[Security Hole] Wp 2.6.1 with besucher.txt (8 posts)

  1. wetgraphique
    Member
    Posted 5 years ago #

    dear matt, i have experienced a security hole in wordpress 2.6.1.

    someone has installed a file called besucher.txt in the root of the blog.

    plugins active:

    Akismet 2.1.8
    Flash Tag Cloud 0.4
    Flexo Archives 1.0.12
    Get Recent Comments 2.0.2
    Highlight Author Comments 1.0.3
    ShareThis 2.3
    Snazzy Archives 0.5.2
    Subscribe To Comments 2.1.2
    WP-Cumulus 1.13
    WP-DBManager 2.31
    WP-PostRatings 1.31
    WP-PostRatings Widget 1.31
    WP Auto Tagger 1.3.1
    WP Super Cache

    inactive plugins:
    cforms 8.7
    WP-chgFontSize 1.6
    WP-OpenID 2.2.2
    Hello Dolly 1.5

    posted on the forum but no replies.

    please excuse me for posting here, but i think this could be important.

    marco infussi

  2. wetgraphique
    Member
    Posted 5 years ago #

    another question: can it be related to the tags used in my template?
    what if i use tags for older versions?

    i surely do not use deprecated tags.

    these are other discussions, but nothing in there:
    http://wordpress.org/support/topic/175671?replies=2
    http://wordpress.org/support/topic/131264?replies=6

  3. Roy
    Member
    Posted 5 years ago #

    What makes you think this is a WP related thing? As far as I can tell, you can also have folders with too many permissions and somebody put a file in it. Doing a Google search for besucher.txt results in many hits and not just WP sites. In most cases the file itself contains a string of numbers and symbols. But if you can read German, did you also read this little tutorial? It teaches how to count visitors and it uses a besucher.txt to do just that.
    But maybe somebody turned it into a hack.

  4. wetgraphique
    Member
    Posted 5 years ago #

    i have read that tutorial yet.

    it is surely related to wp.
    i have only wp installed in that site, as it is my playground for testing. it is not an official webspace.

    permissions are in control. as no-one (as long as this is not a security hole) can write to the root of a shared server.

  5. ClaytonJames
    Member
    Posted 5 years ago #

    permissions are in control. as no-one (as long as this is not a security hole) can write to the root of a shared server.

    Maybe your WordPress permissions are within your control and correct, but unless you have absolute control over a shared server (is such a thing possible?), how do you know the server itself or another site(s) on that server has not been compromised? Or possibly even your FTP account information? There are far more possibilities than just the fault of WordPress. So many variables... Corruption through plugin vulnerabilities, introducing a threat by installing a template with pre-existing exploit code, (ever come across huge blocks of base64 encoding in the functions.php of a theme?) or using insecure versions of software or add-ons while putting off an upgrade. There are so many other things to check in addition to WordPress. I hope you get to the bottom of it. If you find that you really do have a WordPress issue, please be sure to share it with the developers before putting it out in the open.

    This guide might help.

    http://codex.wordpress.org/Reporting_Bugs#Reporting_security_issues

    Best of luck to you!

  6. wetgraphique
    Member
    Posted 5 years ago #

    dear clayton james, please, don't think i'm not that noob :) !

    - shared server is not compromised
    - other sites on the shared server can surely be compromised, but it is not possible that someone writes only a file in -that- wordpress folder, without writing something elsewhere.
    - my ftp account is ok without doubt.
    - i think there is such a plugin vulnerability, this is the reason why i listed plugins installed.
    - template is written by me. it does not contain exploit code, at least not before i have gone completely rotten. i know very well those encoded blocks.

    i have checked all the variables possible, be sure.
    as i don't write a request like that in a forum, if i can solve it by myself. i wrote because, after one day of proofing logs and every line of code, i'm still clueless.

    m

  7. Roy
    Member
    Posted 5 years ago #

    I can still hardly imagine that this is a WP issue. Putting files on your server can (as far as I know) not be done by PHP commands. The only way to put a file on your server is misuse of your FTP account or of course an FTP function in WP (but the image uploader writes to an image folder) or a plugin and I don't think I see a plugin with FTP or upload functionality in your list.
    I'm sure you also checked your access logs? Don't they tell you something?
    Does the timestamp of the besucher.txt perhaps give a clue?

    And just out of curiosity, what does the file do actually? And did you read the (what I expect to be) code of it?

    I don't really have an idea either, but maybe my rantings will give you some ideas to look at.
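
The access-log and timestamp check suggested in the post above, as an added example that is not part of the original thread: it lists the requests logged within a few minutes of the file's modification time and puts successful POST/PUT requests first. It assumes Apache/Nginx "combined" log format; the log lines, IP addresses, plugin path and timestamp are constructed sample data.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def mtime_of(path):
    """Timezone-aware mtime of a file. mtime can be reset by whoever wrote
    the file, so treat it as a lead, not as proof."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def requests_near(log_lines, file_mtime, window_minutes=5):
    """Return requests within +/- window of file_mtime, successful writes first."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - file_mtime) <= window:
            hits.append({
                "time": ts, "ip": m["ip"], "method": m["method"],
                "path": m["path"], "status": int(m["status"]),
                # a 2xx POST/PUT is the first thing to read in detail
                "suspect": m["method"] in ("POST", "PUT")
                           and m["status"].startswith("2"),
            })
    return sorted(hits, key=lambda h: (not h["suspect"], h["time"]))

# Constructed sample data (hypothetical plugin path, documentation IP ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Sep/2008:14:01:10 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Sep/2008:14:03:42 +0200] "POST /wp-content/plugins/example-plugin/handler.php HTTP/1.1" 200 17 "-" "-"',
    '198.51.100.7 - - [02/Sep/2008:14:04:05 +0200] "GET /besucher.txt HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.7 - - [02/Sep/2008:16:30:00 +0200] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
SAMPLE_MTIME = datetime(2008, 9, 2, 14, 3, 43, tzinfo=timezone(timedelta(hours=2)))

if __name__ == "__main__":
    for h in requests_near(SAMPLE_LOG, SAMPLE_MTIME):
        print(h["time"], h["ip"], h["method"], h["path"], h["status"], h["suspect"])
```

On a live site, pass `mtime_of("besucher.txt")` and the lines of the server's access log instead of the sample values.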

  8. ClaytonJames
    Member
    Posted 5 years ago #

    dear clayton james, please, don't think i'm not that noob :) !

    Not at all. I never implied that you were. I offered areas of concern for investigation, that although very basic, need to be ruled out in the course of any analysis involving suspected compromise. I know nothing about your hosting environment, or the extent of your knowledge, or what you have or have not already done. The fact that you are asking for help indicates the need for such. Being a linear thinker myself, of course I thought to offer up the very basics first. Telling us that you choose to use a shared hosting environment simply reinforced my impression of your possible need for basic or "beginner" assistance. That's all. Very simple, no insult intended. My sincere apologies if you mistook it for such.

    - my ftp account is ok without doubt.
    - i think there is such a plugin vulnerability, this is the reason why i listed plugins installed.
    - template is written by me. it does not contain exploit code

    Sounds to me like you are making progress. I'm sure you will figure it out. You sound like a sharp person.

    Best wishes.

Topic Closed

This topic has been closed to new replies.
