Message-Id: <F79D134E-5913-45DA-A75D-EB12C11F4A6E@let.de>
Date: Sun, 3 Jul 2011 13:46:30 +0200
From: Marc Manthey <marc@....de>
To: full-disclosure@...ts.grok.org.uk
Subject: Possible Code Execution vulnerability in WordPress ?

Hello list,

Sorry, this is my first post to this list, but I am really worried about a WordPress vulnerability, and someone on this list might use WordPress as well and could give me some advice on what to do.

I have been using WordPress for 2 years without any trouble and update regularly, but last Friday I got a mail from my hoster that someone "uploaded" a phishing script into my "upload folder" in WordPress, and Google put my site on the blocklists as well. After I found out that the "contact form" module might cause the problem, because I always found a "wpcf7_captcha" directory in my "upload folder", I removed the module and all went fine for a day..

>> http://let.de/wp-content/themes/twentyten/www1.royalbank.com/index.html

Today I received another mail from rsa.com that the same script is still on my site, just in a "theme" folder.

> http://let.de/wp-content/uploads/2011/www1.royalbank.com/index.html

I looked into the installed "phishing script" http://www.2shared.com/file/M9zwMVr5/www1royalbankcom.html and it seems everything is loaded from https://www1.royalbank.com/ , for example https://www1.royalbank.com/common/images/english/logo_rbc_rb.gif < but this is not the original banking site !!

Is this a DNS manipulation ? https://www1.royalbank.com < ???

When I try http://www.royalbank.com it redirects me to the original banking site at http://www.rbcroyalbank.com !!!!

After I searched for some information, I found this on the full disclosure list, and I am a bit concerned now....

[Full-disclosure] Code Execution vulnerability in WordPress
http://seclists.org/fulldisclosure/2011/Apr/535

Vulnerabilities in WordPress
http://www.securityfocus.com/archive/1/510274

Any idea what to do beside shutting my site down :)?
Regards, Marc

>> -------- Original Message --------
>> Subject: Fraudulent site, please shut down! [RBC 11266] IP: 91.184.33.25 Domain: let.de
>> Date: Sun, 3 Jul 2011 02:33:05 +0300
>> From: <afcc@....com>
>> To: <abuse@...edpartner.de>
>> CC: <metz@...edpartner.de>
>>

--
Les enfants teribbles - research / deployment
Marc Manthey - Vogelsangerstrasse 97
50823 Köln - Germany
Tel.: 0049-221-29891489
Mobil: 0049-1577-3329231
blog: http://let.de
twitter: http://twitter.com/macbroadcast/
facebook: http://opencu.tk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
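The post describes phishing pages dropped into wp-content/uploads (under a directory named after the impersonated bank) and into a theme folder. The script below is an added defender-side check, not part of Marc's post and not WordPress or Contact Form 7 code: it walks an uploads tree and reports anything that is not a plain media file, plus directories that fall outside the uploads/YYYY/MM layout or are named like a hostname. The media-extension list, the script-extension list, and the YYYY/MM layout are assumptions to adjust per site; the sample tree it builds is constructed here and only mirrors the paths mentioned in the post.

```python
"""Added example (not from the original post): flag non-media files and odd
directories under a WordPress wp-content/uploads tree.

Assumptions (not from the post): media lives in uploads/YYYY/MM, expected
file types are MEDIA_EXTENSIONS, and SCRIPT_EXTENSIONS never belong there.
"""
import os
import re
import tempfile

# Assumption: what a media library normally holds. Extend for your site.
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg",
                    ".pdf", ".mp3", ".mp4", ".zip", ".txt"}
# Assumption: executable or markup types that should not be under uploads.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".phar", ".html", ".htm",
                     ".js", ".cgi", ".pl", ".sh"}
# WordPress's default media layout is uploads/<year>/<month>.
YEAR_DIR = re.compile(r"^\d{4}$")
MONTH_DIR = re.compile(r"^(0[1-9]|1[0-2])$")
# Directory names like "www1.royalbank.com" are a strong hint of a lookalike page.
HOSTNAME_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def scan_uploads(root):
    """Walk `root` and return sorted (relative_path, reason) findings.

    Findings are review items, not verdicts: file content is not inspected.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        parts = [] if rel == "." else rel.split(os.sep)
        depth = len(parts)
        for d in dirnames:
            path = "/".join(parts + [d])
            if HOSTNAME_LIKE.match(d):
                findings.append((path, "directory named like a hostname"))
            elif depth == 0 and not YEAR_DIR.match(d):
                findings.append((path, "unexpected top-level directory"))
            elif depth == 1 and not MONTH_DIR.match(d):
                findings.append((path, "unexpected directory under year"))
        for f in filenames:
            path = "/".join(parts + [f])
            name = f.lower()
            _, ext = os.path.splitext(name)
            if name == ".htaccess":
                findings.append((path, "web server config inside uploads"))
            elif ext in SCRIPT_EXTENSIONS:
                findings.append((path, f"script/markup file ({ext})"))
            elif ext not in MEDIA_EXTENSIONS:
                findings.append((path, f"unexpected extension ({ext or 'none'})"))
    return sorted(findings)


def build_sample_tree(base):
    """Create a constructed uploads tree that mirrors the layout in the post."""
    files = {
        "2011/06/holiday.jpg": b"\xff\xd8\xff",                       # clean media file
        "2011/06/notes.pdf": b"%PDF-1.4",                              # clean media file
        "2011/www1.royalbank.com/index.html": b"<html>placeholder</html>",  # constructed lookalike page
        "2011/07/image.php": b"<?php /* constructed placeholder */ ?>",    # script in a month folder
        "wpcf7_captcha/abc.png": b"\x89PNG",                           # plugin dir outside YYYY layout
    }
    for rel, data in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return base


def demo():
    """Build the constructed tree in a temporary directory, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_uploads(build_sample_tree(tmp))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:38s} {path}")
```

Run it against a real site as `scan_uploads("/path/to/wp-content/uploads")` and review each line by hand. The `wpcf7_captcha` directory is reported only because it sits outside the year/month layout; plugins legitimately create such directories, so a finding means "look at this", not "this is malicious". The same walk can be pointed at wp-content/themes, where the post's second copy of the page lived, but there HTML and JS files are normal and only the hostname-like directory rule is meaningful.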