WordPress hacked and defended

Even more recent update.

I think my mate Berend has finally found the culprit. A couple of file uploaders were vulnerable, and the images folders had a PHP file in them which could be called directly by URL as soon as the buggers had uploaded it. They had seeded various folders with folders full of email address snippets to randomize their deliveries, and there were about 1/2m (half a million) emails waiting to be delivered. Luckily I had set my server to only allow 30 emails per hour per account.

An .htaccess file in the images folder stopped it being run:

SetHandler Do_Not_Remove_See
Options None
Options +FollowSymLinks

Gmail and Hotmail are already beginning to trust our mail again.

Update: Fantversion.php, which is created by Fantastico, is apparently easily hackable. That’s where the FilesMan script is injected, or it was yesterday anyway. The hackers made two attempts to make it work, but luckily my server ran out of memory both times.

Watch your error logs for attempts to access this file, and remove it. You might not be able to use Fantastico to update your plugins from then on, but you do your WordPress updates from its admin area anyway.

I’ve removed Fantastico from my cPanels.


This is not a complete guide to protecting your WordPress sites from hacking, but it’s a record of the steps I’ve taken since a back-door invasion began a few weeks ago.

Conclusion:

If you are hosting a lot of WP sites, install a multiuser account and create all the other sites through that one, after locking it up, down and sideways.

For any WordPress site:

Install the “Better WP Security” plugin the instant you set up the account. Set the backups to hourly while you do the rest of your set up, but do this first. Hackers are actively scanning all sites all the time, and you will almost certainly be probed within the first 20 minutes, probably much sooner.

The story

I was on holiday, driving around some very remote corners of Utah and Nevada, well out of wifi range except on the nights when we booked into an RV camp. On one of the last nights I got an email warning that I was using a lot of my quota, but I was going to be home in 4 days so I filed and forgot it. The Extraterrestrial Highway can do that to you.

On the last morning I got another message saying 80GB had gone through in 5 days! This is for only a few low-use sites.

The sudden drop is when I finally got a last-minute email to my server company (web24.com.au) asking them to shut down the server.


12+ hours in the air and a couple either side waiting for takeoff and getting through customs, and I was on the computer having a look at what they had done. I was getting complaints about site links being broken, so I took a look at an .htaccess file or two and found stuff like

RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|vk)\.(.*)
RewriteRule ^(.*)$ http://2014reltimes.ru/tyorem?13 [R=301,L]

Which I thought was a little impolite, so I deleted the lines, then failed to save the file because they had also changed its permissions from 0644 to 0444. There’s a good explanation of permissions here and here.


I worked through them all looking for similar lines. PuTTY was a life saver with Unix commands like

find / -name .htaccess | xargs grep dogpile

to find crap like the above example.

It re-occurred! Those little .htaccess files kept popping up and destroying sites, and they got worse. My security consultant took a look, found that my server was right up to date and hardened properly, and concluded that someone had found their way in through a WP login using something stoopid like admin/admin. WP out of the box is wide open, and as any amateur with cPanel and Fantastico knows, it only takes 42 seconds to set up a site. The username is set to admin by default, and most people don’t change it, so a simple dictionary attack will find the simple passwords we all use on our simple little amateur sites that no-one will ever go to, so why worry about security, right??

Wrong, of course. Any decent hacker will be scanning everything for sites with /wp-admin, then running a quick check to see how easy it is to get into, and writing a simple script at the top of a few files which gives them access to a file manager in that script to do whatever they like. In this case it was some sort of file sharing activity until they got shut down, after which it was left as an annoying operation to turn all our sites into phishing sites.

find / -name '*.php' | xargs grep FilesMan

will find PHP files that are written like that (the pattern is quoted so the shell doesn’t expand it in the current directory), and I used

find / -name '*.php' | xargs grep 36,112,61,64,36,

after I found files called gimag.php, -index.php, and even wp-config.php with this string as part of a complex regex expression in them. I found them by tracking files which had been changed in the previous day with

find /home/ -mtime -1 | grep '\.php'
find /home/ -mtime -1 | grep '\.htaccess'

There’s a heap of good advice at http://25yearsofprogramming.com/blog/20070705.htm, along with a lookforbadguys php script which will hunt down stuff I could never imagine.

His first advice is to look in the logs for entries with htaccess in them, or for errors like

PHP Warning:  Invalid argument supplied for foreach() in /.../public_html/md5.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code on line 31
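The find/grep hunts above and the error-log check, pulled together into one small audit script. This is an added example and not code from the post; the function names, the "images"/"uploads" folder names and the constructed sample tree are my own assumptions, and the script runs against that sample tree so you can see each check fire before pointing it at a real web root.

```shell
#!/bin/sh
# Added example, not code from the original post: a small audit script for the
# indicators described above. Function names and the sample tree are my own.

# .htaccess files carrying a search-engine referrer redirect like the one above
find_htaccess_redirects() {
  find "$1" -type f -name .htaccess -exec grep -l -E \
    'RewriteCond.*HTTP_REFERER.*(google|yahoo|bing|dogpile)' {} + 2>/dev/null || :
}
# PHP files containing the FilesMan marker or the decimal byte list the post greps for
find_php_shells() {
  find "$1" -type f -name '*.php' -exec grep -l -E 'FilesMan|36,112,61,64,36,' {} + 2>/dev/null || :
}
# PHP files inside folders that should only ever hold images or uploads
find_php_in_media_dirs() {
  find "$1" -type f -name '*.php' \( -path '*/images/*' -o -path '*/uploads/*' \) 2>/dev/null || :
}
# PHP and .htaccess files modified in the last N days (default 1), as in the post
find_recent_changes() {
  find "$1" -type f \( -name '*.php' -o -name .htaccess \) -mtime "-${2:-1}" 2>/dev/null || :
}
# Error-log lines worth a look: htaccess accesses and eval()'d-code errors
count_suspicious_log_lines() {
  grep -c -E "eval\(\)'d code|htaccess" "$1" 2>/dev/null || :
}
# Constructed sample tree so the script runs offline; prints the temp root
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/site/images" "$root/site/wp-content/uploads"
  printf '<?php echo "clean";\n' > "$root/site/index.php"
  printf '<?php /* FilesMan marker, constructed sample */\n' > "$root/site/images/gimag.php"
  printf '<?php $s = "36,112,61,64,36,"; /* constructed sample */\n' > "$root/site/-index.php"
  printf 'RewriteCond %%{HTTP_REFERER} ^.*(google|dogpile)\\.(.*)\nRewriteRule ^(.*)$ http://redirect.invalid/ [R=301,L]\n' > "$root/site/.htaccess"
  cat > "$root/error.log" <<'EOF'
PHP Warning:  Invalid argument supplied for foreach() in /x/md5.php(1) : eval()'d code on line 31
File does not exist: /x/favicon.ico
client denied by server configuration: /x/images/.htaccess
EOF
  echo "$root"
}

# Usage when run directly: scan the sample tree and print every finding
root=$(make_sample_tree)
for fn in find_htaccess_redirects find_php_shells find_php_in_media_dirs find_recent_changes; do
  echo "== $fn"; "$fn" "$root/site"
done
echo "== suspicious log lines: $(count_suspicious_log_lines "$root/error.log")"
rm -rf "$root"
```

On a real server, replace the sample root with /home (or your web root) and run it from cron so the recent-changes list lands in your inbox each day.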

Plugin Security

The best WP plugin I found is Better WP Security.

Install it the instant you set up a new WP site and make the Dashboard look like this:

I now use user names like =BIl1-{ because my uncle Bill had a moustache, with random, very strong passwords enforced at all levels, and I am receiving regular emails about brute force attacks, file changes and bulk 404 errors. The admin area is not at /wp-admin any more, the database tables do not have the standard wp_ prefix, and the wp-config.php and .htaccess files cannot be altered by any average hacker.

Conclusion (again)

The next stage is to set up one multiuser account, set it up as securely as I can and run all WP installations on my server through that one account, so that none of these nice but unskilled friends and clients can completely take up my time for weeks on end while I plug their holes.


If you have any other hints or tips about WP security, please comment and share.