How Do I Secure WordPress Blogs Against Elemento_pcx Exploit?
Posted
by Volomike
on Server Fault
See other posts from Server Fault
or by Volomike
Published on 2010-05-04T18:04:21Z
Indexed on
2010/05/04
18:09 UTC
Read the original article
Hit count: 452
I have a client who has several WordPress 2.9.2 blogs that he hosts. They are getting a deface kind of hack with the Elemento_pcx exploit somehow. It drops these files in the root folder of the blog:
-rw-r--r-- 1 userx userx 1459 Apr 16 04:25 default.htm
-rw-r--r-- 1 userx userx 1459 Apr 16 04:25 default.php
-rw-r--r-- 1 userx userx 1459 Apr 16 04:25 index.asp
-rw-r--r-- 1 userx userx 1459 Apr 16 04:25 index.aspx
-rw-r--r-- 1 userx userx 1459 Apr 16 04:25 index.htm
-rw-r--r-- 1 userx userx 1459 Apr 16 04:25 index.html
-rwxr-xr-x 1 userx userx 1459 Apr 16 04:25 index.php*
It overwrites index.php. A keyword inside each file is "Elemento_pcx". It shows a white fist with a black background and the phrase "HACKED" in bold letters above it.
We cannot determine how it gets in to do what it does. The wp-admin password isn't hard, but it's also not very easy either. I'll change it up a little to show you what the password sort of looks like: wviking10. Do you think it's using an engine to crack the password? If so, how come our server logs aren't flooded with wp-admin requests as it runs down a random password list?
The wp-content folder has no changes inside it, but is run as chmod 777 because wp-cache required it. Also, the wp-content/cache folder is run as chmod 777 too.
© Server Fault or respective owner