.php files being world-readable. This is specifically recommended against on a suphp/suexec server as follows:

    Changing File Permissions « WordPress Codex

    I don't know how they got into the initial account, but I found it, along with all the usual hacking paraphernalia, shell scripts and database tools etc. Getting into one account is quite easy, I think, using sniffers on pop3 and ftp traffic or via a trojan on the user's PC.

    Best
    Dude
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member


    Agreed. But multiple accounts? Were these accounts all owned by the same user?
     
  7. BigLebowski

    BigLebowski Well-Known Member

    All different users. It doesn't matter if they're multiple accounts owned by different users. If all the wp-config.php files are world-readable then you can write a simple script to read the password and database name out of each and use it to connect to MySQL and alter the contents of each database. It's simple!

    Any one particular user can browse anyone else's wp-config.php if it's world-readable.

    Best
    Dude
     
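A defender-side check for the condition described in this thread, added here as an example (not from the thread, not cPanel tooling): a POSIX shell audit that lists every wp-config.php under a hosting root whose "other" read bit is set, optionally tightening each to 600. The /home/<user>/public_html layout and the two-account demo tree are assumptions.

```shell
#!/bin/sh
# Audit wp-config.php files under a hosting root and list any readable by
# "other" (the o+r bit), which on a suPHP/suEXEC box lets every local
# account read the database credentials inside. Added example, not cPanel
# tooling; the /home/<user>/public_html layout is an assumption.

# audit_wp_config ROOT [fix]
#   Prints "<ls perms> <path>" for each world-readable wp-config.php.
#   With "fix" as the second argument, also chmods each one to 600.
audit_wp_config() {
    root="$1"
    fix="${2:-}"
    find "$root" -type f -name wp-config.php 2>/dev/null | while read -r f; do
        # ls -ld columns 1-10 are the mode string (e.g. -rw-r--r--); col 8 is o+r
        perms=$(ls -ld "$f" | cut -c1-10)
        case "$perms" in
            ???????r??)
                printf '%s %s\n' "$perms" "$f"
                if [ "$fix" = "fix" ]; then chmod 600 "$f"; fi
                ;;
        esac
    done
}

# count_world_readable ROOT: number of offenders, handy for a cron check.
count_world_readable() {
    audit_wp_config "$1" | wc -l | tr -d ' '
}

# make_demo_tree: constructed two-account layout for trying the audit
# offline. Prints the temp root; alice's config is 644, bob's is 600.
make_demo_tree() {
    root=$(mktemp -d)
    for u in alice bob; do
        mkdir -p "$root/home/$u/public_html"
        printf "<?php define('DB_PASSWORD', 'demo');\n" \
            > "$root/home/$u/public_html/wp-config.php"
    done
    chmod 644 "$root/home/alice/public_html/wp-config.php"
    chmod 600 "$root/home/bob/public_html/wp-config.php"
    printf '%s\n' "$root"
}

# Run with "demo" as the first argument to audit the constructed tree.
if [ "${1:-}" = "demo" ]; then
    demo=$(make_demo_tree)
    audit_wp_config "$demo"
    rm -rf "$demo"
fi
```

Running it as root against /home with "fix" closes the gap the thread describes; run it without "fix" first so you know which sites you are touching.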