Blog of Daniel Ruf

post mortem: hacked WordPress with a cryptominer (2018)

15.06.2019

This is a post mortem report of a hacked WordPress instance with a cryoptominer in 2018 which was handled by me.

post mortem

People

  • Incident Controller: Daniel Ruf
  • Operations A: Daniel Ruf
  • Communications A: Daniel Ruf
  • Project Owner A: REDACTED

Problem

At 10:08 PM, on 29th of May 2018 at a meetup we became aware of a 99% CPU usage of our root server which also impacted the availability of the other websites on the same server.

Timeline

2018-05-29 22:08: monitoring alerted us of high CPU usage
2018-05-29 22:09: informed PO of hacked website, started first analysis
2018-05-29 22:09: blacklisted IP address of attacker, blocked access to systems, killed the problematic processes
2018-05-29 22:15: archived the website for further analysis and checked the system for integrity
2018-05-29 22:20: informed PO of the taken actions

Impact

High CPU usage and affected availability of websites on the same server.

Contributing Factors

  • Weak or reused passwords
  • No information from the PO about the new WordPress instance
  • No security measures

Abstract

A quick view at our monitoring panel showed us a 99% CPU usage. After logging into the server and running top the current situation was quite clear:

 %CPU    COMMAND
391.0    cnrig
 95.7    php
 29.6    php-fpm
  9.6    sendmail
  4.0    fail2ban-server
  3.0    sendmail
...

So there was something using almost 4 of the 8 (see nproc) cores (threads) of the i7 CPU called cnrig, a process of php using almost a core plus php-fpm, some sendmail processes and fail2ban was actively blocking another attack wave and there were also many smtp processes running as a result.

php-fpm and fail2ban-server were the only processes which were not directly bound to the WordPress instance in Plesk and were spawned by root. But the other processes were actually spawned by the hacked WordPress instance.

sendmail was used as part of regular spam attacks which originate from hacked WordPress instances using different webshells as the attackers often have no SSH access like in this case. So they used the PHP webshells to start other attacks and run different things.

And one of these was a cryptominer called CNRig (running as cnrig) which is optimized to use the available resources as effective as possible.

This high performance cryptominer is freely available as opensource project and can be found at GitHub

CNRig is a high performance CryptoNight CPU miner for Linux. Based on the formidable XMRig, its distinguishing features are automatic updates and compatibility with old distributions.

We have immediately blocked the affected website, its logins and users in Plesk, killed the processes and blocked the used IP address using iptables.

Another check with ls in the WordPress instance showed us that there are files that should not be there:

drwxr-xr-x                 8hq9
drwxr-xr-x                 bfe9a
drwxr-xr-x                 c997d5
drwxr-xr-x                 cnrig
drwxr-xr-x                 daa10f
drwxr-xr-x                 jdhse
-rwsr-Sr-T   Jan 1 1970    security.php
-rwsr-Sr-T   Jan 1 1970    wp-archive.php
-rwsr-Sr-T   Jan 1 1970    wp-loads.php
-rw-r--r--                 zz1.php

And there were also changes made to files in legitimate files and directories.

Some of the listed files had also a sticky bit (T) and a timestamp of 0 which translates to 01-01-1970.

The retrieved accesslog shows how the attackers probably started the attack:

5.101.40.93 - - [28/May/2018:08:10:41 +0200] "GET /wp-login.php HTTP/1.0" 200
5.101.40.93 - - [28/May/2018:08:10:42 +0200] "POST /wp-login.php HTTP/1.0" 302
5.101.40.93 - - [28/May/2018:08:10:42 +0200] "GET /wp-admin/ HTTP/1.0" 200
5.101.40.93 - - [28/May/2018:08:10:43 +0200] "GET /wp-admin/theme-install.php HTTP/1.0" 200
5.101.40.93 - - [28/May/2018:08:10:43 +0200] "POST /wp-admin/update.php?action=upload-theme HTTP/1.0" 200
5.101.40.93 - - [28/May/2018:08:10:44 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200
5.101.40.93 - - [28/May/2018:08:10:44 +0200] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.0" 200
5.101.40.93 - - [28/May/2018:08:10:44 +0200] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200
5.101.40.93 - - [28/May/2018:08:10:46 +0200] "GET /wp-content/plugins/apikey/apikey.php?test=hello HTTP/1.0" 200
5.101.40.93 - - [28/May/2018:08:37:01 +0200] "POST /wp-content/plugins/apikey/apikey.php HTTP/1.0" 200

We have since blocked the IP using the following command:
iptables -i eth0 -A INPUT -s 5.101.40.0/24 -j DROP

According to the accesslog the attackers successfully logged into the WordPress backend, uploaded a theme and a plugin (which probably contained some webshells and related code) and tested the installed plugin. After this they started the cryptominer and the different attacks using PHP.

In the wp_users database table there was also at least 1 user which was probably added and used by the attackers:

    ID                     user_login    user_nicename    user_email      user_registered
     3    wp.service.controller.mYSiM          Service                0000-00-00 00:00:00

The used cnrig binary was also submitted to VirusTotal