[wp-testers] **Maybe OT** Hacking Problem In 2.7.1

Paul Robinson pablorobinson at gmail.com
Tue Apr 14 12:29:43 GMT 2009


Hi,

I hope the title is descriptive enough & I think it's a little off topic so
I've added that.

Basically, for the last 2, maybe 3, weeks I've had stability problems with my
website. I assumed it was down to server problems & asked my host to check
it out. Apparently there were no problems. Then the site just stopped working
& only showed 500 errors. I downloaded the Apache error logs & found this:

[Mon Apr 13 05:37:38 2009] [error] [client 217.199.222.19] ModSecurity:
Access denied with code 503 (phase 2). Pattern match
"=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?"
at REQUEST_URI. [file
"/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line
"23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to
remote include command shell"] [severity "CRITICAL"] [hostname "
return-true.com"] [uri "/hw3.php"] [unique_id "SeMyEkPNBIMAAFN2guwAAAAE"]
[Mon Apr 13 05:37:38 2009] [error] [client 217.199.222.19] ModSecurity:
Access denied with code 503 (phase 2). Pattern match
"=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?"
at REQUEST_URI. [file
"/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line
"23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to
remote include command shell"] [severity "CRITICAL"] [hostname "
return-true.com"] [uri "/2009/03//hw3.php"] [unique_id
"SeMyEkPNBIMAAEe1L5IAAAAF"]
[Mon Apr 13 05:37:38 2009] [error] [client 217.199.222.19] ModSecurity:
Access denied with code 503 (phase 2). Pattern match
"=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?"
at REQUEST_URI. [file
"/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line
"23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to
remote include command shell"] [severity "CRITICAL"] [hostname "
return-true.com"] [uri
"/2009/03/zstore-helper-wordpress-plugin-for-zazzle-store-builder//hw3.php"]
[unique_id "SeMyEkPNBIMAAFLAg at sAAAAC"]
[Mon Apr 13 05:51:33 2009] [error] [client 200.93.147.154] ModSecurity:
Access denied with code 503 (phase 2). Pattern match
"=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?"
at REQUEST_URI. [file
"/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line
"23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to
remote include command shell"] [severity "CRITICAL"] [hostname "
return-true.com"] [uri "/includes/header.php"] [unique_id
"SeM1VUPNBIMAAGVMYQAAAAAJ"]
[Mon Apr 13 05:51:33 2009] [error] [client 200.93.147.154] ModSecurity:
Access denied with code 503 (phase 2). Pattern match
"=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?"
at REQUEST_URI. [file
"/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line
"23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to
remote include command shell"] [severity "CRITICAL"] [hostname "
return-true.com"] [uri "/2009/04/php-tip-5-header//includes/header.php"]
[unique_id "SeM1VUPNBIMAAHm84wEAAAAF"]

Then after that all processes created by my site are cut by the shared server's
memory-limiting script. The last two times this happened it took a reinstall
of WordPress' files to fix it, but this last time I had to restore a backup
of the database, which are taken regularly, thank god. I have been told by my
host that the attacks are always blocked, but they seem to break WordPress
somehow & that's what I'm hoping someone can help with. I realize it's a
long shot, but I've got nothing to lose seeing as it's happening fairly
often.

I have beefed up security on WP a lot: I've changed the default db prefix,
I've chmod'ed all folders to the recommended settings & I've placed
.htaccess files in my admin & includes folders. Any other suggestions of
what is happening or how to stop it would be great. Thanks.

Paul.
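The log entries above are wrapped across several lines by the mail client, which makes them awkward to triage by eye. The following is an added example (not part of the original post or of ModSecurity): it re-joins the wrapped entries, extracts the bracketed fields, and counts blocked requests by client, target script and rule id. The sample input is constructed from two of the entries in the post, with the rule's pattern shortened.

```python
import re
from collections import Counter
# Constructed sample: two wrapped ModSecurity error-log entries in the shape shown in the post.
SAMPLE_LOG = r'''[Mon Apr 13 05:37:38 2009] [error] [client 217.199.222.19] ModSecurity:
Access denied with code 503 (phase 2). Pattern match
"=(http|www|ftp)\\:/(.+)\\.(sh|txt|asp)\\x20?\\?"
at REQUEST_URI. [file "/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line
"23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to
remote include command shell"] [severity "CRITICAL"] [hostname "
return-true.com"] [uri "/hw3.php"] [unique_id "SeMyEkPNBIMAAFN2guwAAAAE"]
[Mon Apr 13 05:51:33 2009] [error] [client 200.93.147.154] ModSecurity:
Access denied with code 503 (phase 2). Pattern match
"=(http|www|ftp)\\:/(.+)\\.(sh|txt|asp)\\x20?\\?"
at REQUEST_URI. [file "/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line
"23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to
remote include command shell"] [severity "CRITICAL"] [hostname "
return-true.com"] [uri "/includes/header.php"] [unique_id
"SeM1VUPNBIMAAGVMYQAAAAAJ"]
'''

# A new entry starts with an Apache timestamp in brackets at the beginning of a line.
ENTRY_START = re.compile(r'(?m)^(?=\[\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}\])')
FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')   # [key "value"] pairs; value may be wrapped
CLIENT = re.compile(r'\[client ([^\]]+)\]')

def parse_modsec_entries(text):
    """Re-join wrapped lines and return one dict per 'Access denied' entry."""
    entries = []
    for chunk in ENTRY_START.split(text):
        joined = ' '.join(line.strip() for line in chunk.splitlines() if line.strip())
        if 'ModSecurity: Access denied' not in joined:
            continue
        rec = {key: value.strip() for key, value in FIELD.findall(joined)}
        m = CLIENT.search(joined)
        rec['client'] = m.group(1) if m else None
        rec['timestamp'] = joined[1:joined.index(']')]
        entries.append(rec)
    return entries

def summarize(entries):
    """Who is hitting which script, and which rule fired: the triage view to send a host."""
    return {
        'by_client': Counter(e['client'] for e in entries),
        'by_uri': Counter(e['uri'] for e in entries),
        'by_rule': Counter((e['id'], e['msg']) for e in entries),
    }

if __name__ == '__main__':
    for key, counts in summarize(parse_modsec_entries(SAMPLE_LOG)).items():
        print(key, dict(counts))
```

Run it against the full error log instead of SAMPLE_LOG to see whether the hits cluster on a few scripts or a few source addresses, which is the first question a host will ask.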

