post mortem: hacked WordPress with a cryptominer (2018)
This is a post mortem report of a hacked WordPress instance with a cryptominer in 2018, which I handled.
- Incident Controller: Daniel Ruf
- Operations A: Daniel Ruf
- Communications A: Daniel Ruf
- Project Owner A: REDACTED
At 10:08 PM on the 29th of May 2018, during a meetup, we became aware of 99% CPU usage on our root server, which also impacted the availability of the other websites on the same server.
2018.05.29 22:08: monitoring alerted us of high CPU usage
2018.05.29 22:09: informed PO of hacked website, started first analysis
2018.05.29 22:09: blacklisted IP address of attacker, blocked access to systems, killed the problematic processes
2018.05.29 22:15: zipped the website for further analysis and checked the system for integrity
2018.05.29 22:20: informed PO of the taken actions
High CPU usage and affected availability of websites on the same server.
- Weak or reused passwords
- No information from the PO about the new WordPress instance
- No security measures
A quick look at our monitoring panel showed 99% CPU usage.
After logging into the server and running top the current situation was quite clear:
%CPU COMMAND
391.0 cnrig
95.7 php
29.6 php-fpm
9.6 sendmail
4.0 fail2ban-server
3.0 sendmail
...
So there was a process called cnrig using almost 4 of the 8 cores (threads, see nproc) of the i7 CPU, a php process using almost a full core, plus several sendmail processes; fail2ban was actively blocking another attack wave, and as a result there were also many smtp processes running.
fail2ban-server were the only processes which were not directly bound to the WordPress instance in Plesk and were spawned by root. But the other processes were actually spawned by the hacked WordPress instance.
sendmail was used as part of the usual spam attacks that originate from hacked WordPress instances via various webshells, since the attackers often have no SSH access, as in this case. So they used the PHP webshells to launch other attacks and run different things.
And one of these was a cryptominer called CNRig (running as cnrig), which is optimized to use the available resources as effectively as possible.
This high-performance cryptominer is freely available as an open-source project on GitHub:
CNRig is a high performance CryptoNight CPU miner for Linux. Based on the formidable XMRig, its distinguishing features are automatic updates and compatibility with old distributions.
We immediately blocked the affected website, its logins and users in Plesk, killed the processes and blocked the IP address used by the attacker using
Another check with ls in the WordPress instance showed us that there were files that should not be there:
drwxr-xr-x 8hq9
drwxr-xr-x bfe9a
drwxr-xr-x c997d5
drwxr-xr-x cnrig
drwxr-xr-x daa10f
drwxr-xr-x jdhse
-rwsr-Sr-T Jan 1 1970 security.php
-rwsr-Sr-T Jan 1 1970 wp-archive.php
-rwsr-Sr-T Jan 1 1970 wp-loads.php
-rw-r--r-- zz1.php
And there were also changes made to legitimate files and directories.
Some of the listed files also had the sticky bit set (the T in the mode string) and a timestamp of 0, which translates to Jan 1 1970, the start of the Unix epoch.
The retrieved accesslog shows how the attackers probably started the attack:
220.127.116.11 - - [28/May/2018:08:10:41 +0200] "GET /wp-login.php HTTP/1.0" 200
18.104.22.168 - - [28/May/2018:08:10:42 +0200] "POST /wp-login.php HTTP/1.0" 302
22.214.171.124 - - [28/May/2018:08:10:42 +0200] "GET /wp-admin/ HTTP/1.0" 200
126.96.36.199 - - [28/May/2018:08:10:43 +0200] "GET /wp-admin/theme-install.php HTTP/1.0" 200
188.8.131.52 - - [28/May/2018:08:10:43 +0200] "POST /wp-admin/update.php?action=upload-theme HTTP/1.0" 200
184.108.40.206 - - [28/May/2018:08:10:44 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200
220.127.116.11 - - [28/May/2018:08:10:44 +0200] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200
18.104.22.168 - - [28/May/2018:08:10:44 +0200] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200
22.214.171.124 - - [28/May/2018:08:10:46 +0200] "GET /wp-content/plugins/apikey/apikey.php?test=hello HTTP/1.0" 200
126.96.36.199 - - [28/May/2018:08:37:01 +0200] "POST /wp-content/plugins/apikey/apikey.php HTTP/1.0" 200
We have since blocked the IP using iptables -i eth0 -A INPUT -s 188.8.131.52/24 -j DROP.
According to the access log the attackers successfully logged into the WordPress backend, uploaded a theme and a plugin (which probably contained webshells and related code) and tested the installed plugin. After this they started the cryptominer and the other attacks using PHP.
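The login, upload and plugin-invocation sequence visible in the access log above can be flagged automatically. The following is an added example (not code from the original post), run over a constructed sample log modelled on those entries with documentation IPs; it reports, per client IP, a successful POST to wp-login.php (302) followed within 30 minutes by theme or plugin uploads and any direct request to a .php file under wp-content/plugins/.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log modelled on the entries above (documentation IPs, not the real ones).
SAMPLE_LOG = """\
203.0.113.10 - - [28/May/2018:08:10:42 +0200] "POST /wp-login.php HTTP/1.0" 302
203.0.113.10 - - [28/May/2018:08:10:43 +0200] "POST /wp-admin/update.php?action=upload-theme HTTP/1.0" 200
203.0.113.10 - - [28/May/2018:08:10:44 +0200] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200
203.0.113.10 - - [28/May/2018:08:10:46 +0200] "GET /wp-content/plugins/apikey/apikey.php?test=hello HTTP/1.0" 200
198.51.100.7 - - [28/May/2018:09:00:05 +0200] "POST /wp-login.php HTTP/1.0" 302
198.51.100.7 - - [28/May/2018:09:01:00 +0200] "GET /wp-admin/edit.php HTTP/1.0" 200
"""
# Common log format: client, identd, user, [timestamp], "METHOD path proto", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
UPLOAD_RE = re.compile(r'^/wp-admin/update\.php\?action=upload-(theme|plugin)')
PLUGIN_RE = re.compile(r'^/wp-content/plugins/([^/]+)/[^?]*\.php')

def parse_line(line):
    """Return (ip, time, method, path, status) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def find_upload_chains(log_text, window=timedelta(minutes=30)):
    """Per client IP: a successful backend login (POST /wp-login.php -> 302) followed within
    `window` by theme/plugin uploads, then any direct request to a .php file in a plugin dir."""
    logins = {}    # ip -> time of the last successful login
    findings = {}  # ip -> {"uploads": [...], "plugin_hits": [...]}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if method == "POST" and path == "/wp-login.php" and status == 302:
            logins[ip] = when
            continue
        if ip not in logins or when - logins[ip] > window:
            continue  # no recent successful login from this client
        up = UPLOAD_RE.match(path)
        if up and method == "POST":
            findings.setdefault(ip, {"uploads": [], "plugin_hits": []})["uploads"].append(up.group(1))
            continue
        hit = PLUGIN_RE.match(path)
        if hit and ip in findings:
            findings[ip]["plugin_hits"].append(hit.group(1))
    return findings
```

A legitimate admin who logs in and edits posts (the second client) produces no finding; only the login-then-upload-then-invoke chain does.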
In the wp_users database table there was also at least one user which was probably added and used by the attackers:
ID  user_login  user_nicename  user_email  user_registered
3  wp.service.controller.mYSiM  Service  0000-00-00 00:00:00
The cnrig binary that was used was also submitted to VirusTotal.
Written by Daniel Ruf. You should follow him on Twitter