Analysing an attack from WordPress Hello Dolly plugin

You might notice heavy CPU consumption on a machine. Some of it has a natural cause, for example a known script that runs at a scheduled time, while some of it is the by-product of an attack. Even when the attack does not succeed, the CPU load it generates can hang the kernel or starve other applications of CPU time. In other words, the attacker may not reach their goal, yet the server can still end up in a worse state than before.

Here is a brief analysis of an attack involving the WordPress plugin known as "Hello Dolly". The event started with high CPU consumption on a server. Looking at the process list in htop or atop shows which processes are consuming the most CPU.

Photo credits: Komodosec.com

1. A simple ps command gives a first idea of which processes consume the most CPU. Processes 829 and 4416 are the ones consuming the most CPU (note the accumulated TIME column: over two hours each). Both run `php -q /tmp/tmp`, that is, a PHP script dropped in the world-writable /tmp directory and executed as the web server user, which is not something a normal WordPress install does. Process 4416 is also in state D (uninterruptible wait).

[[email protected]:/www/website.com/htdocs/wp-content]# ps aux|grep php
apache     829  6.2  0.5 351212 97492 ?        S    Oct05 127:36 php -q /tmp/tmp
apache    3459  0.3  0.3 416340 60080 ?        S    Oct06   1:43 php-fpm: pool www
apache    4416  7.2  0.5 336860 82656 ?        D    Oct05 146:43 php -q /tmp/tmp
apache    4753  0.2  0.3 420176 64048 ?        S    Oct06   1:20 php-fpm: pool www
root      7539  0.0  0.0 103248   868 pts/3    S+   06:55   0:00 grep php

2. The `php -q /tmp/tmp` processes were launched from inside the site's plugins directory: running lsof on that directory lists every process whose current working directory (cwd) is there. PIDs 829 and 4416 from the ps output both appear, and three more php processes (29199, 29304 and 30153) with the same working directory show up as well. The bash entry (PID 22664) is our own root shell.

[[email protected]:/www/website.com/htdocs/wp-content]# lsof plugins/
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF      NODE NAME
php       829 apache  cwd    DIR   0,20     4096 168820763 plugins
php      4416 apache  cwd    DIR   0,20     4096 168820763 plugins
bash    22664   root  cwd    DIR   0,20     4096 168820763 plugins
php     29199 apache  cwd    DIR   0,20     4096 168820763 plugins
php     29304 apache  cwd    DIR   0,20     4096 168820763 plugins
php     30153 apache  cwd    DIR   0,20     4096 168820763 plugins

3. Attaching strace -p to 29199 shows what the process is busy with. It tries to create sockets and to open /etc/hosts (the first step of resolving a hostname), and every one of these calls fails with EMFILE: the process has exhausted its open-file limit. The poll on fd 3447 shows descriptor numbers in the thousands, so it is holding thousands of descriptors, most likely sockets. A process spinning through network calls that all fail immediately is a plausible explanation for the CPU load.

[[email protected]:/www/website.com/htdocs/wp-content/plugins]# strace -p 29199
Process 29199 attached - interrupt to quit
socket(PF_NETLINK, SOCK_RAW, 0)         = -1 EMFILE (Too many open files)
open("/etc/hosts", O_RDONLY|O_CLOEXEC)  = -1 EMFILE (Too many open files)
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = -1 EMFILE (Too many open files)
socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = -1 EMFILE (Too many open files)
alarm(0)                                = 15
rt_sigaction(SIGALRM, {SIG_DFL, [], SA_RESTORER, 0x7f66381729a0}, NULL, 8) = 0
poll([{fd=3447, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout)

4. Another useful piece of information is which website (virtual host) the intrusion is operating from. Running lsof -p on one of the PIDs gives the full path of its working directory, and the cwd entry names the site's document root.

[[email protected]:/www/website.com/logs]# lsof -p 29304
COMMAND   PID   USER   FD   TYPE     DEVICE SIZE/OFF       NODE NAME
php     29304 apache  cwd    DIR       0,20     4096  168820763 /www/website.com/htdocs/wp-content/plugins
php     29304 apache  rtd    DIR      253,0     4096          2 /
php     29304 apache  txt    REG      253,2  4105624      16544 /usr/bin/php
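Steps 1 to 4 can be repeated on any host without running ps, lsof and strace by hand: everything they showed (command line, working directory, executable, number of open descriptors, process state) is readable from /proc. The following is an added example, not code from the original post. The FD_WARN threshold, the /www web-root prefix, the list of scratch directories and the fake /proc entries that demo() builds are assumptions made for this example; on a real server call scan() with its default proc_root.

```python
import os
import tempfile
from pathlib import Path

# Assumptions for this example (not taken from the original post):
FD_WARN = 1000     # an fd count this high matches the EMFILE errors strace showed
WEBROOT = "/www"   # prefix under which the hosted sites' document roots live
SCRATCH = ("/tmp/", "/var/tmp/", "/dev/shm/")  # world-writable dirs a dropped script lives in


def triage_pid(pid, proc_root="/proc"):
    """Gather what ps, lsof and strace told us, directly from /proc/<pid>."""
    p = Path(proc_root) / str(pid)
    argv = [a.decode(errors="replace")
            for a in (p / "cmdline").read_bytes().split(b"\0") if a]
    state = "?"
    for line in (p / "status").read_text().splitlines():
        if line.startswith("State:"):
            state = line.split(":", 1)[1].strip()
            break

    def link(name):
        try:
            return os.readlink(p / name)     # cwd/exe are symlinks; readlink does not resolve them
        except OSError:                      # no permission, or a kernel thread
            return None

    try:
        nfds = len(os.listdir(p / "fd"))
    except OSError:
        nfds = -1
    return {"pid": int(pid), "argv": argv, "cwd": link("cwd"),
            "exe": link("exe"), "nfds": nfds, "state": state}


def suspicion(info):
    """Reasons a php CLI process resembles the rogue 'php -q /tmp/tmp' from the post.
    An empty list means nothing odd. php-fpm workers are skipped automatically:
    their argv[0] is the process title 'php-fpm: pool www', not 'php'."""
    argv = info["argv"]
    if not argv or os.path.basename(argv[0]) not in ("php", "php-cli"):
        return []
    script = next((a for a in argv[1:] if not a.startswith("-")), "")
    reasons = []
    if script.startswith(SCRATCH):
        reasons.append("script in world-writable dir: " + script)
    if info["cwd"] and info["cwd"].startswith(WEBROOT):
        reasons.append("cwd under web root: " + info["cwd"])
    if info["nfds"] >= FD_WARN:
        reasons.append("%d open fds" % info["nfds"])
    return reasons


def scan(proc_root="/proc"):
    """Walk every numeric /proc entry; return {pid: (info, reasons)} for the hits."""
    hits = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            info = triage_pid(entry, proc_root)
        except OSError:
            continue                      # the process exited while we were looking
        reasons = suspicion(info)
        if reasons:
            hits[info["pid"]] = (info, reasons)
    return hits


def fake_proc_entry(root, pid, argv, cwd, exe, nfds, state="S (sleeping)"):
    """Build a minimal /proc/<pid> look-alike so the scan can be exercised offline."""
    p = Path(root) / str(pid)
    (p / "fd").mkdir(parents=True)
    (p / "cmdline").write_bytes(b"\0".join(a.encode() for a in argv) + b"\0")
    (p / "status").write_text("Name:\t%s\nState:\t%s\n" % (argv[0][:15], state))
    os.symlink(cwd, p / "cwd")
    os.symlink(exe, p / "exe")
    for i in range(nfds):
        os.symlink("socket:[%d]" % i, p / "fd" / str(i))


def demo():
    """Constructed fixture modelled on the post's ps/lsof output: one rogue
    'php -q /tmp/tmp' in state D holding many descriptors, one normal php-fpm worker."""
    with tempfile.TemporaryDirectory() as root:
        fake_proc_entry(root, 4416, ["php", "-q", "/tmp/tmp"],
                        "/www/website.com/htdocs/wp-content/plugins", "/usr/bin/php",
                        nfds=1200, state="D (disk sleep)")
        fake_proc_entry(root, 3459, ["php-fpm: pool www"], "/", "/usr/sbin/php-fpm", nfds=12)
        return scan(root)


if __name__ == "__main__":
    for pid, (info, reasons) in demo().items():
        print(pid, " ".join(info["argv"]), info["state"], "|", "; ".join(reasons))
```

Reading /proc directly needs root for processes of another user, which is the situation here anyway; the fd count in particular is what strace only let us infer from the EMFILE errors.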

5. Filtering that site's access log for bot user agents turns up a series of POST requests from 92.62.129.97 to /wp-content/plugins/index.php?cookie=1, each answered with a 200 and a 13-byte body. At first glance the User-Agent looks like Googlebot. Are we sure? Two things stand out before even checking the address: a crawler has no reason to POST into the plugins directory, and in a stock WordPress install that index.php is the empty "Silence is golden" placeholder, which produces no output at all. A POST with a query string getting a 200 with a body is a reason to compare the file against a clean copy.

92.62.129.97 - - [05/Oct/2015:20:45:49 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
92.62.129.97 - - [05/Oct/2015:21:20:43 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

6. Who is 92.62.129.97? The geoiplookup output:

92.62.129.97
GeoIP Country Edition: LT, Lithuania
GeoIP City Edition, Rev 1: LT, N/A, N/A, N/A, N/A, 56.000000, 24.000000, 0, 0
GeoIP ASNum Edition: AS42549 UAB Baltnetos komunikacijos

7. Does this IP have a reputation for attacks?

Check https://www.firyx.com/whois?ip=92.62.129.97: other people have reported attacks from this address, including against Windows servers. Reputation alone is not proof, but it fits the picture: a real Googlebot address resolves to a googlebot.com or google.com name, and a quick reverse lookup settles whether the User-Agent is genuine.
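Steps 5 to 7 can be turned into a check that does not take a User-Agent at its word. The following is an added example, not code from the original post: it parses combined-format access-log lines, picks out the hits that claim to be Googlebot, and applies Google's documented verification (reverse DNS must land in googlebot.com or google.com, and the forward lookup of that name must return the same address), flagging in addition any such hit that POSTs into wp-content/plugins. The first two log lines are the ones from the post; the third line, the fake_reverse/fake_forward stand-ins and the DNS answers they give are constructed for this example. Drop the last two arguments of audit() to query real DNS.

```python
import re
import socket

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Google's documented check: the PTR name must end in one of these suffixes
# and the forward lookup of that name must come back to the same IP.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def parse(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def verify_googlebot(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname):
    """Reverse-then-forward DNS check. A spoofed User-Agent cannot pass it."""
    try:
        host = reverse(ip)[0]
    except OSError:             # socket.herror and gaierror are OSError subclasses
        return False
    if not host.endswith(GOOGLE_SUFFIXES):
        return False
    try:
        return forward(host) == ip
    except OSError:
        return False


def audit(lines, reverse=socket.gethostbyaddr, forward=socket.gethostbyname):
    """Return (ip, method, path, reasons) for every self-declared Googlebot hit
    that fails DNS verification or POSTs into wp-content/plugins."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None or "Googlebot" not in rec["ua"]:
            continue
        reasons = []
        if not verify_googlebot(rec["ip"], reverse, forward):
            reasons.append("rDNS/forward check failed")
        if rec["method"] == "POST" and rec["path"].startswith("/wp-content/plugins/"):
            reasons.append("POST into plugins dir")
        if reasons:
            findings.append((rec["ip"], rec["method"], rec["path"], reasons))
    return findings


# Two lines from the post, plus one constructed line from a crawler that passes
# the check, for contrast.
SAMPLE_LOG = [
    '92.62.129.97 - - [05/Oct/2015:20:45:49 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '92.62.129.97 - - [05/Oct/2015:21:20:43 -0400] "POST /wp-content/plugins/index.php?cookie=1 HTTP/1.0" 200 13 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '66.249.66.1 - - [05/Oct/2015:21:30:02 -0400] "GET /robots.txt HTTP/1.1" 200 67 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]

# Offline stand-ins for DNS (constructed answers), so the example runs without network.
FAKE_PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com"}
FAKE_A = {name: ip for ip, name in FAKE_PTR.items()}


def fake_reverse(ip):
    if ip in FAKE_PTR:
        return (FAKE_PTR[ip], [], [ip])    # same shape as socket.gethostbyaddr
    raise socket.herror(1, "Unknown host")


def fake_forward(name):
    if name in FAKE_A:
        return FAKE_A[name]
    raise socket.gaierror(-2, "Name or service not known")


def demo():
    return audit(SAMPLE_LOG, fake_reverse, fake_forward)


if __name__ == "__main__":
    for ip, method, path, reasons in demo():
        print(ip, method, path, "->", "; ".join(reasons))
```

The same check from a shell is `host 92.62.129.97` followed by `host` on the name it returns; a PTR record pointing anywhere but googlebot.com or google.com, or no PTR at all, means the User-Agent was spoofed.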

8. After more research, we found that several WordPress users have reported the same situation, where the Hello Dolly plugin was causing heavy load on their servers; after they removed it, the load went away. Ref:

This shows how dangerous unaudited plugins on WordPress can be when their code has not been properly reviewed by security experts. An analysis is important before using such plugins.

Note: This information may be incomplete, since the Hello Dolly plugin may already have been compromised before the attack. The aim of the article is to show an analysis methodology for a high CPU consumption incident.

  • Lutjebroeker.nl

    Always wondered why somebody would activate that useless plugin

• Indeed, I agree, it's of no use. I have encountered such a situation though.

  • I would like to point out that this is false information and you’ve provided no indication pointing to the Hello Dolly plugin as the point of entry for an attack.

    The Hello Dolly plugin is included in WordPress core, which goes through rigorous testing and security checks. Looking at the plugin source indicates absolutely no possible threat of attack that would cause such high CPU load on your server, outside of maybe directly accessing it which would bring no benefit to a potential attacker.

    That said, you should take a look at the security of your server, Apache/Nginx setup, and your WordPress site. Good job tracking down the origination of the attack though!

• Hello. I agree the analysis is somewhat incomplete. However, the aim is to explain the analysis methodology. It might be that the Hello Dolly plugin was already hacked. But at least the cause of the CPU consumption has been detected as being due to the Hello Dolly plugin.

  • Rick Dees

    Do you know who wrote the “Hello Dolly” plugin? If “Hello Dolly” has a backdoor, then it means your entire WordPress site is a backdoor.