mail-spam relay over 3.0.1 POST exploit ? (base64_decode eval decrypt)
For a few weeks now, I have had a few WordPress blogs misused as spam relays. With Apache mod_log_post I’ve now been able to catch the complete POST request, and here is what it looks like (cf. below). This request here sends spam to a gmail.com account.
To prevent this, I had to add these lines to the .htaccess:
<Limit POST>
order deny,allow
deny from all
</Limit>
(but this also prevents editing).
Is this a known issue? I saw some similar posts in the archives from about 1-2 years ago, but nothing really similar, and nothing for the current 3.0.1 version.
I’m still trying to find where in the WP code this ‘file’ variable is decoded and included, but no success yet. Maybe you will have a better idea?
Regards,
Olivier (managing the server, not the wp-setups)

1) “raw” POST request:
[Code moderated as per the Forum Rules. Please don’t re-post any hack code.]
2) Decoded request:
[Code moderated as per the Forum Rules. Please don’t re-post any hack code.]
Thank you for your past orders with our company. We strive to improve our services and provide best delivery experience for your purchases.
Please remember to place your orders on our new site. Once you get there please add it to your bookmarks for future reference.
With kind regards,
Support Team
“.$fullname.”
“.$address.”
“.$city.”, “.$state.” “.$zipcode.”, “.$country;
##########################################################
[Code moderated as per the Forum Rules.]
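A defensive check for the kind of request described in the post above, added here as an example (it is not code from the thread or from WordPress): it scans captured POST bodies for form fields whose value base64-decodes to PHP-like code. The function names, the marker list and the sample bodies are assumptions constructed for illustration, and the input is assumed to be the raw URL-encoded body, since the page does not show the logged format.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote

# PHP calls that should never appear inside a decoded form field (assumed list).
PHP_MARKERS = re.compile(rb"\b(eval|base64_decode|mail|assert|system)\s*\(", re.I)
# Only values that look like a base64 run of some length are worth decoding.
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")


def decode_layers(value, max_depth=3):
    """Yield each successive base64-decoded layer of a parameter value."""
    for _ in range(max_depth):
        # Form decoding turns an unescaped '+' into a space; undo that, drop newlines.
        candidate = "".join(value.replace(" ", "+").split())
        if not B64_SHAPE.match(candidate):
            return
        try:
            raw = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            return
        yield raw
        value = raw.decode("latin-1")


def suspicious_params(post_body):
    """Return [(param, marker)] for fields that decode to PHP-like code."""
    hits = []
    for name, value in parse_qsl(post_body, keep_blank_values=True):
        for layer in decode_layers(value):
            match = PHP_MARKERS.search(layer)
            if match:
                hits.append((name, match.group(1).decode().lower()))
                break
    return hits


# Constructed sample bodies (inert placeholder, not the moderated request).
INERT_PAYLOAD = b"eval(base64_decode($_POST['x'])); /* constructed placeholder */"
SAMPLE_BAD = "file=" + quote(base64.b64encode(INERT_PAYLOAD).decode()) + "&action=1"
SAMPLE_OK = "author=olivier&comment=" + quote("Nice post, thanks!")

if __name__ == "__main__":
    print(suspicious_params(SAMPLE_BAD))
    print(suspicious_params(SAMPLE_OK))
```

Run over logged bodies, a hit identifies the parameter to trace in the site's PHP files, which is narrower than denying every POST.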
- The topic ‘mail-spam relay over 3.0.1 POST exploit ? (base64_decode eval decrypt)’ is closed to new replies.