Remote code execution

[mrjasongorman]

This isn't related to Processwire, but just so the PW community is aware, today we discovered several malicious files in our server (Wordpress environment). The code in the files ultimately allows for the same thing, remote code execution.

I'm guessing some security hole allowed an attacker to execute code via a plugin, which wrote a file to www.example.com/dump.php

This file contained the following code: http://pastebin.com/dsLZnbCW

After deciphering it slightly: http://pastebin.com/NiCe9ftn

I then realised it was looking for a post request variable "n59a097"

Malicious code was then being sent base64 encoded to this post variable, where it was then being decoded and run through the eval() function.

Digital Ocean alerted us of the issue, after our server had been reported to them for sending out spam email.

Just a heads up really as to the possibility of security holes allowing simple files to be written, that then allow for remote code execution.

I'm sure Processwire is far less a target than Wordpress for these types of exploits but keep an eye out.

[pwired]

After so many times for so long, being in the news being compromised makes you wonder if wordpress is still worth anyones time and effort.

[DaveP]

Quite a clever bit of code, that, obfuscating base64_decode in the hope of avoiding security scanners. Can't hide eval(), though.

[dragan]

Yup... On a sidenote: The wp-admin Wordpress template / code / PHP editor is by itself a huge security-risk. I would immediately uninstall it.

[Jonathan Lahijani]

I read this article from WordFence recently.  It gives you an idea as to how these attacks are done in detail.  Worth a read/watch:

https://www.wordfence.com/blog/2016/02/wordpress-security-attack-platform/

[bernhard]

hi mrjasongorman,

thanks for sharing! could you please also share some details on how you deciphered the code?

thank you

[mrjasongorman]

Hi all, worked it out using a pen and paper haha, followed the code and wrote down the word it seemed to be spelling out from the random string at the top.

The random string turned out to be not so random spelling out base64_decode.

[bernhard]

found this one today by coincidence: http://www.unphp.net/decode/d12d16b2fd7b1e49d2a9d3a7d26fe948/

seems to return a good result at least in this case...

[matjazp]

"breaking into a wordpress site without knowing wordpress/php or infosec at all" -> https://notehub.org/5zo2v

[Yannick Albert]

Who needs eval?
 

@extract($_REQUEST);
@die($foo($bar));

...or, if allow_url_include is enabled:

isset($_REQUEST['file']) && include($_REQUEST['file']);