WordPress security issue – upload webscript

  • Resolved itmonitor

    (@itmonitor)


    Hello,

    We have a WordPress.org website hosted in a KVM. We noticed that we suffer regularly from unauthorized uploads of script exploits (copied below), that use the WordPress files admin-post.php and admin-ajax.php to upload those scripts.

    I deleted the exploit files from the server. I set (again) the WordPress folders to 755 and files to 644. I wonder if there is anything you can do to avoid those WordPress files to be used to upload exploits into a server.

    Looking forward to your reply,

    Rgs

    IM

    Web referer URL :
    Local IP : xxx
    Web upload script user : nobody (99)
    Web upload script owner: xxxxxx (1001)
    Web upload script path : /home/xxxxxx/public_html/wp-admin/admin-ajax.php
    Web upload script URL : http://xxxxxxx/wp-admin/admin-ajax.php
    Remote IP : 205.185.123.173 FrantechSolutions
    Deleted : No
    Quarantined : No

    ----------- SCAN REPORT -----------
    TimeStamp:
    (/usr/sbin/cxs --nobayes --cgi --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --noforce --html --mail root --options mMOLfSGchexdnwZDRru --qoptions Mv --quiet --sizemax 1000000 --smtp --ssl --summary --sversionscan --timemax 30 --nounofficial --novirusscan /tmp/20180917-015445-W59BpduidjdfatuYgCKlMwAAABg-file-2LHfFB)

    '/tmp/20180917-015445-W59BpduidjdfatuYgCKlMwAAABg-file-2LHfFB'
    Known exploit = [Fingerprint Match] [RFI Exploit [P1419]]

Viewing 9 replies - 1 through 9 (of 9 total)
  • milardovich

    (@milardovich)

    Do you have a list of your active plugins you could provide us? The admin-ajax.php file is used by several plugins to send ajax requests, so it could be one of your third-party plugins sending a jQuery or ajax request to a custom method which could be unsafe.
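
Added example, not part of the reply above and not WordPress project code: a coarse audit that lists the handlers plugins register behind admin-ajax.php and admin-post.php and ranks files that handle uploads without a nonce or capability check. The sample PHP is constructed, the per-file heuristic and risk labels are assumptions, and a standard wp-content/plugins layout is assumed.

```python
import re
import sys
from pathlib import Path

# Hooks dispatched by admin-ajax.php (wp_ajax_*) and admin-post.php (admin_post_*).
# Hook names built at runtime ('wp_ajax_' . $x) are not matched by this pattern.
HOOK_RE = re.compile(r"""add_action\(\s*['"]((?:wp_ajax|admin_post)(_nopriv)?_[\w-]+)['"]""")
# Upload handling or file writes, and the usual nonce / capability checks.
WRITE_RE = re.compile(r"\$_FILES|move_uploaded_file|wp_handle_upload|file_put_contents")
GUARD_RE = re.compile(r"check_ajax_referer|check_admin_referer|wp_verify_nonce|current_user_can")

# Constructed sample plugin sources (not taken from any real plugin).
SAMPLE_UNSAFE = r"""<?php
add_action('wp_ajax_nopriv_demo_upload', 'demo_upload');
add_action( "wp_ajax_demo_upload", 'demo_upload' );
function demo_upload() {
    move_uploaded_file($_FILES['f']['tmp_name'], WP_CONTENT_DIR . '/uploads/' . $_FILES['f']['name']);
}
"""
SAMPLE_GUARDED = r"""<?php
add_action('admin_post_demo_save', 'demo_save');
function demo_save() {
    check_admin_referer('demo_save');
    if (!current_user_can('manage_options')) { wp_die(); }
}
"""

def audit_source(php, name="<inline>"):
    """Return one finding per handler hook registered in this PHP source text."""
    writes = bool(WRITE_RE.search(php))    # file-level signal, not per function
    guarded = bool(GUARD_RE.search(php))   # any guard anywhere in the file
    findings = []
    for m in HOOK_RE.finditer(php):
        nopriv = m.group(2) is not None    # *_nopriv_* hooks run for logged-out visitors
        if writes and not guarded:
            risk = "high" if nopriv else "medium"
        else:
            risk = "review" if nopriv else "low"
        findings.append({"file": name, "hook": m.group(1), "unauthenticated": nopriv, "risk": risk})
    return findings

def audit_tree(root):
    """Audit every .php file under root, e.g. wp-content/plugins."""
    return [f for p in sorted(Path(root).rglob("*.php"))
            for f in audit_source(p.read_text(errors="replace"), str(p))]

if __name__ == "__main__":
    rows = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else audit_source(SAMPLE_UNSAFE, "sample")
    for r in rows:
        print(f"{r['risk']:6} {r['hook']}  ({r['file']})")
```

Run it against the plugins directory and match the reported hook names to the `action` parameter of the admin-ajax.php requests in the web server's access log.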

    Moderator Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    itmonitor

    (@itmonitor)

    @milardovich thank you. Please, is there a way I can send the plugin list to you through Private Message?

    Moderator Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    No there is not a way you can private message and attempting to do so is not allowed. You’re asking for help on a public forum. If you want help then you need to use the forum.

    itmonitor

    (@itmonitor)

    @anevins thank you Andrew. Listing publicly the WordPress plugins installed in my server would bring security risks. Do you have any option to keep this list confidential?

    Moderator Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Nope

    itmonitor

    (@itmonitor)

    Thank you. Seems like there could be a vulnerability in WordPress or in one plugin that could be in use by many WordPress.org users and bringing them potential risk (data, information, whatever). I am trying to help find out this vulnerability and eliminate it. If there is anybody from WordPress security reading this thread and to whom I can send a PM or email with my plugins list, I am ready to cooperate. Thank you.

    • This reply was modified 10 months ago by  itmonitor.
    Moderator Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    There is nothing confidential or vulnerable about listing your plugins, but it matters not. You are hacked and you need to work through the recommended articles to delouse your site. Looking through infected plugins after you’ve been hacked isn’t the way to do that.

    If you’ve missed my reply, here it is again:
    Follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    You have not demonstrated an issue with WordPress core; Edit: Or in a plugin or theme.

    milardovich

    (@milardovich)

    @itmonitor unfortunately this is a community-driven forum and we do not offer any private messaging feature, since it would lose its essence. The links @anevins provided are very complete, but if you think you are blocked and can’t clean it properly I would highly recommend you to look for some professional help, there are a lot of security experts out there like the companies Andrew named before.

  • The topic ‘WordPress security issue – upload webscript’ is closed to new replies.