WordPress.org



Security Alert? A7A php mailer (21 posts)

  1. dworsky
    Member
    Posted 8 years ago #

    I moved my WordPress blog to a new host last week, installing it by hand since Fantastico did not at the time have version 2.0.2.

    Today, when using FTP, I noticed a new directory had been added to the root of that domain (in public_html) called A7A. At first I thought it was a plugin. When I looked at the text file there, it appeared to be a php mailer of some sort.

    I feel that someone/something has hacked into my directory to add this program, which presumably would be used to send spam.

    I deleted the A7A directory, but wonder if there is some additional protection I need to add, without compromising the functionality (writeability) of my blog. Permissions on the public_html directory are: drwxr-xr-x

    Or is this a security flaw that WordPress needs to investigate?

    Thanks,

    Edgar

  2. Mark (podz)
    Support Maven
    Posted 8 years ago #

    I would doubt this, but I would certainly change every password you use on that domain without delay.
    Have you alerted your host?

  3. resiny
    Member
    Posted 8 years ago #

    I don't think this is a WordPress security flaw. Sounds more like an issue with your host or your passwords.

  4. petit
    Member
    Posted 8 years ago #

    I agree with podz, and just want to add that it could be something your web host puts in your document tree, for example as a proxy for your mail.
    Check with your host if this is something normal.

  5. dworsky
    Member
    Posted 8 years ago #

    I have checked with the hosting company, and they thought it was a security exploit in WordPress 2.0.2.

    I will change my password.

    Edgar

  6. resiny
    Member
    Posted 8 years ago #

    Just curious: what hosting company are you using?

  7. charle97
    Member
    Posted 8 years ago #

    Just curious: what hosting company are you using?

    looks like site5

  8. NuclearMoose
    Member
    Posted 8 years ago #

    dworsky said:
    I have checked with the hosting company, and they thought it was a security exploit in WordPress 2.0.2.

    On what did they base this conclusion? I find it highly irresponsible for people to post crap like this when there are no facts to substantiate such a claim. If your host thinks that there is a legitimate flaw, then they should act upon it for the safety of their own servers and ensure that they have gathered every scrap of information and then pass it along to security@wordpress.org .

    If they simply blow this off as a WP security flaw and do nothing more about it, then they are not the kind of host I would ever use.

  9. dworsky
    Member
    Posted 8 years ago #

    I posted my problem in a public customer to customer forum at Site5... and the quasi-moderator of the forum was the one who replied. I am not even sure if he is a paid employee.

    He said:

    "Sounds like you found a wordpress exploit. The odds are the hacker will be back.

    Those open source scripts . . .

    There are only so many solutions:

    1) wordpress plugs the hole and you apply the update
    2) you plug the hole (if you are good at coding)
    3) remove the script

    directories should be chmod 755.
    "

    I really *do* like Site5 and don't know what they could/should do.

    Edgar

  10. Mark (podz)
    Support Maven
    Posted 8 years ago #

    This is NOT a WordPress exploit.

    If it is, tell Site5 to post in this forum that it is not their fault at all. They cannot do that - because it IS their fault.

  11. Samuel Wood (Otto)
    Tech Ninja
    Posted 8 years ago #

    I posted my problem in a public customer to customer forum at Site5... and the quasi-moderator of the forum was the one who replied. I am not even sure if he is a paid employee.

    Given his post, I'd take anything he says with a grain of salt. He's just making stuff up as he goes along.

    While he is correct that it is theoretically possible that it's a WP exploit (because any PHP script can have an exploit in it), this is unlikely for many reasons:
    - No currently known exploits exist for the latest versions
    - There have not been a large amount of hacked WP blogs recently, which you would expect if somebody found a real exploit

    More to the point, if he is somebody in a position where he could investigate the matter, clearly he has not done so and simply blamed WordPress. That's not the kind of response you want from a hosting provider. Yeah, if I got that sort of response, I'd drop the host like a bad habit. If they're not concerned about security, then I don't want them to have my business.

    I really *do* like Site5 and don't know what they could/should do.

    What they SHOULD do is actually investigate instead of talking out their ass about it being a WP exploit. If it is a real exploit, then they should find out what the exploit is and tell the world, like any good netizen. If it's not an exploit, then even suggesting that that is what it is is downright irresponsible and, yes, possibly criminal.

    In any case, I'm adding Site5 to my own list of "hosts not to do business with".

    As for his comments on Open Source, you might tell him that the forum he's posting on is not open source, but that it is "visual source", meaning hackers can see the code to it as well. For that matter, the webserver hosting his forum runs Apache, which *is* open source. As is all other software that comprises the very backbone of the whole bloody internet. He uses open source software every single day, as does everybody else on the planet. So his comments about Open Source are not only fairly stupid, but ignorant of the facts as well.

    For anybody who feels like commenting on this on their forums, you can find the actual post here: http://forums.site5.com/showthread.php?t=10297

  12. lhk
    Member
    Posted 8 years ago #

    Hi,

    A good host can literally "see" what venue was exploited to hack an account. It's a bit of work though, and many are too lazy to do that.

    I'm lucky insofar as my reseller account sits with a host who is anything but lazy. Their safety measures are great to start with, but during those very few instances over the past 4-5 years that a site got hacked, they could precisely pinpoint which was the fault and venue and even name the file and precise entry method.

    It usually was indeed a script not updated in spite of a security warning; they didn't blame the script either, nor did they take down any accounts, they just politely asked to have the script updated. But it sure helps to get a precise point of entry and filename.

    So, I recommend a better host.

  13. dworsky
    Member
    Posted 8 years ago #

    I maybe should have saved the files that I found in my public_html area in the folder a7a... but I deleted the whole thing, thinking it was bad (and it probably was).

    Uninformed me would think this makes it almost impossible for my host, Site5, to do any detective work at this point.

    Edgar

  14. Samuel Wood (Otto)
    Tech Ninja
    Posted 8 years ago #

    dworsky: They can examine the server's log files, if they have a clue. But it sounds like they don't. Regardless, if they can't tell you how their servers got hacked, do you really want them to be managing your servers?

  15. davidchait
    Member
    Posted 8 years ago #

    Reposting my post to the site5 forum. I've tweaked the content a bit... ;)

    WordPress is pretty darn secure. Note that the forums at site5 are community forums, NOT a tech-support forum. You should open a ticket IMMEDIATELY with site5's support team, and have them dig into this further. Any discussion here as to whether 'site5 looked into it' is premature, as they haven't...

    You should also download your access logs and take a look yourself. If it's something via the web, it should show in the logs.

    It's important to note that WP 2.0.2 is pretty darn secure, no known exploits at this time. HOWEVER, you could have plugins, or other scripts, that you are making use of that aren't completely secured.

    I've double-posted this in both forums to make sure it gets read. Definitely ALWAYS open a >support ticket< and make sure support looks into a breach. I don't think it is WP just on the surface, needs investigation by techs. Forums are almost never the route to actual support staff at most 'real' sites.

    -d

  16. Mark (podz)
    Support Maven
    Posted 8 years ago #

    "If your host genuinely believes that WordPress has a vulnerability that they have discovered they owe it to the wider community to submit that information - without delay - to security@wordpress.org. Until then, it's entirely their problem."

    and if it IS a WP problem - why is it on THEIR fantastico?

  17. dworsky
    Member
    Posted 8 years ago #

    I tried to view the ftp logs without much success, and then finally did get to see logs of activity (but I don't know that they were ftp logs).

    Below is a sample from the log I was able to access:

    196.204.154.141 - - [12/May/2006:04:51:39 -0400] "POST /a7a/ HTTP/1.1" 200 7656 "http://www.mouseprint.org/a7a/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    196.204.154.141 - - [12/May/2006:04:51:42 -0400] "GET /a7a/ima.jpg HTTP/1.1" 304 - "http://www.mouseprint.org/a7a/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    196.204.154.141 - - [12/May/2006:04:51:42 -0400] "GET /a7a/images/success.gif HTTP/1.1" 304 - "http://www.mouseprint.org/a7a/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    ==========

    Several different IP addresses accessed the A7A subdirectory, but this one seemed to come up the most.

    Tech support at Site5 also said:

    >>Also, I looked at our ftp logs and do not see the A7A directory uploaded via this method which means a security hole was likely used in wordpress to do this. Please check over your access logs for any suspicious requests. <<

    I am over my head at this point in trying to interpret logs... but I thought I would post what has happened based on comments provided here.

    Edgar
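
    The lines Edgar posted are Apache combined-format access log entries, which is what davidchait's "download your access logs and take a look yourself" comes down to. As an added example (not from this thread or from WordPress), here is a small Python script that parses such lines, pulls out every hit on a directory a stock WordPress install would never serve, counts them per client IP (the "this one seemed to come up the most" question) and separates the POSTs, since a mailer script is driven by POST. The sample input reuses the three posted lines; the second client IP and the wp-login line are constructed.

```python
import re
from collections import Counter

# Regex for Apache "combined" log lines, the format of the lines posted above.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line into a dict of fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines, unexpected_dirs=("/a7a/",)):
    """Pick out requests under directories a stock WordPress install would never serve.

    Returns the matching records, a per-IP count of those hits (to see which
    client 'comes up the most'), the POSTs among them (a mailer is driven by
    POST, so those are the send attempts) and the earliest timestamp, which is
    the point to ask the host to check their own logs around.
    """
    hits, by_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # blank or non-matching line: skip, don't crash
            continue
        path = rec["path"].lower()   # /A7A/ and /a7a/ are the same dir on a case-insensitive check
        if any(path.startswith(d) for d in unexpected_dirs):
            hits.append(rec)
            by_ip[rec["ip"]] += 1
    posts = [r for r in hits if r["method"] == "POST"]
    return {"hits": hits, "by_ip": by_ip, "posts": posts,
            "first_seen": hits[0]["time"] if hits else None}

# Sample input: the three lines from the post above, plus two constructed lines
# (a normal wp-login request and a second, made-up client hitting the same directory).
SAMPLE_LOG = """\
196.204.154.141 - - [12/May/2006:04:51:39 -0400] "POST /a7a/ HTTP/1.1" 200 7656 "http://www.mouseprint.org/a7a/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
196.204.154.141 - - [12/May/2006:04:51:42 -0400] "GET /a7a/ima.jpg HTTP/1.1" 304 - "http://www.mouseprint.org/a7a/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
196.204.154.141 - - [12/May/2006:04:51:42 -0400] "GET /a7a/images/success.gif HTTP/1.1" 304 - "http://www.mouseprint.org/a7a/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [12/May/2006:05:02:10 -0400] "GET /wp-login.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2006:05:03:01 -0400] "POST /A7A/ HTTP/1.1" 200 7656 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG.splitlines())
    print("first hit on the dropped directory:", summary["first_seen"])
    for ip, n in summary["by_ip"].most_common():
        print(f"{ip}: {n} requests")
    print("POSTs (mailer invocations):", len(summary["posts"]))
```

    Run it against the real access log with `triage(open("access_log").readlines())`; the "first_seen" time is the window to search for the request that dropped the directory in the first place, which is what the host's FTP logs failed to show.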

  18. Mark (podz)
    Support Maven
    Posted 8 years ago #

    "Dear Site5,
    If you genuinely believe that WordPress has a vulnerability that you have discovered you owe it to the wider community to submit that information - without delay - to security@wordpress.org. Until then, it's entirely your problem.

    And given that you believe WordPress to be flawed should you not withdraw it from fantastico and also close all WordPress accounts on your servers to prevent your servers being used by spammer en masse?"

  19. Dickie
    Member
    Posted 8 years ago #

    Just to note... I am also with site5, and run WordPress (I think I was running version 2.0.1). 3 days ago I had my site hacked (root directory cleaned, and new index.htm added).
    Although the A7A directory was not added, so it is not the same problem, he did seem to create a new subdomain and sub directory. The WP database was also wiped, but none of the wp files were removed/damaged.
    I have now upgraded to 3.0.3, but would love to know how he got in, so it doesn't happen again.
    I have also reported this to site5, and will let you know what they say.

  20. whooami
    Member
    Posted 8 years ago #

    If you were running an older version 3 days ago... well, that answers your question, as today is well over a month beyond 2.03's release.

    In other words, worrying about how they "got in" doesn't matter if you don't keep up with security updates. Simply put, they got in because of your lax web-mastering.

    edited: my bad otto :P

  21. Samuel Wood (Otto)
    Tech Ninja
    Posted 8 years ago #

    1. You replied to a one year old thread.

    Actually, 2 months old.

    But most likely, the guy got in by some other method, not via WordPress. There were a few hacks available for 2.01, but they required special circumstances.

Topic Closed

This topic has been closed to new replies.
