We had Identified the incident, now it was time for Containment. To do that, since I still had access to mySQL, I could take that admin user back by creating a new user following these instructions<\/a> (I also could have just updated the data for the existing user). Once that was completed and I had reset the password to my main admin user and set all the other data back, I updated my WordPress instance from 4.8.5 to the latest version, 4.9.4.<\/p>\n Next was the Investigation piece. As you will no doubt recall, I had long ago set up a pull of my website logs into Splunk<\/a>. Thankfully this was still up and running, and so I had Apache logs. To figure out who had logged in, I did a simple Splunk query to show the successful POSTs to my wp-login.php<\/span> page:<\/p>\n Aha! Now I had a source IP address, so I could easily search for events from that IP address (incidentally, the IP address was located in Indonesia, consistent with this group). Once I did a search for that in the Apache logs, I had an exact timeline of everything that happened, starting on the morning of 11 January 2018:<\/p>\n While I was investigating these logs, I also had a search via WinSCP for any files that were touched on 2018-01-11. The only files that returned were all in that Aviliate directory again, providing confirmation that this was the backdoor they had installed. In my console, the plugin appeared as Akismet, which is a popular anti-spam plugin that many WordPress sites have, which made it blend in and appear to be legitimate.<\/p>\n I removed this plugin manually from my site for containment, but not before I downloaded a copy for investigation. Here\u2019s where it started to get even more interesting. First, however, it was back to Investigation mode.<\/p>\n I returned to Splunk to see what traffic to this Aviliate plugin had occurred after installation. Turns out there was very little traffic to that plugin, but I did get a few hits from additional IP addresses. In addition, I saw a pattern in the traffic: the attacker would hit \/blog\/wp-content\/plugins\/Aviliate\/user.php<\/span> and then go to \/NTI5enhqLzk2MjUvMjkvNDU5MDEvOQ==<\/span> which certainly isn\u2019t a valid URL on my site, or at least shouldn\u2019t be. That meant that there was something interesting going on in that user.php<\/span> file, so that was the next place to look.<\/p>\n That file was nothing more than a function to grab the contents of another site and PHP eval<\/span> it. No legitimate PHP site grabs data from random URL and evals it, so this was clearly malicious. The URL was hxxp:\/\/elro[.]us\/fina25\/wso.txt<\/span>, which Virus Total shows as malcious<\/a>, hosting a PHP Backdoor Webshell (details here<\/a>). Visiting that site over TOR brings up a fairly standard PHP backdoor console. This backdoor requires the user agent to look like an Indexer, otherwise it returns a 404. This would likely explain why so much traffic had suspicious user agent strings.<\/p>\n The afore-mentioned IP addresses all hit the user.php<\/span> script then did various other things. Most were on the 11th and 12th of January, but I did find one repeat visitor who arrived at the site via Yahoo search. That particular search led to them hitting \/NGlfMzgyMTVfaXRrYS90Xzg4Njdfa2F5.html<\/span>, which may have been a persistent backdoor link. Further Splunk searches on that particular URL found even more visits from other IPs.<\/p>\n The original Google Search Console alert was for \/<\/span>eWYtOTgyNy1mdi8xNjEyLXZ1.amm<\/span><\/a>, which I also search for in Splunk and saw a number of hits.<\/p>\n The other Aviliate file that was accessed was the file ass.php<\/span>, which appeared be another file management tool called \u201cB Ge Team File Manager\u201d. Googling that term brings up an alarming number of sites that appear to have once had this backdoor as well. The attacker only accessed ass.php<\/span> once on my site, POSTing something that I could not determine. As this event happened on 12 January, a search for files modified at this time returned two sitemap files, site_map.xml<\/span> and home-site-map.xml<\/span>. The former had a bunch of random URLs, including the ones above. This user also accessed a file that should not have existed, at \/wp-content\/uploads\/2014\/09\/cropped-DSC04285.jpg<\/span>, although searching for this file now returns no results.