• I have been uploading files (newsletters) on a school website. Last time I tried to do so I got an error message and the site cannot properly upload the letter. I keep getting the link and then a bunch of ./././ something like that. I think somehow a letter or something got deleted from the site’s actual code and I’m not sure where to start looking or what to look for.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Does this have anything to do with WordPress?

    Thread Starter lgutica

    (@lgutica)

    Yeah, I guess.. I just need to know where I can start looking for an error in the actual website code. (I was told that the code is broken somewhere and when I try to upload a page to the site it can’t find the page. So someone might have accidentally deleted a small part of the main code.)

    I’m having a similar issue with uploads all of a sudden… amongst several other strange issues that just popped up last night, like pages disappearing / turning into posts. Here is the URL that the uploader is now inserting:

    http://DOMAIN.COM//../../../../../../../../../../../../../../../../../tmp/140098455_44f1a7149d.thumbnail.jpg

    Like I said… was working for years.. then suddenly after last night I get this.

    lgutica please post a URL

    robc Do you have a working URL? The site in your profile is empty.

    Actually I’ve figured out what’s going on… my site has been exploited… appears to be a script kiddie and an older exploit…

    access log reads

    207.210.112.209 - - [23/Mar/2008:17:18:55 -0700] "HEAD /wp-admin/ HTTP/1.1" 200 - "-" "-"
    [24/Mar/2008:22:28:10 -0700] "POST /wp-admin/options.php HTTP/1.0" 500 1313 "http://agwired.com/wp-admin/options.php" "Opera"
    [24/Mar/2008:22:28:10 -0700] "POST /wp-admin/options.php HTTP/1.0" 302 342 "http://agwired.com/wp-admin/options.php" "Opera"
    [24/Mar/2008:22:28:11 -0700] "POST /wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 500 1219 "http://agwired.com/upload.php?style=inline&tab=upload&post_id=-1" "Opera"
    [24/Mar/2008:22:28:12 -0700] "POST /wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 302 - "http://agwired.com/upload.php?style=inline&tab=upload&post_id=-1" "Opera"
    [24/Mar/2008:22:28:12 -0700] "POST /wp-admin/options.php HTTP/1.0" 500 1293 "http://agwired.com/wp-admin/options.php" "Opera"
    [24/Mar/2008:22:28:13 -0700] "POST /wp-admin/options.php HTTP/1.0" 302 342 "http://agwired.com/wp-admin/options.php" "Opera"
    [24/Mar/2008:22:28:13 -0700] "GET /wp-admin/upgrade.php?step=1 HTTP/1.0" 200 60971 "-" "-"

    That’s where the initial damage was done… and I do have in my possession a 14k php script that was placed in temp, but I am not sure if it was run.

    Rows were altered in my wp_options other than upload path, which led to pages being turned into posts / disappearing from manage page… All of my plugins were deactivated because the offender “activated” this “plugin” and it was listed in options table as the first of all activated plugins… I’m clueless as to how he / she would then access such a “faceless plugin” or whether or not they were able to.. I didn’t catch any calls that “activated” the plugin.. and unfortunately had mysql logging turned off. Not sure what I’m going to do from this point forward?

    Running WordPress 2.3.3

    I’ve found others faced with a similar exploit in a previous version but not this recent version: http://justaddwater.dk/2007/11/15/justaddwaterdk-hacked/
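
An added example, not part of the thread and not WordPress code: a log check for the pattern in the excerpt above (a tight run of POSTs to /wp-admin/options.php and /wp-admin/upload.php), plus a count of `..` segments in an inserted attachment URL. The sample lines, host, IP, thresholds and function names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Timestamp, request line and status; client fields before "[" are optional.
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"\s+(?P<status>\d{3})')
ADMIN_WRITES = {"/wp-admin/options.php", "/wp-admin/upload.php"}

def parse(line):
    """Return (time, method, path, status), or None for an unparseable line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["method"], urlsplit(m["target"]).path, int(m["status"])

def admin_write_bursts(lines, gap=timedelta(seconds=5), min_hits=4):
    """Group POSTs to options.php/upload.php separated by at most `gap`;
    keep groups of min_hits or more that touch both endpoints."""
    posts = sorted(e for e in map(parse, lines)
                   if e and e[1] == "POST" and e[2] in ADMIN_WRITES)
    groups = []
    for ev in posts:
        if groups and ev[0] - groups[-1][-1][0] <= gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return [g for g in groups
            if len(g) >= min_hits and {e[2] for e in g} == ADMIN_WRITES]

def traversal_depth(url):
    """Count '..' path segments in an attachment URL; a normal media URL has none."""
    return urlsplit(url).path.split("/").count("..")

# Constructed sample data (documentation IP and host), modelled on the excerpt above.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Mar/2008:09:00:00 -0700] "POST /wp-admin/options.php HTTP/1.1" 302 342 "-" "Mozilla"',
    '192.0.2.10 - - [24/Mar/2008:22:28:10 -0700] "POST /wp-admin/options.php HTTP/1.0" 500 1313 "-" "Opera"',
    '192.0.2.10 - - [24/Mar/2008:22:28:11 -0700] "POST /wp-admin/upload.php?style=inline&tab=upload&post_id=-1 HTTP/1.0" 302 - "-" "Opera"',
    '192.0.2.10 - - [24/Mar/2008:22:28:12 -0700] "POST /wp-admin/options.php HTTP/1.0" 302 342 "-" "Opera"',
    '192.0.2.10 - - [24/Mar/2008:22:28:13 -0700] "POST /wp-admin/options.php HTTP/1.0" 302 342 "-" "Opera"',
    '192.0.2.10 - - [24/Mar/2008:22:28:13 -0700] "GET /wp-admin/upgrade.php?step=1 HTTP/1.0" 200 60971 "-" "-"',
]
SAMPLE_URL = "http://example.com//../../../tmp/photo.thumbnail.jpg"
if __name__ == "__main__":
    for burst in admin_write_bursts(SAMPLE_LOG):
        print("burst:", burst[0][0].isoformat(), len(burst), "POSTs")
    print("traversal segments:", traversal_depth(SAMPLE_URL))
```

The lone morning POST in the sample is an ordinary settings save and is not reported; only the four POSTs within seconds of each other are.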

    All I know is agwired is a legitimate WordPress site. Perhaps a mod will jump in here with advice.

    Yes hopefully… as I do have more logs / information regarding this exploit attempt and as I didn’t actually intend to post the blog’s URL in my rush to find others dealing with this recent bout of scripted attacks.

  • The topic ‘uploading file to Site (error message, site can not upload file)’ is closed to new replies.