[wp-hackers] WordPress security question (Dan Phiffer)

[Andrew Freeman]

Howdy Dan,

Having cleaned up about a half-dozen sites in the past two months or so, I
have some suggestions for things to look for in terms of
backdoors/potential vulnerabilities.

Most hacks I've seen come from a vulnerable Timthumb hack, an old image
thumbnail script which allowed an attacker to upload malicious code to the
server, giving them full shell access (or at least as much as Apache/PHP/WP
has). You can read technical details about it here:
http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/

You can use the Timthumb Vulnerability Scanner to quickly see if you have
any outdated versions of the script lying around:
http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/ . Even
an unused theme with the old version of the script is vulnerable.

Most hacks definitely add crazy base64_decode script to the header of
important files - often index.php of site root or theme root. This one
looks like it gets around base64_decode which makes it harder to detect. If
you can, ssh into the server and grep for 'lqxizr' to find if it's been
injected into any other files. Also, checking wp-config.php is a good idea,
because I've seen old backdoors left inside the file (usually separated
above and below the malicious script by several thousand blank lines).

Other hacks I've seen append every front-facing JavaScript with malicious
code right instead of going the PHP route. I'd recommend checking your
frontend scripts for anything strange, the time last updated in FTP may be
of some help.

Also, if you can, check the raw access logs for anything suspicious. One
time I thought my server was clear of shell-like scripts, but after another
hack that day the raw access logs showed that one actually just signed in
and used the WordPress editor to make the changes.

I hope this can be of assistance and best of luck,
Andrew Freeman