WordPress Attack on UK Systems 24th August 2014

We are sorry to have to report that on the 24th August there was a significant security event on our UK based shared hosting systems.

As at the time of writing I have already personally spent over 20 hours straight tracking, blocking and shutting down this attack.

Unfortunately, this is another example of why it is so important to keep your installed WordPress version up to date at all times, and this includes all plugins and theme code (both of which are often neglected and as such become a significant security risk in their own right – more on this below).

It is also incredibly important to maintain strong secure passwords on your WordPress site as with everything. More valuable reading on password security can be found here:
http://www.ecologicalhosting.com/news/password-security-17-05-2013

What follows are significant details of how this attacked was perpetrated.

Anatomy of an Attack:

Hackers utilised multiple vulnerabilities in WordPress software and plugins to take control of one of our client’s websites, and once they had this they then installed shell scripts and started to hack further from within the system.

When the main hack occurred, they arrived seemingly at random from a Google search looking for sites utilising a plugin called “revslider” which they knew had a particular vulnerability.

Here is the sanitised entry from our server logs:

Source IP: 41.142.160.40
Timestamp: 23/Aug/2014:20:41:34 +0100
Request: GET /wp-content/plugins/revslider/
Referrer: http://www.google.fr/url?sa=t&rct=j&q=&esrc=s&source=web&cd=258&cad=rja&uact=8&ved=0CEIQFjAGOPsB&url=http%3A%2F%2Fwww.targetsite.org%2Fwp-content%2Fplugins%2Frevslider%2F&ei=kO34U4HCMdTbaqTUgoAP&usg=AFQjCNHfaDfLSba6uHWGEZshIdd7isCrww
Browser: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0

They then tested the vulnerability to see if it worked on this site and managed to obtained the site’s wp-config.php file with one simple request:

Source: 41.142.160.40
Timestamp: 23/Aug/2014:20:41:46 +0100
Request: GET /wp-admin/admin-ajax.php?action=revslidershowimage&img=../wp-config.php

Looking much further back, the logs revealed this had been done against this site many times in the past also from dozens of different source IP addresses. The site owners completely unaware of this.

Your wp-config.php file contains your database server name, username and password in plain text format (i.e. not encrypted at all).

It would appear that an upload vulnerability (possibly a zero day attack) has also been used to enable the attackers to upload scripts allowing them to run changes against the website code and also importantly giving them access to the database system, which cannot be accessed from the outside.

With internal access to the database system and armed with the users database username and password, they could then login and change the WordPress admin username and password directly in the database.

This then gave them full access to the attacked WordPress site as an admin user, which they then logged in with and used the WordPress plugin editor to alter a plugin that comes with WordPress called Hello Dolly. They changed the code in that script to give them shell access to the server.

With shell user access to the server, they could now go ahead and hack even deeper into the system.

They used the shell access to create a link (like a shortcut) to the web server’s main root folder (if you use Windows, think C:\) so they could try and view the entire system file structure.

Critical system files are completely out of bounds to all except the core system and superuser (i.e. FTP user encrypted passwords storage etc), however there is a lot can be gained from scouting around a system in this manner. In particular, you can obtain a full list of all users and the location of their home directory. The file that contains this information has to be readable by all system users as it forms part of the Unix user login process.

Armed with the file system structure and their shell program, they could then go ahead and create a series of temporary links through which to read other peoples wp-login.php files via the web service and obtain further database username and password credentials.

With these they then went on to attack a further 35 WordPress sites in a similar manner, but now it was easier because they could just login to the database, change the usernames and passwords, login through the attacked site’s front door (i.e. the main WordPress login), at which point they installed a plugin called wp-filemanager, to upload the following file:
/www.targetsite.org/wp-admin/css/css.php

This css.php file has a payload that appears to then change mainly the following files on any website found in the same FTP area as the attacked website (it is limited to that one area by the system security):

.htaccess
index.php
wp-admin/index.php

Each of these files was replaced with directives creating a 301 Moved Permanently redirect to “www.indoforextrading.com”.

What to do if you were compromised:

We will email clients identified as being caught by this so you are made aware of the situation and the email will include details of which of your websites were compromised.

You will need to restore and repair any damaged files, or preferably your entire site / FTP area and database(s) from clean backups prior to 23rd August 2014.

If you do not have backups, please contact us and we should be able to assist by restoring from our internal disaster recover backups.

Please note: there will be a charge for this service though to cover the time take to do this for you – usually around £30 plus VAT for one or two sites if all goes well.

We would also recommend implementation of as many suggestions as you can from the following news item regarding the ever present and still ongoing wp-login brute force attacks:
http://www.ecologicalhosting.com/news/wordpress-wp-login-attacks-23-05-2013

If you would prefer to have WordPress and security experts take care of your site on your behalf, including response and cleanup for hacks, you may wish to consider contacting our friends over at Skye Websites who offer pay monthly packages covering backups, updates, security, monitoring and more:
http://www.nurturewp.com

What we have already done:

The main site that they staged this attack from was obviously pulled off the air. This will not be allowed back online until a major cleanup has been performed and the attack vectors mitigated.

We also identified and blocked three IP addresses that did 99.9% of the hacking in this event. We will also be contacting the abuse department of the host who manages these IP addresses.

All sites found affected were also taken off the air so as to minimise damage to their online reputation and SEO (the 301 redirect means your site’s search engine data would effectively be replaced by the new target site’s data).

If you find your site offline and labelled targetsite.org-offline-hacked/ in your FTP area at this time, this is more than likely because you are part of this event.

Our apologies if this includes you, these things unfortunately happen in spite of our best efforts as a hosting provider.

As the host there is only so much we can do, much of the security is with the code our client’s choose to upload to their websites, and on a shared system, this can (as here) have a knock on effect on others sharing that same system.

Wishing everyone a happy Bank Holiday Monday regardless of this and the typically wet bank holiday weather in the UK!

This entry was posted in News, Security News. Bookmark the permalink.

Comments are closed.