Damn … my VPS is being cracked
UPDATE: What appears to have happened …
Yeah, as I type this, I’m getting hit with an attack. I’m not precisely sure of the motive. I just know that there are two directories on my server that should not be there and the attack appears to be coming through a specific URL. It’s been happening for several days now (correction: it just started today, according to my server logs), and the attacker is using / attempting to use PHP functions that interact with the shell.
He was also able to grab a whole bunch of data about my server as you can see from the above-linked code. I have my suspicions about how it is getting through, but nothing I can prove just yet. I’m going to look into it and see what I can come up with.
In the meantime, I’m just going to ask nicely that he (assuming this is a guy) please, please stop, and don’t mess up any of my stuff while visiting.
And please take steps to disable certain system-affecting functions in your php.ini file (if you have access).
UPDATE: This crack appears to involve a ShellBOT as well.
UPDATE 2: ShellBOTs are bad. Apparently they open a connection to an IRC server, allowing all kinds of nasty things to happen. So I’m hoping nothing serious was compromised.
UPDATE 3: Interesting to know: when working in the shell, your file name does not need to have the ‘proper’ extension that it would on a web server in order to be executed.
Let’s say you have a plain text file named ‘hello.txt’. It contains one line: <?php echo 'hello world';?>. In order for this file to run as a web page, it would need a .php extension (or whatever extension is designated in your server configuration). But as a shell script, it could have just about any name and still be executed by typing ‘php hello.txt’ at the command line.
In this case, the attacker grabbed (or attempted to grab) a ShellBOT written in Perl from another server (file name b.txt) and executed it by sending ‘perl b.txt’ after the wget command.
UPDATE 4: I’m pretty sure my suspicions have been confirmed. It seems that at least one other person has had an issue with WP Super Cache opening their server to attack. I suspected this early on, and deleted the plugin and its associated files. As an added measure, I disabled those functions that can execute system commands. So far, so good. I can’t say my server is now secure, but I’m hoping that hole has been filled.
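As an added example (not the author's code), here is a small POSIX shell audit that reads the disable_functions line of a php.ini and reports which of PHP's shell-interacting functions are still callable; the two .ini fragments it checks are constructed, and the function list (exec, shell_exec, system, passthru, popen, proc_open) is my assumption of what "functions that can execute system commands" should cover.

```shell
#!/bin/sh
# Audit php.ini hardening: which shell-spawning PHP functions remain enabled?
# Added example, not the post author's code. Sample .ini files are constructed.

# PHP functions that hand a string to a system shell or spawn a process (assumed list).
SHELL_FUNCS="exec shell_exec system passthru popen proc_open"

# Print the effective disable_functions value from a php.ini file.
# The last uncommented assignment wins, as in PHP; quotes and whitespace are dropped.
ini_disabled() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" \
      | tail -n 1 \
      | sed -e 's/^[^=]*=//' -e 's/"//g' -e 's/[[:space:]]//g'
}

# Print, space separated, the shell-interacting functions the file still allows.
still_enabled() {
    disabled=",$(ini_disabled "$1"),"
    out=""
    for f in $SHELL_FUNCS; do
        case "$disabled" in
            *",$f,"*) ;;               # listed, so PHP will refuse to call it
            *) out="$out $f" ;;        # not listed: still reachable from a web script
        esac
    done
    printf '%s\n' "${out# }"
}

INI_DIR=$(mktemp -d)
WEAK_INI="$INI_DIR/weak.ini"
HARD_INI="$INI_DIR/hardened.ini"

# Constructed: a php.ini where only exec() was added to the list after the incident.
cat > "$WEAK_INI" <<'EOF'
; constructed php.ini fragment
disable_functions = exec
EOF

# Constructed: the same directive covering every function in SHELL_FUNCS.
cat > "$HARD_INI" <<'EOF'
; constructed php.ini fragment
disable_functions = "exec,shell_exec,system,passthru,popen,proc_open"
EOF

echo "weak.ini still allows:     $(still_enabled "$WEAK_INI")"
echo "hardened.ini still allows: '$(still_enabled "$HARD_INI")'"
```

disable_functions can only be set in php.ini or the web server's main configuration, not from .htaccess or ini_set(), and the CLI SAPI reads its own php.ini, so the web server's setting says nothing about what `php b.txt` can do once someone already has a shell.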
I have been there before! Let me know if you need another set of eyes to look @ those server logs. I would love to know how they got in.
Man, so would I :-). I know what they’re doing once they’re in. But I don’t know how they’re getting in.
I had a similar problem before I upgraded to 2.3.1. In my case it was the trackback and the old version of XMLRPC that was vulnerable to exec() commands and file generation.
Thanks Chris… I think I upgraded WP a couple of days too late. I figured it was WP related though because the only URLs they were trying were WP URLs on this blog.
I thought the XMLRPC issue had been fixed a couple of years ago.
As an extra precaution I disabled exec() — the only function the attacker tried that I hadn’t disabled before now (d’oh!). With any luck that will do it.
[...] had replied to me letting me know that Tiffany Brown was having a similar experience (though with greater consequence) and a report in the WordPress forums. Both Kristie Wells from Joyent and Donncha got back to me, [...]
I had the same issue lately and eggdrop and mocks were dropped in because of a vulnerable PHP script. Once I found the corrupted scripts, I installed patched scripts, turned on safe mode for that account and then disabled the exec() function. Since the hacker was from Taiwan, I also took the liberty of banning the IP address range for the ISP they were using.
It really is the wild west out there. Glad to hear I’m not the only one whacking these weeds.