The client is hosting a WordPress real estate web site built with a custom theme. The client contacted us because the site was being continually defaced by Turkish hackers.
Phase 1: Identify Issue
We ran the CXS exploit scanner, which revealed some uploaded files containing the Turkish hackers' template in the root of the site. The scan also revealed many new, non-WordPress files and folders added to the wp-admin and wp-includes folders. We also ran wpscan, which did not reveal any outdated plugins or themes.
Phase 2: Remove and Secure
- We deleted wp-admin and wp-includes and uploaded fresh copies from the WordPress repository.
- We manually removed every exploited file and folder identified by CXS (too many to list here).
- We reset permissions on all directories and files to 0755 and 0644 to eliminate any 777 entries.
- We added rules to the root .htaccess to block injections and other miscellaneous issues.
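The permission reset in the third step, written out as an added example (not the page's own tooling): it walks a WordPress tree, sets directories to 0755 and files to 0644, skips symlinks so nothing outside the tree is touched, and reports which entries were world-writable before the fix, since a 777 directory is exactly where an uploader drops its payload. The sample tree it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile

DIR_MODE = 0o755
FILE_MODE = 0o644


def normalize_permissions(root):
    """Set every directory under `root` to 0755 and every file to 0644.

    Returns the sorted list of paths (relative to root) that were
    world-writable before the change, so the report shows where the
    777-style permissions actually were.
    """
    was_world_writable = []
    os.chmod(root, DIR_MODE)
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]
        for name, wanted in entries:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # never chmod through a symlink
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & stat.S_IWOTH:
                was_world_writable.append(os.path.relpath(path, root))
            if mode != wanted:
                os.chmod(path, wanted)
    return sorted(was_world_writable)


def build_sample_tree():
    """Constructed sample: a 777 uploads directory holding a 666 file,
    next to a correctly permissioned theme file."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "wp-content", "uploads")
    theme = os.path.join(root, "wp-content", "themes", "custom")
    os.makedirs(uploads)
    os.makedirs(theme)
    with open(os.path.join(uploads, "dropped.php"), "w") as fh:
        fh.write("<?php // constructed placeholder file ?>\n")
    with open(os.path.join(theme, "style.css"), "w") as fh:
        fh.write("/* theme stylesheet */\n")
    os.chmod(uploads, 0o777)
    os.chmod(os.path.join(uploads, "dropped.php"), 0o666)
    os.chmod(os.path.join(theme, "style.css"), 0o644)
    return root


def mode_of(path):
    """Permission bits of `path` as an octal string, for checking the result."""
    return oct(stat.S_IMODE(os.lstat(path).st_mode))


if __name__ == "__main__":
    site = build_sample_tree()
    for rel in normalize_permissions(site):
        print("was world-writable:", rel)
```

Run it against the real document root as the file owner; the printed list is the set of locations to review for dropped files before trusting the site again.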
Phase 3: Waiting Period
To see whether the fixes had worked, we waited 24 hours and checked whether the site was defaced again. It was, so we moved on to phase 4.
Phase 4: Further Investigation
We went through the access log to identify any unusual behaviour or activity from visitors and found a few very odd URLs being requested. For example, in the screenshot you can see that Google is spidering a URL that requests access to the var folder on the server.
On opening this URL we were presented with a page called “BLACKJOKER MINI SHELL”, whose purpose is to let an attacker upload malicious files to the client’s server.
Further scans by CXS, maldet, wpscan and Wordfence did not reveal anything malicious, so we downloaded the whole site and performed a textual search for the term “blackjoker” to identify any file containing it.
The search showed that the custom theme the client was using contained one file with the shell code that allowed attackers to upload files to the client’s hosting account.
Once that file was removed from the server, the upload script could no longer be executed.
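The two checks that actually found the shell in phase 4 were reading the access log for odd requests and grepping the downloaded site for a string. Below is an added example of both steps as a script (not the page's tooling, and the log lines and theme files it uses are constructed). The log triage flags two things a WordPress site should not be serving: paths that contain a “var” directory or traversal, like the URL the crawler was fetching, and PHP endpoints outside the core entry points, such as a .php file under wp-content/uploads. The file search looks for the string from the write-up plus two generic indicators that an upload shell needs, so it also catches a copy that has been renamed.

```python
import os
import re
import tempfile

# Apache/nginx "combined" access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP endpoints a stock WordPress install legitimately exposes.
EXPECTED_PHP = re.compile(
    r'^/(index|wp-login|wp-cron|xmlrpc|wp-comments-post)\.php$|^/wp-admin/|^/wp-includes/'
)

# Constructed sample log: one normal page view, a crawler fetching a "var" path inside the
# theme, a normal login, and a POST to a PHP file sitting in the uploads directory.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2019:10:01:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '66.249.66.1 - - [10/Mar/2019:10:02:15 +0000] "GET /wp-content/themes/custom/var/index.php HTTP/1.1" '
    '200 812 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.5 - - [10/Mar/2019:10:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2019:10:05:09 +0000] "POST /wp-content/uploads/2019/03/up.php?x=1 HTTP/1.1" '
    '200 44 "-" "curl/7.64.0"',
]


def suspicious_requests(lines):
    """Return (ip, path, reason) for requests worth a manual look."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; keep going rather than abort the triage
        path = m.group("path").split("?", 1)[0]
        if "/var/" in path or ".." in path:
            hits.append((m.group("ip"), path, "var directory or traversal in path"))
        elif path.endswith(".php") and not EXPECTED_PHP.match(path):
            hits.append((m.group("ip"), path, "unexpected PHP endpoint"))
    return hits


# The string the write-up searched for, plus constructs a file-upload shell relies on.
INDICATORS = [
    ("blackjoker", re.compile(r"blackjoker", re.I)),
    ("file upload handler", re.compile(r"move_uploaded_file\s*\(")),
    ("obfuscated eval", re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)")),
]


def search_tree(root, exts=(".php", ".phtml", ".inc")):
    """Recursively scan PHP-like files under `root`; returns {relative path: [indicator names]}."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            matched = [label for label, rx in INDICATORS if rx.search(text)]
            if matched:
                findings[os.path.relpath(path, root)] = matched
    return findings


def build_sample_theme():
    """Constructed theme directory: a clean template and one file carrying the indicator strings
    (comments only, not a working shell)."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "custom")
    os.makedirs(theme)
    with open(os.path.join(theme, "header.php"), "w") as fh:
        fh.write('<?php get_header(); ?>\n<h1><?php bloginfo("name"); ?></h1>\n')
    with open(os.path.join(theme, "footer-inc.php"), "w") as fh:
        fh.write("<?php // BLACKJOKER MINI SHELL (constructed indicator text)\n"
                 "// move_uploaded_file( ... ) would be called here\n")
    return root


if __name__ == "__main__":
    for ip, path, reason in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {path}: {reason}")
    for rel, labels in search_tree(build_sample_theme()).items():
        print(f"{rel}: {', '.join(labels)}")
```

Point `suspicious_requests` at the real access log and `search_tree` at the downloaded copy of the site; a theme or plugin file that matches the upload-handler indicator but has no business accepting uploads is the one to diff against a clean copy of that theme.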
It appears that the malicious code was already present when the client set up the web site on their server, so the attacker had access to the hosting account from the start without the client knowing.