[wp-hackers] [Full-disclosure] Possible Code Execution vulnerability in WordPress ?
Marc Manthey
marc at let.de
Sun Jul 3 11:33:06 UTC 2011
Hello list,

I have been using WordPress for 2 years without any trouble and update regularly, but last Friday I got a mail from my hoster that someone "uploaded" a phishing script into my "upload folder". After I found out that the "contact form" module might have caused the problem, because I always found a "wpcf7_captcha" directory in my "upload folder", I removed the module and all went fine.

Today I got another mail from rsa.com that the same script is still on my site, just in a "theme" folder.

I looked into the installed "phishing script" http://www.2shared.com/file/M9zwMVr5/www1royalbankcom.html

It seems everything is loaded from https://www1.royalbank.com/, for example https://www1.royalbank.com/common/images/english/logo_rbc_rb.gif, but this is not the original banking site!!

Is this a DNS manipulation? https://www1.royalbank.com < ??? When I try http://www.royalbank.com it redirects me to the original banking site at http://www.rbcroyalbank.com !!!!

After I searched for some information, I found this on the full disclosure list, and I am a bit concerned now....

[Full-disclosure] Code Execution vulnerability in WordPress http://seclists.org/fulldisclosure/2011/Apr/535

Any idea what to do?

Cheers
Marc
>>
>>
>> -------- Original Message --------
>> Subject: Fraudulent site, please shut down! [RBC 11266] IP:
>> 91.184.33.25 Domain: let.de
>> Date: Sun, 3 Jul 2011 02:33:05 +0300
>> From: <afcc at rsa.com>
>> To: <abuse at speedpartner.de>
>> CC: <metz at speedpartner.de>
>>
>> Dear Sir or Madam,
Second attempt:
>>
>> http://let.de/wp-content/themes/twentyten/www1.royalbank.com/index.html
First attempt:
> http://let.de/wp-content/uploads/2011/www1.royalbank.com/index.html
-- Les enfants teribbles - research / deployment
Marc Manthey- Vogelsangerstrasse 97
50823 Köln - Germany
Tel.:0049-221-29891489
Mobil:0049-1577-3329231
blog: http://let.de
twitter: http://twitter.com/macbroadcast/
facebook : http://opencu.tk
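A defensive check for the situation in this post, added here as an example (it is not from the original mail or from WordPress): a Python script that walks wp-content/uploads and wp-content/themes and flags non-media files under uploads as well as any file sitting inside a directory named like a hostname, which is how the reported www1.royalbank.com folders were laid out. The wp-content tree and the www1.example-bank.com directory name are constructed sample data.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions legitimately expected under wp-content/uploads (media and documents only).
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg", ".pdf", ".mp3", ".mp4", ".zip"}
# A directory named like a hostname (www1.example-bank.com) is a common phishing-kit layout.
HOSTNAME_DIR = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def scan_wp_content(wp_content):
    """Walk uploads/ and themes/ under wp-content; return sorted (reason, posix path) findings."""
    root = Path(wp_content)
    findings = []
    for area in ("uploads", "themes"):
        base = root / area
        if not base.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(base):
            rel_dir = Path(dirpath).relative_to(root)
            in_host_dir = any(HOSTNAME_DIR.match(part) for part in rel_dir.parts)
            for name in files:
                rel = (rel_dir / name).as_posix()
                if in_host_dir:
                    findings.append(("file inside hostname-like directory", rel))
                elif area == "uploads" and Path(name).suffix.lower() not in MEDIA_EXTS:
                    # uploads/ should hold media only; .php or .html there is web-servable code.
                    findings.append(("non-media file in uploads", rel))
    return sorted(findings, key=lambda f: f[1])


def build_sample_tree():
    """Constructed wp-content tree (not a real site): clean files plus two planted kit folders."""
    root = Path(tempfile.mkdtemp(prefix="wp-content-"))
    clean = ["uploads/2011/07/photo.jpg", "uploads/wpcf7_captcha/1234.png",
             "themes/twentyten/style.css", "themes/twentyten/index.php"]
    suspicious = ["uploads/2011/www1.example-bank.com/index.html",
                  "themes/twentyten/www1.example-bank.com/index.html",
                  "uploads/2011/07/upload.php"]
    for rel in clean + suspicious:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample\n")
    return root


if __name__ == "__main__":
    for reason, path in scan_wp_content(build_sample_tree()):
        print(f"{reason}: {path}")
```

The wpcf7_captcha directory only holds generated image files, so it is not reported; point the scanner at a real wp-content directory to compare against a known-good file list.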