WordPress Basic Uploader

In the past two weeks or so I have seen a large number of basic PHP uploaders being found on WordPress sites. The common theme in each of the hacks I have seen is that the admin password has either been reset or stolen. The admin password is used to log in and open the theme editor, where an existing file is selected or a new file created, and then the following PHP script is uploaded:

Done ==> $userfile_name";
}
}
else{
echo'
'; } ?>

The uploader is then used to upload various shells and other scripts. The access logs for the site looked like this:

82.146.xx.254 - - [24/Mar/2014:20:18:51 +0800] "GET /wp-login.php HTTP/1.0" 200 3143 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.9.168 Version/11.50"
82.146.xx.254 - - [24/Mar/2014:20:18:53 +0800] "POST /wp-login.php HTTP/1.0" 302 - "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.9.168 Version/11.50"
82.146.xx.254 - - [24/Mar/2014:20:18:55 +0800] "GET /?xauth=login&redirect_to=http%3A%2F%2Fwebsite.com2Fwp-admin%2F HTTP/1.0" 200 1792 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.9.168 Version/11.50"
82.146.xx.254 - - [24/Mar/2014:20:18:56 +0800] "GET /wp-admin/ HTTP/1.0" 200 55552 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.9.168 Version/11.50"
82.146.xx.254 - - [24/Mar/2014:20:18:59 +0800] "GET /wp-admin/theme-editor.php HTTP/1.0" 200 30348 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.9.168 Version/11.50"
82.146.xx.254 - - [24/Mar/2014:20:19:02 +0800] "GET /wp-admin/theme-editor.php?file=acf%2Facf.php&theme=valerie HTTP/1.0" 200 77984 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.9.168 Version/11.50"
82.146.xx.254 - - [24/Mar/2014:20:19:03 +0800] "POST /wp-admin/theme-editor.php HTTP/1.0" 500 4120 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.9.168 Version/11.50"
82.146.xx.254 - - [24/Mar/2014:20:19:06 +0800] "POST /wp-content/themes/valerie/acf/acf.php HTTP/1.0" 406 30096 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.9.168 Version/11.50"
82.146.xx.254 - - [24/Mar/2014:20:19:08 +0800] "GET /wp-content/themes/valerie/res.php HTTP/1.0" 404 - "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.9.168 Version/11.50"
82.146.xx.254 - - [24/Mar/2014:20:19:09 +0800] "GET /wp-admin/theme-editor.php HTTP/1.0" 200 30348 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.9.168 Version/11.50"
82.146.xx.254 - - [24/Mar/2014:20:19:11 +0800] "GET /wp-admin/theme-editor.php?file=acf%2Facf.php&theme=valerie HTTP/1.0" 200 77984 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.9.168 Version/11.50"
82.146.xx.254 - - [24/Mar/2014:20:19:12 +0800] "POST /wp-admin/theme-editor.php HTTP/1.0" 302 - "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.9.168 Version/11.50"
82.146.xx.254 - - [24/Mar/2014:20:19:14 +0800] "GET /theme-editor.php?file=acf/acf.php&theme=valerie&scrollto=0&updated=true HTTP/1.0" 200 151 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.9.168 Version/11.50"
82.146.xx.254 - - [24/Mar/2014:20:19:15 +0800] "POST /wp-content/themes// HTTP/1.0" 406 30096 "-" "Opera/9.80 (Windows NT 5.1); U) Presto/2.9.168 Version/11.50"
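The sequence in these logs (a POST to theme-editor.php, then within seconds a POST to a PHP file under wp-content/themes/ from the same address) can be hunted for after the fact. The script below is an added example, not code from the original post; its log lines are constructed to mirror the excerpt above, with documentation-range IPs and shortened user agents, and the ten-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format, as in the excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample, modelled on the excerpt above (documentation-range IPs,
# user agents shortened). 198.51.100.7 POSTs to a theme contact form with no
# theme-editor activity first and must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Mar/2014:20:18:53 +0800] "POST /wp-login.php HTTP/1.0" 302 - "-" "Opera/9.80"
203.0.113.5 - - [24/Mar/2014:20:19:02 +0800] "GET /wp-admin/theme-editor.php?file=acf%2Facf.php&theme=valerie HTTP/1.0" 200 77984 "-" "Opera/9.80"
203.0.113.5 - - [24/Mar/2014:20:19:03 +0800] "POST /wp-admin/theme-editor.php HTTP/1.0" 500 4120 "-" "Opera/9.80"
203.0.113.5 - - [24/Mar/2014:20:19:06 +0800] "POST /wp-content/themes/valerie/acf/acf.php HTTP/1.0" 406 30096 "-" "Opera/9.80"
198.51.100.7 - - [24/Mar/2014:20:19:07 +0800] "POST /wp-content/themes/valerie/contact.php HTTP/1.0" 200 512 "-" "Opera/9.80"
203.0.113.5 - - [24/Mar/2014:20:19:15 +0800] "POST /wp-content/themes// HTTP/1.0" 406 30096 "-" "Opera/9.80"
"""

def parse_line(line):
    """Return ip, timestamp, method and query-stripped path, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0],
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def find_theme_editor_uploads(lines, window=timedelta(minutes=10)):
    """(ip, timestamp, path) for each POST to a .php file under /wp-content/themes/
    that follows a theme-editor.php POST from the same IP within `window`."""
    last_editor_post = {}  # ip -> time of most recent theme-editor.php save
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST":
            continue
        if ev["path"] == "/wp-admin/theme-editor.php":
            last_editor_post[ev["ip"]] = ev["ts"]
        elif ev["path"].startswith("/wp-content/themes/") and ev["path"].endswith(".php"):
            prev = last_editor_post.get(ev["ip"])
            if prev is not None and ev["ts"] - prev <= window:
                hits.append((ev["ip"], ev["ts"], ev["path"]))
    return hits

if __name__ == "__main__":
    for ip, ts, path in find_theme_editor_uploads(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {ip} saved a theme file and then POSTed to {path}")
```

Run against a real access log with `find_theme_editor_uploads(open("access.log"))`; the second POST in the excerpt, to `/wp-content/themes//`, is ignored because it does not name a PHP file.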

The attacker also installed a malicious plugin, which was just a bunch of PHP shells alongside a genuine plugin file and XML file.

If you find the uploader above on your website, it is best to re-upload a clean copy of WordPress if possible. If you cannot do this, reset all passwords (including the database password; assume the attacker has taken the details from your WordPress configuration file) and check through all files for ones that should not be there. Check for plugins that you did not install (inside the wp-content/plugins/ directory). If you have shell access you can use something like ‘find /path/to/wordpress -mtime -30’ to find all files and directories modified in the last 30 days. This will not work if the attacker changes the file modification times, although in most cases they do not.

I highly recommend you use a .htaccess file to protect the wp-admin directory; restrict it to your IP address if possible. This way, if the attacker steals your WordPress admin password or uses an exploit to get it, it cannot be used to access the admin area.

If you are using mod_security you can block this uploader using the rule below. This may break features of your website; use at your own risk.

SecRule REQUEST_FILENAME "/wp-content/themes/.*\.php$" \
        "phase:2,tag:'WORDPRESS/EXPLOIT',t:normalisePath,block,severity:'2',msg:'Wordpress - Basic PHP uploader POST',capture,id:'1110',chain"
SecRule REQUEST_METHOD "^POST$" "chain"
SecRule FILES_NAMES "^image$" "chain"
SecRule ARGS_POST:Submit "^Submit$"

SecRule RESPONSE_BODY "
" \ "phase:4,tag:'SHELLS/UPLOADER',t:none,block,severity:'2',msg:'Basic uploader',capture,id:'1111'"