Hacked - Someone has added files to my server (4 posts)

  1. Alex Cragg
    Posted 8 years ago #

    I just logged onto my FTP and saw that a folder has been added to my WordPress folder, and it is from a corresponding 404 I got earlier today.

    For the 404, the referrer was listed as libwww-perl/5.803.

    My wp install is CHMOD 755.

    Nothing has changed on my site.

    The folder that has been put onto my server just contains more folders, no files.

    What can I do to stop this happening again, and am I OK to just delete this folder straight up?


  2. whooami
    Posted 8 years ago #

    That's a remote file inclusion attack.

    The referer is not libwww-perl/5.803. That's the user-agent. It means they used a script. Nothing else, nothing more.

    Are you using randshop?

    PHP 5 mitigates this risk substantially.
    Turn register_globals to OFF.
    Use mod_security.
    Disallow allow_url_fopen if you're still using PHP 4.

  3. Alex Cragg
    Posted 8 years ago #

    No I'm not, I have other e-commerce on the same host, but not on this domain. What else could be causing the vulnerability? The details talk of index.php, but my index.php is just the standard wp-blog-header include, nothing else.

    You're right, in my haste to post I didn't realise it was the user agent, not referrer.

    Thanks for the speedy reply.

    Edit: OK, just seen your edit, not too hot on server configuration. I'm still on PHP 4, where should I be putting that line?

    Plus, deleted the folder, nothing happened to my site, so that's a plus!

  4. whooami
    Posted 8 years ago #

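    Here's another quick fix; this won't eliminate the problem completely as some of these script kiddies have caught on and are now adjusting the UA:

    In your .htaccess, disallow that user-agent.

    # Return 403 to any request whose User-Agent contains "libwww-perl".
    # No [OR] on the last RewriteCond: a trailing OR makes the rule match every request.
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} libwww-perl [NC]
    RewriteRule ^.* - [F]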


    If I were you, I would be going through my files, trying to locate what I have installed that uses that variable, if anything. If you go through your files and see that that variable isn't being used ANYWHERE, then chances are that THAT log entry doesn't correspond to the actual successful attack.

    Use wingrep (google it) and search **all** your files for that variable above.

    I'm off to work, but if you need help email me -- I'm unbusy at work for the next 12 or so hours.
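
Added example, not code from the thread or from either poster: a Python sketch of the audit suggested in the last reply. It goes one step further than grepping for a single variable by first pulling, from the access log, every query parameter whose value is a remote URL, then listing the PHP lines that read that name. The log lines, the parameter names `page_dir` and `inc`, and the host `remote.example` are constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines in Apache combined format (not taken from the thread).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2008:13:55:36 +0000] "GET /index.php?page_dir=http://remote.example/c.txt? HTTP/1.1" 404 512 "-" "libwww-perl/5.803"',
    '198.51.100.4 - - [10/Oct/2008:13:56:01 +0000] "GET /?p=12 HTTP/1.1" 200 9120 "http://example.org/" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2008:14:02:11 +0000] "GET /shop/view.php?inc=ftp%3A%2F%2Fremote.example%2Fx HTTP/1.0" 200 40 "-" "Mozilla/4.0"',
]

REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.I)
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\b", re.I)


def remote_url_params(log_lines):
    """Map each query parameter whose decoded value is a remote URL to its log lines."""
    hits = {}
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
            if REMOTE_URL.match(value):  # parse_qsl has already percent-decoded it
                hits.setdefault(name, []).append(line)
    return hits


def variable_uses(root, names):
    """List (file, line_no, name, in_include) for PHP lines that read one of the names.

    Matches $name (set from the URL when register_globals is on) and
    ['name'] as used with $_GET / $_POST / $_REQUEST.
    """
    found = []
    for path in sorted(Path(root).rglob("*.php")):
        lines = path.read_text(errors="replace").splitlines()
        for no, text in enumerate(lines, 1):
            for name in names:
                n = re.escape(name)
                if re.search(r"\$%s\b|\[\s*['\"]%s['\"]\s*\]" % (n, n), text):
                    rel = path.relative_to(root).as_posix()
                    found.append((rel, no, name, bool(INCLUDE.search(text))))
    return found


if __name__ == "__main__":
    params = remote_url_params(SAMPLE_LOG)
    print("parameters carrying remote URLs:", sorted(params))
    for hit in variable_uses(".", params):
        print(hit)
```

The third sample line uses a browser-style User-Agent and still gets flagged, which is why matching on the parameter value catches requests that a User-Agent block alone would let through.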
