Interesting writeup from an Admin that found an exploit installed in a WordPress blog installation. I have found these before, but beware – a lot of experienced crackers will upload this kind of stuff into an install folder of Phpmyadmin or WordPress so that you become convinced the culprit of your attack was a flaw in the popular software when, in reality, your server has more serious issues.
Today I spent many hours grepping logs, checking the file system for new/changed files to figure out how an old WordPress instance was hacked and what had the hacker done there.
Going through the changed files I stumbled upon a php file which had some code prepended. The script had a very long line that started like this:
Let’s see the functionality that it has to offer:
- Full blown file manager
- Quick menu for
  - Finding all suid files
  - Finding all sgid files
  - Finding all .htaccess files
  - Finding all writeable folders
- Interface for the UNIX tool find
- Input field for executing commands as webserver user
- Tools for installing a backdoor
  - Perl/C flavored programs that are downloaded from a Singapore server
  - Compiled/interpreted, depending on what is available
- Processes viewer
- FTP brute force cracker using users from /etc/passwd
- System info (CPU, Memory, installed binaries, passwd file, configuration files)
- SQL dump utility
- Interface for executing PHP code
- Self removal
- Adding a password for the script
- Fancy design!
I’m just amazed. This is way too easy. So this is how it works:
- Let's scan the internet for WordPress installations (automated)
- Look for vulnerable versions (automated)
- Exploit (in this case themes were filled with hidden links – semi automated)
- PROFIT! (automated)
Ohh and here’s the code for c99madshell. It is untested by us and may have its own exploits. Use at your own risk.
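One way to hunt for the kind of prepended payload the admin describes (a very long line at the top of a PHP file, with a decode function feeding eval), as an added example that is not from the original post or from c99madshell. The line-length threshold and the function lists are the editor's own heuristics, and the PHP samples are constructed for the demonstration (the "shelled" one is inert filler, not a real payload).

```python
"""Heuristic scan of PHP files for prepended web-shell code.

Added example, not part of the original writeup or of c99madshell.
Indicators (editor's choice): an unusually long line near the top of
the file, eval()/assert() fed by a decode function, and a long
base64-looking run.  Sample PHP below is constructed.
"""
import os
import re
import time
from dataclasses import dataclass, field

LONG_LINE = 1000          # bytes; hand-written PHP rarely has a line this long
HEAD_LINES = 5            # prepended payloads sit above the original code
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

# Functions that obfuscated shells chain together: decode -> execute.
DECODE_FUNCS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13")
EVAL_FUNCS = ("eval", "assert", "create_function")


@dataclass
class Finding:
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)


def _called(text: str, names) -> set:
    """Return which of `names` appear as function calls in the source."""
    return {n for n in names if re.search(rf"\b{re.escape(n)}\s*\(", text)}


def scan_source(path: str, text: str) -> Finding:
    f = Finding(path)
    # 1. Prepended payload: a very long line within the first few lines.
    for i, line in enumerate(text.splitlines()[:HEAD_LINES]):
        if len(line) > LONG_LINE:
            f.reasons.append(f"line {i + 1} is {len(line)} bytes long")
            f.score += 3
            break
    # 2. eval()/assert() over a decode function is the classic loader shape.
    evals, decodes = _called(text, EVAL_FUNCS), _called(text, DECODE_FUNCS)
    if evals and decodes:
        f.reasons.append(f"{sorted(evals)} over {sorted(decodes)}")
        f.score += 4
    # 3. Long base64-like run: the encoded body of the shell.
    if B64_RUN.search(text):
        f.reasons.append("base64-like run of 200+ characters")
        f.score += 2
    return f


def scan_tree(root: str, changed_within_days: float = None, min_score: int = 3):
    """Walk `root` for .php files (optionally only ones modified recently,
    mirroring the 'new/changed files' check) and return findings at or
    above `min_score`, highest score first."""
    cutoff = None
    if changed_within_days is not None:
        cutoff = time.time() - changed_within_days * 86400
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            if cutoff is not None and os.stat(path).st_mtime < cutoff:
                continue
            with open(path, "r", errors="replace") as fh:
                f = scan_source(path, fh.read())
            if f.score >= min_score:
                hits.append(f)
    return sorted(hits, key=lambda f: -f.score)


# Constructed samples: an ordinary theme file, and the same file with an
# inert obfuscated loader prepended (the "payload" is filler, not real code).
CLEAN_PHP = ("<?php\nget_header();\n"
             "while (have_posts()) { the_post(); the_content(); }\n"
             "get_footer();\n")
SHELL_PHP = ('<?php eval(gzinflate(base64_decode("' + "QUFB" * 300 + '")));?>\n'
             + CLEAN_PHP)

if __name__ == "__main__":
    for name, src in (("clean.php", CLEAN_PHP), ("shelled.php", SHELL_PHP)):
        r = scan_source(name, src)
        print(f"{name}: score={r.score} {r.reasons}")
```

Run it against a document root with `scan_tree("/var/www", changed_within_days=7)` to list only recently modified PHP files that trip the heuristics; the score is a triage aid, not a verdict, so review each hit by hand as the admin above did.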