Possible security issue with my server (22 posts)

  1. mcangeli
    Member
    Posted 9 years ago #

    I don't know if it's a hole in WordPress, gallery or my passwords in general, but someone gained access to my server and added a bank login to my domain. I wanted to send out a heads up to everyone out there, keep an eye on your domains. I'm working with my host to find out how it was done.

    Mark

  2. oriecat
    Member
    Posted 9 years ago #

    Someone else posted recently about it happening to them too. Scary. How did you find it?

  3. mcangeli
    Member
    Posted 9 years ago #

    The DOD called me. (Honest to God)

  4. mcangeli
    Member
    Posted 9 years ago #

    And it's odd, the washington folder was added in my web root, which makes me think it was wordpress.

  5. the washington folder was added in my web root, which makes me think it was wordpress.

    Ummm...... how so?

  6. michaelc
    Member
    Posted 9 years ago #

    I'd have to think that the folder being added to your web root indicates an insecure server, not an issue with WP.

  7. MJ
    Member
    Posted 9 years ago #

    Hmm. Seems I'm not the only one http://wordpress.org/support/topic.php?id=26488. My host is currently trying to track down what happened. Not trying to yell FIRE but taking a peek at the raw access logs and it looks to this untrained eye like someone was able to access the wordpress directory and managed to glean a password?

    Any of this make sense to anyone? The same IP first pulled the whole /wp directory then I see this about 25 times in a row then the same (three requests) for the wp-admin.php file

    [07/Mar/2005:00:54:11 -0500] "GET /wp/wp-pass.php HTTP/1.1" 302 5 "-" "Java/1.4.2_04"

    4 minutes later is the time stamp of the first of 15 spam posts, with no requests in between... I just want to find out what happened so I can plug the hole.

    cross posted at:
    http://wordpress.org/support/topic.php?id=26488
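
The pattern MJ describes above (one client, a library user agent, the same file requested many times in a row) can be pulled out of an Apache combined-format access log automatically. This is an added example, not part of the original thread; the IP addresses, the sample lines, the list of scripted agents and the thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
# Agents that are HTTP libraries rather than browsers (assumed list, extend as needed).
SCRIPTED_AGENT = re.compile(r'^(Java/|libwww|curl|Wget|Python)|^-?$', re.I)

def find_bursts(lines, threshold=5, window=timedelta(minutes=2)):
    """Return (ip, path, count, first, last) for each scripted client that
    requested one path at least `threshold` times within `window`."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not SCRIPTED_AGENT.search(m["agent"]):
            continue  # unparseable line, or ordinary browser traffic
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[(m["ip"], m["path"])].append(ts)
    findings = []
    for (ip, path), stamps in sorted(hits.items()):
        stamps.sort()
        start, best = 0, (0, None, None)
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, stamps[start], ts)
        if best[0] >= threshold:
            findings.append((ip, path, *best))
    return findings

def _line(ip, clock, path, agent):
    return f'{ip} - - [07/Mar/2005:{clock} -0500] "GET {path} HTTP/1.1" 302 5 "-" "{agent}"'

# Constructed sample shaped like the post: 25 wp-pass.php hits, then 3 wp-admin.php hits.
SAMPLE = (
    [_line("203.0.113.7", f"00:54:{s:02d}", "/wp/wp-pass.php", "Java/1.4.2_04") for s in range(11, 36)]
    + [_line("203.0.113.7", f"00:54:{s:02d}", "/wp/wp-admin.php", "Java/1.4.2_04") for s in range(40, 43)]
    + [_line("198.51.100.20", "00:55:02", "/wp/index.php", "Mozilla/5.0 (Windows; U)")]
)

if __name__ == "__main__":
    for ip, path, count, first, last in find_bursts(SAMPLE):
        print(f"{ip} requested {path} {count}x between {first} and {last}")
```

The `last` timestamp of a finding is the value to compare against the time of the first unwanted post or file change when building a timeline for the host.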

  8. Jinsan
    Member
    Posted 9 years ago #

    Er...scary indeed....let me know when to abandon ship, or if there's a fix I might swab the decks.

  9. NuclearMoose
    Member
    Posted 9 years ago #

    What other applications do you have running on your server?

    I think you should be coming to the forum AFTER you have checked out everything with your host. At this point, you are simply crying wolf without having all of the facts at hand.

  10. MJ
    Member
    Posted 9 years ago #

    Sorry if I offended NM, I thought this was a support forum for an application I'm having problems with. I tend to respond better to suggestions and solutions rather than admonishments. Not all of us are mavens.

    Back to the issue at hand - could it possibly be a permissions problem? i.e. the famous 5 minute install for 1.5 (I used fantastico to install) doesn't set permissions correctly? I'm just trying to figure out what went wrong.

  11. michaelc
    Member
    Posted 9 years ago #

    MJ, your story is different from mcangeli's - you had someone making posts, he had someone uploading a phishing folder at the root level of his server - the only similarity is that you both had your sites hacked.

  12. MJ
    Member
    Posted 9 years ago #

    My apologies, that came off harsher than I intended. Just a tad frustrated is all.

  13. NuclearMoose
    Member
    Posted 9 years ago #

    MJ,
    Apologies accepted. Not a big deal. I can certainly understand your frustration as well as the angst of wondering what happened. It's just that it's very important to have all the facts in hand so that we can accurately determine if WordPress actually does have a vulnerability. Otherwise conjecture takes over and misinformation begins flying all over the place.

  14. MJ
    Member
    Posted 9 years ago #

    Here's what I've done:

    Added an .htaccess file to the /wp directory. Changed all permissions to what I *think* they should be (see: http://wordpress.org/support/topic.php?id=21139#post-120173 ) as well as changed all passwords (ftp/cpanel/wp login). If it happens again - I am at a loss, but you'll be the first to know :)

  15. mcangeli
    Member
    Posted 9 years ago #

    NM, I'm running wordpress and gallery. Those are the only scripts on this site. That being said, before I came here, I went to my host. I changed all passwords on the scripts, ftp and even my login with my host.

    I posted on this site to see if anyone was aware of any holes in the wordpress system. I'm fairly certain that it wasn't a problem of an insecure server and I honestly do not appreciate the subject of this post being changed (it made it harder to find, as I was looking for the topic I POSTED).

    I'm working with my host. I'm checking on the gallery script, which resides in gallery/. The folder that was created was created in my webroot. As I said, the only thing immediately there is the wordpress code. I'm attempting to get any and all available logs from my host, however that's proving a little harder than I had hoped.

  16. mcangeli
    Member
    Posted 9 years ago #

    As another note, I have asked them to check for a root kit as well.

    And if you read the original message:

    I don't know if it's a hole in WordPress, gallery or my passwords in general, but someone gained access to my server and added a bank login to my domain. I wanted to send out a heads up to everyone out there, keep an eye on your domains. I'm working with my host to find out how it was done.

    Mark

    I didn't cry fire. I said keep an eye on your sites, I'm still working on what the cause was.

  17. NuclearMoose
    Member
    Posted 9 years ago #

    I honestly do not appreciate the subject of this post being changed (it made it harder to find, as I was looking for the topic I POSTED).

    Sorry you feel that way. I honestly don't appreciate people making unsubstantiated claims of security problems when they don't have all the facts. So we agree to disagree.

    You can access all of your own posts quickly by using the VIEW YOUR PROFILE link at the top of the page.

  18. mcangeli
    Member
    Posted 9 years ago #

    Again, I said I didn't know if it was wordpress, gallery or a password issue in general. My point of the post was to let people know that somehow someone accessed my server and I was working on figuring out how it was done.

    And I wasn't aware that the posts were listed under the view profile page (shows you how many times I've looked at my profile on here...) so thank you for that. It's good to know.

  19. mcangeli
    Member
    Posted 9 years ago #

    Well, my host has said it's an issue with a script. Now to narrow it down to which script.

  20. davidchait
    Member
    Posted 9 years ago #

    Yes, definitely keep us posted here!

    -d

  21. mcangeli
    Member
    Posted 9 years ago #

    I think it's narrowed down to an issue with gallery.
    http://gallery.menalto.com/index.php?name=PNphpBB2&file=viewtopic&t=24669&highlight=hacked

    Anyone running v1.4.4-pl4 is advised to upgrade to the latest stable release.

    The gallery guys are still working on it.

  22. mcangeli
    Member
    Posted 9 years ago #

Topic Closed

This topic has been closed to new replies.