• I just saw a large increase of email being sent on my mail server. It was by a company called

    Br4|n Baba Inc

    They uploaded a file to my Wp-Content/Uploads folder called

    kimabanking.php

    and were able to send out over 5000 messages before I caught it.

    I searched the forum and didn’t see anything posted so I figured I would just let people know about it.

    Here is the IP address that I blacklisted that was associated with the exploit.

    41.155.114.66

    Not sure if this will ever help anyone, but figured it was worth letting people know about it.

Viewing 2 replies - 1 through 2 (of 2 total)
  • James Huff (@macmanx), Volunteer Moderator

    It’s a common hack technique. Your /wp-content/uploads/ directory probably has its permissions set to 777, which is writeable by everyone. The hack in question scours an exploited server (only one account needs to be exploited to compromise the entire server) for directories with 777 permissions to hide the file in.

    Setting the permissions of the directory to 755 should prevent that in the future, but WordPress may no longer be able to upload to the directory under certain server configurations.

    If you are running Apache, consider uploading an .htaccess file to the /wp-content/uploads/ directory with this line:

    php_value engine off

    This will disable the PHP interpreter for all PHP files in /wp-content/uploads/ and its subdirectories.

  • The topic ‘WordPress 3.0 email exploit’ is closed to new replies.
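
An audit for the three conditions raised in the replies above (world-writable directories, PHP files sitting in uploads, and no `engine off` in the directory's `.htaccess`), as an added example that is not from any poster in the thread. It assumes Apache with mod_php; the function names and report labels are hypothetical, and the extension list goes slightly beyond the single `.php` file in the original post.

```shell
#!/bin/sh
# Audit a WordPress uploads directory for the conditions described in this thread.
# Function names and report labels are hypothetical (added example).

# Directories writable by "other" (mode 777 and similar), one per line.
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Files with extensions that Apache is commonly configured to hand to PHP.
php_files() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) -print
}

# Succeeds if the directory's own .htaccess switches the PHP engine off.
engine_disabled() {
    [ -f "$1/.htaccess" ] &&
        grep -Eiq '^[[:space:]]*php_(value|flag)[[:space:]]+engine[[:space:]]+(off|0)' \
            "$1/.htaccess"
}

# Print one line per finding; return 0 when clean, 1 otherwise.
audit_uploads() {
    report=$(
        world_writable_dirs "$1" | sed 's/^/WORLD-WRITABLE-DIR /'
        php_files "$1" | sed 's/^/PHP-FILE /'
        engine_disabled "$1" || echo "PHP-ENGINE-ON $1"
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: sh audit_uploads.sh /path/to/wp-content/uploads
[ "$#" -eq 0 ] || audit_uploads "$1"
```

The non-zero exit status on any finding makes the script usable from cron or a monitoring check. Only the `.htaccess` at the top of the given directory is inspected.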