[wp-testers] Re: wp-testers Digest, Vol 29, Issue 10

Mon Jul 30 10:21:10 GMT 2007

Hi all,

I'm not sure what does this mean, my host reported a hacking attempt.
I am using 2.2 instead of the latest version but I'll post it just in
case it applies to the current versions, does it help?

Could someone intepret for me if it is a valid hacking attempt?

Below in the email:

We need to inform you that your hosting account for example.sg has
been hacked and used to send spam to other Internet users.

To prevent further abuse of your account and the server, we have
disabled the following location on your account:

home/example/www/www/wp-admin

Here is how the hackers have exploited your account:

200.89.188.195 - - [29/Jul/2007:17:52:27 -0400] "GET
/wp-admin/plugin-editor.php?file=hello.php HTTP/1.1" 200 6366
"http://example.sg/wp-admin/plugin-editor.php" "Mozilla/5.0 (Windows;
U; Windows NT 5.1; es-AR; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5"

200.89.188.195 - - [29/Jul/2007:17:52:29 -0400] "GET
/wp-admin/plugin-editor.php?file=hello.php HTTP/1.1" 200 5939
"http://example.sg/wp-admin/plugin-editor.php" "Mozilla/5.0 (Windows;
U; Windows NT 5.1; es-AR; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5"

200.89.188.195 - - [29/Jul/2007:17:52:36 -0400] "POST
/wp-admin/plugin-editor.php HTTP/1.1" 302 5
"http://example.sg/wp-admin/plugin-editor.php?file=hello.php"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.8.1.5)
Gecko/20070713 Firefox/2.0.0.5"

200.89.188.195 - - [29/Jul/2007:17:52:36 -0400] "GET
/wp-admin/plugin-editor.php?file=hello.php&a=te HTTP/1.1" 200 13087
"http://example.sg/wp-admin/plugin-editor.php?file=hello.php"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; es-AR; rv:1.8.1.5)
Gecko/20070713 Firefox/2.0.0.5"

As you can see, the hacker uploaded a spam tool to your webspace to
send out spam.

We have deleted the offensive uploaded by the hacker:

home/example/www/www/wp-content/plugins/hello.php

Please upgrade any third party software you are using on your account
to the latest versions. Also, if you are using any custom scripts,
please secure them as soon as possible.

When you are ready to secure your account, please contact us, and we
will enable the access to the disabled directory.

On 7/24/07, wp-testers-request at lists.automattic.com
<wp-testers-request at lists.automattic.com> wrote:
> Send wp-testers mailing list submissions to
>         wp-testers at lists.automattic.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.automattic.com/mailman/listinfo/wp-testers
> or, via email, send a message with subject or body 'help' to
>         wp-testers-request at lists.automattic.com
>
> You can reach the person managing the list at
>         wp-testers-owner at lists.automattic.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of wp-testers digest..."
>
>
> Today's Topics:
>
>    1. fancy permalinks broken in IIS? (Lloyd Budd)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 23 Jul 2007 14:25:11 -0700
> From: "Lloyd Budd" <lloydomattic at gmail.com>
> Subject: [wp-testers] fancy permalinks broken in IIS?
> To: wp-testers at lists.automattic.com
> Message-ID:
>         <70ebb7140707231425r6614bf49k6e5b7e5f5e61a8b at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi testers,
>
> Anyone have a IIS environment to investigate?
> #4513 fancy permalinks broken in IIS?
> in 2.2.1
> http://trac.wordpress.org/ticket/4513
>
> Thank you,
> --
> Lloyd Budd | Digital Entomologist | | Skype:foolswisdom
> WordPress.com | WordPress.org | Automattic.com
>
>
> ------------------------------
>
> _______________________________________________
> wp-testers mailing list
> wp-testers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-testers
>
>
> End of wp-testers Digest, Vol 29, Issue 10
> ******************************************
>

-- 

This e-mail is provided "AS IS" with no warranties, and confers no rights.