New WordPress attack targeting the phpinfo() function
Are the authors of PHP and WordPress merely evil or Satan incarnate? That was the thought that crossed my mind (even though I’m an atheist) when I saw the most recent attack against my site. The attacker was in Ukraine (country code UA), on the domain hidehost.net at address 91.200.12.53. The attacker started with a “GET /” request. The subsequent requests were all POSTs to a /wp-includes/*.php path. Specifically these paths:
POST /wp-includes/class.wp-dependencies.php
POST /wp-includes/feed-rss2.php
POST /wp-includes/date.php
POST /wp-includes/pluggable-deprecated.php
POST /wp-includes/default-constants.php
POST /wp-includes/bookmark-template.php
POST /wp-includes/pluggable.php
POST /wp-includes/feed.php
POST /wp-includes/theme.php
POST /wp-includes/formatting.php
Each POST request had one line from the following list in the data portion of the request:
q01b955=phpinfo();
q044e97=phpinfo();
q6d8db6=phpinfo();
q791d24=phpinfo();
q82e86f=phpinfo();
q874478=phpinfo();
qb214de=phpinfo();
qcd4fab=phpinfo();
qeb2df4=phpinfo();
My WordPress v4.3 installation responded with an HTTP 200 (OK) status to each request. I manually executed each request and got the same 200 status but no output from the phpinfo() function, so I am reasonably confident the attacker did not get any useful data from my server. Specifically, the attacker learned nothing other than that I have not been infected by this malware (see the next paragraph).
Googling for “attack phpinfo” returns many results, such as this one, which explain why the ability to remotely invoke the phpinfo() function is a security risk: its output discloses the PHP version, loaded extensions, configuration settings, environment variables and file system paths, all of which is reconnaissance for a follow-up attack. Googling for any of the tokens on the left-hand side of the above assignments returned nothing useful, and those tokens are not base32 or base64 encoded values either.
This suggests that this attacker is looking for sites that have previously been infected by malware: each token is most likely the parameter name that a particular injected backdoor listens for, and phpinfo() is a harmless probe whose output proves code execution when the backdoor is present. I’ve seen attacks in the past with seemingly nonsensical tokens. Careful analysis has suggested, if not proved, that each of those attacks is trying to detect, and presumably exploit, malware already present on the computer.
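As an added example (not part of the original post and not the author’s own tooling), here is a Python script that turns the pattern above into two checks: flag POST requests sent directly to a core /wp-includes/*.php file, especially ones whose body carries PHP code, and decide from a response body whether phpinfo() actually ran. Assumptions: the log lines are constructed for this example, in combined log format with the POST body appended as an extra quoted field (stock Apache and nginx do not log request bodies, and the method and path alone are enough to flag the direct POSTs); the marker strings in phpinfo_executed are a heuristic based on phpinfo()’s own HTML and CLI output; replay_probe contacts whatever host you give it and is meant only for checking a site you own.

```python
import re
from urllib.error import HTTPError
from urllib.parse import unquote_plus, urlencode
from urllib.request import Request, urlopen

# Constructed sample log, not the author's real log. Combined log format plus one
# extra quoted field holding the POST body ("-" when none was recorded). The first
# probes mirror the requests described in the post.
SAMPLE_LOG = """\
91.200.12.53 - - [10/Oct/2015:12:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
91.200.12.53 - - [10/Oct/2015:12:00:01 +0000] "POST /wp-includes/class.wp-dependencies.php HTTP/1.1" 200 0 "-" "Mozilla/5.0" "q01b955=phpinfo();"
91.200.12.53 - - [10/Oct/2015:12:00:02 +0000] "POST /wp-includes/feed-rss2.php HTTP/1.1" 200 0 "-" "Mozilla/5.0" "q044e97=phpinfo();"
91.200.12.53 - - [10/Oct/2015:12:00:03 +0000] "POST /wp-includes/date.php HTTP/1.1" 200 0 "-" "Mozilla/5.0" "q6d8db6=phpinfo();"
203.0.113.7 - - [10/Oct/2015:12:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2700 "-" "Mozilla/5.0" "log=admin&pwd=hunter2"
203.0.113.7 - - [10/Oct/2015:12:05:01 +0000] "GET /wp-includes/js/jquery/jquery.js HTTP/1.1" 200 95000 "-" "Mozilla/5.0" "-"
198.51.100.9 - - [10/Oct/2015:13:00:00 +0000] "POST /wp-includes/pluggable.php HTTP/1.1" 200 0 "-" "curl/7.43" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
    r'(?: "(?P<body>[^"]*)")?$'
)
# A core include file requested directly: /wp-includes/<file>.php, no subdirectory.
CORE_FILE_RE = re.compile(r'^/wp-includes/[^/?]+\.php(?:\?.*)?$')
# A value that is a bare PHP function call, e.g. phpinfo(); or system('id');
PHP_CALL_RE = re.compile(r'^\s*[A-Za-z_]\w*\s*\(.*\)\s*;?\s*$')


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    body = m.group('body') or ''
    return {'ip': m.group('ip'), 'method': m.group('method'), 'path': m.group('path'),
            'status': int(m.group('status')), 'body': '' if body == '-' else body}


def probe_params(body):
    """Return the (name, value) pairs of a form body whose value looks like PHP code.
    Split by hand: older urllib.parse.parse_qsl also splits on ';' and would eat
    the trailing ';' of 'phpinfo();'."""
    pairs = []
    for field in body.split('&'):
        if not field:
            continue
        name, _, value = field.partition('=')
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return [(n, v) for n, v in pairs if PHP_CALL_RE.match(v)]


def classify(entry):
    """Label a parsed request. Nothing in WordPress POSTs directly to a file under
    /wp-includes/, so any such POST is worth a look; one whose body carries PHP
    code is a probe for an injected backdoor parameter."""
    if entry['method'] == 'POST' and CORE_FILE_RE.match(entry['path']):
        return 'backdoor-probe' if probe_params(entry['body']) else 'suspicious-core-post'
    return 'benign'


def scan_log(text):
    """Return the non-benign requests in a log, with the probed parameter names."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label != 'benign':
            hits.append({'ip': entry['ip'], 'path': entry['path'], 'status': entry['status'],
                         'label': label, 'params': probe_params(entry['body'])})
    return hits


def phpinfo_executed(response_body):
    """Heuristic: phpinfo() output (HTML or CLI) contains both markers; the empty
    page a clean include file returns contains neither."""
    return all(marker in response_body for marker in ('phpinfo()', 'PHP Version'))


def replay_probe(base_url, path, token, code='phpinfo();', timeout=10):
    """Re-send one probe to a site you own; returns (status, phpinfo_executed).
    Needs network access and is not exercised by the offline sample above."""
    req = Request(base_url.rstrip('/') + path, data=urlencode({token: code}).encode(),
                  method='POST')
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, phpinfo_executed(resp.read().decode('utf-8', 'replace'))
    except HTTPError as err:
        return err.code, phpinfo_executed(err.read().decode('utf-8', 'replace'))


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['label'], hit['ip'], hit['path'], hit['status'], hit['params'])
```

On the sample log this reports three backdoor-probe hits from 91.200.12.53 (tokens q01b955, q044e97, q6d8db6) and one suspicious-core-post from the curl client whose body was not logged; the wp-login.php POST and the GET of a script under a wp-includes subdirectory are left alone. A 200 status on its own proves nothing either way, which is why replay_probe inspects the body rather than the status code. If scan_log ever reports a hit on a host where replay_probe returns True, the include file named in the path has been modified and should be compared against a pristine copy of that WordPress release.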