
[resolved] What do they want to exploit and how to stop it (8 posts)

  1. SickSquirrel
    Member
    Posted 6 months ago #

    I just looked through my 404 Monitor results for today. I saw about 130 entries where they looked for a file. Each entry was a different theme but the same file. I need to know what it does, how it can be exploited (so y'all can patch) and if I can disable (rename) it if I don't want uploads by anyone.

    The URL is http://www.domain.com/wp-content/themes/theme-name/functions/upload-handler.php

    I'm assuming it allows uploads to the site and the upload is an exploit of some type.

  2. catacaustic
    Member
    Posted 6 months ago #

    WordPress themselves can't do much about that. It looks like it's a direct attempt to hack an insecure upload, and most likely from a particular vendor. Can you give a couple of examples of the theme folders that you're seeing?

    As far as security goes, as long as your theme/themes don't have that file, then you don't need to worry. You'll only ever serve out the 404 pages, which may not seem like the best idea, but it at least tells the wanna-be hackers that your site doesn't have those files. If your theme/themes do have that file, contact the theme's author for more advice.

  3. wplamp
    Member
    Posted 6 months ago #

    I did a quick search for the file they're looking for and found this.

    http://www.exploit-db.com/exploits/29946/

  4. SickSquirrel
    Member
    Posted 6 months ago #

    Thanks. If my theme has it, can I rename it?

  5. catacaustic
    Member
    Posted 6 months ago #

    You can, but it might break something. If it was me, I'd move to a different theme (from a different provider as it seems like that exploit is fairly wide-spread) so that I don't have any chance of this issue. Just renaming a file can work for a short time - until the bots find the new file anyway.

  6. SickSquirrel
    Member
    Posted 6 months ago #

    Oh I don't use their themes. In the back of my mind I'm concerned that this might snowball to all themes and all are vulnerable.

    What this does do is remind me to list all my original themes and child themes and their originator. This way I have a quick reference when theme exploits are discovered.

  7. catacaustic
    Member
    Posted 6 months ago #

    It's that particular file that's vulnerable, so unless the theme uses that code, that vulnerability isn't relevant to the theme.

    That's not saying that every theme that doesn't use that script is safe, it only means that it doesn't have that particular vulnerability. :)

  8. SickSquirrel
    Member
    Posted 6 months ago #

    I just ran through each wp-content directory on each site. None has the /functions folder so I'm definitely sure I'm okay.

    I know it's the file, not the theme that is vulnerable. I just meant the theme is dangerous because it has that file. If these themes use a particular exploit, it might unknowingly be in others. There should be a repository for every theme. In case of an exploit, every theme listed could be tested.

    If I had my server like I used to, I'd donate a partition to this cause. In theory it's a good idea. You just need space, bandwidth, a security expert, empty machine to test themes, more security experts who know Linux, Ubuntu, Apple and other OS as well as the patience to deal with it all.

    You just need that :)
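
The check and the theme list described in this thread can be scripted. The following is an added example, not part of the original posts: it walks `wp-content/themes` under a WordPress root, reads each theme's `style.css` header for its author and parent theme, and flags any theme that contains `functions/upload-handler.php`. The sample install (`example-site`, `sample-parent`, `sample-child`, `Example Vendor`) is constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# File the probes in this thread ask for, relative to each theme directory.
PROBED_FILE = Path("functions") / "upload-handler.php"
# style.css header fields: theme name, originator, parent theme (set by child themes).
HEADER_RE = re.compile(r"^[ \t/*#@]*(Theme Name|Author|Template):(.*)$", re.I | re.M)

def read_headers(style_css: Path) -> dict:
    """Return the Theme Name / Author / Template header fields of a style.css."""
    try:
        text = style_css.read_bytes()[:8192].decode("utf-8", errors="replace")
    except OSError:  # missing or unreadable style.css
        return {}
    found = {}
    for key, value in HEADER_RE.findall(text):
        found.setdefault(key.lower(), value.strip(" \t\r*/"))  # first match wins
    return found

def inventory(wp_root: Path) -> list:
    """List each installed theme, its originator, and whether the probed file exists."""
    rows, themes_dir = [], wp_root / "wp-content" / "themes"
    if not themes_dir.is_dir():
        return rows
    for theme in sorted(p for p in themes_dir.iterdir() if p.is_dir()):
        hdr = read_headers(theme / "style.css")
        rows.append({
            "site": wp_root.name,
            "theme": theme.name,
            "author": hdr.get("author", "?"),
            "parent": hdr.get("template", ""),  # non-empty for child themes
            "has_probed_file": (theme / PROBED_FILE).is_file(),
        })
    return rows

def build_sample(base: Path) -> Path:
    """Constructed sample: a parent theme that ships the file and a clean child theme."""
    themes = base / "example-site" / "wp-content" / "themes"
    (themes / "sample-parent" / "functions").mkdir(parents=True)
    (themes / "sample-child").mkdir(parents=True)
    (themes / "sample-parent" / PROBED_FILE).write_text("<?php // placeholder\n")
    (themes / "sample-parent" / "style.css").write_text("/*\nTheme Name: Sample Parent\nAuthor: Example Vendor\n*/\n")
    (themes / "sample-child" / "style.css").write_text("/*\n Theme Name: Sample Child\n Template: sample-parent\n*/\n")
    return base / "example-site"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in inventory(build_sample(Path(tmp))):
            print("REVIEW" if row["has_probed_file"] else "ok    ", row)
```

To use it on real sites, call `inventory()` with the path of each WordPress install; a child theme whose parent is flagged should be reviewed as well, since it loads the parent's files.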
