• Resolved cvanbibber

    (@cvanbibber)


    This plugin, according to the techs at Firehost, was the doorway through which we were hacked repeatedly (every night for a week). We had to change hosts from one we paid $6 a month, to one we pay $200 a month, just to figure this out. We’re happy we finally know the reason, but I wonder if we’d simply not used the plugin if we’d never have had problems. Using this unreliable plugin was an expensive mistake. We’ll never experiment with new plugins again.

Viewing 15 replies - 1 through 15 (of 18 total)
  • we have had these accusations many times before
    it would help if you could supply more details – or at least report it so someone can look
    security@wordpress.org

    We had to change hosts from one we paid $6 a month, to one we pay $200 a month, just to figure this out.

    It seems it would have been much more economical to simply enlist/hire the assistance of one qualified individual temporarily, to troubleshoot your security issues and then provide you with a plan of action based on the results before committing to a hosting plan that increased your annual expenses by $2300. Of course, that still may have resulted in a recommendation to get off a shared server. Interesting.

    Plugin Author Thomas Wright

    (@tomdwright)

    Were you running the latest version of the plugin? There were some known remote code execution vulnerabilities in older versions of the plugin, but the current version of the plugin currently uses a blacklist of dangerous file types (which should be complete for most servers but might not work if your configuration varies significantly) and has an option which allows you to whitelist the types of files which are allowed to be uploaded, providing much better security.

    I am sorry you experienced issues, and if you can provide more details, I will look into your problems. However, from time to time, security problems do emerge and care must be taken to make sure your site remains up to date and secure.

    I had the same problem last week (Hacked multiple times)

    I tracked it back to some Malaysian hacking group.

    Apparently the exploit is fairly popular.

    They were somehow uploading PHP files even though PHP files were blacklisted.

    I’ve had to disable the plugin for the time being.

    Plugin Author Thomas Wright

    (@tomdwright)

    I have done some testing and it seems that this exploit relies on a rather naive quirk of Apache’s mod_mime (http://httpd.apache.org/docs/1.3/mod/mod_mime.html#multipleext) so it did not affect my own server and hence I did not see it in my testing. In the upcoming version of the plugin (0.70) I am making multiple changes which should increase the security of the plugin including fixing the bug in the blacklist filter, adding the .phtml filetype to the blacklist, and enabling a whitelist of known safe types as well by default.
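    The multiple-extension quirk and the blacklist-plus-whitelist fix described in the reply above, as an added example that is not code from the plugin or from anyone in this thread: the extension lists and the leading-byte table are assumed, and `upload_rejection` is a hypothetical helper name. It goes one step beyond the fix by also checking the first bytes of the file, which an extension check alone cannot do.

```php
<?php
// Added example, not code from the plugin or from anyone in this thread. Apache mod_mime
// treats every dot-separated segment after the basename as an extension, so a blacklist
// that looks only at the last one lets "x.php.jpg" reach the PHP handler. Lists are assumed.
const UPLOAD_BLACKLIST = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'cgi', 'pl', 'sh', 'htaccess'];
const UPLOAD_WHITELIST = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const UPLOAD_MAGIC = [ // bytes a file of each whitelisted type must start with
    'jpg' => ["\xFF\xD8\xFF"], 'jpeg' => ["\xFF\xD8\xFF"], 'png' => ["\x89PNG\r\n\x1A\n"],
    'gif' => ['GIF87a', 'GIF89a'], 'pdf' => ['%PDF-'],
];

/** All extension segments of $filename, lower-cased: "a.php.jpg" -> ['php', 'jpg']. */
function extension_segments(string $filename): array {
    $parts = explode('.', basename($filename)); // basename() strips any path component
    array_shift($parts);                         // first segment is the name itself
    return array_map('strtolower', $parts);
}

/** Null if the upload may be stored under the web root, otherwise the reason to reject it. */
function upload_rejection(string $filename, string $firstBytes): ?string {
    $segments = extension_segments($filename);
    if ($segments === []) {
        return 'no extension';
    }
    foreach ($segments as $ext) {                // check EVERY segment, not only the last
        if (in_array($ext, UPLOAD_BLACKLIST, true)) {
            return "blacklisted extension .$ext";
        }
    }
    if (count($segments) !== 1) {                // default-on whitelist: exactly one safe type
        return 'multiple extensions are not allowed';
    }
    $ext = $segments[0];
    if (!in_array($ext, UPLOAD_WHITELIST, true)) {
        return "extension .$ext is not whitelisted";
    }
    foreach (UPLOAD_MAGIC[$ext] as $magic) {     // the name claims an image; the bytes must agree
        if (strncmp($firstBytes, $magic, strlen($magic)) === 0) {
            return null;
        }
    }
    return "content does not look like .$ext";
}

// Constructed samples: a real JPEG header, a double extension, .phtml, and text named .jpg.
foreach ([['photo.jpg', "\xFF\xD8\xFF\xE0JFIF"], ['shell.php.jpg', "\xFF\xD8\xFF"],
          ['page.phtml', '<html>'], ['helpp.jpg', 'plain text, not an image']] as [$name, $head]) {
    $why = upload_rejection($name, $head);
    printf("%-14s %s\n", $name, $why === null ? 'allowed' : "rejected: $why");
}
```

    Only the first sample is allowed; the last one shows why a text file saved as .jpg, like the one reported later in this thread, is caught by the byte check and not by the name alone.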

    Plugin Author Thomas Wright

    (@tomdwright)

    I have just released version 0.70 which should prevent this and future similar exploits.

    Thanks …. I have updated to .70

    It works great on one of my blogs, but is not displaying the bottom half of the input box correctly on the other.

    The older version displayed fine before.

    Within minutes of re-activating I got several of these messages via email.

    Yep….. it was another attempted hack.

    Attacker’s Footprint

    Plugin Author Thomas Wright

    (@tomdwright)

    @rednecktexan It looks like they were trying to attack the same flaw which I fixed in 0.70 but it would not have worked even if WordPress Firewall had not detected it because of the updated blacklist and the whitelist which is now enabled.
    The result of attempting to upload that file

    I should be able to look into the other visual issue within the next few days.

    He did get through btw.

    Uploaded something called helpp.jpg

    a text file it appears.

    Plugin Author Thomas Wright

    (@tomdwright)

    Where was it uploaded to? If you post the last few entries in your webserver’s access log then I will be able to see what sort of attack they attempted.

    Plugin Author Thomas Wright

    (@tomdwright)

    As far as I can see from the logs, the attacker attempted to upload 1 file, then went to your home page, and then looked in your uploads folder. They do not then open any file, which suggests that the attempt was unsuccessful (if it was successful, they would have accessed the PHP shell they uploaded from that folder). The Google search which the attacker arrived by also suggests that they are just attempting to use a known exploit rather than perform a targeted attack.

    What is the creation time and location of helpp.jpg? I don’t see anything to suggest that this attempt was successful (at least in the section of logs I have seen) but you might have been compromised another way/time.

    It was uploaded about 21:33 to WP-Contents/uploads/2011/09.

    It happened in between the times that I uploaded the images in the links above.

    At that point, according to the stat counter, there was no one else at the blog but me and him.

    It was labeled Helpp.jpg, but it wouldn’t open as a .jpg. I viewed it as text, then deleted it.

  • The topic ‘Plugin Allowed Access to Hackers’ is closed to new replies.