Message-ID: <20110719100609.GE2953@foo.fgeek.fi>
Date: Tue, 19 Jul 2011 13:06:09 +0300
From: Henri Salo <henri@...v.fi>
To: Marc Manthey <marc@....de>
Cc: full-disclosure@...ts.grok.org.uk, phishing@....com
Subject: Re: Possible Code Execution vulnerability in WordPress ?
On Sun, Jul 03, 2011 at 01:46:30PM +0200, Marc Manthey wrote:
> hello list,
>
> Sorry, this is my first post to this list, but I am really worried
> about a WordPress vulnerability, and someone on this list might use
> WordPress as well and could give me some advice on what to do.
>
> I have been using WordPress for 2 years without any trouble and update
> regularly, but last Friday I got a mail from my hoster that someone
> "uploaded" a phishing script into my "upload folder" in WordPress, and
> Google put my site on the blocklists as well.
>
> After I found out that the "contact form" module might be causing the
> problem, because I always found a "wpcf7_captcha" directory in my
> "upload folder", I removed the module and all went fine for a day...
>
> >> http://let.de/wp-content/themes/twentyten/www1.royalbank.com/index.html
>
> Today I received another mail from rsa.com that the same script is
> still on my site, just in a "theme" folder.
>
> > http://let.de/wp-content/uploads/2011/www1.royalbank.com/index.html
>
>
> I looked into the installed "phishing script" http://www.2shared.com/file/M9zwMVr5/www1royalbankcom.html
> It seems everything is loaded from https://www1.royalbank.com/, for
> example https://www1.royalbank.com/common/images/english/logo_rbc_rb.gif
> but this is not the original banking site!!
>
> Is this a DNS manipulation? https://www1.royalbank.com < ??? When I
> try http://www.royalbank.com it redirects me to the original banking
> site at
>
> http://www.rbcroyalbank.com !!!!
>
> After I searched for some information, I found this on the Full
> Disclosure list, and I am a bit concerned now...
>
> [Full-disclosure] Code Execution vulnerability in WordPress http://seclists.org/fulldisclosure/2011/Apr/535
>
>
> Vulnerabilities in WordPress http://www.securityfocus.com/archive/1/510274
>
> Any idea what to do besides shutting my site down :)?
>
> regards
>
> Marc
>
> >> -------- Original Message --------
> >> Subject: Fraudulent site, please shut down! [RBC 11266] IP:
> >> 91.184.33.25 Domain: let.de
> >> Date: Sun, 3 Jul 2011 02:33:05 +0300
> >> From: <afcc@....com>
> >> To: <abuse@...edpartner.de>
> >> CC: <metz@...edpartner.de>
> >>
>
>
>
> -- Les enfants teribbles - research / deployment
> Marc Manthey- Vogelsangerstrasse 97
> 50823 Köln - Germany
> Tel.:0049-221-29891489
> Mobil:0049-1577-3329231
> blog: http://let.de
> twitter: http://twitter.com/macbroadcast/
> facebook : http://opencu.tk
Which version of WordPress and which modules were you using? Do you have logs of the incident? I am including RBC in this email as they are probably interested in the details. There might be other similar phishing pages active.
www1.royalbank.com has address 142.245.40.233
www.royalbank.com has address 142.245.34.203
royalbank.com has address 142.245.1.203
www.rbcroyalbank.com has address 142.245.1.15
rbcroyalbank.com has address 142.245.1.15
Whois of both domains:
---
Registrant:
Royal Bank of Canada
RBC Domain Registration
330 Front St W - 4th Flr
Toronto, ON M5V 3B7
CA
Email: rbcdomainreg@....com
Registrar Name....: CORPORATE DOMAINS, INC.
Registrar Whois...: whois.corporatedomains.com
Registrar Homepage: www.cscprotectsbrands.com
Domain Name: rbcroyalbank.com
Created on..............: Thu, Nov 09, 2000
Expires on..............: Sun, Nov 09, 2014
Record last updated on..: Fri, Feb 11, 2011
Administrative,Technical Contact:
Royal Bank of Canada
RBC Domain Registration
330 Front St W - 4th Flr
Toronto, ON M5V 3B7
CA
Phone: +1.4163485121
Email: rbcdomainreg@....com
DNS Servers:
ns4.rbc.com
ns2.rbc.com
ns1.rbc.com
ns3.rbc.com
---
Reading this bug report http://core.trac.wordpress.org/ticket/17969 tells me that there is still a possibility of a vulnerability. I'll bet it is in one of the modules as well.
Best regards,
Henri Salo
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
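The thread describes a phishing kit that was unpacked first under wp-content/uploads/2011/www1.royalbank.com/ and then under wp-content/themes/twentyten/www1.royalbank.com/, and Henri asks for logs and versions. The scan below is an added example, not code from either poster or from WordPress: it walks a wp-content tree and flags the artifacts such a kit leaves behind. The three heuristics (a directory named like a hostname, executable or HTML files under uploads/, and PHP that feeds a decoder into eval()) and the sample tree it builds are assumptions constructed for the example; the paths are modelled on the ones quoted in the thread, the file contents are made up.

```python
#!/usr/bin/env python3
"""Offline scan of a WordPress wp-content tree for a planted phishing kit
(a bank look-alike site dropped into uploads/ or a theme directory, usually
next to a PHP dropper). Added example; not code from the thread or WordPress."""
import os
import re
import tempfile

# Media the WordPress media library legitimately writes under wp-content/uploads.
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf", ".mp3", ".mp4",
             ".zip", ".doc", ".docx", ".txt"}
# Anything the web server would execute or serve as a page: never expected in uploads/.
EXEC_EXT = {".php", ".phtml", ".php5", ".phar", ".html", ".htm", ".js", ".cgi", ".pl"}
PHP_EXT = {".php", ".phtml", ".php5", ".phar"}
# A directory named like a hostname (e.g. www1.royalbank.com) is how kits are
# typically unpacked so the page's relative links keep resolving.
HOSTNAME_DIR_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
# Crude dropper/web-shell heuristic (assumption): dynamic execution fed by a decoder.
SHELL_RE = re.compile(
    rb"(eval|assert|create_function)\s*\(.*(base64_decode|gzinflate|str_rot13)",
    re.IGNORECASE | re.DOTALL)


def scan_wp_content(root):
    """Return sorted (reason, path-relative-to-root) findings for the tree at root."""
    findings = set()
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        prefix = "" if rel_dir == "." else rel_dir + "/"
        top = rel_dir.split("/")[0]          # uploads / themes / plugins / ...
        for d in dirnames:
            if HOSTNAME_DIR_RE.match(d):
                findings.add(("hostname_dir", prefix + d))
        for name in filenames:
            path = prefix + name
            ext = os.path.splitext(name)[1].lower()
            if top == "uploads" and ext in EXEC_EXT:
                findings.add(("exec_in_uploads", path))
            elif top == "uploads" and ext not in MEDIA_EXT:
                findings.add(("unexpected_in_uploads", path))
            # Themes and plugins legitimately hold PHP, so only flag shell-like content there.
            if ext in PHP_EXT:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    if SHELL_RE.search(fh.read(256 * 1024)):
                        findings.add(("suspicious_php", path))
    return sorted(findings)


def build_sample_tree():
    """Constructed wp-content tree for the demonstration (paths modelled on the thread)."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    files = {
        "uploads/2011/07/holiday.jpg": b"\xff\xd8\xff",
        "uploads/wpcf7_captcha/1234.png": b"\x89PNG",
        "uploads/2011/www1.royalbank.com/index.html": b"<html>Sign in to Online Banking</html>",
        "uploads/2011/07/cache.php": b"<?php eval(base64_decode($_POST['c'])); ?>",
        "themes/twentyten/style.css": b"/* Theme Name: Twenty Ten */",
        "themes/twentyten/www1.royalbank.com/index.html": b"<html>Sign in to Online Banking</html>",
        "plugins/contact-form-7/wp-contact-form-7.php": b"<?php /* Plugin Name: Contact Form 7 */",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for reason, path in scan_wp_content(build_sample_tree()):
        print(f"{reason:22} {path}")
```

Against a real install, point scan_wp_content() at wp-content and treat every hostname_dir and exec_in_uploads hit as something to preserve (copy it out with timestamps intact) before deleting, since the kit's mtime and the dropper next to it are what you correlate with the access log to find the request that planted it. A clean scan does not prove the site is clean: if the dropper sits outside wp-content, or in a theme file rewritten in place, only the logs and a diff against a pristine WordPress, theme and plugin release will show it.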