• I have a WordPress site hosted on a CloudLinux server, and for some reason malicious scripts were uploaded to my .cagefs/tmp folder by a bot.

    File timestamps and the following log timestamps match exactly, so I’m puzzled how a hack/exploit for Joomla (afaik) worked on a WP install?

    70.35.202.197 - - [03/Mar/2016:03:02:50 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 200 0 "-" "BOT/0.1 (BOT for JCE)"
    
    70.35.202.197 - - [03/Mar/2016:03:02:58 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 200 0 "-" "BOT/0.1 (BOT for JCE)"
    
    70.35.202.197 - - [03/Mar/2016:03:03:13 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 200 0 "-" "BOT/0.1 (BOT for JCE)"
    
    70.35.202.197 - - [03/Mar/2016:03:03:21 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 200 0 "-" "BOT/0.1 (BOT for JCE)"
Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator bcworkz

    (@bcworkz)

    Hmmm, the inner workings of servers are outside of my primary knowledge base, but AFAIK, when someone submits a form with a file field, that file is immediately uploaded to /tmp. The only limitation is size. It’s what happens after that makes the difference. Without a script to move the file from /tmp to a normal location, the file should eventually be deleted. Even when it exists, the /tmp folder is (should/must be) not executable, so there is no risk there.

    If I’m mistaken, someone please clarify.

    Thread Starter mordaru

    (@mordaru)

    Thanks for the response.

    Weird thing is, the files weren’t deleted until I removed them manually several hours later when my scanner found them. It’s important to note that the responses were 200 (OK) so I’m assuming the requests had completed thus the tmp files must have been deleted? What could have caused them to remain?

    Moderator bcworkz

    (@bcworkz)

    I would posit that if you were to set up a simple form with a file upload field that POSTs the exact same request, the response would also be 200, along with the normal index or front page of your site. The file POSTed along with that would remain in /tmp.

    Unless you have a plugin that would respond to one of those query strings, they would just be ignored. Unfortunately, there’s no way to know what other data was POSTed along with the file. Another exploit could have been lurking there.

    A script would only delete the file if it was expecting file data in the first place. I suppose in a way it’s a good sign that it remained, indicating the POST data was ignored.

    My understanding is Linux systems normally only flush /tmp when restarted, but hosts run CRON jobs periodically to clean out /tmp since their O/S is rarely restarted. What that period is would be host dependent. It’s possibly only once a day, so ignored files could linger there for quite some time.
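A small log-triage script, added here as an example and not part of the thread, that flags the JCE image-manager probe requests quoted above by parsing the query string and User-Agent of each access-log line; the sample lines are constructed in the same combined log format (the second one is ordinary traffic that must not be flagged).

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the combined log format quoted in the thread;
# the second line is ordinary traffic and must not be flagged.
SAMPLE_LOG = """\
70.35.202.197 - - [03/Mar/2016:03:02:50 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 200 0 "-" "BOT/0.1 (BOT for JCE)"
203.0.113.5 - - [03/Mar/2016:03:04:02 -0500] "GET /wp-login.php HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
70.35.202.197 - - [03/Mar/2016:03:04:10 -0500] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 200 0 "-" "BOT/0.1 (BOT for JCE)"
"""

# ip ident user [ts] "method target proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    status: int
    reasons: tuple  # why the line was flagged

def classify(line: str) -> Optional[Hit]:
    """Return a Hit if the line looks like a JCE imgmanager probe, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m["target"]).query)
    reasons = []
    # Joomla JCE image-manager request shape; meaningless on a WordPress install
    if qs.get("option") == ["com_jce"] and qs.get("plugin") == ["imgmanager"]:
        reasons.append("jce-imgmanager-query")
    # The scanner's self-identifying User-Agent seen in the thread
    if "BOT for JCE" in m["ua"]:
        reasons.append("jce-bot-ua")
    return Hit(m["ip"], m["ts"], int(m["status"]), tuple(reasons)) if reasons else None

def scan_log(text: str) -> list:
    return [h for h in map(classify, text.splitlines()) if h]

def hits_per_ip(hits: list) -> dict:
    """Count flagged requests per source IP, for reviewing a block list."""
    counts: dict = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts
```

Point `scan_log` at a real access log to list every such probe together with its status code; a 200 with a zero-byte body, as in the thread, means the request reached index.php but nothing handled it.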


The topic ‘Bot for JCE able to upload malicious file to up-to-date WordPress site’ is closed to new replies.