[Nottingham] We've been hacked/cracked! THREE times!!!

Martin martin at ml1.co.uk
Wed Jan 29 23:18:20 UTC 2014

On 29/01/14 20:58, James Green wrote:
> On 29 January 2014 08:59, Martin <martin at ml1.co.uk> wrote:
>> Folks,
>> FYI:
>> OK, so our WordPress site has been attacked, from what looks to be three
>> attempts! All on 21/01/2014 and 28/01/2014.
>> The unexplained part is for how a number of ".php" files were uploaded.
>> However, despite a few thousand hits from various (soon blacklisted) IP
>> addresses, their logged attempts to access the rogue php returned
>> nothing more than a "403"...
> Hi Martin
> It's Moveable Type rather than Wordpress, but you might find some
> similarities between your case and what happened to
> http://blogs.perl.org/ last week. Limited details are at
> http://blogs.perl.org/users/meta/2014/01/security-breach.html but
> essentially from speaking to people closer to the issue, a flaw in MT
> allowed the attacker to upload some PHP files, execute them, and
> extract the contents of the database -- specifically, the user table.
> Whoops.

Thanks for that. Possibly.

There does look to be three distinct vectors even if they all may well
have utilised the same exploit.

WordPress has now had a few more restrictions imposed upon it to make
the same break-in inert. All successful "200" responses ceased as of
this morning even with the mal-php files still in place. They're now
moved out of the way elsewhere also.

So far, can't find anything that has changed (other than the added
mal-php files). And I've not found any downloads listed in the logs, but
then that wouldn't list any downloads made directly by starting up
sockets/connections from the php to the outside. The largest output
listed is for some repeated looks at a phpinfo.php that had been inserted.

I'll be forcing everyone to update their passwords on the site soon
enough when updated to 3.8.1.

> Is your Wordpress fully updated? I noticed mine just auto-upgraded
> (nifty feature!) to 3.8.1, so it might be worth making sure...
> Hopefully the route by which the files were uploaded is closed in the
> latest release.

Nope. I leave such updates for a day or two to see first if there are
any howls of pain from the early updaters!

I've held off now further for the moment to check what might have
changed against the backups, and when. The one difficult bit is to check
if there is anything lurking in the database...

> Someone recently described WP as "a remote shell with a convenient
> blog engine plugged in" -- but the auto-updater makes me a little less
> nervous about mine!

Yes, all this cloudy stuff is rather scary for the very large surface of
attack. It's almost going the way of a certain insecure-by-design
Marketing compromised system... :-(

Don't know how far this one can be trusted but:


gives an all-clear for our site.

The real test and bondoogle is whether the Google site checks lists us
as clear...

Update to 3.8.1 after a few more checks/compares...

Comments welcomed.


- ------------------ - ----------------------------------------
-    Martin Lomas    - OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7
- martin @ ml1 co uk - Import from   hkp://subkeys.pgp.net   or
- ------------------ - http:// ml1 .co .uk/martin_ml1_co_uk.gpg

More information about the Nottingham mailing list