drpacker
Forum Replies Created
Also deactivated it. At first it just didn’t work, then it borked my site when I tried to post. Not good.
Same problem today.
Forum: Fixing WordPress
In reply to: xa7m3d hacker, advice?
Did I mention I was a Unix admin? And security specialist for a number of stock brokerage firms? 🙂 All the basics were in place, which is why I’m a little flummoxed.
All I can think of is that the NextGEN Gallery plugin was reported somewhere to have a SQL injection flaw. But I’m not sure that would have led to what shows in the log above.
But I’ve also been out of the loop for about 5 years, so…enlighten me?
Forum: Fixing WordPress
In reply to: xa7m3d hacker, advice?
I did restore the site, BTW. The hacked version is no longer up, so sorry, no example of what it looks like.
Forum: Fixing WordPress
In reply to: xa7m3d hacker, advice?
Uhm, yeah, thanks, I already did a search and read those before I posted.
Did I mention this is a WordPress 3.0 site? And everything, as far as I know, was updated.
I’ve since cleaned the site, but here’s the log of the attack Godaddy provided. I should note that we, as far as I know, only have 5 users on the site, and everyone uses good password methods.
—————————–
Our support staff has responded to your request, details of which are described below:
Discussion Notes
Support Staff Response
Dear Sir/Madam,
Thank you for contacting Hosting Support.
We did review your site and found that your site was compromised on 11JUL2010 via WordPress. It appears that the attacker may have logged into your wp-admin and modified the hello.php. The hello.php that was modified was not within the snapshots, so we could not verify the content. Here is a copy of the logs we found for the attack:
HTTP Logs showing malicious user posting to hello.php:
41.230.192.28 - - [11/Jul/2010:11:37:06 -0700] "POST boxwrestlefence.com/wp-login.php HTTP/1.1" 302 5 "http://boxwrestlefence.com/wp-login.php?redirect_to=http%3A%2F%2Fboxwrestlefence.com%2F%2Fwp-admin%2F&reauth=1" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"
41.230.192.28 - - [11/Jul/2010:11:43:18 -0700] "POST boxwrestlefence.com/wp-login.php HTTP/1.1" 302 5 "http://boxwrestlefence.com/wp-login.php?redirect_to=http%3A%2F%2Fboxwrestlefence.com%2Fwp-admin%2Fplugin-editor.php%3Ffile%3Dakismet%2Fakismet.php&reauth=1" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9)Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"
41.230.192.28 - - [11/Jul/2010:11:45:56 -0700] "POST boxwrestlefence.com/wp-admin/plugin-editor.php HTTP/1.1" 302 5 "http://boxwrestlefence.com/wp-admin/plugin-editor.php?file=akismet/akismet.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"
41.230.192.28 - - [11/Jul/2010:11:50:45 -0700] "POST boxwrestlefence.com/wp-login.php HTTP/1.1" 302 5 "http://boxwrestlefence.com/wp-login.php?redirect_to=http%3A%2F%2Fboxwrestlefence.com%2Fwp-admin%2Fplugin-editor.php%3Ffile%3Dakismet%2Fakismet.php&reauth=1" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9)Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"
41.230.192.28 - - [11/Jul/2010:11:51:54 -0700] "POST boxwrestlefence.com/wp-admin/plugin-editor.php HTTP/1.1" 302 5 "http://boxwrestlefence.com/wp-admin/plugin-editor.php?file=hello.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"
41.230.192.28 - - [11/Jul/2010:11:52:06 -0700] "POST boxwrestlefence.com//wp-content/plugins/hello.php HTTP/1.1" 200 5902 "http://boxwrestlefence.com/wp-content/plugins/hello.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"
41.230.192.28 - - [11/Jul/2010:11:52:13 -0700] "POST boxwrestlefence.com//wp-content/plugins/hello.php HTTP/1.1" 200 4977 "http://boxwrestlefence.com/wp-content/plugins/hello.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"
41.230.192.28 - - [11/Jul/2010:11:52:29 -0700] "POST boxwrestlefence.com//wp-content/plugins/hello.php HTTP/1.1" 200 5902 "http://boxwrestlefence.com/wp-content/plugins/hello.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"
41.230.192.28 - - [11/Jul/2010:11:52:37 -0700] "POST boxwrestlefence.com//wp-content/plugins/hello.php HTTP/1.1" 200 3515 "http://boxwrestlefence.com/wp-content/plugins/hello.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"
41.230.192.28 - - [11/Jul/2010:11:52:56 -0700] "POST boxwrestlefence.com//wp-content/plugins/hello.php HTTP/1.1" 200 6411 "http://boxwrestlefence.com/wp-content/plugins/hello.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"
41.230.192.28 - - [11/Jul/2010:11:53:47 -0700] "POST boxwrestlefence.com//wp-content/plugins/hello.php HTTP/1.1" 200 5900 "http://boxwrestlefence.com/wp-content/plugins/hello.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"
41.230.192.28 - - [11/Jul/2010:11:53:54 -0700] "POST boxwrestlefence.com//wp-content/plugins/hello.php HTTP/1.1" 200 38075 "http://boxwrestlefence.com/wp-content/plugins/hello.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"
41.230.192.28 - - [11/Jul/2010:11:54:07 -0700] "POST boxwrestlefence.com//wp-content/plugins/hello.php HTTP/1.1" 200 4378 "http://boxwrestlefence.com/wp-content/plugins/hello.php" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.1.9) Gecko/20100401 Ubuntu/9.10 (karmic) Firefox/3.5.9"
———-
So, again, not panicking, but wanting to know if anyone has a reasonable idea of how this was pulled off. I am a former Unix network admin, but a little behind the times. I’m looking for technical answers and discussion on a security issue, and possible new habits to apply in future. I would like to know where I went wrong, and what to do in future. My setup was more secure than average, but not perfect, and we had policies in place to prevent this, but it still happened.
Help?
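The pattern in the log above (an authenticated POST to wp-admin/plugin-editor.php followed by direct POSTs to a file under wp-content/plugins/ returning 200) is easy to hunt for in access logs. The following detector is an added example, not code from the poster or from GoDaddy; it assumes Apache combined log format as in the excerpt, where the request target carries the host name, and the sample lines are abridged from that excerpt plus one constructed benign GET.

```python
import re
from collections import defaultdict

# Apache combined log format as in the support ticket above: the request
# target includes the host, e.g. "POST example.com/wp-login.php HTTP/1.1".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Sample input: abridged lines from the excerpt above, plus one constructed
# benign GET from another client that must not be flagged.
SAMPLE_LOG = """\
41.230.192.28 - - [11/Jul/2010:11:37:06 -0700] "POST boxwrestlefence.com/wp-login.php HTTP/1.1" 302 5 "-" "Mozilla/5.0"
41.230.192.28 - - [11/Jul/2010:11:45:56 -0700] "POST boxwrestlefence.com/wp-admin/plugin-editor.php HTTP/1.1" 302 5 "-" "Mozilla/5.0"
41.230.192.28 - - [11/Jul/2010:11:51:54 -0700] "POST boxwrestlefence.com/wp-admin/plugin-editor.php HTTP/1.1" 302 5 "-" "Mozilla/5.0"
41.230.192.28 - - [11/Jul/2010:11:52:06 -0700] "POST boxwrestlefence.com//wp-content/plugins/hello.php HTTP/1.1" 200 5902 "-" "Mozilla/5.0"
41.230.192.28 - - [11/Jul/2010:11:52:13 -0700] "POST boxwrestlefence.com//wp-content/plugins/hello.php HTTP/1.1" 200 4977 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Jul/2010:12:01:00 -0700] "GET boxwrestlefence.com/wp-content/plugins/hello.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

def parse(line):
    """Parse one log line into a dict with a normalised 'path', or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Drop the host prefix (works for plain "/path" targets too) and collapse
    # the doubled slash visible in the excerpt so paths compare cleanly.
    path = "/" + d["target"].split("/", 1)[1] if "/" in d["target"] else d["target"]
    d["path"] = re.sub(r"/{2,}", "/", path)
    return d

def find_plugin_editor_abuse(log_text):
    """Return {ip: [paths]} for clients that POSTed to the plugin editor and
    then POSTed directly to a file under wp-content/plugins/ with status 200."""
    edited = set()
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] == "/wp-admin/plugin-editor.php":
            edited.add(rec["ip"])
        elif (rec["ip"] in edited and rec["status"] == "200"
              and rec["path"].startswith("/wp-content/plugins/")):
            hits[rec["ip"]].append(rec["path"])
    return dict(hits)
```

Any POST to plugin-editor.php is itself worth alerting on; the editor can be switched off entirely with `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, which removes the step this attack depended on.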