Background

The client is hosting a WordPress real estate web site made with a custom theme. The client got in contact with us because the site was being continually defaced by Turkish hackers.


Phase 1: Identify Issue

We ran the CXS exploit scanner, which revealed some uploaded files containing the Turkish hackers' defacement template in the root of the site. The scan also revealed many new, non-WordPress files and folders added to the wp-admin and wp-includes folders. We also ran WPScan, which did not reveal any outdated plugins or themes.

Phase 2: Remove and Secure

• We deleted wp-admin and wp-includes and uploaded fresh copies from the WordPress repository.
• We manually removed every exploited file and folder identified by CXS (too many to list here).
• We reset permissions on all directories and files to 0755 and 0644 respectively, eliminating any 777 permissions.
• We added additional rules to the root .htaccess to prevent injections and other miscellaneous issues.
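The permission reset in the list above, as an added example that is not part of the original write-up: every directory goes to 0755 and every file to 0644, and a second function counts what is still world-writable so the result can be verified rather than assumed. The document root and the tree it operates on are placeholders built in a temporary directory, not the client's site.

```shell
# Added example, not the original write-up's code. Resets a WordPress
# document root to directories 0755 / files 0644, then reports anything
# still writable by "other". All paths here are placeholders.

# Reset permissions under the given root (directories first, then files).
reset_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
}

# Count entries under the root that are still world-writable; 0 is the goal.
count_world_writable() {
    find "$1" -perm -o+w | wc -l | tr -d ' '
}

# Demonstration on a constructed tree in a temp dir (no real site is touched):
# one 0777 upload directory holding a 0777 PHP file, the classic bad state.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/uploads"
printf '<?php /* constructed placeholder */\n' > "$demo_root/wp-content/uploads/x.php"
chmod 0777 "$demo_root/wp-content/uploads" "$demo_root/wp-content/uploads/x.php"
echo "before: $(count_world_writable "$demo_root") world-writable entries"
reset_wp_perms "$demo_root"
echo "after:  $(count_world_writable "$demo_root") world-writable entries"
rm -rf "$demo_root"
```

Run it as root or as the site owner; on a real site, check the web server's user afterwards, because a directory it must write to (for example uploads) still needs to be owned by that user, not made world-writable.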

Phase 3: Waiting Period

To see whether the fixes had worked, we waited 24 hours and then checked whether the site had been defaced again. It had, so we moved on to phase 4.

Phase 4: Further Investigation

We went through the access log to identify any unusual behaviour or activity from visitors and found a few very odd URLs being requested. For example, in the screenshot you can see that Google is spidering a URL which requests access to the var folder on the server.

Upon visiting this URL we were presented with a page called “BLACKJOKER MINI SHELL”, whose purpose is to allow an attacker to upload malicious files to the client’s server.


Further scans by CXS, Maldet, WPScan and Wordfence did not reveal anything malicious, so we downloaded the whole site in order to perform a textual search for the term “blackjoker” and identify any file containing it.

The search found that the custom theme the client was using contained one file with the shell code that allowed attackers to upload files to the client's hosting account.


After removing the file from the server, the upload script could no longer be executed.

Conclusion

It seems that the malicious code already existed when the client set up their web site on the server, so the attacker was already inside the hosting account without the client knowing.
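The two checks that located the shell in Phase 4, as an added example that is not part of the original write-up: first a pass over a combined-format access log that pulls out requests for paths a WordPress site has no reason to serve (here a watch list covering a "/var/" path segment, POSTs into wp-content, and PHP files under uploads), then a case-insensitive search of the downloaded site copy for a marker string such as “blackjoker”. The log lines, the theme path and the watch-list patterns are all constructed for the example; the original post does not give the real ones.

```shell
# Added example, not the original write-up's code. Log lines, paths and
# watch-list patterns below are constructed for illustration.

# Write a constructed combined-format access log (not real client data).
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [10/Mar/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
66.249.66.1 - - [10/Mar/2014:10:00:07 +0000] "GET /wp-content/themes/customtheme/var/ HTTP/1.1" 200 812 "-" "Googlebot/2.1"
203.0.113.9 - - [10/Mar/2014:10:00:09 +0000] "POST /wp-content/themes/customtheme/var/ HTTP/1.1" 200 233 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:00:12 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Print "method path status" for each request whose path matches the watch
# list. The request line sits between the first pair of double quotes; the
# status code is the 9th whitespace-separated field in combined format.
suspicious_requests() {
    awk '{
        split($0, q, "\"");
        split(q[2], r, " ");
        method = r[1]; path = r[2]; status = $9;
        if (path ~ /\/var\// ||
            (method == "POST" && path ~ /^\/wp-content\//) ||
            path ~ /^\/wp-content\/uploads\/.*\.php/)
            print method, path, status
    }' "$1"
}

# Number of flagged requests, handy for a quick first look at a large log.
count_suspicious() {
    suspicious_requests "$1" | wc -l | tr -d ' '
}

# Case-insensitive search of a site copy for a marker; prints matching files.
find_marker() {
    grep -rli -- "$2" "$1"
}

# Demonstration on constructed data.
log=$(mktemp)
make_sample_log "$log"
echo "flagged requests: $(count_suspicious "$log")"
suspicious_requests "$log"

site=$(mktemp -d)
mkdir -p "$site/wp-content/themes/customtheme"
printf '<?php /* constructed marker file */ echo "BLACKJOKER MINI SHELL"; ?>\n' \
    > "$site/wp-content/themes/customtheme/marker.php"
printf '<?php /* benign */ ?>\n' > "$site/index.php"
echo "files containing the marker:"
find_marker "$site" blackjoker
rm -rf "$site" "$log"
```

The marker search only catches a shell that still carries its banner in plain text; a copy that is base64-encoded or otherwise obfuscated will not match, which is why the access-log pass (which sees the request regardless of how the file is written) is the more reliable of the two.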