[wp-hackers] WordPress security question (Dan Phiffer)

Dan Phiffer dan at phiffer.org
Tue Jun 5 19:22:58 UTC 2012

Thanks for all the replies. Just to follow up on some of your feedback...

On Jun 4, 2012, at 10:50 PM, Andrew Freeman wrote:

> Most hacks I've seen come from a vulnerable Timthumb hack,

This is good to know, but we weren't using Timthumb on the attacked site.

> Most hacks definitely add crazy base64_decode script to the header of
> important files - often index.php of site root or theme root. This one
> looks like it gets around base64_decode which makes it harder to detect. If
> you can, ssh into the server and grep for 'lqxizr' to find if it's been
> injected into any other files.

This was the only file that was changed, so $lqxizr doesn't make an appearance anywhere else. Instead of using base64_decode, this is using preg_replace("/.*/e", ...). The 'e' flag executes the resulting matches, which includes an obfuscated instance of base64_decode.

> Other hacks I've seen append every front-facing JavaScript with malicious
> code right instead of going the PHP route. I'd recommend checking your
> frontend scripts for anything strange, the time last updated in FTP may be
> of some help.

According to our diffs against backups nothing else was touched -- just that one file, wp-includes/kses.php.

> Also, if you can, check the raw access logs for anything suspicious. One
> time I thought my server was clear of shell-like scripts, but after another
> hack that day the raw access logs showed that one actually just signed in
> and used the WordPress editor to make the changes.

Yeah, one thing I still need to do is to see if I can find any instances of access to 'wp-admin/theme-editor.php'. We skipped one privilege escalation security release on this site, which might be something to look into more. Are most privilege escalation attacks designed so the user changes their roles/capabilities in the database, or is it more that they trick WP into ignoring the lower capabilities?

We try to keep our sites up-to-date fairly aggressively. This one had a 12 day lag time from when 3.3.2 came out (upgrading from 3.2.1) due to some compatibility issues with plugins. IMO, not doing due diligence in upgrading your core files is maybe an indication you shouldn't be responsible for hosting your own website.

Thanks again,
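
Added example, not part of the original message or of WordPress: since the injection described above hides base64_decode behind preg_replace("/.*/e", ...), a grep for base64_decode misses it, so this Python sketch flags preg_replace() calls whose pattern literal carries the e modifier, whatever delimiter is used. The function names and the sample PHP are constructed for illustration; patterns assembled at runtime rather than written as string literals are not detected.

```python
import os
import re
import sys

# First argument of preg_replace() when it is a quoted string literal.
CALL = re.compile(r"""preg_replace\s*\(\s*(['"])((?:\\.|(?!\1).)*)\1""", re.I | re.S)
# PHP allows bracket pairs as regex delimiters; any other delimiter closes itself.
PAIRS = {"(": ")", "[": "]", "{": "}", "<": ">"}


def modifiers(pattern):
    """Return the modifier letters that follow the closing delimiter."""
    pattern = pattern.lstrip()
    close = PAIRS.get(pattern[:1], pattern[:1])
    end = pattern.rfind(close) if close else 0
    return pattern[end + 1:] if end > 0 else ""


def find_eval_preg_replace(source):
    """Return (line_number, pattern) for each preg_replace() using the e modifier."""
    hits = []
    for m in CALL.finditer(source):
        if "e" in modifiers(m.group(2)):
            hits.append((source.count("\n", 0, m.start()) + 1, m.group(2)))
    return hits


def scan_tree(root):
    """Yield (path, line_number, pattern) for every hit in *.php files under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for line, pat in find_eval_preg_replace(fh.read()):
                        yield path, line, pat


# Constructed sample, not the injected code from the thread.
SAMPLE = '''<?php
$a = preg_replace("/\\s+/", " ", $text);
$b = preg_replace("/.*/e", $payload, ".");
$c = preg_replace('#<b>(.*)</b>#ies', '$1', $html);
'''

if __name__ == "__main__":
    for hit in (scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_eval_preg_replace(SAMPLE)):
        print(*hit)
```

Run with a directory argument to scan a WordPress tree; every hit still needs manual review, because older plugins and themes sometimes used the e modifier legitimately.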
