
Exploits that allow hard file editing and file uploading? (5 posts)

  1. zalienjoe
    Member
    Posted 3 years ago #

    I've been experiencing one hell of an issue, and I've been told that it is not the integrity of my leased server, but rather an exploit in WordPress.

    Here's what happens....

    1. A JPG file is uploaded into /themes/. This JPG is actually a redirect script with a .jpg extension. Then a theme file, usually header or footer, is edited to hold the embed code for the image. This is not an SQL inject, it's a hard edit to the file.

    or

    2. A JS file will be edited with the redirect script inserted.

    Can someone please advise me on how a WordPress exploit would allow someone to upload to the WordPress theme directory and also edit theme files? Again though, it's not an SQL inject as in dynamically pulling the payload. It's a hard edit.

    What route would this attack be taking without gaining FTP access?

  2. cubecolour
    ɹoʇɐɹǝpoɯ
    Posted 3 years ago #

    Who told you it is not the server but a fault with WordPress? There have been a few instances of hosting companies trying to pass the buck, where the problem has subsequently been found to be due to lax security on their servers.

    What theme are you using? Did you obtain it from the WordPress.org free themes directory or if it is a paid theme did you obtain it from the original author or elsewhere?

  3. zalienjoe
    Member
    Posted 3 years ago #

    Hey, thanks for the reply. The support team at my host told me it wasn't a system issue. They cited that 3 of my domains were running WordPress versions not up to date, and the others were up to date. They told me that any versions before x.x.x (I forget which version they quoted, but earlier than 3) were exploitable.

    However, the exploit continually takes place about once or twice a week (probably a bot attack) on a domain that IS and HAS BEEN up to date and with which I've implemented htaccess restrictions throughout. Checked all chmod levels etc.

    As I stated, I'm not aware of a WordPress exploit that allows manipulation of files. Perhaps I'm wrong, but all WordPress exploits could do is inject payloads in the db right? I'm trying to figure that out. I'm trying to figure out what route this hack is taking to gain access to modify my files and whether or not it could do so without FTP access.

    I've looked through the logs. I have found some questionable POST activity coming from China. I've since blocked several IPs. However, if this is a server security issue, I don't think these attacks are going to be in the log files I'm provided with...

    I was hoping somebody could confirm or point out their experience with such an exploit and possible methods to prevent it. I've found a few posts about similar hacks, and I've followed the suggested remedies to no avail.

    As for the skin, it's custom. I don't use free or premium skins. I have 2 plugins. I will be removing them, as I'm not sure if they are the issue or not either.

    I've combed my DB and found nothing suspicious. I'll be migrating it soon with a new prefix (was already a custom prefix) to a fresh install and changing all of the credentials. In theory, if it's not a server issue that should fix it and prevent any future attacks, right?

    I could speculate, though, that if it is a server issue, it would be more likely that all domains on my server would be attacked. So, I don't really know.
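The two symptoms the thread describes (a script saved under a .jpg name in the theme directory, and a theme PHP/JS file edited in place) are both things a file-level check can catch, whatever the entry route turns out to be. The script below is an added example for this thread, not code from the poster, the forum, or WordPress itself: it snapshots a theme directory's SHA-256 hashes after a clean deploy, diffs the tree against that snapshot, and flags image files whose bytes are not an image as well as PHP/JS files carrying typical redirect markers. The theme path, the marker list, and the sample files it builds in a temporary directory are all constructed for the example.

```python
"""Added example (not from the forum thread): a small integrity and content
scanner for a WordPress theme directory. Paths, marker patterns and the
sample files written in demo() are constructed for illustration."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Leading bytes a genuine file of each type must start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Markers that have no business inside a static image (constructed list).
SCRIPT_MARKERS = re.compile(rb"<\?php|<script|<iframe|eval\s*\(", re.IGNORECASE)

# Markers typical of a redirect or encoded loader injected into a theme file.
# Legitimate themes may use some of these, so hits are triage leads, not proof.
INJECT_MARKERS = re.compile(
    rb"<iframe|document\.location|window\.location|eval\s*\(|"
    rb"base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(",
    re.IGNORECASE,
)

CODE_SUFFIXES = {".php", ".js", ".html"}


def is_fake_image(path: Path) -> bool:
    """True if the file has an image extension but does not start with the
    matching magic bytes, or carries script/PHP markers in its body."""
    magics = IMAGE_MAGIC.get(path.suffix.lower())
    if magics is None:
        return False
    data = path.read_bytes()
    if not any(data.startswith(m) for m in magics):
        return True
    return bool(SCRIPT_MARKERS.search(data))


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256.
    Store this off the server after a clean deploy and diff against it later."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff_manifest(root: Path, baseline: dict) -> dict:
    """Report files added, modified or removed since the baseline snapshot."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "removed": sorted(set(baseline) - set(current)),
    }


def scan_theme(root: Path) -> dict:
    """Content checks that work even without a baseline: fake images and
    PHP/JS/HTML files containing redirect-style markers."""
    findings = {"fake_images": [], "injected_code": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        suffix = p.suffix.lower()
        if suffix in IMAGE_MAGIC and is_fake_image(p):
            findings["fake_images"].append(rel)
        elif suffix in CODE_SUFFIXES and INJECT_MARKERS.search(p.read_bytes()):
            findings["injected_code"].append(rel)
    return findings


def demo() -> dict:
    """Build a constructed theme tree, snapshot it, simulate the two symptoms
    from the thread with placeholder content, and return what the checks see."""
    tmp = Path(tempfile.mkdtemp())
    theme = tmp / "wp-content" / "themes" / "custom"
    theme.mkdir(parents=True)
    (theme / "header.php").write_bytes(b"<?php wp_head(); ?>\n<html><head></head>\n")
    (theme / "footer.php").write_bytes(b"<?php wp_footer(); ?>\n</body></html>\n")
    (theme / "script.js").write_bytes(b"console.log('theme ready');\n")
    (theme / "logo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # real JPEG header
    baseline = build_manifest(theme)

    # Simulated tampering (constructed placeholders, not real payloads): a
    # "JPG" that is really text, and a footer edited to embed a frame.
    (theme / "banner.jpg").write_bytes(b"<?php /* placeholder */ ?>")
    with (theme / "footer.php").open("ab") as fh:
        fh.write(b'<iframe src="http://example.invalid/" width="0"></iframe>\n')

    result = {"diff": diff_manifest(theme, baseline), "findings": scan_theme(theme)}
    shutil.rmtree(tmp)
    return result


if __name__ == "__main__":
    print(demo())
```

In practice, take the baseline right after a clean install and keep it somewhere the web server cannot write; rerun the diff from cron and alert on any change to files that a normal site does not touch. The content markers will hit legitimate themes that use iframes or `window.location`, so treat those as leads for a manual look rather than confirmation. None of this tells you the entry route; that still comes from correlating the file timestamps with the POST activity in the access logs.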

  4. zalienjoe
    Member
    Posted 3 years ago #

    Just wondering if anyone has experience on what route this type of exploit would take. Anyone?

    I really need to track this down! I'm stumped currently...

  5. esmi
    Forum Moderator
    Posted 3 years ago #

This topic has been closed to new replies.