#Hacks #Security

WPCoreSys (Dolly) Hack – Revisited

by

This is revisit to one of my most popular post, WPCoreSys (Dolly) Hack. I reader asked some follow-up questions which I think can be useful to other people who are going through the same WordPress hack.

I can’t thank you enough for your post on the WPCoreSys (Dolly) Hack.  I’ve been chasing this problem for a few weeks on my WP site, but unable to get to the actual root cause.   I’m far from a WP expert (which I’m sure has slowed me down), but I was able to delete the WPCoreSys directory from within the Plugins folder, and also delete the four entries from the wp_dolly_plugin_table (using phpmyadmin), but unable to figure out how to delete the table itself.  I’ve also changed admin, cpanel and FTP passwords, and installed some security and audit plugins.  Hopefully, all that’s enough to keep the hackers away from doing anything else.

Although your post was incredibly helpful, I do have two questions for you:

First, were ever able to figure out what the hackers were doing?  I saw that they created entries into my WP_Posts table, and based on the content it looked like it was somehow related with downloading of pirated files.  But, not exactly sure how my little WP site figured into it all.

Secondly, and more importantly, the code changes in your post were way above my technical skill.  So, I was wondering if you were aware of any sort of plug in, or other utility that could do the necessary clean-up work for this hack?

I do have one question you may be help to with, that live-traffic shows people going to URLs like:

  • http://www.mywebsiteexample.com/?La-saga-McJames–Tome-2—-Dans-le-lit-d-un-guerrier.pdf
  • http://www.mywebsiteexample.com/?Revue-technique-automobile—n-253—mai-1967—Simca-1500-1501—Renault-8-Gordini.pdf
  • http://www.mywebsiteexample.com/?Photoshop-Elements-11-pour-les-photographes.pdf

…and other very curious/odd names.  Those PDFs don’t exist on my site, so WP just takes the user to the home page.  Do you have any thoughts about those names, and what might be generating that traffic?  I’m wondering if it’s attempt to hack, and a result of the hacking.

Once again, I’m grateful that I found your post.

My response:

Glad that the blog post was informative.  I’ve been getting a lot of positive feedback about it.  Seems like a decently common exploit and not a lot of information about it.  To drop the tables, you should be able to do it from within phpmyadmin.  https://www.youtube.com/watch?v=GTnV4VmJWPk  or run a ‘drop table xxxxx’ sql command.  If you’re still unable to drop (aka delete) a table then you could rename it.  Something like __mytablename (NOT USED)__ or something like that since no developer in their right mind would use parenthesis in their table names as well as it being descriptive enough that its an unused table.
 

You did almost everything needed, if you follow my blog post instructions you should be fine.  Since the cleanup, that site hasn’t been hit with another malware attack.

The attack is a typical SQL Injection attack that injects XSS scripts into the website.  The XSS script’s payload is do the following:

  • Put Javacript code into the pages of your website that would trigger a redirect upon arrival to the website of their choice.
  • Put content and website links of their choice into your website.
  • Put Javascript code that would trigger q popup box, download dialog boxes to download malware, or place tracking cookies onto the computer of your visitors.
As for plugins, I think I provided some near the bottom of the blog post.  This one https://wordpress.org/plugins/gotmls/ is very well made and when you run it, it scans all the files on your website and provide you the ability to clean them.  Again, the trigger code is in your website’s PHP files.
 

As for the random URL strings you’re seeing is bots querying for hidden pages.  They are a nuisance and causes extra processing for your server.  I recommend a plugin called 

 
Learn more about bad queries
 
See more malware scripts so you can identify if you have a compromised PHP or WordPress site.