Detailed Post-Mortem of a Website Hack Through WordPress & How To Protect Your WordPress Blog From Hacking
This WordPress blog was hacked for a few hours on 24th December (nice Christmas present!) from Russia. The hacker exploited several WordPress vulnerabilities in administrative scripts to gain full access to the website (with the permissions of the apache user), including the ability to upload and run scripts, delete any file owned by the apache user, view files and directories, etc. This is a full disclosure of how the site was hacked and how I detected and removed the hack, along with a few comments on the state of WordPress security. I have added a WordPress plugin and made modifications to prevent any such hacking attempts against WordPress in future. This is a must read for WordPress bloggers.
How was the site hack detected?
The website appeared normal. However, when I tried to publish or even save a post, it simply showed a blank page. The post was never published or even saved. I knew something was wrong.
My first suspects were a couple of plugins which contacted external servers after a publish. I disabled them. I also disabled the ping sites, as they were sometimes known to cause problems. None of that helped. I progressively disabled all of the plugins. Even with all the plugins disabled, the post wouldn't publish. I was left with only one option.
I decided to trace the WordPress code to find the cause of the error. I started with the file for post submission, post.php. I found something startling in the WordPress code which seriously undermines its security, a flawed design choice, but more on that later. post.php calls admin.php, which calls wp-config.php, which in turn calls wp-settings.php. wp-settings is an interesting file. It isn't just about settings: it loads tons of files, loads and executes the plugins, and more. The problem was, as I originally suspected, in the plugins, but which one? The code which loads the plugins in WordPress is:
if ( get_option('active_plugins') ) {
    $current_plugins = get_option('active_plugins');
    if ( is_array($current_plugins) ) {
        foreach ($current_plugins as $plugin) {
            // The plugin path comes straight from the database option, with no normalisation
            if ('' != $plugin && file_exists(ABSPATH . PLUGINDIR . '/' . $plugin))
                include_once(ABSPATH . PLUGINDIR . '/' . $plugin);
        }
    }
}
The active plugins, as you can see, are loaded directly with include_once. How do I find the plugin which, while loading, is causing the script to die?
I added simple syslog() statements before and after the plugin include. However, it generated copious output from all the traffic.
Remember, I was debugging on a heavily trafficked live site. So I added a define in post.php which I checked before doing a syslog. The debugging code was:
if ('' != $plugin && file_exists(ABSPATH . 'wp-content/plugins/' . $plugin)) {
    // TG_ADMIN is defined only in post.php, so only the admin's own requests log
    if (defined('TG_ADMIN')) syslog(LOG_ALERT, "Loading $plugin...");
    include_once(ABSPATH . 'wp-content/plugins/' . $plugin);
    if (defined('TG_ADMIN')) syslog(LOG_ALERT, "Loaded $plugin...");
}
The result was surprising. The first plugin loaded was not even a plugin I knew existed, let alone used. It was named ro8kbsmawge.txt. The full path to the plugin was /../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt
Effectively, the file path was /tmp/ro8kbsmawge.txt. A telltale sign of this hacker is the presence of the file ro8kbsmawge.txt in your tmp directory.
I renamed the file and the problem was solved for now. I could finally publish posts. However, my site was still not secure against future attacks. Next I will detail how I secured my site, and provide more information on the perpetrator and on how the site was hacked in the first place.
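The plugin loader above trusts whatever is stored in the active_plugins option, so a path with enough "../" segments escapes wp-content/plugins entirely. As an added example (not code from the original post or from WordPress), the following Python audit reproduces the same string concatenation WordPress used and flags entries that resolve outside the plugin directory, contain traversal segments, or are not PHP files. ABSPATH and PLUGINDIR are assumed values for a typical install.

```python
import posixpath

# Assumed install layout for this example (constructed, not the author's server).
ABSPATH = "/var/www/html/"
PLUGINDIR = "wp-content/plugins"


def resolve_plugin_path(plugin, abspath=ABSPATH, plugindir=PLUGINDIR):
    """Mirror the loader's ABSPATH . PLUGINDIR . '/' . $plugin concatenation and
    normalise it the way the filesystem would when include_once opens it."""
    return posixpath.normpath(abspath + plugindir + "/" + plugin)


def suspicious_reasons(plugin, abspath=ABSPATH, plugindir=PLUGINDIR):
    """Return the reasons an active_plugins entry should not be trusted (empty if clean)."""
    reasons = []
    plugin_root = posixpath.normpath(abspath + plugindir)
    resolved = resolve_plugin_path(plugin, abspath, plugindir)
    if not resolved.startswith(plugin_root + "/"):
        reasons.append("escapes plugin directory -> " + resolved)
    if ".." in plugin.split("/"):
        reasons.append("contains '..' traversal segments")
    if not plugin.endswith(".php"):
        reasons.append("not a .php file")
    return reasons


def audit_active_plugins(active_plugins, abspath=ABSPATH, plugindir=PLUGINDIR):
    """Map each untrustworthy entry of the active_plugins list to its reasons."""
    findings = {}
    for plugin in active_plugins:
        if plugin == "":          # the loader skips empty entries, so do we
            continue
        reasons = suspicious_reasons(plugin, abspath, plugindir)
        if reasons:
            findings[plugin] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample list: one normal plugin and the entry seen in this incident.
    sample = [
        "akismet/akismet.php",
        "/../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt",
    ]
    for entry, why in audit_active_plugins(sample).items():
        print(entry, "->", "; ".join(why))
```

Running this against the value of the active_plugins row in wp_options (or a backup of it) is a cheap integrity check to schedule alongside the file-level check for /tmp/ro8kbsmawge.txt.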
How was the site hacked using WordPress?
The attacker exploited a vulnerability in /wp-admin/options.php which allowed him to get the authentication cookies required to upload the file ro8kbsmawge.txt to my /tmp directory using /wp-admin/inline-uploading.php. He then used /wp-admin/plugins.php to activate ro8kbsmawge.txt as a plugin, using options-misc along the way.
Finally, the hacker accessed the site using his magic word piska233 and browsed a few directories on my server before retiring for the day. All of this was done within a span of 3 minutes, which leads to the conclusion that a script was used to exploit the holes and orchestrate the hack.
The full log of the hacker's actions on my site (except the IP address 217.74.245.85, which was removed as redundant) is:
[24/Dec/2007:07:40:24 -0600] "POST /wp-admin/options.php HTTP/1.0" 302 471 "http://blog.taragana.com/wp-admin/options.php" "Opera"
[24/Dec/2007:07:40:26 -0600] "POST /wp-admin/inline-uploading.php?post=-1&action=upload HTTP/1.0" 200 1645 "http://blog.taragana.com/inline-uploading.php?post=-1&action=upload" "Opera"
[24/Dec/2007:07:40:29 -0600] "POST /wp-admin/inline-uploading.php?post=-1&action=upload HTTP/1.0" 200 142 "http://blog.taragana.com/inline-uploading.php?post=-1&action=upload" "Opera"
[24/Dec/2007:07:40:52 -0600] "POST /wp-admin/options.php HTTP/1.0" 200 1713 "http://blog.taragana.com/wp-admin/options.php" "Opera"
[24/Dec/2007:07:40:54 -0600] "POST /wp-admin/options.php HTTP/1.0" 302 471 "http://blog.taragana.com/wp-admin/options.php" "Opera"
[24/Dec/2007:07:40:57 -0600] "POST /wp-admin/inline-uploading.php?post=-1&action=upload HTTP/1.0" 200 1645 "http://blog.taragana.com/inline-uploading.php?post=-1&action=upload" "Opera"
[24/Dec/2007:07:41:11 -0600] "GET /wp-admin/options-misc.php HTTP/1.1" 200 7764 "-" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:41:15 -0600] "GET /wp-admin/wp-admin.css?version=2.0.7 HTTP/1.1" 304 - "http://blog.taragana.com/wp-admin/options-misc.php" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:41:15 -0600] "GET /wp-includes/js/fat.js HTTP/1.1" 304 - "http://blog.taragana.com/wp-admin/options-misc.php" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:41:12 -0600] "POST /wp-admin/inline-uploading.php?post=-1&action=upload HTTP/1.0" 302 - "http://blog.taragana.com/inline-uploading.php?post=-1&action=upload" "Opera"
[24/Dec/2007:07:41:21 -0600] "GET /wp-admin/plugins.php?action=activate&plugin=/../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt&_wpnonce= HTTP/1.1" 200 1474 "http://blog.taragana.com/wp-admin/plugins.php?action=activate&plugin=/../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt" "Opera"
[24/Dec/2007:07:41:23 -0600] "GET /wp-admin/plugins.php?action=activate&plugin=/../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt&_wpnonce=7b4c8019bd HTTP/1.1" 302 - "http://blog.taragana.com/wp-admin/plugins.php?action=activate&plugin=/../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt" "Opera"
[24/Dec/2007:07:41:30 -0600] "GET /?piska23 HTTP/1.1" 200 95716 "http://lamer/mwpep/?mode=shell&what=20" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:41:36 -0600] "GET /?piska233 HTTP/1.1" 200 15840 "-" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:41:44 -0600] "POST /wp-admin/options.php HTTP/1.1" 302 471 "http://blog.taragana.com/wp-admin/options-misc.php" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:41:47 -0600] "POST /wp-admin/options.php HTTP/1.1" 302 471 "http://blog.taragana.com/wp-admin/options-misc.php" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:41:55 -0600] "GET /?piska233&dira=/tmp HTTP/1.1" 200 9930 "-" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:41:54 -0600] "GET /wp-admin/options-misc.php?updated=true HTTP/1.1" 200 7842 "http://blog.taragana.com/wp-admin/options-misc.php" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:42:36 -0600] "POST /index.php?piska233&dira=./ HTTP/1.1" 200 36721 "http://blog.taragana.com/?piska233" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:43:23 -0600] "GET /index.php?piska233&dira=./wp-content/plugins/Wysi-Wordpress/themes/advanced/docs/es/images HTTP/1.1" 200 6506 "-" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:43:38 -0600] "GET /wp-content/plugins/Wysi-Wordpress/themes/advanced/docs/es/images HTTP/1.1" 301 298 "-" "Opera/9.24 (Windows NT 5.1; U; ru)"
[24/Dec/2007:07:43:40 -0600] "GET /wp-content/plugins/Wysi-Wordpress/themes/advanced/docs/es/images/ HTTP/1.1" 200 604 "-" "Opera/9.24 (Windows NT 5.1; U; ru)"
The good news is that no harm was done.
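Every step of the chain above leaves a recognisable line in the access log: an upload with post=-1 (a file not tied to any post), a plugin activation whose plugin parameter climbs out of wp-content/plugins, and front-page requests carrying a bare query token. As an added example that is not part of the original post, the Python below parses that log format (client IP already stripped, as in the excerpt) and applies those three rules. The sample input reuses three lines from the log above plus one constructed benign request; the rule names and the bare-token heuristic are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Matches the combined-log lines quoted above (time, request, status, size, referer, agent).
LOG_RE = re.compile(
    r'\[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so "?piska233" survives as ('piska233', '')
    rec["query"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the rule names one request trips; an empty list means nothing suspicious."""
    hits = []
    q = dict(rec["query"])
    bare = [k for k, v in rec["query"] if v == ""]
    if rec["path"].endswith("/wp-admin/plugins.php") and q.get("action") == "activate":
        plugin = q.get("plugin", "")
        if ".." in plugin.split("/") or plugin.startswith("/"):
            hits.append("plugin activation with path traversal")
    if rec["path"].endswith("/wp-admin/inline-uploading.php") and rec["method"] == "POST":
        if q.get("post") == "-1":
            hits.append("inline upload not attached to any post")
    if rec["path"] in ("/", "/index.php") and bare:
        # Heuristic: WordPress front-page parameters normally carry a value (p=, s=, feed=)
        hits.append("bare query token on front page: " + bare[0])
    return hits


def scan(lines):
    """Run every rule over every parseable line; yields (time, rule, request target)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in classify(rec):
            findings.append((rec["time"], rule, rec["target"]))
    return findings


# Three lines copied from the incident log above, plus one constructed benign request.
SAMPLE_LOG = [
    '[24/Dec/2007:07:40:26 -0600] "POST /wp-admin/inline-uploading.php?post=-1&action=upload HTTP/1.0" 200 1645 "http://blog.taragana.com/inline-uploading.php?post=-1&action=upload" "Opera"',
    '[24/Dec/2007:07:41:23 -0600] "GET /wp-admin/plugins.php?action=activate&plugin=/../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt&_wpnonce=7b4c8019bd HTTP/1.1" 302 - "http://blog.taragana.com/wp-admin/plugins.php?action=activate&plugin=/../../../../../../../../../../../../../../../../../../tmp/ro8kbsmawge.txt" "Opera"',
    '[24/Dec/2007:07:41:55 -0600] "GET /?piska233&dira=/tmp HTTP/1.1" 200 9930 "-" "Opera/9.24 (Windows NT 5.1; U; ru)"',
    '[24/Dec/2007:08:02:10 -0600] "GET /?p=1234 HTTP/1.1" 200 20481 "-" "Mozilla/5.0 (constructed)"',
]

if __name__ == "__main__":
    for when, rule, target in scan(SAMPLE_LOG):
        print(when, "|", rule, "|", target)
```

The bare-token rule will also fire on harmless cache-busting links, so treat it as a prompt to look at the rest of the session rather than as proof on its own; the two wp-admin rules are far more specific.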
WordPress security issues & design flaw
The basic design flaw is that loading the WordPress configuration (required for database access for authentication checks) loads wp-settings, which loads tons of other PHP files as well as all the WordPress plugins and any hacks. All of this is done even before you have a chance to authenticate the user. This is extremely dangerous for administration scripts, as it allows a hacker to pass arguments to and execute gazillions of WordPress files which may or may not have proper security checks in place. User authentication and entitlement should be done at the very beginning, to prevent unauthenticated requests from proceeding any further. To do that, wp-config must be modified to not include wp-settings. wp-settings should be separately included where required, even at the cost of redundancy. Administration scripts (under wp-admin) require only wp-config to get the database details needed to authenticate the user and identify his entitlements. After authentication the rest should be loaded. This flaw was exploited to get the authentication cookie details which were subsequently used. The exact exploit used in this case is hard to determine from just the server logs. However, it was made possible by the late-authentication problem described above.
There were known issues with both options.php and the upload script, some of which are detailed here.
One of the challenges with WordPress is that security considerations were mostly an afterthought (feel free to disagree), latched on as WordPress became more and more popular. You have to continuously update your WordPress to keep up with the latest patches.
There are 71 reported security advisories for WordPress in Secunia (22 reported in 2007) and 9 viruses based on WordPress (one from 2007).
Most likely the site was hacked using the cookie authentication vulnerability detailed here.
Several WordPress plugins and themes also have security advisories:
- AdSense-Deluxe 0.x (plugin for WordPress)
- AndyBlue 1.x (theme for WordPress)
- Blix 0.x (theme for WordPress)
- Blixed 1.x (theme for WordPress)
- BlixKrieg 2.x (theme for WordPress)
- Blue Memories 1.x (theme for WordPress)
- myGallery 1.x (plugin for WordPress)
- PictPress 1.x (plugin for WordPress)
- Pool 1.x (theme for WordPress)
- Redoable 1.x (theme for WordPress)
You can read all the Secunia advisories on WordPress here.
Who was the hacker?
The IP address of the user responsible for hacking my site is 217.74.245.85. The IP address belongs to KUBANGSM-NET:
% Information related to '217.74.245.0/24AS29497'
route:    217.74.245.0/24
descr:    KUBANGSM-NET
origin:   AS29497
mnt-by:   KUBANGSM-MNT
source:   RIPE # Filtered
It is owned by:
person:   Volkov Denis
address:  61, Gimnazicheskaya str.
          350000, Krasnodar, Russia
phone:    +7 8612 660126
fax-no:   +7 8612 401505
e-mail:   d.volkov@kuban.mts.ru
nic-hdl:  VD370-RIPE
source:   RIPE # Filtered
Their website is http://www.kuban.mts.ru/. They appear to be a legitimate mobile and internet service provider. Most likely their internet service is being abused by the spammer. Nevertheless, I decided to ban this IP address from accessing my server.
The hacker was most likely using the Opera 9.24 browser (almost the latest version) on Windows XP (NT 5.1). While the user agent can be faked, there is no reason to suspect so in this case. The user agent string also shows that he was using the Russian language file of Opera.
Anatomy of the hacking script
The hacking script is a PHP script with a nice comment and TODO line:
/*Magic Include Shell by Mag icq 884888*/
//TODO: слить файло на свой фтп (!)
(The TODO is Russian; on the page it appeared as Windows-1251 bytes rendered as Latin-1. It reads roughly "dump the files to own FTP (!)".)
Effectively, it is a file manager, probably adapted from one of the free PHP file managers on the net. It allows you to:
- Browse directories and files
- Edit files
- Rename files
- Delete files
- Zip and unzip files
- Upload and download files and directories
- Execute arbitrary PHP scripts
- Execute arbitrary shell commands
- View basic server, system and PHP information
The bulk of the code is executed when it receives a particular query string in a normal HTTP GET request. So while http://blog.taragana.com/ works as usual, http://blog.taragana.com/?piska233 opens this magical hidden shell, which exposes your entire website to an outside hacker.
Note: There is nothing magical about piska233. It is a password which was most likely chosen by the attacker and given as input to the original script which injected this trojan horse on my site.
A trojan which protects itself against worms...
The trojan takes steps to protect itself against worms! The code at the end, which is always executed, is:
$post_arr=implode('.',$_POST);
$get_arr=implode('.',$_GET);
$cook_arr=implode('.',$_COOKIE);
$post_arr_key=implode('.',@array_flip($_POST));
$get_arr_key=implode('.',@array_flip($_GET));
$cook_arr_key=implode('.',@array_flip($_COOKIE));
$other_shtuki=@file_get_contents('php://input');
$cracktrack = strtolower($post_arr.$get_arr.$cook_arr.$post_arr_key.$get_arr_key.$cook_arr_key.$other_shtuki);
$wormprotector = array('base64','user_pass','union','select','substring','or id=');
$checkworm = str_replace($wormprotector, '*', $cracktrack);
if ($cracktrack != $checkworm) die("");
It checks for certain keywords (in the $wormprotector array) within the GET, POST and COOKIE data, both values and keys, as well as the raw request body. When any of them is present, it simply aborts. This is one of the means to detect the current version of the script. This is also the reason why it failed to submit a post. A URL such as http://localhost/wordpress/?select would also die, as would http://localhost/wordpress/?base64.
However, there is nothing to be happy about. It would take less than a minute to modify the script and make it immune to this detection in WordPress.
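Since the keyword check can be edited away in a minute, a file-level sweep is a more robust way to find this shell and its relatives than probing the site with ?select. As an added example that is not part of the original post, the Python below walks a directory tree looking for the markers visible in the code above (the banner comment, the php://input read, the $wormprotector list, array_flip over the superglobals) and for the dropped file name from this incident. The signature list and the demo layout are my own; the demo builds a throwaway directory with one constructed benign plugin and one constructed file carrying the markers.

```python
import os
import re
import tempfile

# Each signature is (label, regex). Labels are mine; the patterns come from the shell's code above.
SIGNATURES = [
    ("magic include shell banner", re.compile(r"Magic Include Shell", re.I)),
    ("raw request body read", re.compile(r"file_get_contents\(\s*['\"]php://input['\"]\s*\)")),
    ("worm-protector keyword list", re.compile(r"\$wormprotector\s*=\s*array\(")),
    ("array_flip over superglobals", re.compile(r"array_flip\(\s*\$_(POST|GET|COOKIE)\s*\)")),
]
# File name dropped into /tmp in this incident (from the post above).
KNOWN_DROPPED_NAMES = {"ro8kbsmawge.txt"}


def scan_text(text):
    """Return the labels of every signature found in one file's contents."""
    return [label for label, rx in SIGNATURES if rx.search(text)]


def scan_tree(root, extensions=(".php", ".txt", ".inc")):
    """Walk root and map each flagged file to its matching labels.
    .txt is included because the shell was planted with that extension."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            found = []
            if name in KNOWN_DROPPED_NAMES:
                found.append("known dropped file name")
            try:
                # latin-1 never raises on odd bytes, which matters for mis-encoded comments
                with open(path, "r", encoding="latin-1") as fh:
                    found.extend(scan_text(fh.read()))
            except OSError:
                continue
            if found:
                hits[path] = found
    return hits


def demo():
    """Constructed sample: one benign plugin, one file with the shell's markers."""
    with tempfile.TemporaryDirectory() as root:
        plugins = os.path.join(root, "wp-content", "plugins")
        os.makedirs(plugins)
        with open(os.path.join(plugins, "hello.php"), "w") as fh:
            fh.write("<?php\n// constructed benign plugin\nadd_action('init', 'hello');\n")
        with open(os.path.join(root, "ro8kbsmawge.txt"), "w") as fh:
            fh.write("<?php\n/*Magic Include Shell by Mag icq 884888*/\n"
                     "$other_shtuki=@file_get_contents('php://input');\n"
                     "$wormprotector = array('base64','user_pass');\n")
        hits = scan_tree(root)
        return {os.path.relpath(p, root): labels for p, labels in hits.items()}


if __name__ == "__main__":
    for path, labels in demo().items():
        print(path, "->", ", ".join(labels))
```

In practice you would point scan_tree at the web root and at /tmp (and anywhere else the apache user can write), and treat a single hit on the php://input or array_flip patterns in an unfamiliar file as reason to inspect it by hand, since legitimate code rarely combines them.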
How to protect your WordPress site from hacking?
You can protect your administration scripts (scripts under wp-admin), where most attacks originate, including this one, by restricting access to your admin scripts to a specific IP address or IP address range. You can also add basic authentication on top of WordPress using your httpd.conf file or .htaccess. This adds a layer of security which any hacker will have to overcome before he gets to your WordPress vulnerabilities.
WordPress should be upgraded as regularly as possible. However, that is easier said than done. Normally I prefer to wait a few versions for the new versions to stabilize.
WordPress security vulnerabilities affect every one of us WordPress-based bloggers. While I was fully aware of the possibilities and had even thought of writing a plugin to address these issues before, I decided to wait (and address more urgent issues, or so I thought), relying on the law of probability to protect my sites; after all, there are several million WordPress blogs out there, so what chance is there of being targeted by a hacker? Well, as it turns out, I was wrong.
To simplify securing WordPress, I have created a plugin, to be released soon, which leverages these ideas and more to secure your WordPress installations. It works with your .htaccess, but it also works even when the .htaccess facility is not available. I have already started using it on my blogs.
February 28th, 2008 at 9:28 am
Hi there,
I am wondering if the plugin you mentioned to protect your blog from hacking has been released? I am sure every WordPress blogger and admin would be eternally grateful.
March 5th, 2008 at 11:34 am
I second dalton's thoughts... if you've got that plugin ready, I will be glad to offer hosting space for you if you're worried about bandwidth. I'd also love to get it running on some client web sites of mine. For now, I have been running into attempts from similar scripts and would love to chat.
Best wishes and thanks for the work you're doing.
-Dave
March 13th, 2008 at 11:15 am
Thanks for this. One other suggestion for people running an insecure WordPress with other critical applications is to run them on different unix userid accounts.
April 12th, 2008 at 4:20 am
great article... thanks
April 23rd, 2008 at 7:08 am
hi,
I wish I had found and read your article before I was a victim to this. After reading this I am sure that this is what possibly happened to my sites: they gained access through WordPress and infiltrated my entire public_html folder and erased all my files and folders. I was hosting 7 websites and all are now gone, and I know you should always backup backup backup, but I was thinking hey, I just got a few little sites, who would want to hack me lol. Well now I know better, too little too late. But thanks for this.
May 5th, 2008 at 5:08 pm
[...] Taragana has a little something on the possibilities of a WordPress hacking. There are many more on the subject as well. [...]
May 7th, 2008 at 11:10 pm
[...] If you're curious, you can read about the exploit the attackers used here and here. [...]
June 1st, 2008 at 5:58 am
[...] to some script-kiddie hacking my aging WordPress (2.0.4) installation I decided to upgrade WordPress on zensonic.dk. At the same [...]