WordPress site hacked postmortem

A few weeks ago, an attacker gained access to one of our WordPress installations. We only found out yesterday, and only because visitors who reached the site via Google were being redirected to another site.

Initially, we thought this was the work of a script kiddie, but what we found on our server was much more sophisticated. For privacy reasons, I’ve left my client’s and agency’s names out of this.

Here’s the postmortem for this hack:

26th December, 2018 – Attacker accessed the site. We learned this from the Apache access logs: it appears this person successfully logged in and gained access to the backend.

21st January, 2019 – We learned that users arriving from Google were being redirected to another site when they accessed the hacked site.

22nd January, 2019 – We start investigating and learn that index.php in the WordPress root folder has been modified. On further investigation it turns out that a couple of other files have also been injected into the server. These files/folders are:

  • wp-content/uploads/gravity_forms – Gravity Forms doesn’t place any files in here. For some reason, the attacker uploaded this folder into the uploads folder. We believe this to be the first point of entry in the hack.
  • HTML text containing links to other websites, added as a nav item in the backend. The attacker added this via the WordPress backend. We don’t know why they did this.
  • wp-includes/pomo/bingbot.php – This is the big one. Essentially, this script contains a huge base64 string. Decoding it reveals a fully fledged HTML file, which in turn contains a lot of garbled text encoded in hex, base64, etc.
    I ran the file locally to see what it does and, to my surprise, it’s almost a miniature CMS, written in Chinese.

This is what it looks like:
Apparently, this file has a sneaky function which contacts another server of its own accord. Basically, this function monkey patches an existing PHP function and is executed whenever that function is called. The callback function is heavily encoded via various obfuscation techniques. We used CyberChef to decode it. It takes some time, but in the end we learn that the script sends some server information to thisdoor.com.

This file is pretty full on. For example, you can browse the directory structure, run SQL commands, run PHP commands and lots more. It has something called “backshell” which I haven’t been able to figure out.
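The injected files listed above (PHP sitting under wp-content/uploads, a dropper that is little more than a huge base64 string) and the layered decoding we did by hand in CyberChef can both be automated as a first triage pass. The following Python script is an added example, not code from the original post: it walks a WordPress tree, flags any PHP file in the uploads directory, flags the obfuscation primitives such droppers chain (eval, base64_decode, gzinflate and friends), peels base64 and raw-deflate layers the way gzinflate(base64_decode(...)) would, and reports any URL found in the decoded layers. The three sample files it writes are constructed look-alikes of what we found, and the host c2.example.invalid is a placeholder, not the real callback host.

```python
import base64
import binascii
import os
import re
import tempfile
import zlib

# Obfuscation primitives commonly chained in PHP droppers; their presence is a triage flag, not proof.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(", re.I)
# A long run of base64 alphabet characters: the "huge base64 string" pattern.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
# Anything that looks like a URL inside a decoded layer is a candidate callback host.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s'\"<>]*)?")


def peel(text, max_depth=8):
    """Undo base64 (and, where present, raw-deflate, i.e. PHP gzinflate) layers until none remain.
    Returns every layer as text so the caller can search all of them for indicators."""
    layers = [text]
    for _ in range(max_depth):
        m = LONG_B64.search(layers[-1])
        if not m:
            break
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            break
        try:
            decoded = zlib.decompress(decoded, -15)  # wbits=-15 is raw deflate, what gzinflate() undoes
        except zlib.error:
            pass  # plain base64 layer, keep it as decoded
        layers.append(decoded.decode("latin-1"))
    return layers


def scan_file(path, root):
    """Triage one PHP file: location, suspicious calls, decodable layers, URLs in any layer."""
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    with open(path, "r", encoding="latin-1") as fh:
        text = fh.read()
    layers = peel(text)
    calls = sorted({c.lower() for c in SUSPICIOUS_CALLS.findall(text)})
    urls = sorted({u for layer in layers for u in URL_RE.findall(layer)})
    result = {
        "path": rel,
        # Nothing under wp-content/uploads should ever be PHP, whatever its contents.
        "php_in_uploads": rel.startswith("wp-content/uploads/") and rel.endswith(".php"),
        "suspicious_calls": calls,
        "layers": len(layers),
        "urls": urls,
    }
    result["flagged"] = result["php_in_uploads"] or bool(calls) or len(layers) > 1
    return result


def scan_tree(root):
    """Return the triage record of every flagged PHP file under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml")):
                record = scan_file(os.path.join(dirpath, name), root)
                if record["flagged"]:
                    findings.append(record)
    return findings


def build_sample(root):
    """Write constructed look-alikes of the injected files (not the real malware) under root."""
    js = ("var target='http://c2.example.invalid/report.php';"
          " /* constructed placeholder: real droppers bury their callback host like this */")
    inner_b64 = base64.b64encode(js.encode()).decode()
    html = "<html><body><script>eval(atob('%s'))</script></body></html>" % inner_b64
    co = zlib.compressobj(level=9, wbits=-15)  # raw deflate, the form PHP gzinflate() expects
    packed = base64.b64encode(co.compress(html.encode()) + co.flush()).decode()
    php = "<?php eval(gzinflate(base64_decode('%s'))); ?>" % packed
    files = {
        "wp-includes/pomo/bingbot.php": php,
        "wp-content/uploads/gravity_forms/helper.php": "<?php echo 'constructed: wrong place for PHP'; ?>",
        "wp-includes/pomo/po.php": "<?php // constructed stand-in for a clean core file ?>",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="latin-1") as fh:
            fh.write(body)


def demo():
    """Build the constructed tree in a scratch directory and return findings keyed by path."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    build_sample(root)
    return {r["path"]: r for r in scan_tree(root)}


if __name__ == "__main__":
    for rel, r in demo().items():
        print(rel, r["suspicious_calls"], "layers=%d" % r["layers"], r["urls"])
```

Run `scan_tree()` against a copy of the web root taken before cleanup, not the live site. Pair it with `wp core verify-checksums` (WP-CLI), which compares core files, wp-includes/pomo/* included, against the checksums published for the installed version and reports files in core directories that are not part of the release; an attacker-added bingbot.php shows up there even when it carries no obvious obfuscation.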

23rd January, 2019 – The server has been cleared and a new WordPress installation has been deployed. WordPress has been activated for the time being. We’re still looking into how the attacker gained access to the server.

We know the tail end of the hack, but we do not know how the attacker got access to the website.


Precautions:

Secure your passwords! It seems the attacker must have previously harvested one of our admin usernames and passwords and gained entry via the backend. We found this out by checking the Apache access log.
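Both the dating of the break-in (26th December) and the conclusion that a harvested admin password was used rest on reading the Apache access log. As an added example, not code from the original post, here is a small Python triage over Apache combined-format log lines that pulls out exactly those signals: a login that worked, what that client did next, PHP being served from the uploads directory, and direct hits on a PHP file inside wp-includes. The log lines are constructed to mimic the sequence described (they are not our real logs) and use documentation IP ranges; the only real path they contain is the wp-includes/pomo/bingbot.php named above. The login heuristic relies on WordPress answering a failed login with a 200 (form re-rendered) and a successful one with a 302 to wp-admin.

```python
import re

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Files under wp-includes that browsers request directly on older WordPress versions;
# extend this for the version actually installed.
WP_INCLUDES_ALLOWLIST = {"/wp-includes/js/tinymce/wp-tinymce.php"}

# Constructed sample lines (documentation IPs, not the incident's real log) that mimic the
# sequence in the post: a login that works, an upload, a PHP file served from uploads, and
# later requests straight to the dropper in wp-includes/pomo. x.php is an invented name.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Dec/2018:03:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Dec/2018:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Dec/2018:03:14:08 +0000] "GET /wp-admin/ HTTP/1.1" 200 41220 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Dec/2018:03:20:31 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 84 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Dec/2018:03:21:02 +0000] "GET /wp-content/uploads/gravity_forms/x.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Jan/2019:11:02:45 +0000] "POST /wp-includes/pomo/bingbot.php HTTP/1.1" 200 5120 "-" "curl/7.58.0"
192.0.2.44 - - [20/Jan/2019:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 9920 "https://www.google.com/" "Mozilla/5.0"
192.0.2.45 - - [20/Jan/2019:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
"""


def parse(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Return (kind, ip, detail) tuples for the events worth a second look."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        # WordPress re-renders the login form with a 200 on failure and redirects (302) to
        # wp-admin on success, so POST /wp-login.php answered with 302 is a login that worked.
        if rec["method"] == "POST" and path == "/wp-login.php" and rec["status"] == "302":
            findings.append(("successful_login", rec["ip"], rec["time"]))
        # Nothing under wp-content/uploads should ever be executed as PHP.
        if path.startswith("/wp-content/uploads/") and path.endswith(".php"):
            findings.append(("php_in_uploads", rec["ip"], path))
        # Direct, successful requests to PHP files inside wp-includes that browsers never fetch.
        if (path.startswith("/wp-includes/") and path.endswith(".php")
                and rec["status"] == "200" and path not in WP_INCLUDES_ALLOWLIST):
            findings.append(("direct_wp_includes_hit", rec["ip"], path))
    return findings


def post_login_activity(log_text):
    """Map each IP that logged in successfully to the paths it requested afterwards."""
    activity = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["ip"] in activity:
            activity[rec["ip"]].append(path)
        elif rec["method"] == "POST" and path.lower() == "/wp-login.php" and rec["status"] == "302":
            activity[rec["ip"]] = []
    return activity


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
    for ip, paths in post_login_activity(SAMPLE_LOG).items():
        print(ip, "did after logging in:", ", ".join(paths))
```

Point it at the real log with `triage(open("/var/log/apache2/access.log").read())`. A successful login from an address or user agent the admins do not recognise, followed within minutes by an upload and a request for a PHP file under uploads, is the shape of the timeline above; the `post_login_activity` map makes that sequence visible per client.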


Addendum

One of the weirder parts found in the modified index.php:
setcookie('haircki','haircooki', time()+3600*24);

The bingbot.php found in the pomo folder:

Decrypted bingbot.php (don’t run this locally without thoroughly neutering the script)
