
WordPress 2.0.5 site got hacked using c99shell?

There's an interesting thread right now (at least for me) on the wp-testers mailing list about a WordPress 2.0.5 site that got hacked using c99shell, and what makes me curious is whether it is really WordPress's fault or whether it was caused by the plugins used on that site. I'm really sure this hack was caused by some vulnerable plugin, or perhaps because the person is running vulnerable CMS / forum software on the same site. By the way, I've tried searching various sites about this, but the only thing I could find is an unspecified WordPress vulnerability that was already fixed in the 2.0.5 release.

Some people also suggest using ModSecurity for those who run a dedicated box, but if you're on a shared host like me, you can ask your web host about it. I don't know whether my web host already runs ModSecurity for shared hosting accounts, but one thing is sure: I tested on my site, and it returns an HTTP 406 status (most 406 responses are caused by ModSecurity) if I try to do something funny. Anyway, I hope this problem is not caused by WordPress itself.
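As an added example (not part of the original post), here is a small Python triage script for the situation described above: it walks Apache access-log lines looking for the 406 responses the post attributes to ModSecurity, for requests naming c99shell or the AppServ README-th.php file mentioned in the comments, and for POSTs to xmlrpc.php, then reports which source IPs are behind each. The log lines and IP addresses are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format; the sample lines below are constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Path indicators taken from the thread: c99shell and the exposed AppServ README-th.php.
WEBSHELL_RE = re.compile(r'c99|README-th\.php', re.IGNORECASE)

def classify(line):
    """Return (ip, tags) for one log line; tags is empty when nothing is noteworthy."""
    m = LOG_RE.match(line)
    if not m:
        return None, ['unparsed']
    tags = []
    if m['status'] == '406':
        tags.append('modsec-406')        # the status the post associates with ModSecurity denials
    if WEBSHELL_RE.search(m['path']):
        tags.append('webshell-indicator')
    if m['method'] == 'POST' and m['path'].split('?')[0].lower().endswith('/xmlrpc.php'):
        tags.append('xmlrpc-post')       # the component the first comment blames
    return m['ip'], tags

def triage(lines):
    """Aggregate tag counts and the sorted source IPs behind each tag across a log."""
    counts, ips = Counter(), defaultdict(set)
    for line in lines:
        ip, tags = classify(line)
        for tag in tags:
            counts[tag] += 1
            if ip:
                ips[tag].add(ip)
    return dict(counts), {t: sorted(s) for t, s in ips.items()}

SAMPLE_LOG = [  # constructed sample lines, not taken from the post or its comments
    '203.0.113.5 - - [17/Nov/2006:18:34:01 +0000] "GET /index.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Nov/2006:18:34:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Nov/2006:18:35:02 +0000] "GET /AppServ/README-th.php HTTP/1.0" 200 9870 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Nov/2006:18:36:40 +0000] "GET /images/c99shell.php HTTP/1.1" 406 311 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == '__main__':
    counts, ips = triage(SAMPLE_LOG)
    for tag, n in sorted(counts.items()):
        print(f'{tag}: {n} hit(s) from {ips.get(tag, [])}')
```

Feed it a real access log with `triage(open('access_log'))` and the unparsed count tells you whether your LogFormat differs from the combined format assumed here.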

7 Comment(s)

  1. justinf | Nov 17, 2006 at 18:34

    My blog uses Nucleus and even that was hacked with c99, so it's nothing to do with WordPress itself. And my box is Fedora 5 with all the latest security patches.

    From my logs, it seems to be a hack based on the xmlrpc component of a blog.

  2. Reaper-X | Nov 17, 2006 at 19:02

    I see ... thanks a lot for that information, I really appreciate it .. but if it is caused by xmlrpc then the problem is in the blog software itself :?

  3. Christos | Feb 8, 2007 at 7:55

    It has nothing to do with blog software.
    I had forgotten in my path the AppServ folder, which was indexed by the search engines, and they used the "README-th.php" file to gain access.
    What I found disturbing is that the injection was done by Yahoo Slurp. I don't know how they managed to make Yahoo do the job for them, but they did.

    The script-kiddies are capable of much more than what they've been doing, unfortunately.
    The last one who gained access to my self-hosted server erased the whole disk.
    I guess I was lucky in unluckiness and pulled the plug while he was doing it, so along with some other files the Apache log was saved,
    and I was able to track the events down and
    found that it was a guy from Turkey.
    I have enough evidence from the log file and also from a forum where he posted his evil doing, but I don't know what I can do against him (legally I mean).
    I did not only lose my sites, I also lost about 70GB of data and software.

  4. amin | Mar 2, 2007 at 22:55

    help me

  5. gamal | Apr 6, 2007 at 2:11

    ukgjhhkhjj

  6. mahmoud | May 4, 2007 at 23:11

    eldooky2003@yahoo.com

  7. Michelle Wong | Feb 10, 2008 at 12:48

    Thanks for the great information. I just subscribed to your blog feed. Michelle, HostGator Coupons

1 Trackback(s)

  1. From possum.kicks-ass.org » Blog Archive » I’ve Been Exploited | Nov 13, 2006
