
MT.Net recovers from another hack

MT.Net has been down for about 28 hours due to my WordPress installation being hacked. Fortunately, I had a copy of the database from the day before (yay, backups!). I am still not sure how it happened, as my code was all up-to-date, but the WordPress folks are now checking into it. I suspect an xmlrpc.php attack but do not know for sure.

Yesterday morning, my friend Scott reported that my comment links were simply refreshing the main page rather than taking him to the comments. I studied the links my WP site was now spitting out:

http://www.markturner.net/2009/05/?y%/credit-cards/#more-6422

There was a “?y%” now in the URL. It looks like the attacker attempted to modify the “permalink_structure” option in the wp_options table. This option normally has the value “/%year%/%monthnum%/%day%/%post_name%/”. I figure this is an attempt to steal my Google-generated traffic, as has been done in the past. Every few days, the site gets a new user registering from Russian free email services (“user”@list.ru, etc.), and while I do my best to delete the unused accounts, I never could get them all.

I seem to have caught the problem a few hours after it appeared. I noticed in my logs that a “user” from a particular IP was apparently responsible for the hack. I went back and grepped his IP from my logs. I’ve highlighted the xmlrpc.php lines (and clipped the hex-encoded text that was sent to it for brevity’s sake):

66.36.243.182 – – [12/May/2009:11:13:01 -0400] “POST / HTTP/1.1” 200 33270 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3”
66.36.243.182 – – [12/May/2009:11:13:01 -0400] “POST /?s=google HTTP/1.1” 200 22453 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3”
66.36.243.182 – – [12/May/2009:11:13:02 -0400] “POST /wp-atom.php HTTP/1.1” 301 – “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3”
66.36.243.182 – – [12/May/2009:11:13:02 -0400] “GET /feed/atom/ HTTP/1.1” 200 23571 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3”
66.36.243.182 – – [12/May/2009:11:13:03 -0400] “POST /wp-login.php HTTP/1.1” 200 1985 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3”
66.36.243.182 – – [21/May/2009:18:00:34 -0400] “GET /wp-login.php?action=register HTTP/1.1” 200 1835 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.26”
66.36.243.182 – – [21/May/2009:19:11:23 -0400] “POST /wp-login.php?action=register HTTP/1.1” 302 – “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.26”
66.36.243.182 – – [21/May/2009:20:26:22 -0400] “POST /wp-login.php?action=register HTTP/1.1” 200 2073 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.26”
66.36.243.182 – – [21/May/2009:20:40:38 -0400] “POST /wp-login.php?action=register HTTP/1.1” 200 2073 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.26”
66.36.243.182 – – [21/May/2009:21:01:09 -0400] “GET /wp-login.php?action=register HTTP/1.1” 200 1835 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.26”
66.36.243.182 – – [21/May/2009:22:01:57 -0400] “POST /wp-login.php?action=register HTTP/1.1” 200 2073 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.26”
66.36.243.182 – – [21/May/2009:23:10:38 -0400] “GET /wp-login.php?action=register HTTP/1.1” 200 1835 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.26”

Up until now, he (or more likely the bot, as the browser string keeps changing) simply registered accounts. Then this occurred yesterday morning (full logfile filtered on his IP is attached):

66.36.243.182 – – [26/May/2009:05:06:22 -0400] “POST /wp-login.php HTTP/1.0” 302 – “http://www.markturner.net/wp-login.php” “Opera”
66.36.243.182 – – [26/May/2009:05:06:24 -0400] “POST /wp-admin//options-permalink.php HTTP/1.0” 200 10046 “http://www.markturner.net/wp-admin//options-permalink.php” “Opera”
66.36.243.182 – – [26/May/2009:05:06:26 -0400] “POST /wp-admin//options-permalink.php HTTP/1.0” 200 10208 “http://www.markturner.net/wp-admin//options-permalink.php” “Opera”
66.36.243.182 – – [26/May/2009:05:06:28 -0400] “POST /xmlrpc.php HTTP/1.0” 200 22 “cHJpbnQgJzxtYWdpY19zZW9fdG9vbHo …
66.36.243.182 – – [26/May/2009:05:06:31 -0400] “POST /wp-admin//options-permalink.php HTTP/1.0” 200 10106 “http://www.markturner.net/wp-admin//options-permalink.php” “Opera”
66.36.243.182 – – [26/May/2009:06:38:15 -0400] “GET /wp-xmlrpc.php HTTP/1.1” 404 14765 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.26”
66.36.243.182 – – [26/May/2009:06:52:59 -0400] “GET /wp-xmlrpc.php HTTP/1.1” 404 14765 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.26”
66.36.243.182 – – [26/May/2009:07:05:49 -0400] “POST /wp-login.php HTTP/1.0” 302 – “http://www.markturner.net/wp-login.php” “Opera”
66.36.243.182 – – [26/May/2009:07:05:50 -0400] “POST /wp-admin//options-permalink.php HTTP/1.0” 200 10050 “http://www.markturner.net/wp-admin//options-permalink.php” “Opera”
66.36.243.182 – – [26/May/2009:07:05:53 -0400] “POST /wp-admin//options-permalink.php HTTP/1.0” 200 10208 “http://www.markturner.net/wp-admin//options-permalink.php” “Opera”
66.36.243.182 – – [26/May/2009:07:05:54 -0400] “POST /xmlrpc.php HTTP/1.0” 200 22 “cHJpbnQgJzxtYWdpY19zZW9fd …
66.36.243.182 – – [26/May/2009:07:05:57 -0400] “POST /wp-admin//options-permalink.php HTTP/1.0” 200 10140 “http://www.markturner.net/wp-admin//options-permalink.php” “Opera”
66.36.243.182 – – [26/May/2009:07:20:01 -0400] “GET /wp-xmlrpc.php HTTP/1.1” 404 14765 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.26”
66.36.243.182 – – [26/May/2009:07:35:26 -0400] “POST /wp-login.php HTTP/1.0” 302 – “http://www.markturner.net/wp-login.php” “Opera”
66.36.243.182 – – [26/May/2009:07:35:27 -0400] “POST /wp-admin//options-permalink.php HTTP/1.0” 200 10050 “http://www.markturner.net/wp-admin//options-permalink.php” “Opera”
66.36.243.182 – – [26/May/2009:07:35:30 -0400] “POST /wp-admin//options-permalink.php HTTP/1.0” 200 10208 “http://www.markturner.net/wp-admin//options-permalink.php” “Opera”
66.36.243.182 – – [26/May/2009:07:35:32 -0400] “POST /xmlrpc.php HTTP/1.0” 200 22 “cHJpbnQgJzxtYWdp …
66.36.243.182 – – [26/May/2009:07:35:35 -0400] “POST /wp-admin//options-permalink.php HTTP/1.0” 200 10140 “http://www.markturner.net/wp-admin//options-permalink.php” “Opera”
66.36.243.182 – – [26/May/2009:07:52:30 -0400] “GET /wp-content/wp-xmlrpc.php HTTP/1.1” 404 14765 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.26”
66.36.243.182 – – [26/May/2009:08:17:43 -0400] “POST /wp-login.php HTTP/1.0” 302 – “http://www.markturner.net/wp-login.php” “Opera”
66.36.243.182 – – [26/May/2009:08:17:44 -0400] “POST /wp-admin//options-permalink.php HTTP/1.0” 200 10050 “http://www.markturner.net/wp-admin//options-permalink.php” “Opera”
66.36.243.182 – – [26/May/2009:08:17:46 -0400] “POST /wp-admin//options-permalink.php HTTP/1.0” 200 10208 “http://www.markturner.net/wp-admin//options-permalink.php” “Opera”
66.36.243.182 – – [26/May/2009:08:17:47 -0400] “POST /xmlrpc.php HTTP/1.0” 200 25 “cHJpbnQgJzxtYWdp …
66.36.243.182 – – [26/May/2009:08:17:50 -0400] “POST /wp-admin//options-permalink.php HTTP/1.0” 200 10140 “http://www.markturner.net/wp-admin//options-permalink.php” “Opera”
66.36.243.182 – – [26/May/2009:08:28:29 -0400] “GET /wp-content/uploads/wp-xmlrpc.php HTTP/1.1” 200 – “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.26”

The attacker installed r57shell.php, which is basically a rootkit for webservers. It showed up as wp-xmlrpc.php in my uploads directory.
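A defender's check for the pattern visible in the log excerpts above, added here as an example and not tooling from the post: it parses Apache combined-format lines, flags a client whose wp-login.php POST is followed within seconds by POSTs to options-permalink.php and xmlrpc.php, or that is served a .php file out of wp-content/uploads with a 200, and validates a permalink_structure value so a tampered one like the “?y%” variant is rejected. The sample lines are constructed from the entries quoted in the post, with the curly quotes and dashes normalised to ASCII.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache combined-format line; the post's curly quotes and dashes are normalised to ASCII.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
SEGMENT_RE = re.compile(r"^(%[a-z_]+%|[A-Za-z0-9_.-]+)?$")  # one permalink segment
UPLOAD_PHP = re.compile(r"^/wp-content/uploads/.*\.php$")  # executable file in uploads

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?")[0]  # query string dropped for matching
    return rec

def permalink_ok(value):
    """Each '/'-separated segment must be empty, a %tag% placeholder or a literal; '?y%' fails."""
    return value.startswith("/") and all(SEGMENT_RE.match(s) for s in value.split("/"))

def suspicious_clients(lines, window=timedelta(seconds=30)):
    """Map IP -> reasons: login POST then permalink + xmlrpc POSTs within `window`, or PHP served from uploads."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = set()
        for i, r in enumerate(recs):
            if r["method"] == "POST" and r["path"].endswith("/wp-login.php"):
                later = {x["path"] for x in recs[i + 1:] if x["method"] == "POST" and x["ts"] - r["ts"] <= window}
                if all(any(p.endswith(n) for p in later) for n in ("options-permalink.php", "/xmlrpc.php")):
                    reasons.add("login, permalink edit and xmlrpc POST within window")
            if r["method"] == "GET" and r["status"] == "200" and UPLOAD_PHP.match(r["path"]):
                reasons.add("PHP file served from uploads: " + r["path"])
        if reasons:
            findings[ip] = sorted(reasons)
    return findings

# Constructed sample lines modelled on the post's log, not the original log file.
SAMPLE = [
    '66.36.243.182 - - [26/May/2009:08:17:43 -0400] "POST /wp-login.php HTTP/1.0" 302 - "-" "Opera"',
    '66.36.243.182 - - [26/May/2009:08:17:44 -0400] "POST /wp-admin//options-permalink.php HTTP/1.0" 200 10050 "-" "Opera"',
    '66.36.243.182 - - [26/May/2009:08:17:47 -0400] "POST /xmlrpc.php HTTP/1.0" 200 25 "-" "Opera"',
    '66.36.243.182 - - [26/May/2009:08:28:29 -0400] "GET /wp-content/uploads/wp-xmlrpc.php HTTP/1.1" 200 - "-" "Opera"',
    '198.51.100.7 - - [26/May/2009:08:30:00 -0400] "GET /2009/05/credit-cards/ HTTP/1.1" 200 33270 "-" "Mozilla/5.0"',
]
```

Running `suspicious_clients(SAMPLE)` reports only the attacker's IP with both reasons, while the benign visitor produces nothing.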

I’ve since deleted all the users who registered on MT.Net but never participated. I’ve also changed the passwords of existing users for safety’s sake. In addition, new users will have to go through my sabre plugin to prove they’re not a bot. And I’m not trusting any other anti-spam plugins, as I still think Bad Behavior burned me last year.

Hopefully things will settle down for a while here.
