Urgent Heads-up: WordPress Exploit via Modified PHP Files

Just a heads up: I suddenly had a mad rush of emails being sent from my dedicated server (I had a warning from my server). After digging into it and scanning lots of headers, I narrowed it down to some rogue files.

They were:
a modified include.php in the WordPress root
a new file in the root called _empix.php (do not download this, it's a virus); it has the look of a gif if examined in an editor.
a file called bla.php that has some base64 and a gmail account listed in it.
a new/modified file called amd.php with the same date timestamp as the above files.

What it does is use the root/host's admin email address, or just the host (cPanel account) username, e.g. hostname@yourdomain.com, to send emails.

I suggest doing a manual check; this one bypassed the security on the server, and WordPress security and Wordfence didn't even pick it up.

Hope this helps someone else.

Cheers
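A read-only triage pass that looks for the file indicators described in this post, added here as an example and not something the original poster ran; the root path, the 7-day window and the output format are assumptions.

```php
<?php
// Added example, not from the thread: a read-only triage pass over a
// WordPress tree for the indicators described above. Usage (the path and
// the 7-day window are assumptions): php wp-triage.php /var/www/html 7
$root  = $argv[1] ?? getcwd();
$since = time() - ( (int) ( $argv[2] ?? 7 ) ) * 86400;
$iter  = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
);
$byMtime = array(); // mtime => flagged files, to spot same-timestamp clusters
foreach ( $iter as $file ) {
    if ( ! $file->isFile() || strtolower( $file->getExtension() ) !== 'php' ) {
        continue;
    }
    $path  = $file->getPathname();
    $flags = array();
    // 1. A ".php" file whose first bytes are a GIF signature (the _empix.php case).
    $head = (string) @file_get_contents( $path, false, null, 0, 6 );
    if ( $head === 'GIF89a' || $head === 'GIF87a' ) {
        $flags[] = 'gif-header';
    }
    // 2. base64 decoding next to an e-mail address (the bla.php case).
    $body = (string) @file_get_contents( $path );
    if ( stripos( $body, 'base64_decode' ) !== false
         && preg_match( '/[\w.+-]+@[\w-]+\.[\w.-]+/', $body ) ) {
        $flags[] = 'base64+mail';
    }
    // 3. Recently changed, which is where a modified include.php shows up.
    $mtime = $file->getMTime();
    if ( $mtime >= $since ) {
        $flags[] = 'recent';
    }
    if ( $flags ) {
        $byMtime[ $mtime ][] = $path;
        printf( "%s  %-20s %s\n", date( 'Y-m-d H:i:s', $mtime ), implode( ',', $flags ), $path );
    }
}
// 4. Several flagged files sharing one exact timestamp (the amd.php observation).
foreach ( $byMtime as $mtime => $paths ) {
    if ( count( $paths ) > 1 ) {
        printf( "cluster @ %s: %s\n", date( 'Y-m-d H:i:s', $mtime ), implode( ', ', $paths ) );
    }
}
```

Compare anything flagged against a fresh copy of WordPress core and the plugin/theme sources before deciding it is malicious; the script only points at candidates and never modifies or deletes anything.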

  • Timothy Bowers

    The question in my mind is how did those rogue files get there in the first place?

    What is the exploit in WordPress, which file and code?

    Has it been reported to WordPress?

    Or was this perhaps uploaded via an insecure plugin/theme? Or even something else on the server, another script?

    Maybe the recent All In One SEO plugin exploit?

    I ask because it's OK mentioning a security threat, but this kind of thing happens on a daily basis, and not just for WordPress users but for anyone that has an insecure setup or some ill-sanitised code.

    With that in mind if there is nothing specific with regards to an exploit in the core of WordPress then people should routinely check their site and files to be sure they're safe anyway.

    Most of the time when I've fixed issues like this for members here, or when I used to take to clients in the past, it was nearly always related to outdated and unsanitized code.

    I'm not saying there isn't an exploit in WordPress, but as you're claiming it's WordPress in general, I'd love to know where so that it can be fixed.

    Cheers.

    • Tom Eagles

      Hey Tim, all the files etc. have been passed on, including to securinet and Wordfence. Two files were in the main WordPress root directory, some in a theme folder (the theme author was also notified; it's a commercial one), and one was in wp-includes.

      The weird thing was that the server antivirus didn't pick it up, Wordfence didn't pick up the modified files, and the _empix.php file, when looked at in an editor, actually showed a gif file image header, as in the code you would expect to see when using a hex or binary editor. There wasn't a single line of PHP code anywhere, and this was one of the files in the WordPress root.

      I checked all the access logs for the timestamp to see if someone had got into the server external to WordPress, and nothing there. There were no plugin or theme updates that day either.

  • Jason

    "What were the owners on the files?"

    I've noticed a few insecurities in some of the older WPMU Avatar plugins.
    I haven't looked in a long while because I just avoided them.

    At this point, I kinda doubt it's just "in WordPress in general", or else everyone would be getting infected everywhere and we would all hear about it.

    The gif file was prolly just some base64 or rot13 encoded spam instructions.

    **I'M NOT CLAIMING IT'S FROM A SECURITY HOLE IN A WPMU PLUGIN**
    (Because honestly I know nothing about what's going on here)

    But like I said, I have found a couple of holes in them, and I've also found a lot of holes in various plugins from the official repo.

    There are so many, you HAVE to do a brief code review before installing any plugin. Time consuming, yes, but man I feel for ya Tom!

    Any updates on this?

  • Vaughan

    @jason,

    I haven't heard of any further incidents of this myself.

    However, with regards to our plugins, we do try to review all plugins, but as you probably know it's time consuming, and sometimes issues slip in at various stages or get overlooked; it's the same with many projects. But please, if you do spot anything with our plugins/themes, do let us know straight away and we can then get the developer to correct these issues in their next release wherever possible.

    Thanks

  • Jason

    Thanks @Vaughan. It's hard to make time, I'm very busy, but I do try to provide a heads up when I can.

    Basically, from what I've noticed, any plugin that allows uploading files into a subdir of its own folder (like the avatar plugin used to) is insecure because it's bypassing WordPress's filters.

    It was uploading all avatars to a folder like /avatars, using a simple regex to make sure there was a .gif, .jpg or .png at the end of the filename. This isn't safe because, while yes, you can't upload a .php file, you can upload a .gif with a comment (gif files can have comments inside them and it's valid); the script would resize the gif, but the comment would survive. Then you trick the webserver into executing the gif file as if it were a php file by sending a specially crafted request that makes the server include that gif file in the execution path.

    At that point you could upload php shells etc and other not-so-nice things to the server.

  • Jason

    Good call @Timothy Bowers

    http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html

    The only safe version is 2.6.7, which was just released a few hours ago (2014-Jul-01).

    Why is it so dangerous?

    This bug should be taken seriously, it gives a potential intruder the power to do anything he wants on his victim’s website. It allows for any PHP file to be uploaded. This can allow an attacker to use your website for phishing lures, sending SPAM, host malware, infect other customers (on a shared server), and so on!!

    ..
    Yet on the changelog http://wordpress.org/plugins/wysija-newsletters/changelog/ it's hidden in the middle of a long changelog so it doesn't look bad and damage their reputation. This actually makes it less likely for some to update if they fear too many changes could cause an issue. I personally don't like it when people do things this way, but I get it.

    So what did they do wrong? Surprise surprise... they wrote their own custom file uploader.

    It is an easy mistake to make: they used that hook (admin_init) to verify if a specific user was allowed to upload files.

    However, any call to /wp-admin/admin-post.php also executes this hook without requiring the user to be authenticated, thus making their theme upload functionality available to everybody.

    Pro-tip: If you are a developer, never use admin_init() (or is_admin()) as an authentication method.

    I'm not trying to rip on them, it looks like a nice plugin, but I try to keep services like email subscribers out of my WordPress altogether. If you are going to pay for a sending service like SendGrid, you might as well pay for Mailchimp instead. To me SendGrid is more for outbound notifications (like password resets, etc.) instead of marketing.
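The admin_init misuse from the Sucuri write-up and the extension-regex uploader from the earlier avatar post, shown side by side as an added example (not code from MailPoet, the avatar plugin or anyone in the thread); the hook name avatar_upload, the form field avatar, the avatars/ folder and the avatar_url user meta key are assumptions.

```php
<?php
// Added example; hook, field, folder and meta key names below are assumptions.

// VULNERABLE: admin_init also runs on unauthenticated requests to
// wp-admin/admin-post.php, so anyone reaches this handler, and the
// extension regex accepts a GIF whose comment block carries PHP.
function insecure_avatar_upload() {
    if ( empty( $_FILES['avatar'] ) ) {
        return;
    }
    $name = $_FILES['avatar']['name'];
    if ( ! preg_match( '/\.(gif|jpe?g|png)$/i', $name ) ) {
        return;
    }
    // Written into the plugin's own folder, outside wp_upload_dir().
    move_uploaded_file( $_FILES['avatar']['tmp_name'], __DIR__ . '/avatars/' . $name );
}
// add_action( 'admin_init', 'insecure_avatar_upload' ); // the pattern to avoid

// HARDENED: the form posts action=avatar_upload to admin-post.php;
// admin_post_{action} fires only for logged-in users (no admin_post_nopriv_
// handler is registered), the handler checks a capability and a nonce, and
// wp_handle_upload() checks the real file type and stores under wp_upload_dir().
function secure_avatar_upload() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'avatar_upload' ); // nonce from wp_nonce_field( 'avatar_upload' )
    if ( empty( $_FILES['avatar'] ) ) {
        wp_die( 'No file received', '', array( 'response' => 400 ) );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['avatar'],
        array(
            'test_form' => false,
            'mimes'     => array( 'gif' => 'image/gif', 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png' ),
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    update_user_meta( get_current_user_id(), 'avatar_url', esc_url_raw( $result['url'] ) );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_avatar_upload', 'secure_avatar_upload' );
```

Pair this with a web server rule that refuses to execute PHP under wp-content/uploads, so an image that still carries a payload in its comment block is only ever served as data.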
