March 6th, 2012 by Ken
Recently a few WordPress sites on my server were attacked by the Blackhole exploit going around. Each time it was removed, it would come back shortly after and after much frustration in trying to find a working solution to the problem, I finally figured it out this morning.
A number of people recommended WordPress plugins like Firewall 2 and Exploit Scanner to stop attacks, but none of these worked (Which is not to say it doesn’t do what it’s supposed to, just wasn’t working for this particular exploit).
I flipped through the access logs in an attempt to find something that stood out, like an exceptionally long URL query string or multiple consecutive accesses to a particular page but didn’t notice anything until I thought about filtering down to just the POST requests to the site. That’s when I found the following entry.
220.127.116.11 - - [06/Mar/2012:10:35:40 -0800] "POST /wp-content/plugins/ToolsPack/ToolsPack.php HTTP/1.0" 200 1 "-" "Mozilla/4.76 [en] (Win98; U)"
The ToolsPack wasn’t anything we had heard of or even recognized and there were only 3 different IPs that accessed this page directly numerous times throughout the day across the affected sites. We had our culprit.
Viewing the source of the file confirmed my suspicions and revealed that all it did was decode and evaluate whatever text was posted to that script.
The only thing I haven’t quite figured out yet is how the script got there in the first place. I found a ToolsPack zip file in the WordPress uploads directory which would suggest something in WordPress allowed it to be uploaded and decompressed to the plugins directory, but what, I’m unsure of.
If anyone has any thoughts or information I’d love for you to comment and let me know your findings!
For now, I’ve removed the files, blocked the IPs and made all the index files 444 (globally read-only) which should help prevent this from happening again.