Web Hosting Plans – blog: It's all about the web

22 Aug 2011

WordPress Twenty Eleven theme hack via Akismet

EDIT - See the comment section, as Akismet came and left a good explanation as to why this blog post was wrong - sorry :(

Ok - I have not blogged much lately, but that's because I have not had much to say. Now, at the request of my client, I have decided to put this up.

One of my clients' sites got hacked, from what looks like Akismet.

It was a new site with very little in it, because it had only been built 2 days ago. It was indexed by Google pretty quickly due to some SEO fancy footwork, but that's not the story.

Cleaning the site was simply a matter of putting the old index.php back, removing all the WordPress signatures, changing the theme directory and adding a whole bunch of security plugins (you can go all the way down to the tinfoil hat), but the culprit seems to be a backdoor JS Akismet hack. So that plugin was disabled.

Here are the logs:

92.253.84.230 - - [22/Aug/2011:07:12:47 -0500] "GET /wp-content/plugins/akismet/akismet.css?ver=3.2.1 HTTP/1.1" 304 - "http://www.xxx.net/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

92.253.84.230 - - [22/Aug/2011:07:12:47 -0500] "GET /wp-admin/css/colors-fresh.css?ver=20110703 HTTP/1.1" 304 - "http://www.xxx.net/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

92.253.84.230 - - [22/Aug/2011:07:12:47 -0500] "GET /wp-includes/js/l10n.js?ver=20101110 HTTP/1.1" 304 - "http://www.xxx.net/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

92.253.84.230 - - [22/Aug/2011:07:12:47 -0500] "GET /wp-content/plugins/akismet/akismet.js?ver=3.2.1 HTTP/1.1" 304 - "http://www.xxx.net/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

92.253.84.230 - - [22/Aug/2011:07:12:48 -0500] "GET /wp-admin/load-scripts.php?c=1&load=hoverIntent,common,jquery-color&ver=7d903dfc1d58d3c10544b01c2fc61931 HTTP/1.1" 200 3866 "http://www.xxx.net/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

92.253.84.230 - - [22/Aug/2011:07:16:21 -0500] "GET /wp-admin/theme-editor.php?file=%2Fthemes%2Ftwenty11YYY%2Findex.php&theme=Twenty+Eleven%2Ftwenty11YYY&dir=theme HTTP/1.1" 200 29588 "http://www.xxx.net/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

92.253.84.230 - - [22/Aug/2011:07:16:24 -0500] "GET /wp-content/plugins/akismet/akismet.css?ver=3.2.1 HTTP/1.1" 304 - "http://www.xxx.net/wp-admin/theme-editor.php?file=%2Fthemes%2Ftwenty11YYY%2Findex.php&theme=Twenty+Eleven%2Ftwenty11YYY&dir=theme" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

92.253.84.230 - - [22/Aug/2011:07:16:25 -0500] "GET /wp-admin/css/colors-fresh.css?ver=20110703 HTTP/1.1" 304 - "http://www.xxx.net/wp-admin/theme-editor.php?file=%2Fthemes%2Ftwenty11YYY%2Findex.php&theme=Twenty+Eleven%2Ftwenty11YYY&dir=theme" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

92.253.84.230 - - [22/Aug/2011:07:16:25 -0500] "GET /wp-includes/js/l10n.js?ver=20101110 HTTP/1.1" 304 - "http://www.xxx.net/wp-admin/theme-editor.php?file=%2Fthemes%2Ftwenty11YYY%2Findex.php&theme=Twenty+Eleven%2Ftwenty11YYY&dir=theme" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

92.253.84.230 - - [22/Aug/2011:07:16:25 -0500] "GET /wp-content/plugins/akismet/akismet.js?ver=3.2.1 HTTP/1.1" 304 - "http://www.xxx.net/wp-admin/theme-editor.php?file=%2Fthemes%2Ftwenty11YYY%2Findex.php&theme=Twenty+Eleven%2Ftwenty11YYY&dir=theme" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

92.253.84.230 - - [22/Aug/2011:07:16:43 -0500] "GET /wp-admin/images/button-grad-active.png HTTP/1.1" 200 284 "http://www.xxx.net/wp-admin/css/colors-fresh.css?ver=20110703" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

92.253.84.230 - - [22/Aug/2011:07:16:43 -0500] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 - "http://www.xxx.net/wp-admin/theme-editor.php?file=%2Fthemes%2Ftwenty11YYY%2Findex.php&theme=Twenty+Eleven%2Ftwenty11YYY&dir=theme" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

92.253.84.230 - - [22/Aug/2011:07:16:44 -0500] "GET /wp-admin/theme-editor.php?file=/home/sony241/public_html/wp-content/themes/twenty11YYY/index.php&theme=Twenty+Eleven%2Ftwenty11YYY&a=te&scrollto=99 HTTP/1.1" 200 29206 "http://www.xxx.net/wp-admin/theme-editor.php?file=%2Fthemes%2Ftwenty11YYY%2Findex.php&theme=Twenty+Eleven%2Ftwenty11YYY&dir=theme" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

92.253.84.230 - - [22/Aug/2011:07:16:46 -0500] "GET /wp-content/plugins/akismet/akismet.css?ver=3.2.1 HTTP/1.1" 304 - "http://www.xxx.net/wp-admin/theme-editor.php?file=/home/sony241/public_html/wp-content/themes/twenty11YYY/index.php&theme=Twenty+Eleven%2Ftwenty11YYY&a=te&scrollto=99" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

92.253.84.230 - - [22/Aug/2011:07:16:46 -0500] "GET /wp-admin/css/colors-fresh.css?ver=20110703 HTTP/1.1" 304 - "http://www.xxx.net/wp-admin/theme-editor.php?file=/home/sony241/public_html/wp-content/themes/twenty11YYY/index.php&theme=Twenty+Eleven%2Ftwenty11YYY&a=te&scrollto=99" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

92.253.84.230 - - [22/Aug/2011:07:16:46 -0500] "GET /wp-includes/js/l10n.js?ver=20101110 HTTP/1.1" 304 - "http://www.xxx.net/wp-admin/theme-editor.php?file=/home/sony241/public_html/wp-content/themes/twenty11YYY/index.php&theme=Twenty+Eleven%2Ftwenty11YYY&a=te&scrollto=99" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

92.253.84.230 - - [22/Aug/2011:07:16:46 -0500] "GET /wp-content/plugins/akismet/akismet.js?ver=3.2.1 HTTP/1.1" 304 - "http://www.xxx.net/wp-admin/theme-editor.php?file=/home/sony241/public_html/wp-content/themes/twenty11YYY/index.php&theme=Twenty+Eleven%2Ftwenty11YYY&a=te&scrollto=99" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

92.253.84.230 - - [22/Aug/2011:07:16:56 -0500] "GET / HTTP/1.1" 200 1455 "-" "Mozilla/5.0 (Windows NT 6.0; rv:6.0) Gecko/20100101 Firefox/6.0"

217.162.28.98 - - [22/Aug/2011:07:17:34 -0500] "GET / HTTP/1.0" 200 1455 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
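As an added example that is not part of the original post, the following Python script parses access-log lines in the combined format shown above and pulls out the two events that actually matter when reconstructing this incident: the GET of /wp-admin/theme-editor.php that names the file being opened (the file= parameter) and the POST that saves it (the form is submitted from the editor page, so the saved file's name comes from the referer). The sample lines are constructed from the excerpt, with the hostname and theme directory masked exactly as the author masked them, and the user-agent strings shortened; they are not a real capture.

```python
import re
from collections import namedtuple
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format:
# ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

THEME_EDITOR = "/wp-admin/theme-editor.php"

# kind is "open" (editor page loaded for a file) or "save" (file written via POST)
Event = namedtuple("Event", "ip time kind file")

# Constructed sample, modelled on the excerpt in the post (masked host/theme dir,
# shortened user agents). Not a real capture.
SAMPLE_LOG = """\
92.253.84.230 - - [22/Aug/2011:07:12:47 -0500] "GET /wp-content/plugins/akismet/akismet.css?ver=3.2.1 HTTP/1.1" 304 - "http://www.xxx.net/wp-admin/theme-editor.php" "Mozilla/5.0"
92.253.84.230 - - [22/Aug/2011:07:16:21 -0500] "GET /wp-admin/theme-editor.php?file=%2Fthemes%2Ftwenty11YYY%2Findex.php&theme=Twenty+Eleven%2Ftwenty11YYY&dir=theme HTTP/1.1" 200 29588 "http://www.xxx.net/wp-admin/theme-editor.php" "Mozilla/5.0"
92.253.84.230 - - [22/Aug/2011:07:16:43 -0500] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 - "http://www.xxx.net/wp-admin/theme-editor.php?file=%2Fthemes%2Ftwenty11YYY%2Findex.php&theme=Twenty+Eleven%2Ftwenty11YYY&dir=theme" "Mozilla/5.0"
92.253.84.230 - - [22/Aug/2011:07:16:56 -0500] "GET / HTTP/1.1" 200 1455 "-" "Mozilla/5.0"
217.162.28.98 - - [22/Aug/2011:07:17:34 -0500] "GET / HTTP/1.0" 200 1455 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields; None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def edited_file(url):
    """Return the theme editor's `file` query parameter from a URL or path, if any."""
    values = parse_qs(urlsplit(url).query).get("file")
    return values[0] if values else None


def theme_editor_events(lines):
    """Collect editor opens and saves; plugin CSS/JS loads are ignored as normal admin traffic."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or urlsplit(rec["path"]).path != THEME_EDITOR:
            continue
        if rec["method"] == "POST":
            # The save form is posted from the editor page, so the referer carries file=
            events.append(Event(rec["ip"], rec["time"], "save", edited_file(rec["referer"])))
        elif rec["method"] == "GET" and edited_file(rec["path"]):
            events.append(Event(rec["ip"], rec["time"], "open", edited_file(rec["path"])))
    return events


def saves_by_ip(events):
    """Map each source IP to the set of theme files it wrote through the editor."""
    report = {}
    for ev in events:
        if ev.kind == "save":
            report.setdefault(ev.ip, set()).add(ev.file)
    return report


if __name__ == "__main__":
    evs = theme_editor_events(SAMPLE_LOG.splitlines())
    for ev in evs:
        print(f"{ev.time}  {ev.ip}  {ev.kind:4}  {ev.file}")
    for ip, files in saves_by_ip(evs).items():
        print(f"{ip} wrote {len(files)} theme file(s): {', '.join(sorted(files))}")
```

Run against the sample, the script reports one open and one save of /themes/twenty11YYY/index.php from 92.253.84.230, while the Akismet CSS/JS requests produce no events at all: they are the normal assets of a logged-in admin session and carry no signal about how the account was obtained. A save through the theme editor on a site where nobody is supposed to edit themes is the alert worth raising; where the editor is not needed at all, WordPress's DISALLOW_FILE_EDIT constant (set in wp-config.php) removes it, which closes this particular write path even for a compromised admin account.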

And here are the contents of the index.php that was edited:

<html dir="rtl">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1256">
<meta http-equiv="Content-Language" content="ar-jo">
<title>Hacked by FreeZoM TeaM</title>
<meta name="keywords" content="FreeZoM TeaM,Karezma,Prime virus">
<meta name="description" content="FreeZoM TeaM,Karezma,Prime virus">
</head>
<body topmargin="0" leftmargin="0" rightmargin="0" bottommargin="0" marginwidth="0" marginheight="0" link="#FF0000" vlink="#FF0000" alink="#FF0000" text="#FFFFFF" bgcolor="#000000">
<p align="center"><b><span lang="en-us"><font size="4">Hacked By
<font color="#FF0000">FreeZoM </font>TeaM</font></span></b></p>
<p align="center">
<img border="0" src="http://www5.0zz0.com/2011/08/21/09/664775110.jpg" width="500" height="300"></p>
<p align="center"><span lang="en-us"><font size="4"><b>KaReZmA ||| Prime virus</b></font></span></p>
<p align="center">&nbsp;</p>
<p align="center"><span lang="en-us"><font size="4"><b>Contact Prime :
<a href="mailto:L-1@hotmail.com">L-1@hotmail.com</a></b></font></span></p>
<p align="center"><span lang="en-us"><font size="4"><b>Contact karezma : </b>
</font></span><b><span lang="en-us"><font size="4">
<a href="mailto:t2marvelm@yahoo.com">t2marvelm@yahoo.com</a></font></span></b></p>
<p align="center">&nbsp;</p>
<P style="MARGIN-BOTTOM: -10px" align=center><embed width="1" height="1" src="http://www.youtube.com/v/CCxrR7GfXZI&autoplay=1"></P>
</body>
</html>
Obviously, to hide the identity I have changed some text to xxx and some to yyy.
Hope this helps you.
WHP

Comments (1) Trackbacks (0)
  1. Hi,

    This isn't an Akismet exploit. The reason CSS and JS files for Akismet (and other things) appear in the logs is that the hacker was logged into wp-admin. Those CSS and JS GETs are normal for a logged-in admin user.

    The first POST is to /wp-admin/theme-editor.php, indicating the hacker had access to an admin account, and used the theme editor to upload their index.php file.