<\/span><\/p>\n Finding no other artifacts, I feel that this has been taken care of. A review of the Apache log from today shows continuing attempts to access certain URLs, but they all return 404s. Thus, this appears to have been Eradicated at this time. However, it was certainly an interesting exercise, and not all of the items that I found appear to be detected as malware. IOCs of the event below:<\/p>\n The starred MD5 hashes above are not in Virus Total, so they may represent new tools used by this group.<\/p>\n The only remaining question that I have is, how did they get in? My Admin password is stored in KeePass and is random, so it\u2019s hard to see how it could be brute-forced. Could it have been intercepted in transit somehow? I\u2019m not sure.<\/p>\n Lessons learned?<\/p>\n It\u2019s been a while since I updated this blog, and this lack of attention (and falling behind a few versions in WordPress) led to this very site getting hacked! Fortunately, I was quickly alerted to it thanks to Google, and if nothing else, this presents an interesting case study in investigating what happened. Full details… Continue reading Investigating a WordPress Compromise<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[127],"tags":[282,283,252,281],"class_list":["post-1257","post","type-post","status-publish","format-standard","hentry","category-security","tag-forensics","tag-malware","tag-splunk","tag-wordpress","entry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/1257","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/comments?post=1257"}],"version-history":[{"count":4,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/1257\/revisions"}],"predecessor-version":[{"id":1261,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/1257\/revisions\/1261"}],"wp:attachment":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/media?parent=1257"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/categories?post=1257"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/tags?post=1257"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"clip_image001\"](\"http:\/\/www.nathanhunstad.com\/blog\/wp-content\/uploads\/2018\/02\/clip_image001_thumb.png\" "\\"clip_image001\\"")
<\/a><\/p>\n\n
\n\n
\n Type<\/strong><\/td>\n Value<\/strong><\/td>\n Note<\/strong><\/td>\n<\/tr>\n \n Email<\/td>\n javaintelegentcyber@gmail[.]com<\/td>\n Email address for altered WordPress admin user<\/td>\n<\/tr>\n \n IP<\/td>\n 114.125.62.180<\/td>\n Initial attacker IP<\/td>\n<\/tr>\n \n URL<\/td>\n hxxp:\/\/teti[.]az\/wp-admin\/network\/anu\/wp-login.php<\/td>\n Referrer for initial attack<\/td>\n<\/tr>\n \n MD5<\/td>\n 90d3aea687c0b53e69f8100fd7ed5f07<\/td>\n admin.php in Aviliate plugin<\/td>\n<\/tr>\n \n MD5<\/td>\n b21a404710858576e4e674c7847d014a<\/td>\n ass.php in Aviliate plugin<\/td>\n<\/tr>\n \n MD5<\/td>\n b086f53b3f1258c5012afaa3a4aa2e04<\/td>\n b.php in Aviliate plugin*<\/td>\n<\/tr>\n \n MD5<\/td>\n 781c312fe0acf6c79f59bc1663090975<\/td>\n ftp.php in Aviliate plugin<\/td>\n<\/tr>\n \n MD5<\/td>\n fa66278d9f284cb080931a49768efe47<\/td>\n index.html in Aviliate plugin<\/td>\n<\/tr>\n \n MD5<\/td>\n 23ef3628ab19af2a8127f4c0abc40dd5<\/td>\n index.php in Aviliate plugin*<\/td>\n<\/tr>\n \n MD5<\/td>\n 33bf39fd010e3312cde659469bebc18d<\/td>\n k.php in Aviliate plugin*<\/td>\n<\/tr>\n \n MD5<\/td>\n 756023c23273fa840d7af376545a1f04<\/td>\n systems.php in Aviliate plugin*<\/td>\n<\/tr>\n \n MD5<\/td>\n 63605007c074d272ea2407203e2c7d48<\/td>\n user.php in Aviliate plugin<\/td>\n<\/tr>\n \n URL<\/td>\n hxxp:\/\/elro[.]us\/fina25\/wso.txt<\/td>\n URL hosting code loaded by user.php<\/td>\n<\/tr>\n \n URL<\/td>\n hxxp:\/\/kalined[.]com\/tmp\/a.tx<\/td>\n URL hosting code loaded by b.php<\/td>\n<\/tr>\n \n URL<\/td>\n hxxps:\/\/pastebin[.]com\/raw\/BYZj83nV<\/td>\n URL hosting DH-5HELL 2014 backdoor loaded by ftp.php<\/td>\n<\/tr>\n \n URL<\/td>\n hxxp:\/\/kalined[.]com\/includes\/random.css<\/td>\n URL hosting code loaded by k.php<\/td>\n<\/tr>\n \n URL<\/td>\n hxxp:\/\/www.avatarfilms[.]org\/wordpress\/wp-content\/plugins\/Premium_Gallery_Manager\/04.txt<\/td>\n URL hosting code loaded by systems.php<\/td>\n<\/tr>\n \n MD5<\/td>\n 3b725e982e9c54a26a8a77cdaa8a8fcb<\/td>\n 04.txt code for the above*<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \n