Discussion:
attack on wp-admin/install.php
Konrad Karpieszuk
2013-10-08 16:56:12 UTC
hello

Today a few people reported to me that instead of the main page of my WordPress
site they saw the installation wizard. After a few minutes the main website was OK,
but every subpage had a 404 error.

I went to Dashboard > Settings > Permalinks and refreshed the permalink
structure. After that the whole website was OK.

But I see in the logs that somebody really tried to get into the install.php script,
even a few times per second. This is the Apache log from the beginning of the attack:

http://wklej.org/id/1145478/

Question: how was it possible that regular visitors saw the installation script
during this attack? And why were the permalinks broken after the attack?

At this domain I have two sites:
dev.wpzlecenia.pl - everything is up to date
wpzlecenia.pl - two plugins are in older versions
- Google XML Sitemaps (I have 3.2.9), here is the changelog
http://www.arnebrachhold.de/projects/wordpress-plugins/google-xml-sitemaps-generator/changelog/,
it looks like this plugin has no security issue in this version
- WordPress SEO by Yoast (I have version 1.4.15), here is the changelog
http://wordpress.org/plugins/wordpress-seo/changelog/ , it looks like
everything is OK in this older version



--
(en) regards / (pl) pozdrawiam
Konrad Karpieszuk
http://tradematik.pl - a WordPress plugin for building shops for customers
from Poland
Mika A Epstein
2013-10-08 18:47:06 UTC
I think causality is the other way around.

People were hitting install.php so much because the wizard was showing.
Was your SQL server glitching?
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
--
Mika A Epstein (aka Ipstenu)
http://ipstenu.org | http://halfelf.org
Konrad Karpieszuk
2013-10-09 06:39:56 UTC
Two things:

1. My website is not so popular that 20 people try to connect in one second.

2. As you can see in the log, /wp-admin/install.php is not always appended to the main
domain but sometimes to single post URLs (i.e.

/2013/10/wdrozenie-zakupionego-szablonu-wordpress/wp-admin/install.php
). This is not a URL which somebody types in the address bar without reason.


--
(en) regards / (pl) pozdrawiam
Konrad Karpieszuk
http://tradematik.pl wtyczka do WordPressa do tworzenia sklepów dla
klientów z Polski
Post by Mika A Epstein
I think causality is the other way around.
People were hitting install.php so much because the wizard was showing.
Was your SQL server glitching?
October 8, 2013 9:56 AM
hello
today few people reported me that instead of main page of my wordpress
site, they see installation wizard. after few minutes main website was ok,
but every subpages had error 404.
i went to dashborad > settings > permalink and refreshed structure of
permalinks. after that all website was ok.
but i see i logs that really somebody tried to get into install.php script,
http://wklej.org/id/1145478/
question: how it was possible that regular visitors saw installation script
during this attack? and why affter attack permalinks was broken?
dev.wpzlecenia.pl - everything is up to date
wpzlecenia.pl - two plugins are in older versions
- Google XML Sitemaps (i have 3.2.9) here is changelog
http://www.arnebrachhold.de/**projects/wordpress-plugins/**
google-xml-sitemaps-generator/**changelog/<http://www.arnebrachhold.de/projects/wordpress-plugins/google-xml-sitemaps-generator/changelog/>
,
it looks that this plugin has no security issue in this version
- WordPress SEO by Yoast - (i have version 1.4.15) here is changelog
http://wordpress.org/plugins/**wordpress-seo/changelog/<http://wordpress.org/plugins/wordpress-seo/changelog/>, it looks that
everything is ok in this older version
--
(en) regards / (pl) pozdrawiam
Konrad Karpieszuk
http://tradematik.pl wtyczka do WordPressa do tworzenia sklepów dla
klientów z Polski
______________________________**_________________
wp-hackers mailing list
http://lists.automattic.com/**mailman/listinfo/wp-hackers<http://lists.automattic.com/mailman/listinfo/wp-hackers>
--
Mika A Epstein (aka Ipstenu)
http://ipstenu.org | http://halfelf.org
______________________________**_________________
wp-hackers mailing list
http://lists.automattic.com/**mailman/listinfo/wp-hackers<http://lists.automattic.com/mailman/listinfo/wp-hackers>
Roger Chen
2013-10-09 06:53:45 UTC
From the response code (302), it looks like your visitors were stuck in a
redirect loop, which is why there are so many requests to install.php
grouped together. WordPress redirects to wp-admin/install.php when it
thinks your database hasn't been set up. It will preserve the existing
request path when it performs this redirect, since it's completely possible
that somebody actually wanted to set up WordPress in a subdirectory like
'/2013/10/..../'. It looks like you just botched your database
configuration somehow.

Roger
Bryan Petty
2013-10-09 06:55:16 UTC
It's actually fairly likely that, in the event that your DB has dropped
as Mika was suggesting, one of your plugins or your server
configuration was causing a redirect loop back to install.php itself
as well.

Most hack attempts don't intentionally claim a user agent as
"Feedfetcher-Google" (which was also seeing that install.php redirect
loop).
--
Regards,
Bryan Petty
Konrad Karpieszuk
2013-10-09 07:35:56 UTC
OK, one more piece of info which I thought wasn't related to this problem, but
maybe it is.

Three months ago somebody started this famous DDoS attack on wp-login.php at
those websites. Tens of times per second somebody tried to log into the
dashboard using random passwords. At the beginning I resolved this in .htaccess
by adding rules that nobody except my IP address can access
wp-login.php. But because I have a co-writer without a permanent IP address,
this was not a good solution.

So a few days ago I changed in the files:
wp-login.php
wp-admin/index.php

the first line from:

<?php

to

<?php if ($_COOKIE["superauth"] != "yep") exit("dostep zabroniony"); //


It checks if we have some 'secret' cookie and if the cookie is absent it
immediately executes die().

It looks like a good solution: WordPress core isn't started at all, the server is
happy.
Can it be somehow related to this attack on wp-admin/install.php? I don't
believe that this kind of change has anything in common with the install script,
but maybe I don't know WordPress core very well. Or maybe this attacker, when
they saw that wp-login.php and wp-admin/index.php are secured, started a new way to
attack? (Or he or she started this a long time ago but .htaccess prevented
it?) All IPs from the log are outside of Poland, but my regular
visitors are almost only from Poland.


Abdussamad Abdurrazzaq
2013-10-09 07:54:56 UTC
If you are this worried you can always delete install.php.
Konrad Karpieszuk
2013-10-09 09:19:55 UTC
First of all I want to know *why*. :) I've got tens of WordPress sites and
I will have more. I don't want to delete install.php every time (and after
every WordPress upgrade). Also maybe we have a totally new way to hack
WordPress sites (as you can see it is somehow working, because the intruder
broke my site).


Mika Epstein
2013-10-09 13:29:09 UTC
Block it in your .htaccess first, actually. That's way easier.

Based on what info you gave us, we can't diagnose anything. Check your SERVER logs. Did a file get edited or go missing? The problem is not that the file was being hit by millions of people, the problem is why did WP not know it was installed? Check your logs to see if anything happened to the DB. Was it unreadable? Did you add/remove a plugin recently? Did you upgrade?

Your mentioned changes to login and admin shouldn't cause anything like this, it's purely WP no longer thinking it was installed. So what have you done to diagnose THAT? :)
Konrad Karpieszuk
2013-10-09 15:49:36 UTC
Hello Mika

I don't know if I understand you. I showed you the logs in the first email. Also I
asked the server admin if something was wrong with the server at the time of this
problem. He said that it was a day like every other; only on my server did they
see a huge amount of I/O operations. They know that for 3 months somebody has been
attacking my wp-login.php and it looked like the next attack (but this time on
install.php).


Mika A Epstein
2013-10-09 16:39:50 UTC
It's not the next attack. It's your WP site not seeing it's installed.
This means that the DB tables weren't accessible for some reason OR the
wp-config.php was unreadable.
Post by Konrad Karpieszuk
hello Mika
i dont know if i understand you. I saw you logs in first email. Also i
asked server admin if something wrong was with server in time of this
problem. He said that this was day like every other, only on my server they
saw huge amount of i/o operations, They know that from 3 months somebody
attacks my wp-login.php and it looked like next attack (but this time on
install.php)
--
(en) regards / (pl) pozdrawiam
Konrad Karpieszuk
http://tradematik.pl wtyczka do WordPressa do tworzenia sklepów dla
klientów z Polski
Post by Mika Epstein
Block it in your htacess first, actually. That's way easier.
Based on what info you gave us, we can't diagnosis anything. Check your
SERVER logs. Did a file get edited or go missing? The problem is not that
the file was being hit by millions of people, the problem is why did WP not
know it was installed? Check your logs to see if anything happened to the
DB. Was it unreadable? Did you add/remove a plugin recently? Did you
upgrade?
Your mentioned changes to login and admin shouldn't cause anything like
this, it's purely WP no longer thinking it was installed. So what have you
done to diagnosis THAT? :)
Post by Konrad Karpieszuk
first of all i want to know *why*. :) i;ve got tens of wordpress sites
and
Post by Konrad Karpieszuk
i will have more. i dont want to delete install.php every time (and after
every wordpress upgrade). also maybe we have totally new way to hack
wordpress sites (as you can see it is somehow working, because intruded
broke my site)
--
(en) regards / (pl) pozdrawiam
Konrad Karpieszuk
http://tradematik.pl wtyczka do WordPressa do tworzenia sklepów dla
klientów z Polski
On Wed, Oct 9, 2013 at 9:54 AM, Abdussamad Abdurrazzaq wrote:
Post by Abdussamad Abdurrazzaq
If you are this worried you can always delete install.php.
Post by Konrad Karpieszuk
OK, one more piece of info which I thought wasn't related to this problem, but
maybe it is.

Three months ago somebody started this famous DDoS attack on wp-login.php at
those websites: tens of times per second somebody tried to log into the
dashboard using random passwords. At the beginning I resolved this in .htaccess
by adding rules so that nobody except my IP address can access wp-login.php.
But because I have a co-writer without a permanent IP address, this was not a
good solution. In wp-login.php and wp-admin/index.php I changed the first line
from

    <?php

to

    <?php if (!isset($_COOKIE["superauth"]) || $_COOKIE["superauth"] !== "yep") exit("dostep zabroniony"); // 'dostep zabroniony' = 'access denied'; bail out before WordPress core is loaded

It checks if we got some 'secret' cookie and if the cookie is absent it
immediately executes die(). It looks like a good solution: WordPress core isn't
started at all, the server is happy.

Can it be somehow related to this attack on wp-admin/install.php? I don't
believe that this kind of change has anything in common with the install
script, but maybe I don't know WordPress core very well. Or maybe this attacker,
when he saw that wp-login.php and wp-admin/index.php are secured, started a new
way to attack (or he or she started this a long time ago but .htaccess prevented
it)? All IPs from the log are outside of Poland, but my regular visitors are
almost only from Poland.
--
(en) regards / (pl) pozdrawiam
Konrad Karpieszuk
http://tradematik.pl a WordPress plugin for building shops for customers from Poland

On Wed, Oct 9, 2013 at 12:39 AM, Konrad Karpieszuk wrote:
Post by Konrad Karpieszuk
1. My website is not so popular that in one second 20 people try to connect.
2. As you can see in the log, /wp-admin/install.php is not always appended to
the main domain but sometimes to single post URLs (i.e.
/2013/10/wdrozenie-zakupionego-szablonu-wordpress/wp-admin/install.php).
This is not a URL which somebody types in the address bar without reason.
Post by Bryan Petty
It's actually fairly likely that, in the event that your DB has dropped as
Mika was suggesting, one of your plugins or your server configuration was
causing a redirect loop back to install.php itself as well.
Most hack attempts don't intentionally claim a user agent of
"Feedfetcher-Google" (which was also seeing that install.php redirect loop).
--
Regards,
Bryan Petty
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
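The triage Bryan Petty describes above (install.php appended to a post permalink, Feedfetcher-Google in the same burst) as an added Python example that is not part of the thread: it parses Apache combined-format lines and says whether a burst of install.php hits looks like the site redirecting its own visitors or like a client working the installer. The IP addresses, user agents and log lines are constructed, and the crawler name list is an assumption.

```python
"""Triage of Apache access-log lines that hit /wp-admin/install.php.

Added example, not code from the thread or from WordPress. It separates
"WordPress redirected ordinary visitors and feed readers to the installer"
from "a client is deliberately driving the installer", using the two signals
raised in the thread: install.php appended to a post permalink, and crawler
user agents such as Feedfetcher-Google in the same burst. Every log line
below is constructed for the example.
"""
import re
from collections import defaultdict

# Apache "combined" log format, one named group per field the triage needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Real feed readers and crawlers announce themselves. A password guesser gains
# nothing by claiming these names, so their presence in an install.php burst
# points at a server-side redirect rather than at an attacker (assumed list).
CRAWLER_UA_MARKERS = ("Feedfetcher-Google", "Googlebot", "bingbot", "Tiny Tiny RSS")

INSTALLER = "/wp-admin/install.php"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop ?step=2 and friends
    return rec


def triage(lines):
    """Summarise installer traffic and attach a verdict with the counts behind it."""
    recs = [r for r in map(parse_line, lines) if r]
    hits = [r for r in recs if r["path"].endswith(INSTALLER)]
    # install.php glued onto a post permalink is the fingerprint of a relative
    # redirect issued while that post was being served, not of a typed URL.
    nested = [r for r in hits if r["path"] != INSTALLER]
    posts = [r for r in hits if r["method"] == "POST"]
    crawler_ips = {r["ip"] for r in hits if any(m in r["ua"] for m in CRAWLER_UA_MARKERS)}

    # A client that asked for a normal page, got a 302 and then fetched
    # install.php was sent there by the site, not by its own choice.
    by_ip = defaultdict(list)
    for r in recs:
        by_ip[r["ip"]].append(r)
    redirected_ips = set()
    for ip, rs in by_ip.items():
        for prev, cur in zip(rs, rs[1:]):
            if (prev["status"] == "302" and not prev["path"].endswith(INSTALLER)
                    and cur["path"].endswith(INSTALLER)):
                redirected_ips.add(ip)

    summary = {
        "installer_hits": len(hits),
        "distinct_ips": len({r["ip"] for r in hits}),
        "nested_paths": len(nested),
        "form_posts": len(posts),
        "crawler_ips": len(crawler_ips),
        "redirected_ips": len(redirected_ips),
    }
    if not hits:
        summary["verdict"] = "no installer traffic"
    elif posts:
        # The installer form was actually submitted. Whether it succeeded is a
        # database question (is there an admin user you did not create?).
        summary["verdict"] = "installer form submitted: check the users table"
    elif redirected_ips or crawler_ips or nested:
        summary["verdict"] = "redirect storm: the site thought it was not installed"
    else:
        summary["verdict"] = "direct probing of install.php"
    return summary


# Constructed sample: three visitors (one is Google's feed fetcher) each get a
# 302 from a normal page and land on install.php, once with a nested path.
STORM_LOG = """\
203.0.113.10 - - [08/Oct/2013:14:02:11 +0200] "GET /2013/10/wdrozenie-zakupionego-szablonu-wordpress/ HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"
203.0.113.10 - - [08/Oct/2013:14:02:11 +0200] "GET /2013/10/wdrozenie-zakupionego-szablonu-wordpress/wp-admin/install.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"
198.51.100.7 - - [08/Oct/2013:14:02:12 +0200] "GET /feed/ HTTP/1.1" 302 - "-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
198.51.100.7 - - [08/Oct/2013:14:02:12 +0200] "GET /wp-admin/install.php HTTP/1.1" 200 3211 "-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
192.0.2.44 - - [08/Oct/2013:14:02:13 +0200] "GET / HTTP/1.1" 302 - "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/30.0"
192.0.2.44 - - [08/Oct/2013:14:02:13 +0200] "GET /wp-admin/install.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/30.0"
"""

# Constructed sample: one client fetches the installer and submits its form.
PROBE_LOG = """\
198.51.100.99 - - [08/Oct/2013:15:00:01 +0200] "GET /wp-admin/install.php HTTP/1.1" 200 1422 "-" "python-requests/1.2.3"
198.51.100.99 - - [08/Oct/2013:15:00:01 +0200] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 2048 "-" "python-requests/1.2.3"
"""

if __name__ == "__main__":
    print(triage(STORM_LOG.splitlines()))
    print(triage(PROBE_LOG.splitlines()))
```

Feed it the real access log with `triage(open("access.log"))`. The verdict that matters for safety is "installer form submitted": a GET storm only proves the site was handing out the installer, but a POST means someone filled the form in, and only the database (an admin user you did not create, a changed siteurl) can tell you whether that succeeded.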
Konrad Karpieszuk
2013-10-09 16:58:45 UTC
Permalink
OK, but why? The server admin told me (and I have to trust him) that everything
was OK with the connection to the DB. Or even if it wasn't... why did somebody
try to connect to the file /wp-admin/install.php (I still believe that this was
not an accident)?

What do I think?

I think that somebody made a DDoS attack on purpose because somehow (maybe he
tested this before) he knew that during a huge DDoS attack WordPress will
'lose its mind'. During a huge DDoS attack the server as hardware stops working
correctly and sometimes a PHP command like "if
(!file_exists('wp-config.php'))" will not be able to check if the file really
exists, will return true (there is no file wp-config.php) and PHP will
delegate the chain of command to the installation file. And then the hacker will
be able to reinstall my WordPress with his credentials.

--
(en) regards / (pl) pozdrawiam
Konrad Karpieszuk
http://tradematik.pl a WordPress plugin for building shops for customers from Poland
Post by Mika A Epstein
It's not the next attack. It's your WP site not seeing it's installed.
This means that the DB tables weren't accessible for some reason OR the
wp-config.php was unreadable.
Post by Konrad Karpieszuk
Hello Mika,
I don't know if I understand you. I sent you the logs in the first email. Also I
asked the server admin if something was wrong with the server at the time of
this problem. He said that this was a day like every other, only on my server
they saw a huge amount of I/O operations. They know that for 3 months somebody
has been attacking my wp-login.php and it looked like the next attack (but this
time on install.php).
--
(en) regards / (pl) pozdrawiam
Konrad Karpieszuk
http://tradematik.pl a WordPress plugin for building shops for customers from Poland
Post by Mika Epstein
Block it in your htaccess first, actually. That's way easier.
Based on what info you gave us, we can't diagnose anything. Check your
SERVER logs. Did a file get edited or go missing? The problem is not that
the file was being hit by millions of people, the problem is why did WP not
know it was installed? Check your logs to see if anything happened to the
DB. Was it unreadable? Did you add/remove a plugin recently? Did you
upgrade?
Your mentioned changes to login and admin shouldn't cause anything like
this, it's purely WP no longer thinking it was installed. So what have you
done to diagnose THAT? :)
Post by Konrad Karpieszuk
First of all I want to know *why*. :) I've got tens of WordPress sites and
I will have more. I don't want to delete install.php every time (and after
every WordPress upgrade). Also maybe we have a totally new way to hack
WordPress sites (as you can see it is somehow working, because the intruder
broke my site).
--
(en) regards / (pl) pozdrawiam
Konrad Karpieszuk
http://tradematik.pl a WordPress plugin for building shops for customers from Poland
Mika A Epstein
2013-10-09 17:35:47 UTC
Permalink
People tried to access the file because WordPress defaults to that file
when it thinks it's not installed.

Does that make sense? WP couldn't tell it was installed, and thus
assumed it was NOT and people who visited wanted to install. That's the
only logical explanation for the URLs you gave us. Like ttrss pulling
the install.php? That logically happens when it's actually trying to get
a feed, but WP says "Oh hai! I'm not installed!"

This is 100% expected behavior :)

I'm very certain it's not a hack (nb I deal with hacked sites for WP at
my company every single day, it's my job, I'm pretty familiar with how
hacked WP behaves). Or rather, if it IS a hack, it's not that people are
attacking install.php, it's that they somehow made your wp-config.php go
away, or the DB tables.

Honestly though, what we need to know (and what you don't know) is what
did the install.php page say when you hit it? Did it say "no DB" or
"There's no config file..."? If you go to /wp-admin/install.php now,
you'll see 'Hai! Already installed!' And I think that was NOT what
people saw. If it was? Then MAYBE you have a brute force attempt (which
is not a hack BTW). But I think not.

I don't think your server admin is wrong, but I do think that you don't
clearly understand how WP handles this sort of thing, so there's some
confusion in the explanations to the admin :/
--
Mika A Epstein (aka Ipstenu)
http://ipstenu.org | http://halfelf.org
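Mika's diagnostic question above (what does /wp-admin/install.php say when you hit it?) as an added Python example that is not from the thread or from WordPress core: it classifies a response from the installer URL by status, Location header and the marker text WordPress prints on each of its screens, so the answer comes from a captured response rather than from memory. The marker strings are the English texts of the core screens as known around the time of the thread (an assumption to check against the version you run); the sample bodies and the example.com URL are constructed.

```python
"""What does /wp-admin/install.php say right now?

Added example, not code from the thread or from WordPress core. It turns one
HTTP response from the installer URL into the condition behind it. The marker
strings are the English texts of the WordPress screens (assumption: verify
against your own version); the sample bodies and the example URL are
constructed.
"""
import html
import re
import urllib.error
import urllib.request

INSTALLER_PATH = "/wp-admin/install.php"

# (substring WordPress prints on that screen, what it means). Order matters:
# the healthy case is checked first.
MARKERS = (
    ("You appear to have already installed WordPress",
     "already-installed: WordPress can read wp-config.php and its tables"),
    ("file. I need this before we can get started",
     "no-wp-config: wp-config.php is missing or unreadable"),
    ("we need some information on the database",
     "no-wp-config: setup-config.php is offering to create one"),
    ("Error establishing a database connection",
     "db-unreachable: MySQL down, refusing connections, or wrong host/credentials"),
    ("One or more database tables are unavailable",
     "tables-damaged: some core tables exist but cannot be read"),
    ("Information needed",
     "not-installed: no core tables found, the installer form is being served"),
)


def normalise(body):
    """Strip tags, decode entities and collapse whitespace so markers match reliably."""
    text = html.unescape(re.sub(r"<[^>]+>", " ", body))
    return re.sub(r"\s+", " ", text)


def classify_response(status, headers, body):
    """Map one response from /wp-admin/install.php to the condition behind it."""
    hdrs = {k.lower(): v for k, v in dict(headers).items()}
    if status in (301, 302, 303, 307) and hdrs.get("location"):
        target = hdrs["location"].split("?", 1)[0]
        if target.endswith("/wp-admin/setup-config.php"):
            return "no-wp-config: redirected to setup-config.php"
        return "redirected: " + hdrs["location"]
    text = normalise(body)
    for marker, condition in MARKERS:
        if marker in text:
            return condition
    return "unknown: read the body by hand (status %d)" % status


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them; the redirect IS the evidence."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_and_classify(url, timeout=10):
    """GET the installer URL of a live site and classify what comes back."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_response(resp.status, resp.headers.items(), body)
    except urllib.error.HTTPError as err:  # raised for every non-2xx, 3xx included
        body = err.read().decode("utf-8", "replace")
        return classify_response(err.code, err.headers.items(), body)


if __name__ == "__main__":
    # Offline demonstration on a constructed body; against a real site call
    # fetch_and_classify("https://example.com" + INSTALLER_PATH) (hypothetical host).
    healthy = ("<h1>Already Installed</h1><p>You appear to have already installed "
               "WordPress. To reinstall please clear your old database tables first.</p>")
    print(classify_response(200, {}, healthy))
```

Run it against the site now and expect "already-installed"; keep a copy of whatever it returns the next time the front page 302s to the installer, because that body (no wp-config, no DB connection, or no tables) is exactly the evidence the thread could not produce.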
Konrad Karpieszuk
2013-10-09 18:54:38 UTC
Permalink
OK, thank you for those explanations :)

--
(en) regards / (pl) pozdrawiam
Konrad Karpieszuk
http://tradematik.pl a WordPress plugin for building shops for customers from Poland