I’ve Been Hacked! WP-Lytebox Sucks

This is the third time I’ve had to spend serious time “fixing” WordPress. Say what you will about my old “Small Axe” or “Flip” solutions, but I never had a problem. With WordPress, I have found regular issues.

This time, I traced the problem back to wp-lytebox, and I’m ashamed to say I’ve had to fix the same problem before. It all started when I couldn’t load the post page in the backend of firsttube.com. Digging in, I eventually found a file called sys.php in the root of the site, and it listed the contents of my site and had a form that allowed someone to add a page, chmod a page, or delete a page. Killer!

I found that it was defaulting to /path/to/WP/wp-includes/plugins/wp-lytebox, and sure enough, digging into that directory revealed several other fun scripts, all of which gave someone the ability to access all the files on my site.  Fun!

I found that I had already replaced this plugin before, so I decided to get rid of it altogether, which proved that it wasn’t a misconfiguration but rather a problem with wp-lytebox itself.

In this process, however, I was unable to fix my issue. Visiting /wp-admin/post-new.php still rendered only a page footer, and nothing more.

So I started fooling around in my directories looking for files that had been modified more recently than when I did my 2.9.2 upgrade. One of the files? My .htaccess file.

“This be odd,” I thought to myself, “I’ve changed this not, methinks.”

Sure enough, there was a rogue line within:

RewriteCond ^/default/$ /wp-admin/includes

Huh?

I dug into that folder, and the .htaccess file there was recent too. Its contents?

DefaultIndex users.php

Of course, I immediately opened users.php and found, as you might have guessed, a bunch of Russian crap. Savvy WP hackers will know it’s not a real file; there is no users.php in the real wp-admin/includes directory.
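As an added example (not from the original post), here is a POSIX shell version of the two checks described above: list every file modified more recently than a known-good reference file, and dump the rewrite/index directives from every .htaccess under the site. It runs against a constructed fixture tree rather than a real install; using wp-includes/version.php as the “time of upgrade” reference is an assumption.

```shell
#!/bin/sh
# List regular files under root $1 modified more recently than reference file $2.
# After an upgrade, everything you did not touch since should be absent from this list.
newer_than() {
  find "$1" -type f -newer "$2" | sort
}

# Count the files newer_than reports (handy for a quick "anything changed?" check).
count_newer() {
  newer_than "$1" "$2" | wc -l | tr -d ' '
}

# Show every .htaccess line that rewrites requests or changes the index file.
# A rule pointing into wp-admin/includes, as in the post, is the kind of thing to look for.
htaccess_rules() {
  find "$1" -name .htaccess -type f -exec grep -H -E 'Rewrite|Index' {} +
}

# Constructed fixture: a tiny fake WordPress tree. version.php and post.php are
# back-dated to stand in for the upgrade; the two .htaccess files and the fake
# users.php are written afterwards, mirroring the rogue files found in the post.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-admin/includes" "$root/wp-includes"
  printf '<?php\n' > "$root/wp-includes/version.php"
  printf '<?php\n' > "$root/wp-admin/includes/post.php"
  touch -t 201001010000 "$root/wp-includes/version.php" "$root/wp-admin/includes/post.php"
  printf 'RewriteEngine On\nRewriteCond ^/default/$ /wp-admin/includes\n' > "$root/.htaccess"
  printf 'DefaultIndex users.php\n' > "$root/wp-admin/includes/.htaccess"
  printf '<?php /* constructed stand-in for the planted file */\n' > "$root/wp-admin/includes/users.php"
  echo "$root"
}

# Stand-alone demo: build the fixture and run both checks against it.
demo() {
  root=$(make_fixture)
  echo "files newer than wp-includes/version.php:"
  newer_than "$root" "$root/wp-includes/version.php"
  echo "htaccess rules:"
  htaccess_rules "$root"
  rm -rf "$root"
}
```

On a real site, pass the install root and a file you know dates from the upgrade; anything the list shows that you did not change yourself deserves a look.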

I also found a folder that had two large files, both named core.XXXX where XXXX was a 4-digit number, and a massive 40 MB error_log. Yikes.

I thought I had everything cleaned out, and I truly believed that the way in was wp-lytebox. Then I found this. And sure enough, all of the listed files were compromised. So I nuked all the files, and replaced them all. D’oh!

So, if you’re arriving via Google or Bing or Yahoo!, do NOT use wp-lytebox.