WordPress hack plugin GroupDocs
by Bruce Brown | 0 comments

One of my WordPress blogs got hacked. I was notified by Google.
I was apprehensive about accessing the site from my computer, so I checked it out from my smartphone. I figured most current malware attempts to download and install on Windows systems, but is usually not smart enough to infect two different platforms (Windows AND Android). The site seemed fine, but I am sure there is something wrong. So I logged into the server. The dates looked a little suspicious, but the actual PHP files looked fine.
I noticed a pattern in the dates the files were accessed. I am seeing scores of files/folders that have been “touched” and have the same date/time stamp: Nov 22, 2015 12:00. You only see that many files changed at once when a script does it. I focused on those files and I can see that MOST of the Nov 22 12:00 date/time stamps are on ONE plugin: GroupDocs. I look at the error log:
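The "scores of files with one identical timestamp" observation can be turned into a repeatable check. The script below is an added example, not from the original post: it groups every file under a WordPress tree by minute-level mtime and reports stamps shared by many files, then lists the files behind a given stamp. It assumes GNU find (for -printf); the sample tree, plugin directory names and the cluster threshold are constructed for the demo.

```shell
# Added example, not from the original post: locate "touched" clusters, i.e.
# mtimes (to the minute) shared by many files under a WordPress tree, and list
# the files carrying a given stamp. Assumes GNU find (-printf); the sample tree,
# plugin names and the cluster threshold are constructed for the demo.

# Build a constructed sample tree in a temp dir: three files with unrelated
# mtimes and one plugin whose five files all carry 2015-11-22 12:00, the way a
# scripted write or touch leaves them. Prints the root path.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/plugins/groupdocs/lib" "$root/wp-content/plugins/akismet"
  for f in index.php wp-login.php wp-content/plugins/akismet/akismet.php; do
    echo '<?php' > "$root/$f"
  done
  touch -t 201511201547 "$root/index.php"
  touch -t 201511191200 "$root/wp-login.php"
  touch -t 201510010900 "$root/wp-content/plugins/akismet/akismet.php"
  for f in plugin.php lib/a.php lib/b.php lib/c.php lib/d.php; do
    echo '<?php' > "$root/wp-content/plugins/groupdocs/$f"
    touch -t 201511221200 "$root/wp-content/plugins/groupdocs/$f"
  done
  printf '%s\n' "$root"
}

# Emit "<count> <YYYY-mm-dd HH:MM>" for every minute-level mtime shared by at
# least $2 files (default 5) under $1, largest cluster first.
mtime_clusters() {
  find "$1" -type f -printf '%TY-%Tm-%Td %TH:%TM\n' \
    | sort | uniq -c | sort -rn \
    | awk -v min="${2:-5}" '$1 >= min { print $1, $2, $3 }'
}

# List the files under $1 whose mtime is exactly the stamp $2 ("YYYY-mm-dd HH:MM").
# The stamp prefix is 17 characters, so the path is everything after it.
files_at_mtime() {
  find "$1" -type f -printf '%TY-%Tm-%Td %TH:%TM %p\n' \
    | awk -v stamp="$2" '($1 " " $2) == stamp { print substr($0, 18) }'
}

# Stand-alone run: report clusters of 3+ files, then the files behind the
# 2015-11-22 12:00 cluster.
root=$(make_sample_tree)
mtime_clusters "$root" 3
files_at_mtime "$root" "2015-11-22 12:00"
rm -rf "$root"
```

On a real site, run mtime_clusters against the document root with a threshold of a few dozen; a single stamp that dominates the list, and a files_at_mtime listing that lands almost entirely in one plugin directory, is exactly the pattern described above. Remember that mtime is trivially forged with touch, so a clean listing is not proof of a clean site.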
INFO Started brute forcing.
INFO checking: drinkmusiccity.com, david, david
INFO checking: farmofpeace.com, salima, salima
INFO checking: fayjames.com, fay, fay
INFO checking: fantasyassembly.com, kevin-j, kevin-j
INFO checking: fionaraven.com, fiona, fiona
INFO checking: fishinglakes.com, Colby, Colby
INFO checking: firetown.com, firetown, firetown
INFO checking: fontainetours.com, claudia, claudia
INFO checking: foreverboundadoption.org, designteam, designteam
INFO checking: fotoparisberlin.com, amelie, amelie
INFO checking: frabonisdeli.com, bennett-fraboni, bennett-fraboni
INFO checking: freeloveforum.com, anne, anne
INFO checking: funkatech.com, incyte, incyte
INFO checking: futurist.com, brenda-cooper, brenda-cooper
INFO checking: futebolnas4linhas.com, ingrid-carvalho, ingrid-carvalho
INFO checking: freedomnewton.com, pastorc, pastorc
INFO checking: k-bell.co.jp, kohei, kohei
INFO checking: katrinakaif.co.uk, harish, harish
INFO checking: kcfw.de, c-mohr, c-mohr
INFO checking: kazu.co.nz, staff, staff
INFO checking: keneally.com, samcniotktaetl, samcniotktaetl
INFO checking: keratoconus.com.au, jim, jim
INFO checking: fundacjadantian.com, fundacjadantian, fundacjadantian
INFO checking: kibi-group.com, kibi, kibi
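Every entry in that log is the compromised site being used to guess another WordPress site's password, and in each one the guessed password is simply the username. Whoever finds such a log has a list of third-party victims to notify. The snippet below is an added example, not code from the original post or from the plugin: it parses lines of the "INFO checking: site, user, pass" shape into triples and pulls out the targets. SAMPLE_LOG is constructed for the demo, and its last "checking" line is invented to show a guess that is not username-as-password.

```shell
# Added example, not from the original post: pull the targets out of a
# brute-forcer log of the "INFO checking: site, user, pass" shape shown above.
# SAMPLE_LOG is constructed for the demo; the example.org line is made up.
SAMPLE_LOG='INFO Started brute forcing.
INFO checking: drinkmusiccity.com, david, david
INFO checking: farmofpeace.com, salima, salima
INFO checking: fishinglakes.com, Colby, Colby
INFO checking: example.org, admin, hunter2
Child dead.'

# Print one "site user pass" line per "checking:" entry, skipping everything else.
# The field separator ": " splits the prefix from the payload; the payload is
# then split on ", " and only well-formed three-part entries are kept.
parse_attempts() {
  printf '%s\n' "$1" | awk -F': ' '
    /^INFO checking: / {
      n = split($2, f, /, /)
      if (n == 3) print f[1], f[2], f[3]
    }'
}

# Attempts where the password is the username, which is the only guess the
# log above shows this tool making.
user_as_pass() {
  parse_attempts "$1" | awk '$2 == $3 { print $1 }'
}

# Distinct target sites, one per line: the notification list.
target_sites() {
  parse_attempts "$1" | awk '{ print $1 }' | sort -u
}

# Stand-alone run against the constructed sample.
parse_attempts "$SAMPLE_LOG"
echo '--- username-as-password targets'
user_as_pass "$SAMPLE_LOG"
echo '--- all targets'
target_sites "$SAMPLE_LOG"
```

Feed a real log in with `parse_attempts "$(cat error_log)"` and send target_sites to the affected site owners or their hosts; the third column is a credential, so keep the parsed output off shared drives.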
I look up the plugin GroupDocs. It has had a MAJOR compromise:
https://wordpress.org/support/topic/beaware-this-plugin-attracts-hackers
It is being used as a backdoor into WordPress. Honestly, I don’t remember even installing it. I am not sure if it came with the theme I installed or what. I start checking all my other blogs’ plugins. I don’t see it anywhere else. Upon further inspection of the plugin, I can clearly see the PHP backdoor code:
sending: { "type" : "WPBF_RESPONSE", "linkPasses" : [
  { "site" : "farmofpeace.com", "user" : "salima", "pass" : "salima" },
  { "site" : "i-entertainment.co.uk", "user" : "nicolai2014", "pass" : "nicolai2014" },
  { "site" : "020haopai.com", "user" : "siteadmin", "pass" : "siteadmin" },
  { "site" : "zargarcarpet.com", "user" : "akeel", "pass" : "akeel" },
  { "site" : "haubstadtsommerfest.com", "user" : "joeyconti", "pass" : "joeyconti" }
] }
Starting brute forcing WordPress
CURRENT TIME: 2015-11-20 15:47:06
CURRENT TIME: 2015-11-20 15:47:37
CURRENT TIME: 2015-11-20 15:48:08
CURRENT TIME: 2015-11-20 15:48:39
Child dead.
Reading response: Done.
read: 0 bytes

The Fix Action: