Comments on: Trojan on this website http://photocritic.org/wordpress-exploit-iframe-gen-c/ The Photocritic DIY photography projects blog Sun, 14 Mar 2010 20:05:03 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: site fr http://photocritic.org/wordpress-exploit-iframe-gen-c/#comment-314728 site fr Sun, 24 Jan 2010 16:25:15 +0000 http://photocritic.org/?p=1482#comment-314728 Toujours de tres bonne info , merci Toujours de tres bonne info , merci

]]> By: jeremy http://photocritic.org/wordpress-exploit-iframe-gen-c/#comment-296921 jeremy Tue, 17 Feb 2009 05:48:41 +0000 http://photocritic.org/?p=1482#comment-296921 Another reason to read by rss, I guess. Best of luck getting it all worked out, but don't hold off on new posts too much. The last one on breaking photographers block was fantastic. Another reason to read by rss, I guess. Best of luck getting it all worked out, but don’t hold off on new posts too much. The last one on breaking photographers block was fantastic.

]]> By: Lee Hampton-Whitehead http://photocritic.org/wordpress-exploit-iframe-gen-c/#comment-296636 Lee Hampton-Whitehead Tue, 10 Feb 2009 19:06:45 +0000 http://photocritic.org/?p=1482#comment-296636 i am not convinced this is related to the XSS pre 2.6.5 http://wordpress.org/development/2008/11/wordpress-265/ says "only affects IP-based virtual servers running on Apache 2.x." and (in my opinion) does not seem to allow code to be written back to the web server my setup is name-based-virtual hosted 2.7 and it still got in !! i am not convinced this is related to the XSS pre 2.6.5

http://wordpress.org/development/2008/11/wordpress-265/ says

“only affects IP-based virtual servers running on Apache 2.x.”

and (in my opinion) does not seem to allow code to be written back to the web server

my setup is name-based-virtual hosted 2.7 and it still got in !!

]]> By: Donncha O Caoimh http://photocritic.org/wordpress-exploit-iframe-gen-c/#comment-296634 Donncha O Caoimh Tue, 10 Feb 2009 18:46:09 +0000 http://photocritic.org/?p=1482#comment-296634 Glad you got your site fixed. WP-Super-Cache allowed a different bug to happen, but so would any other caching plugin. Security Focus mentioned that plugin because it's the most used.. Can you email security@wordpress.org with everything you've found? I have a feeling it's an old bug though. Glad you got your site fixed.

WP-Super-Cache allowed a different bug to happen, but so would any other caching plugin. Security Focus mentioned that plugin because it’s the most used..

Can you email security@wordpress.org with everything you’ve found? I have a feeling it’s an old bug though.

]]> By: Lee Hampton-Whitehead http://photocritic.org/wordpress-exploit-iframe-gen-c/#comment-296633 Lee Hampton-Whitehead Tue, 10 Feb 2009 18:14:12 +0000 http://photocritic.org/?p=1482#comment-296633 My wife's site (wordpress as a CMS) is a self hosted wordpress 2.7 on an easyspace Virtual private server, where i control the security, and left the themes folder writable to apache after tweaking her latest theme of choice My wife’s site (wordpress as a CMS) is a self hosted wordpress 2.7 on an easyspace Virtual private server, where i control the security, and left the themes folder writable to apache after tweaking her latest theme of choice

]]> By: Duncan http://photocritic.org/wordpress-exploit-iframe-gen-c/#comment-296632 Duncan Tue, 10 Feb 2009 18:09:53 +0000 http://photocritic.org/?p=1482#comment-296632 I was looking into a WP hack for a friend and this whitepaper was very helpful: http://blogsecurity.net/wordpress/wordpress-security-whitepaper/ I've seen two classes of WP hacks: •Something getting inserted into the page template. I think that WP stores each theme separately, so you might be able to restore back to a known-good copy of your theme if you've got extra stuff inserted. •Alternatively, I've seen a tiny iframe added to one or more posts, generally linking to a malicious site. This is easier to fix; just search for an iframe tag on each post and if you see one that shouldn't be there, nuke it. I was looking into a WP hack for a friend and this whitepaper was very helpful:

http://blogsecurity.net/wordpress/wordpress-security-whitepaper/

I’ve seen two classes of WP hacks:
•Something getting inserted into the page template. I think that WP stores each theme separately, so you might be able to restore back to a known-good copy of your theme if you’ve got extra stuff inserted.

•Alternatively, I’ve seen a tiny iframe added to one or more posts, generally linking to a malicious site. This is easier to fix; just search for an iframe tag on each post and if you see one that shouldn’t be there, nuke it.

