WordPress Basic Uploader

In the past two weeks or so I have seen a large number of basic PHP uploaders being found on WordPress sites. The common theme in each of the hacks I have seen is that the admin password has either been reset or stolen. The admin password is used to log in and open the theme editor, an existing theme file is selected (or a new one created) and the following PHP uploader script is pasted into it:

The uploader is then used to upload various shells and other scripts. The access logs for the site looked like this:

The attacker also installed a malicious plugin, which was just a bunch of PHP shells bundled with a genuine plugin file and an XML file.

If you find the uploader above on your website it is best to re-upload a clean copy of WordPress if possible. If you cannot do this, reset all passwords (including the database password: assume the attacker has read the credentials out of your wp-config.php) and rotate the authentication keys and salts in wp-config.php so any login cookies the attacker holds stop working, then check through all files for ones that should not be there. Check for plugins that you have not installed (inside the wp-content/plugins/ directory). If you have shell access you can use something like 'find /path/to/wordpress -mtime -30' to find all files and directories modified in the last 30 days. This will not work if the attacker changes the file modification times, although in most cases they do not; adding '-ctime -30' helps here, because back-dating a file with touch still updates its change time.
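The clean-up steps above as a set of shell helpers. This is an added example, not a script from the original post: it lists files changed recently by mtime or ctime (so a back-dated uploader still shows up), compares the install against a clean copy of the same WordPress version, and reports plugin directories that are not on a known-good list. The directory tree, file contents and the plugin slug "planted-plugin" are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for a WordPress
# tree after the uploader has been found. The directory layout, file contents
# and plugin slug below are constructed for the demo, not taken from a real site.

# Print files under $1 whose mtime OR ctime is within the last $2 days.
# A plain `find -mtime -30` misses files whose mtime was back-dated with
# touch; back-dating still updates ctime, so -ctime catches those.
recent_files() {
    dir=$1; days=${2:-30}
    find "$dir" -type f \( -mtime "-$days" -o -ctime "-$days" \) | sort
}

# Compare an install ($2) with a clean copy of the same WordPress version ($1).
# Prints "extra: <path>" for files the clean copy lacks and "modified: <path>"
# for files whose bytes differ. wp-config.php and wp-content/ are skipped
# because they legitimately differ per site; review those by hand.
diff_against_clean() {
    clean=$1; install=$2
    ( cd "$install" && find . -type f ! -path './wp-content/*' \
                                        ! -name 'wp-config.php' ) | sort |
    while IFS= read -r rel; do
        if [ ! -f "$clean/$rel" ]; then
            echo "extra: $rel"
        elif ! cmp -s "$clean/$rel" "$install/$rel"; then
            echo "modified: $rel"
        fi
    done
}

# Print plugin directories in $1/wp-content/plugins whose slug is not listed
# (one per line) in the known-good file $2: the "plugins you did not install".
unknown_plugins() {
    install=$1; known=$2
    for d in "$install"/wp-content/plugins/*/; do
        [ -d "$d" ] || continue
        slug=$(basename "$d")
        grep -qx "$slug" "$known" || echo "$slug"
    done
}

# --- constructed demo tree (clean copy beside a compromised install) ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/clean/wp-admin" "$DEMO/site/wp-admin" \
         "$DEMO/site/wp-content/plugins/akismet" \
         "$DEMO/site/wp-content/plugins/planted-plugin"
echo '<?php // genuine index' > "$DEMO/clean/index.php"
echo '<?php // genuine admin index' > "$DEMO/clean/wp-admin/index.php"
cp "$DEMO/clean/index.php" "$DEMO/site/index.php"
echo '<?php // tampered admin index' > "$DEMO/site/wp-admin/index.php"
echo '<?php // stand-in for the planted uploader' > "$DEMO/site/wp-admin/upl.php"
touch -t 200001010000 "$DEMO/site/wp-admin/upl.php"   # attacker back-dates mtime
printf 'akismet\n' > "$DEMO/known.txt"                 # plugins you know you installed

echo "== changed in the last 30 days by mtime or ctime =="
recent_files "$DEMO/site" 30
echo "== differences from the clean copy =="
diff_against_clean "$DEMO/clean" "$DEMO/site"
echo "== plugins not on the known-good list =="
unknown_plugins "$DEMO/site" "$DEMO/known.txt"
```

Run it against a real install as `diff_against_clean /tmp/wordpress-clean /var/www/site`, with the clean tree unpacked from the same version's release archive; anything reported as "extra" under wp-admin/ or wp-includes/ deserves a look, since WordPress itself never writes there.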

I highly recommend you use a .htaccess file to protect the wp-admin directory: restrict it to your IP address (or address range) if possible. That way a stolen admin password, or one obtained through an exploit, cannot be used to access the admin area from anywhere else.
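A generator for that .htaccess, as an added example (not a file from the original post). It emits both the Apache 2.4 form (Require ip) and the 2.2 form (Order/Deny/Allow) so the same file works on either, leaves admin-ajax.php reachable because some plugins call it from the public site, and refuses to write an empty or malformed address list, which would lock everyone out. Two caveats worth knowing: wp-login.php and xmlrpc.php live outside wp-admin, so this stops a stolen password from reaching the theme editor and plugin installer but does not stop logins or XML-RPC calls; and if your own address changes you will lock yourself out, so keep SFTP or SSH access to remove the file. The addresses 203.0.113.5 and 198.51.100.0/24 and the temporary directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate the .htaccess that fences
# wp-admin/ off to trusted source addresses. The Apache 2.4 form (Require ip,
# mod_authz_core) and the 2.2 form (Order/Allow/Deny) are both emitted so the
# file works on either version. Addresses and paths below are placeholders.

# Print the .htaccess body for the given space-separated IPs or CIDR ranges.
wpadmin_htaccess() {
    ips=$*
    cat <<EOF
# Only these source addresses may reach anything under wp-admin/.
<IfModule mod_authz_core.c>
    Require ip $ips
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from $ips
</IfModule>

# admin-ajax.php is called from the public site by some plugins and themes;
# leaving it open avoids breaking them while the dashboard stays closed.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
EOF
}

# Rough sanity check: each entry must look like a dotted IPv4 address with an
# optional /prefix. An empty or mistyped list would lock everyone out (or make
# Apache return 500 for the whole admin area), so refuse to write such a file.
looks_like_ip() {
    printf '%s' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# Write $1/wp-admin/.htaccess allowing the remaining arguments; returns 1 and
# writes nothing if the list is empty or an entry fails the check.
install_wpadmin_htaccess() {
    wpdir=$1; shift
    [ $# -ge 1 ] || { echo "no addresses given, refusing" >&2; return 1; }
    for ip in "$@"; do
        looks_like_ip "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    wpadmin_htaccess "$@" > "$wpdir/wp-admin/.htaccess"
}

# --- constructed demo: a throwaway WordPress directory ---
DEMO_WP=$(mktemp -d)
trap 'rm -rf "$DEMO_WP"' EXIT
mkdir -p "$DEMO_WP/wp-admin"
install_wpadmin_htaccess "$DEMO_WP" 203.0.113.5 198.51.100.0/24
cat "$DEMO_WP/wp-admin/.htaccess"
```

For a real site replace the temporary directory with the WordPress root and make sure AllowOverride permits Limit (2.2) or AuthConfig (2.4) for that directory, otherwise Apache ignores the file.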

If you are using mod_security you can block this uploader using the rule below. This may break features of your website; use at your own risk.

Posted in Web.
