So I just finished cleaning up one of the WordPress sites that I manage from a hack. I was checking Google Analytics and noticed a few irregularities. The first was a number of hits from China, and then I noticed some URLs in the site description that didn't belong there.
I checked the first URL and yep, we have a hack. I logged into the WP dashboard and immediately found two admin users. I did not find the URLs in posts or pages, which was odd, so I started scrubbing the site. I found that I was locked out of several administrator functions, such as updating WordPress or installing new plugins. Thankfully, I was able to deploy them through Infinite WordPress. I ran several scans to check for modifications to the wp-admin directories, and even deleted them and uploaded them from a fresh download of WordPress over FTP.
I found several directories that were out of place: developerl, openbayl, and webstruct. The latter was filled with XML documents, some sort of sitemap:
<?xml version="1.0" encoding="UTF-8" ?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url>
    <loc>http://<my_hacked_site></loc>
    <lastmod>2020-04-07T10:13:06-05:00</lastmod>
    <changefreq>always</changefreq>
    <priority>1.0</priority>
  </url>
  <url>
    <loc>http://<my_hacked_site>/46/Auto-34cm-2-Meter-Kabel-C16620-Aerzetix-Radio/</loc>
    <lastmod>2020-04-07T10:13:06-05:00</lastmod>
    <changefreq>daily</changefreq>
    <priority>0.9</priority>
  </url>
  <url>
    <loc>http://<my_hacked_site>/141/35-mm-KlinkenStecker-und-Adapter-Handy-25-mm-Stecker-iPad-MP3Player/</loc>
    <lastmod>2020-04-07T10:13:06-05:00</lastmod>
    <changefreq>daily</changefreq>
    <priority>0.9</priority>
  </url>
  <url>
The openbayl directory contained a moban.html file that held some sort of HTML template, and the developerl directory seems to have the core part of the hack. It includes another moban.html file that contains a bastardized copy of the site's WordPress headers and footers, and some mangled content that appears to be scraped from the site as well. There was some sort of encoded key in a logs.txt file, and a map.log file pointing to the webstruct XML files. I've uploaded this file as a gist.
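Finding directories like developerl, openbayl and webstruct by eye works on a small site, but the reliable way is to compare the live web root against a pristine copy of the same WordPress version and list everything that is extra, modified or missing. The script below is an added example (not code from the post) that does exactly that with SHA-256 digests; the two trees it compares are constructed in a temporary directory and modelled on the files described above, and the "site-specific" allow list (wp-content, wp-config.php, .htaccess, robots.txt) is an assumption you should adjust for your own install.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Paths that legitimately differ from a pristine WordPress download. Everything
# else under the web root should match the official core files byte for byte.
# (Assumed allow list; extend it for anything else your site adds at the root.)
SITE_SPECIFIC_PREFIXES = ("wp-content/",)
SITE_SPECIFIC_FILES = {"wp-config.php", ".htaccess", "robots.txt"}


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _tree_digests(root: Path) -> dict:
    """Map each file's path relative to root (POSIX style) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            digests[full.relative_to(root).as_posix()] = _sha256(full)
    return digests


def _is_site_specific(rel: str) -> bool:
    return rel in SITE_SPECIFIC_FILES or rel.startswith(SITE_SPECIFIC_PREFIXES)


def compare_trees(live_root: Path, pristine_root: Path) -> dict:
    """Compare a live web root against a pristine core download.

    extra:       files on the live site that are neither core nor site-specific
                 (the developerl / openbayl / webstruct kind)
    modified:    core files whose content differs from the pristine copy
    missing:     core files the live site lacks
    uploads_php: PHP under wp-content/uploads, which a normal site never needs
    """
    live = _tree_digests(live_root)
    pristine = _tree_digests(pristine_root)
    report = {"extra": [], "modified": [], "missing": [], "uploads_php": []}
    for rel, digest in live.items():
        if rel in pristine:
            if digest != pristine[rel]:
                report["modified"].append(rel)
        elif rel.startswith("wp-content/uploads/") and rel.lower().endswith((".php", ".phtml", ".php5")):
            report["uploads_php"].append(rel)
        elif not _is_site_specific(rel):
            report["extra"].append(rel)
    report["missing"] = [rel for rel in pristine if rel not in live]
    for key in report:
        report[key].sort()
    return report


def _write(root: Path, rel: str, content: str) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)


def demo() -> dict:
    """Build two constructed trees (not a real site) and compare them."""
    core = {
        "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-admin/index.php": "<?php // admin dashboard\n",
        "wp-includes/version.php": "<?php $wp_version = '5.3.2';\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        pristine, live = Path(tmp) / "pristine", Path(tmp) / "live"
        for rel, body in core.items():
            _write(pristine, rel, body)
            _write(live, rel, body)
        # Simulated tampering and foreign directories, modelled on the post.
        _write(live, "wp-admin/index.php", core["wp-admin/index.php"] + "// injected line\n")
        _write(live, "developerl/moban.html", "<html>template</html>\n")
        _write(live, "webstruct/sitemap1.xml", "<urlset/>\n")
        _write(live, "wp-content/uploads/2020/04/cache.php", "<?php // should not be here\n")
        # Legitimate site-specific files that must not be flagged.
        _write(live, "wp-config.php", "<?php define('DB_NAME', 'wp');\n")
        _write(live, "wp-content/themes/mytheme/style.css", "/* theme */\n")
        return compare_trees(live, pristine)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

On a real cleanup, point `compare_trees` at a copy of the live site pulled over SFTP and at the unpacked official tarball for the same version. If WP-CLI is available on the host, `wp core verify-checksums` does the core comparison for you against the checksums WordPress.org publishes, but it does not report foreign directories at the web root, which is what this script adds.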
I downloaded a copy of these files, then deleted them from the site. After running security scans and looking for any additional files that didn't belong, I was still locked out of installing plugins. I started poring through the SQL data, looking for what happened. I checked the .htaccess file for any shenanigans, and disabled all plugins. My user appeared to have admin access in the database, and I verified that the administrator role had the install_plugins capability in the wp_user_roles row of wp_options. But when I added a PHP check in the site files, I didn't have the capability.
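Both places that decide what an admin can do are PHP-serialized blobs: the wp_user_roles option (role name to capability map) and each user's wp_capabilities meta (the roles assigned to the user plus any per-user overrides). WordPress builds a user's effective capability set by taking the capabilities of each assigned role and then overlaying the user's own entries on top, so a per-user `install_plugins => false` wins over the role. The script below is an added example, not the post's own check, with a small parser for the serialized format and two constructed sample rows; the role and user blobs are illustrative, and a hypothetical hand-edited row with a wrong string length shows the other failure mode, where `unserialize()` rejects the value and WordPress ends up with no roles at all. Two things it cannot see, because they are not in the database, are `DISALLOW_FILE_MODS` in wp-config.php and a `user_has_cap` or `map_meta_cap` filter in a plugin or theme file, either of which also removes install_plugins and update_core from an otherwise intact administrator.

```python
# PHP-serialized values as WordPress stores them: wp_options.option_value for
# wp_user_roles and wp_usermeta.meta_value for wp_capabilities (the table
# prefix may differ). All sample rows below are constructed for this example.
ROLES_OPTION = (b'a:1:{s:13:"administrator";a:2:{s:4:"name";s:13:"Administrator";'
                b's:12:"capabilities";a:4:{s:15:"install_plugins";b:1;s:11:"update_core";b:1;'
                b's:16:"activate_plugins";b:1;s:10:"edit_posts";b:1;}}}')
HEALTHY_ADMIN = b'a:1:{s:13:"administrator";b:1;}'
# Same role, but a per-user override switches one capability off.
DEMOTED_ADMIN = b'a:2:{s:13:"administrator";b:1;s:15:"install_plugins";b:0;}'
# Hypothetical hand-edited row with a wrong string length (12 instead of 13):
# PHP's unserialize() fails on it and the roles table is effectively empty.
CORRUPT_ROLES = b'a:1:{s:12:"administrator";a:0:{}}'

CAPS_TO_CHECK = ("install_plugins", "update_core", "activate_plugins")


def php_unserialize(blob: bytes):
    """Parse the subset of PHP's serialize() format WordPress uses for options
    and user meta: arrays, strings, ints, floats, bools and null."""
    value, end = _parse(blob, 0)
    if end != len(blob):
        raise ValueError(f"trailing data at byte {end}")
    return value


def _parse(buf: bytes, i: int):
    tag = buf[i:i + 1]
    if tag == b"N":                      # N;
        if buf[i + 1:i + 2] != b";":
            raise ValueError(f"bad null at byte {i}")
        return None, i + 2
    if tag in (b"i", b"d", b"b"):        # i:42;  d:1.5;  b:1;
        end = buf.index(b";", i)
        raw = buf[i + 2:end]
        if tag == b"i":
            return int(raw), end + 1
        if tag == b"d":
            return float(raw), end + 1
        return raw == b"1", end + 1
    if tag == b"s":                      # s:LEN:"bytes";  LEN counts bytes, not chars
        colon = buf.index(b":", i + 2)
        length = int(buf[i + 2:colon])
        if buf[colon + 1:colon + 2] != b'"':
            raise ValueError(f"bad string at byte {i}")
        start = colon + 2
        text = buf[start:start + length]
        if len(text) != length or buf[start + length:start + length + 2] != b'";':
            raise ValueError(f"string length mismatch at byte {i}")
        return text.decode("utf-8"), start + length + 2
    if tag == b"a":                      # a:COUNT:{key;value;...}
        colon = buf.index(b":", i + 2)
        count = int(buf[i + 2:colon])
        if buf[colon + 1:colon + 2] != b"{":
            raise ValueError(f"bad array at byte {i}")
        j = colon + 2
        items = {}
        for _ in range(count):
            key, j = _parse(buf, j)
            val, j = _parse(buf, j)
            items[key] = val
        if buf[j:j + 1] != b"}":
            raise ValueError(f"unterminated array at byte {j}")
        return items, j + 1
    raise ValueError(f"unsupported type tag {tag!r} at byte {i}")


def is_well_formed(blob: bytes) -> bool:
    """True if the row would survive PHP's unserialize(); False means WordPress
    silently loses whatever was stored there."""
    try:
        php_unserialize(blob)
        return True
    except ValueError:
        return False


def effective_caps(roles: dict, user_caps: dict) -> set:
    """Mirror how WP_User assembles allcaps: capabilities of each assigned role
    first, then the user's own wp_capabilities entries overlaid on top."""
    allcaps = {}
    for name, flag in user_caps.items():
        if name in roles and flag:
            allcaps.update(roles[name].get("capabilities", {}))
    for name, flag in user_caps.items():
        if name not in roles:
            allcaps[name] = flag
    return {cap for cap, granted in allcaps.items() if granted}


def missing_caps(roles_blob: bytes, user_caps_blob: bytes, required=CAPS_TO_CHECK) -> list:
    """Capabilities from `required` that this user does not end up with."""
    have = effective_caps(php_unserialize(roles_blob), php_unserialize(user_caps_blob))
    return [cap for cap in required if cap not in have]


if __name__ == "__main__":
    print("healthy admin missing:", missing_caps(ROLES_OPTION, HEALTHY_ADMIN))
    print("demoted admin missing:", missing_caps(ROLES_OPTION, DEMOTED_ADMIN))
    print("corrupt roles row parses:", is_well_formed(CORRUPT_ROLES))
```

To use it on a real site, pull the two rows with `SELECT option_value FROM wp_options WHERE option_name = 'wp_user_roles'` and `SELECT meta_value FROM wp_usermeta WHERE user_id = <id> AND meta_key = 'wp_capabilities'` (substituting your table prefix) and pass the raw bytes in. If `is_well_formed` says the roles row is broken, restore that single option from backup rather than editing the string by hand.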
I had spent almost two hours digging through this. I had identified the time of the hack, and thankfully, I had a backup from the night before. I restored it, and functionality was back to normal.
I'm troubled that I don't know how the hack occurred. Everything was reasonably up to date. We were behind on a WordPress update, 5.3.x to 5.4, but I'm not aware of any vulnerabilities that would have allowed us to be hacked. Regardless, I took additional steps after restoring the site, including installing Sucuri Security and NinjaScanner. I'm also going to be deploying them on all sites under management.