[wp-hackers] attack on wp-admin/install.php

Konrad Karpieszuk kkarpieszuk at gmail.com
Wed Oct 9 16:58:45 UTC 2013


OK, but why? The server admin told me (and I have to trust him) that everything
was ok with the connection to the DB. Or even if it wasn't... why did somebody try to
connect to the file /wp-admin/install.php (I still believe that this was not an
accident)?

What do I think?

I think that somebody made a DDoS attack on purpose because somehow (maybe he
tested this before) he knew that during a huge DDoS attack WordPress will
'lose its mind'. During a huge DDoS attack the server hardware stops working
correctly and sometimes a PHP command like "if
(!file_exists('wp-config.php'))" will not be able to check if the file really
exists, will return true (there is no file wp-config.php) and PHP will
delegate the chain of command to the installation file. And then the hacker will be
able to reinstall my WordPress with his credentials.



--
(en) regards / (pl) pozdrawiam
Konrad Karpieszuk
http://tradematik.pl a WordPress plugin for building shops for customers
from Poland



On Wed, Oct 9, 2013 at 6:39 PM, Mika A Epstein <ipstenu at ipstenu.org> wrote:

> It's not the next attack. It's your WP site not seeing it's installed.
> This means that the DB tables weren't accessible for some reason OR the
> wp-config.php was unreadable.
>
>
> Konrad Karpieszuk wrote:
>
>>
>> hello Mika
>>
>> I don't know if I understand you. I sent you the logs in the first email. I also
>> asked the server admin if something was wrong with the server at the time of this
>> problem. He said that this was a day like every other, only on my server they
>> saw a huge amount of I/O operations. They know that for 3 months somebody
>> has been attacking my wp-login.php and it looked like the next attack (but this time on
>> install.php)
>>
>>
>> --
>> (en) regards / (pl) pozdrawiam
>> Konrad Karpieszuk
>> http://tradematik.pl a WordPress plugin for building shops for customers
>> from Poland
>>
>>
>>
>> On Wed, Oct 9, 2013 at 3:29 PM, Mika Epstein<ipstenu at ipstenu.org> wrote:
>>
>>
>>> Block it in your .htaccess first, actually. That's way easier.
>>>
>>> Based on what info you gave us, we can't diagnose anything. Check your
>>> SERVER logs. Did a file get edited or go missing? The problem is not that
>>> the file was being hit by millions of people, the problem is why did WP
>>> not know it was installed? Check your logs to see if anything happened to the
>>> DB. Was it unreadable? Did you add/remove a plugin recently? Did you
>>> upgrade?
>>>
>>> Your mentioned changes to login and admin shouldn't cause anything like
>>> this, it's purely WP no longer thinking it was installed. So what have
>>> you done to diagnose THAT? :)
>>>
>>>
>>> On Oct 9, 2013, at 2:19 AM, Konrad Karpieszuk <kkarpieszuk at gmail.com> wrote:
>>>
>>>> first of all I want to know *why*. :) I've got tens of WordPress sites and
>>>> I will have more. I don't want to delete install.php every time (and after
>>>> every WordPress upgrade). Also maybe we have a totally new way to hack
>>>> WordPress sites (as you can see it is somehow working, because the intruder
>>>> broke my site)
>>>>
>>>>
>>>> --
>>>> (en) regards / (pl) pozdrawiam
>>>> Konrad Karpieszuk
>>>> http://tradematik.pl a WordPress plugin for building shops for customers
>>>> from Poland
>>>>
>>>>
>>>>
>>>> On Wed, Oct 9, 2013 at 9:54 AM, Abdussamad Abdurrazzaq <abdussamad at abdussamad.com> wrote:
>>>>
>>>>
>>>>> If you are this worried you can always delete install.php.
>>>>>
>>>>>
>>>>>
>>>>> On 10/09/2013 12:35 PM, Konrad Karpieszuk wrote:
>>>>>
>>>>>> ok, one more piece of info which I thought wasn't relevant to this problem, but
>>>>>> maybe it is.
>>>>>>
>>>>>> three months ago somebody started this famous DDoS attack on wp-login.php at
>>>>>> those websites. Tens of times per second somebody tried to log into the
>>>>>> dashboard using random passwords. At the beginning I resolved this in .htaccess
>>>>>> by adding rules that nobody except my IP address can access
>>>>>> wp-login.php. But because I have a co-writer without a permanent IP address,
>>>>>> this was not a good solution.
>>>>>>
>>>>>> so a few days ago I changed in the files:
>>>>>> wp-login.php
>>>>>> wp-admin/index.php
>>>>>>
>>>>>> the first line from:
>>>>>>
>>>>>> <?php
>>>>>>
>>>>>> to
>>>>>>
>>>>>> <?php if (!isset($_COOKIE["superauth"]) || $_COOKIE["superauth"] != "yep") exit("dostep zabroniony"); //
>>>>>>
>>>>>>
>>>>>> it checks if we got some 'secret' cookie and if the cookie is absent it
>>>>>> immediately executes die().
>>>>>>
>>>>>> It looks like a good solution: the WordPress core isn't started at all, the server is
>>>>>> happy.
>>>>>> Can it be somehow related to this attack on wp-admin/install.php? I don't
>>>>>> believe that this kind of change has something in common with the install script,
>>>>>> but maybe I don't know the WordPress core very well. Or maybe this attacker,
>>>>>> when he saw that wp-login.php and wp-admin/index.php are secured, started a new way
>>>>>> to attack? (or he or she started this a long time ago but .htaccess prevented
>>>>>> it)? all IPs from the log are outside of Poland, but my regular
>>>>>> visitors are almost only from Poland
>>>>>>
>>>>>>
>>>>>> --
>>>>>> (en) regards / (pl) pozdrawiam
>>>>>> Konrad Karpieszuk
>>>>>> http://tradematik.pl a WordPress plugin for building shops for customers
>>>>>> from Poland
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Oct 9, 2013 at 8:55 AM, Bryan Petty <bryan at ibaku.net> wrote:
>>>>>>
>>>>>>> On Wed, Oct 9, 2013 at 12:39 AM, Konrad Karpieszuk
>>>>>>> <kkarpieszuk at gmail.com> wrote:
>>>>>>>
>>>>>>>> two things:
>>>>>>>>
>>>>>>>> 1. my website is not so popular that in one second 20 people try to connect
>>>>>>>>
>>>>>>>> 2. as you can see in the log, /wp-admin/install.php is not always added to the main
>>>>>>>> domain but sometimes to single post URLs (i.e.
>>>>>>>> /2013/10/wdrozenie-zakupionego-szablonu-wordpress/wp-admin/install.php
>>>>>>>> ). This is not a URL which somebody types in the address bar without reason
>>>>>>>>
>>>>>>>
>>>>>>> It's actually fairly likely that in the event that your DB has
>>>>>>> dropped
>>>>>>> as Mika was suggesting, that one of your plugins or server
>>>>>>> configuration was causing a redirect loop back to install.php itself
>>>>>>> as well.
>>>>>>>
>>>>>>> Most hack attempts don't intentionally claim a user agent as
>>>>>>> "Feedfetcher-Google" (which was also seeing that install.php redirect
>>>>>>> loop).
>>>>>>>
>>>>>>> --
>>>>>>> Regards,
>>>>>>> Bryan Petty
>>>>>>> _______________________________________________
>>>>>>> wp-hackers mailing list
>>>>>>> wp-hackers at lists.automattic.com
>>>>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
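Mika's advice in the thread is to read the server logs rather than the hit count, and Bryan's point is that a redirect loop (one that even Feedfetcher-Google fell into) explains install.php turning up under post permalinks. The script below is an added example, not code from the thread or from WordPress: it triages Apache/nginx combined-format access log lines for wp-admin/install.php requests, counts them per client IP, user agent and status, flags clients that keep receiving 3xx answers on install.php (a loop signature rather than a deliberate probe), and lists install.php paths appended under a permalink. The log lines are constructed, and the loop threshold is an assumption chosen for the example.

```python
import re
from collections import Counter

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed threshold for this example: this many 3xx answers on install.php to one
# client is treated as a redirect loop. Not a value defined by WordPress or the thread.
LOOP_THRESHOLD = 3

# Constructed sample lines shaped like the observations in the thread.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Oct/2013:10:35:01 +0000] "GET /wp-admin/install.php HTTP/1.1" 302 0 "-" "Feedfetcher-Google"
203.0.113.10 - - [09/Oct/2013:10:35:01 +0000] "GET /wp-admin/install.php HTTP/1.1" 302 0 "-" "Feedfetcher-Google"
203.0.113.10 - - [09/Oct/2013:10:35:02 +0000] "GET /wp-admin/install.php HTTP/1.1" 302 0 "-" "Feedfetcher-Google"
198.51.100.7 - - [09/Oct/2013:10:36:10 +0000] "GET /2013/10/some-post/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Oct/2013:10:36:10 +0000] "GET /2013/10/some-post/wp-admin/install.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [09/Oct/2013:10:37:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.5 - - [09/Oct/2013:10:37:03 +0000] "GET /wp-admin/install.php?step=1 HTTP/1.1" 200 4096 "-" "curl/7.30.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def request_path(rec):
    """Path without the query string."""
    return rec["path"].split("?", 1)[0]


def is_install_hit(rec):
    """True when the request targets wp-admin/install.php, wherever it sits in the URL."""
    return request_path(rec).endswith("/wp-admin/install.php")


def triage(lines):
    """Summarise install.php traffic: who requests it, with which client, with what result."""
    hits = [r for r in map(parse_line, lines) if r and is_install_hit(r)]
    by_ip = Counter(r["ip"] for r in hits)
    by_ua = Counter(r["ua"] for r in hits)
    by_status = Counter(r["status"] for r in hits)

    # Repeated 3xx answers on install.php to one client look like a loop, not a probe:
    # a client that is redirected to install.php and then redirected again.
    redirects_per_ip = Counter(r["ip"] for r in hits if r["status"].startswith("3"))
    looping_ips = sorted(ip for ip, n in redirects_per_ip.items() if n >= LOOP_THRESHOLD)

    # install.php appended under a permalink points at a redirect built from the
    # current URL, which is the pattern the thread found puzzling.
    non_root_paths = sorted({request_path(r) for r in hits
                             if request_path(r) != "/wp-admin/install.php"})

    return {
        "total_hits": len(hits),
        "by_ip": by_ip,
        "by_ua": by_ua,
        "by_status": by_status,
        "looping_ips": looping_ips,
        "non_root_paths": non_root_paths,
    }


def report(summary):
    """Print the triage result in a form that is quick to read during an incident."""
    print(f"install.php hits: {summary['total_hits']}")
    for key in ("by_ip", "by_ua", "by_status"):
        print(f"  {key}:")
        for value, n in summary[key].most_common():
            print(f"    {n:4d}  {value}")
    print(f"  clients in a redirect loop (>= {LOOP_THRESHOLD} x 3xx): {summary['looping_ips']}")
    print(f"  install.php under non-root paths: {summary['non_root_paths']}")


if __name__ == "__main__":
    report(triage(SAMPLE_LOG.splitlines()))
```

Run it against a real access log with `triage(open("access.log").readlines())`. A client that keeps receiving 302s on install.php while the user agent is a feed reader or search crawler is consistent with the site itself bouncing visitors to the installer (the DB or wp-config.php not being readable, as Mika described), whereas a handful of 200s on install.php from one address with a scripting user agent is the pattern worth looking at more closely.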