]]> By: Chris Black http://photocritic.org/wordpress-exploit-iframe-gen-c/#comment-296630 Chris Black Tue, 10 Feb 2009 17:01:55 +0000 http://photocritic.org/?p=1482#comment-296630 Lee: is your wife's website hosted by 1&1 (mine is) Haje: only plugin which we have in common is akismet Lee: is your wife’s website hosted by 1&1 (mine is)

Haje: only plugin which we have in common is akismet

]]> By: Lee Hampton-Whitehead http://photocritic.org/wordpress-exploit-iframe-gen-c/#comment-296625 Lee Hampton-Whitehead Tue, 10 Feb 2009 16:23:51 +0000 http://photocritic.org/?p=1482#comment-296625 in case it is of any use the httpd log from the time of the hack 87.118.120.36 - - [10/Feb/2009:02:05:43 +0000] "POST /wp-atom.php HTTP/1.1" 200 32 "-" 87.118.120.36 - - [10/Feb/2009:02:05:43 +0000] "POST /wp-atom.php HTTP/1.1" 200 - "-" ip is in germany in case it is of any use

the httpd log from the time of the hack

87.118.120.36 – - [10/Feb/2009:02:05:43 +0000] “POST /wp-atom.php HTTP/1.1″ 200 32 “-”
87.118.120.36 – - [10/Feb/2009:02:05:43 +0000] “POST /wp-atom.php HTTP/1.1″ 200 – “-”

ip is in germany

]]> By: Chris Black http://photocritic.org/wordpress-exploit-iframe-gen-c/#comment-296624 Chris Black Tue, 10 Feb 2009 16:23:18 +0000 http://photocritic.org/?p=1482#comment-296624 Hi same thing has just happened with my site - I googled Exploit-IFrame.gen.c and found you. Hopefully I can follow what you did and deal with this... Hi same thing has just happened with my site – I googled Exploit-IFrame.gen.c and found you.

Hopefully I can follow what you did and deal with this…

]]> By: Lee Hampton-Whitehead http://photocritic.org/wordpress-exploit-iframe-gen-c/#comment-296623 Lee Hampton-Whitehead Tue, 10 Feb 2009 16:17:31 +0000 http://photocritic.org/?p=1482#comment-296623 interesting post today (10th feb) at 0205 UK time, my wife wordpress site got hacked too. same snippet of code placed in every header.php file underneath the themes folder nothing obvious in httpd logs, i am very confused interesting post
today (10th feb) at 0205 UK time, my wife wordpress site got hacked too.

same snippet of code placed in every header.php file underneath the themes folder

nothing obvious in httpd logs, i am very confused

]]> By: Haje Jan Kamps http://photocritic.org/wordpress-exploit-iframe-gen-c/#comment-296610 Haje Jan Kamps Tue, 10 Feb 2009 11:39:06 +0000 http://photocritic.org/?p=1482#comment-296610 Flo: Yeah, that's what I'm afraid of too, but I do trust most of the plug-ins quite well, and they are all (with two notable exceptions, which I'll fix tonight) completely up to date. I've had issues with odd things showing up on my blog before, but all rootkit checking in the world doesn't indicate that the server itself is compromised - and the passwords are as hardened as I can make them with paranoia levels turned to 11 (passwords are many digits, completely random, with upper and lower, numerals and obscure punctuation symbols), no FTP access, each site on the server lives in its own silo, etc. Apart from my octal n00b mistake, I am genuinely surprised how the site still ended up hacked - I've genuinely done everything in my power to keep it completely safe... I guess I'll just have to start doing more. Flo: Yeah, that’s what I’m afraid of too, but I do trust most of the plug-ins quite well, and they are all (with two notable exceptions, which I’ll fix tonight) completely up to date.

I’ve had issues with odd things showing up on my blog before, but all rootkit checking in the world doesn’t indicate that the server itself is compromised – and the passwords are as hardened as I can make them with paranoia levels turned to 11 (passwords are many digits, completely random, with upper and lower, numerals and obscure punctuation symbols), no FTP access, each site on the server lives in its own silo, etc.

Apart from my octal n00b mistake, I am genuinely surprised how the site still ended up hacked – I’ve genuinely done everything in my power to keep it completely safe… I guess I’ll just have to start doing more.

]]> By: Flo http://photocritic.org/wordpress-exploit-iframe-gen-c/#comment-296609 Flo Tue, 10 Feb 2009 11:31:08 +0000 http://photocritic.org/?p=1482#comment-296609 This does not necessarily have to be connected to file permissions or your webmaster. There are tons of ways how wordpress can become vulnerable. For example, there are quite a few plugins which can be a security risk, so you should keep those up to date as well. This does not necessarily have to be connected to file permissions or your webmaster. There are tons of ways how wordpress can become vulnerable. For example, there are quite a few plugins which can be a security risk, so you should keep those up to date as well.

]]> By: Haje Jan Kamps http://photocritic.org/wordpress-exploit-iframe-gen-c/#comment-296608 Haje Jan Kamps Tue, 10 Feb 2009 11:16:18 +0000 http://photocritic.org/?p=1482#comment-296608 patpro: Jeez, can you tell I typed this up in a rush? I obviously ought to have my have my webmaster pass revoked on a permanent basis... patpro: Jeez, can you tell I typed this up in a rush?

I obviously ought to have my have my webmaster pass revoked on a permanent basis…

]]> By: patpro http://photocritic.org/wordpress-exploit-iframe-gen-c/#comment-296607 patpro Tue, 10 Feb 2009 11:06:27 +0000 http://photocritic.org/?p=1482#comment-296607 You might want to replace "octagonal" by "octal" ;) You might want to replace “octagonal” by “octal” ;)

]]>