We’ve had several WordPress sites defaced, all of them showing the same pattern (at least the raw access log says so). From the logs it appears they log in directly to WordPress, then go to theme editor > edit the 404.php file with malicious code, then run the code to deface the site.
Here is the log (the site replaced with example.com)
125.167.118.62 - - [01/Aug/2012:14:22:58 +0800] "GET / HTTP/1.1" 200 6318 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:00 +0800] "GET /wp-content/themes/Wallbase/css/supersized.css HTTP/1.1" 200 2556 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:00 +0800] "GET /wp-content/themes/Wallbase/js/effects.js?ver=3.4.1 HTTP/1.1" 200 890 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:00 +0800] "GET /wp-content/themes/Wallbase/js/superfish.js?ver=3.4.1 HTTP/1.1" 200 3083 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:00 +0800] "GET /wp-content/themes/Wallbase/style.css HTTP/1.1" 200 23095 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:01 +0800] "GET /wp-content/themes/Wallbase/js/supersized.3.1.3.min.js?ver=3.4.1 HTTP/1.1" 200 11671 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:00 +0800] "GET /wp-content/themes/Wallbase/css/prettyphoto.css HTTP/1.1" 200 19697 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:01 +0800] "GET /wp-content/themes/Wallbase/js/jquery.prettyPhoto.js?ver=3.4.1 HTTP/1.1" 200 22373 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:02 +0800] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:00 +0800] "GET /wp-includes/js/jquery/jquery.js?ver=1.7.2 HTTP/1.1" 200 94861 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:02 +0800] "GET /wp-login.php HTTP/1.1" 200 2171 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:04 +0800] "GET /wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 200 36317 "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:04 +0800] "GET /wp-admin/css/wp-admin.css?ver=3.4.1 HTTP/1.1" 200 108246 "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:07 +0800] "GET /wp-admin/images/button-grad.png HTTP/1.1" 200 243 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:07 +0800] "GET /wp-admin/images/wordpress-logo.png?ver=20120216 HTTP/1.1" 200 5048 "http://example.com/wp-admin/css/wp-admin.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:13 +0800] "POST /wp-login.php HTTP/1.1" 302 - "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:14 +0800] "GET /wp-admin/ HTTP/1.1" 200 52163 "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:19 +0800] "GET /wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin&ver=3.4.1 HTTP/1.1" 200 28480 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:20 +0800] "GET /wp-includes/js/thickbox/thickbox.css?ver=3.4.1 HTTP/1.1" 200 3870 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:20 +0800] "GET /wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:20 +0800] "GET /wp-content/themes/Wallbase/images/slide.png HTTP/1.1" 200 198 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:21 +0800] "GET /wp-admin/load-styles.php?c=1&dir=ltr&load=wp-jquery-ui-dialog&ver=3.4.1 HTTP/1.1" 200 1087 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:22 +0800] "GET /wp-admin/images/wpspin_light.gif HTTP/1.1" 200 2193 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:24 +0800] "GET /wp-admin/images/media-button.png?ver=20111005 HTTP/1.1" 200 3117 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:20 +0800] "GET /wp-includes/css/editor.css?ver=3.4.1 HTTP/1.1" 200 43861 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:20 +0800] "GET /wp-admin/load-scripts.php?c=1&load=jquery,utils&ver=3.4.1 HTTP/1.1" 200 37529 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:21 +0800] "GET /wp-admin/load-scripts.php?c=1&load=admin-bar,hoverIntent,common,jquery-color,wp-ajax-response,wp-lists,quicktags,jquery-query,admin-comments,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,thickbox,plugin-install,media-upload,word-count,jquery-ui-resizable,jquery-ui-draggable,jquery-ui-button,jquery-ui-position,jquery-ui-dialog,wpdialogs,wplink,wpdialogs-popup&ver=3.4.1 HTTP/1.1" 200 56368 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:51 +0800] "GET /wp-includes/images/admin-bar-sprite.png?d=20111130 HTTP/1.1" 200 3999 "http://example.com/wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin&ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:51 +0800] "GET /wp-admin/images/arrows.png HTTP/1.1" 200 494 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:51 +0800] "GET /wp-admin/images/menu-shadow.png HTTP/1.1" 200 131 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:51 +0800] "GET /wp-admin/images/wp-badge.png?ver=20111120 HTTP/1.1" 200 14352 "http://example.com/wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin&ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:52 +0800] "GET /wp-admin/images/white-grad.png HTTP/1.1" 200 210 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:52 +0800] "GET /wp-admin/images/xit.gif HTTP/1.1" 200 182 "http://example.com/wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin&ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:51 +0800] "GET /wp-admin/images/menu.png?ver=20120201 HTTP/1.1" 200 13585 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:52 +0800] "GET /wp-includes/js/thickbox/loadingAnimation.gif HTTP/1.1" 200 5886 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:51 +0800] "GET /wp-admin/images/icons32.png?ver=20111206 HTTP/1.1" 200 13441 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:00 +0800] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 47622 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:03 +0800] "GET /wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:04 +0800] "GET /wp-admin/load-scripts.php?c=1&load=admin-bar,hoverIntent,common,jquery-color&ver=3.4.1 HTTP/1.1" 200 5480 "http://example.com/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:25 +0800] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 48032 "http://example.com/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:28 +0800] "GET /wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:48 +0800] "GET /wp-admin/theme-editor.php?file=404.php&theme=twentyten HTTP/1.1" 200 26759 "http://example.com/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:50 +0800] "GET /wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wp-admin/theme-editor.php?file=404.php&theme=twentyten" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:27:20 +0800] "GET /wp-admin/images/button-grad-active.png HTTP/1.1" 200 284 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:27:20 +0800] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 - "http://example.com/wp-admin/theme-editor.php?file=404.php&theme=twentyten" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:27:58 +0800] "GET /wp-admin/theme-editor.php?file=404.php&theme=twentyten&scrollto=22492&updated=true HTTP/1.1" 200 151535 "http://example.com/wp-admin/theme-editor.php?file=404.php&theme=twentyten" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:28:06 +0800] "GET /wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wp-admin/theme-editor.php?file=404.php&theme=twentyten&scrollto=22492&updated=true" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:01 +0800] "GET /wp-content/themes/twentyten/404.php HTTP/1.1" 200 39291 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=sort_asc HTTP/1.1" 200 85 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_lnk HTTP/1.1" 200 572 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=small_dir HTTP/1.1" 200 498 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_diz HTTP/1.1" 200 1034 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=change HTTP/1.1" 200 290 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_php HTTP/1.1" 200 1125 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=download HTTP/1.1" 200 161 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:05 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=arrow_ltr HTTP/1.1" 200 88 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:05 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_png HTTP/1.1" 200 175 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:05 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_css HTTP/1.1" 200 134 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:05 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_txt HTTP/1.1" 200 132 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:29 +0800] "GET /wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a HTTP/1.1" 200 27424 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:31 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_htaccess HTTP/1.1" 200 117 "http://example.com/wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:32 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_html HTTP/1.1" 200 1125 "http://example.com/wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:30:17 +0800] "GET /wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html HTTP/1.1" 200 7686 "http://example.com/wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:30:20 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_exe HTTP/1.1" 200 118 "http://example.com/wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:30:21 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_gif HTTP/1.1" 200 175 "http://example.com/wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:30:21 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_ini HTTP/1.1" 200 134 "http://example.com/wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:30:21 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_rtf HTTP/1.1" 200 164 "http://example.com/wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:31:14 +0800] "POST /wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html%2F HTTP/1.1" 200 11608 "http://example.com/wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:33:28 +0800] "GET / HTTP/1.1" 200 3336 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:34:25 +0800] "GET /wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html%2F HTTP/1.1" 200 11597 "http://example.com/wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
Now what baffles me is that, according to the logs, they all seem to have logged in directly to WordPress as if they knew the password (since there’s only one login attempt in line 16 above). This is true even for sites that have only been up for one day, and the passwords are not simple ABCs.
It is also worth noting that only accounts with WordPress installed were defaced. Normal HTML-only sites on the same server were not defaced. And while it’s possible that there are key-loggers on client stations, it certainly doesn’t make sense, as the hacker could’ve simply used cPanel instead of going to all the trouble in WP.
Given these facts, how can a hacker log in to WordPress and succeed on one attempt?
EDIT:
I found this in the log too, but this is coming from the server’s IP, not the hacker’s. What’s interesting is that the “Alexa Toolbar” phrase is the same as in this script I found: http://pastebin.com/raw.php?i=hcvPE8YV
[01/Aug/2012:14:22:47 +0800] "POST /wp-login.php HTTP/1.1" 200 3266 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)"
[01/Aug/2012:14:22:48 +0800] "GET /wp-admin/theme-editor.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)"
[01/Aug/2012:14:22:48 +0800] "GET /wp-login.php?redirect_to=http%3A%2F%2Fexample.com%2Fwp-admin%2Ftheme-editor.php&reauth=1 HTTP/1.1" 200 2187 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)"
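One way to check a raw access log for this chain automatically, as an added example (not code from the original post): it parses Apache combined-format lines, groups them by client IP, and flags an IP that logs in, saves a file through theme-editor.php, and then requests a theme PHP file directly with a query string, also reporting how many failed logins preceded the success. The sample log, IPs and times are constructed to mirror the quoted log.

```python
import re
from collections import defaultdict

# Apache combined log format, the same layout as the quoted log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A theme PHP file fetched directly with a query string: theme files are
# normally only included by WordPress, never requested like this by browsers.
THEME_PHP_RE = re.compile(r"^/wp-content/themes/[^/]+/[^/?]+\.php\?")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines):
    """Flag, per client IP, the chain: successful login (POST /wp-login.php -> 302),
    theme-editor save (POST theme-editor.php -> 302), direct theme-file request.
    A POST to /wp-login.php answered with 200 means the form was re-rendered,
    i.e. a failed login; those before the first 302 are counted."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        logins = [r for r in recs if r["method"] == "POST" and r["path"] == "/wp-login.php"]
        ok = [i for i, r in enumerate(logins) if r["status"] == 302]
        if not ok:
            continue
        failed_before = sum(1 for r in logins[:ok[0]] if r["status"] == 200)
        saves = [r for r in recs if r["method"] == "POST"
                 and r["path"] == "/wp-admin/theme-editor.php" and r["status"] == 302]
        direct = [r["path"] for r in recs if THEME_PHP_RE.match(r["path"]) and r["status"] == 200]
        if saves and direct:
            findings[ip] = {
                "failed_logins_before_success": failed_before,
                "login_success_at": logins[ok[0]]["ts"],
                "theme_file_saves": len(saves),
                "direct_theme_requests": direct,
            }
    return findings


# Constructed sample modelled on the quoted log (IPs and times are made up).
UA = "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
SAMPLE_LOG = [
    f'203.0.113.5 - - [01/Aug/2012:14:23:02 +0800] "GET /wp-login.php HTTP/1.1" 200 2171 "-" "{UA}"',
    f'203.0.113.5 - - [01/Aug/2012:14:24:13 +0800] "POST /wp-login.php HTTP/1.1" 302 - "http://example.com/wp-login.php" "{UA}"',
    f'203.0.113.5 - - [01/Aug/2012:14:25:00 +0800] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 47622 "http://example.com/wp-admin/" "{UA}"',
    f'203.0.113.5 - - [01/Aug/2012:14:27:20 +0800] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 - "http://example.com/wp-admin/theme-editor.php?file=404.php&theme=twentyten" "{UA}"',
    f'203.0.113.5 - - [01/Aug/2012:14:29:29 +0800] "GET /wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F HTTP/1.1" 200 27424 "http://example.com/wp-content/themes/twentyten/404.php" "{UA}"',
    # A legitimate editor who mistyped the password once and never used the theme editor.
    f'198.51.100.9 - - [01/Aug/2012:15:01:10 +0800] "POST /wp-login.php HTTP/1.1" 200 3266 "http://example.com/wp-login.php" "{UA}"',
    f'198.51.100.9 - - [01/Aug/2012:15:01:30 +0800] "POST /wp-login.php HTTP/1.1" 302 - "http://example.com/wp-login.php" "{UA}"',
    f'198.51.100.9 - - [01/Aug/2012:15:01:31 +0800] "GET /wp-admin/ HTTP/1.1" 200 52163 "http://example.com/wp-login.php" "{UA}"',
]

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against the real log with `analyze(open("access.log").read().splitlines())`; a flagged IP whose failed-login count is zero is exactly the "right on the first try" case the question describes.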
You kinda answered your own question there, although you probably don’t realize it. But I’ll go ahead and make it explicit for you.
Important point to understand: This is a completely automated attack. Once you grasp that and the implications of it, then the answer is clear.
Firstly, the initial attack vector won’t be in your http logs, because that’s not the way they got in. They either accessed your server directly, or accessed the MySQL server directly. Either way, a false user was created on the site, or the admin password was changed directly using SQL commands.
After this, the login and injection of the script via the theme-editor was entirely automated. What you’re seeing is the “payload” portion of the attack.
Scripted attacks like this consist of three phases:
The actual attack, which gains them some form of access to the system. In some cases, this may be manual, but in most cases it’s done through an automated process which tries lots of attacks rapidly, until any of them succeeds.
Escalation, where the attack exploits the initial entry point in order to gain a higher level of privileges. For example, an SQL injection exploit can be used to create a new user in the database, and this can then be exploited to gain access to the PHP, which can be used to run arbitrary code.
Payload injection, where the escalated privileges are used to insert the payload. Usually spamming code or other pre-built crap.
The point being that each of these phases is mostly independent from the next one. You’re only seeing the last step in your logs here. The attacker gained immediate access to your site because the script knew the password already. The password was modified or access was gained via some other means.
And yes, sometimes this approach means that exploits run in stupid ways. It has to do with the automated script-kiddie nature of the systems being used. I’ve seen an attack where an FTP account was exploited, a PHP file was uploaded, the PHP file modified WordPress installations it found, and then the WordPress installs were used to inject spam into themes. The fact that the initial attack allowed directly injecting any PHP desired didn’t matter; the attacking system was wired to proceed in a specific process, even if most of the process was useless in some cases.