When I got to work and viewed this blog I noticed that Sidebar Widgets was disabled. I thought "That’s weird!"
When I tried to login to the administration interface I was told that my WordPress database needed upgrading. I thought "That’s weird!"
Some further investigation revealed that someone managed to upload a PHP script called ro8kfbsmag.txt (MD5 sum df3b74cd38c717d9d7bbf0cd1910baa1) to my /tmp directory. It starts like this:
/*Magic Include Shell by Mag icq 884888*/
//TODO: слить файло на свой фтп (!)
(The comment is Russian in Windows-1251 encoding; it reads "dump the file to my own FTP".)
This gave me enough information to start googling. A must-read is Detailed Post-Mortem of a Website Hack Through WordPress & How To Protect Your WordPress Blog From Hacking, as it describes a very similar attack. There is also a support thread at wordpress.org: Weird and Dangerous : ro8kfbsmag.txt.
The attack vector on my server looked like this, originating from 188.8.131.52 with HTTP/1.0 as protocol version and "Opera" as User-Agent. I wish I had logged POST data!
Needless to say, I have restored a backup and taken certain precautions to prevent this from happening again.
2 Replies to “WordPress crack attempt this morning!”
I had the same thing happen today to a non-upgraded blog from the same IP — check your logs for IP 184.108.40.206 somewhat afterwards as well — it was clear that the hacker tried to edit one of my themes.
Thanks for the tip! For some reason there is nothing like that in my logs.
On the other hand, the same IP tried to access the (non-existent) path /forum.asp?show=6 on another of my virtual servers on multiple occasions in late November and early December!
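Added example, not code from the post or its commenters: a Python checker for the indicators the post and the replies give. It looks for the dropped script on disk by its MD5 and its "Magic Include Shell" banner, and flags access-log lines from the two IPs, POSTs made over HTTP/1.0 with a bare "Opera" User-Agent, and the /forum.asp?show=6 probe; the log is assumed to be in Apache "combined" format.

```python
import hashlib
import os
import re
# Indicators taken from the post and the replies (the only concrete values the page gives).
KNOWN_MD5 = {"df3b74cd38c717d9d7bbf0cd1910baa1"}   # ro8kfbsmag.txt
SHELL_BANNER = b"Magic Include Shell"               # first line of the dropped script
KNOWN_IPS = {"188.8.131.52", "184.108.40.206"}
PROBE_PATHS = {"/forum.asp?show=6"}
# Apache "combined" log format (assumed): IP, request line, status, size, referer, User-Agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) '
                    r'(?P<proto>HTTP/[\d.]+)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
def classify_bytes(data):
    """Reasons why file content looks like the dropped shell; an empty list means no match."""
    checks = [
        (hashlib.md5(data).hexdigest() in KNOWN_MD5, "md5 matches ro8kfbsmag.txt"),
        (SHELL_BANNER in data[:512], "Magic Include Shell banner in the first 512 bytes"),
    ]
    return [why for hit, why in checks if hit]

def scan_dir(root):
    """Map suspicious files under root (e.g. /tmp or wp-content/uploads) to their reasons."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    reasons = classify_bytes(fh.read())
            except OSError:
                continue  # unreadable or vanished file: keep scanning
            if reasons:
                hits[full] = reasons
    return hits

def suspicious_log_lines(lines):
    """Yield (line, reasons) for access-log lines matching the indicators above."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["ip"] in KNOWN_IPS:
            reasons.append("known attacker IP")
        if m["path"] in PROBE_PATHS:
            reasons.append("probe for /forum.asp")
        if m["method"] == "POST" and m["proto"] == "HTTP/1.0" and m["ua"] == "Opera":
            reasons.append("POST over HTTP/1.0 with bare 'Opera' User-Agent")
        if reasons:
            yield line, reasons
```

Run `scan_dir("/tmp")` and feed `suspicious_log_lines` the lines of the access log; a non-empty result is a starting point for the manual review, not proof of compromise on its own.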