Update on WordPress hack

Jun 15, 2015 19:25

In this blog post, I talked about a recent hack of two of my WordPress sites that appears to use a zero-day vulnerability to gain administrator access to WordPress sites.

computer security


Comments 3

Wordpress break in edm June 16 2015, 03:29:14 UTC
Do you currently have any idea how they're logging in first/creating the admin users? Once they gain admin access the rest seems obvious "install backdoors", but the piece that puzzles me is that you say they're able to gain admin access apparently without password guessing.

Assuming these are fully patched current Wordpress sites and the passwords aren't reused from anywhere (i.e., not in any of the gazillions of stolen password dumps), it sounds like there'd have to be some new means of getting admin access on Wordpress. Which would be worrying.

Ewen


Re: Wordpress break in tacit June 16 2015, 03:46:54 UTC
I don't. In one case, the attacker logged on to an account named "admin" even though there wasn't such an account on that site at all. There appears to be a zero-day exploit that allows an attacker to create arbitrary accounts, but I don't know how it's happening. I've found that moving the WordPress login page to a hidden URL appears to be effective at mitigating the attack, which suggests the attack may be exploiting a weakness in the WordPress login scripts, either wp-login.php or some related script, and that the attackers need access to those scripts to log in.



possible host vulnerability anonymous July 15 2015, 08:21:00 UTC
Are the sites on the same host?

You say that admin accounts are being created by the attacker.

I'm guessing that the attacker has access to the host and thus can read every wp-config.php.

Using the details grabbed from those files, the attacker is directly creating admin accounts.

If you are on a shared host, move the sites after cleaning them. Then move all hosts that haven't been affected yet. Then burn the host.

If you are on your own machine then restrict SSH access. Shut off FTP access. Audit users. And consider burning the host.

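The audit a site owner would run to test the theory above (accounts inserted straight into the database with credentials read from wp-config.php) is to list every administrator-role user and compare it against the logins the owner actually created. This is an added example, not code from the post or either commenter: it runs the WordPress query against an in-memory SQLite stand-in with constructed rows; the `wp_` table prefix and the serialized `wp_capabilities` meta value are WordPress defaults, and the same SELECT works unchanged against the site's MySQL database.

```python
import sqlite3

# Constructed sample rows for the two WordPress tables involved (not real site data).
# WordPress stores the role in wp_usermeta as a PHP-serialized array,
# e.g. a:1:{s:13:"administrator";b:1;} for an administrator.
SAMPLE_USERS = [
    (1, "ewen", "2014-03-02 10:00:00"),
    (2, "editor1", "2014-05-11 09:30:00"),
    (3, "admin", "2015-06-13 02:17:45"),       # login the owner never created
    (4, "wp_support", "2015-06-13 02:18:02"),  # login the owner never created
]
SAMPLE_META = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# The query itself; the 'wp_' prefix (table names and the meta_key) is assumed.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered
"""


def build_sample_db():
    """In-memory stand-in for the WordPress schema columns used by the query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT)")
    conn.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_META)
    return conn


def list_admins(conn):
    """All administrator accounts, oldest registration first."""
    return conn.execute(ADMIN_QUERY).fetchall()


def unexpected_admins(conn, known_admins):
    """Administrator rows whose login is not in the owner's allow-list."""
    return [row for row in list_admins(conn) if row[1] not in known_admins]


if __name__ == "__main__":
    db = build_sample_db()
    for user_id, login, registered in unexpected_admins(db, {"ewen"}):
        print(f"unexpected administrator: id={user_id} login={login} registered={registered}")
```

Registration timestamps clustered around the time of the break-in, as in the constructed rows, are the second thing to look at once an unexpected login shows up.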


