Full Disclosure
mailing list archives
Re: Possible Code Execution vulnerability in WordPress ?
From: Henri Salo <henri () nerv fi>
Date: Tue, 19 Jul 2011 13:06:09 +0300
On Sun, Jul 03, 2011 at 01:46:30PM +0200, Marc Manthey wrote:
hello list,
Sorry, this is my first post to this list, but I am really worried about a WordPress vulnerability, and someone on this list might use WordPress as well and could give me some advice on what to do.
I have been using WordPress for 2 years without any trouble and update regularly, but last Friday I got a mail from my hoster that someone "uploaded" a phishing script into my "upload folder" in WordPress, and Google put my site on the blocklists as well.
After I found out that the "contact form" module might cause the problem, because I always found a "wpcf7_captcha" directory in my "upload folder", I removed the module and all went fine for a day..
http://let.de/wp-content/themes/twentyten/www1.royalbank.com/index.html
Today I received another mail from rsa.com that the same script is still on my site, just in a "theme" folder.
http://let.de/wp-content/uploads/2011/www1.royalbank.com/index.html
I looked into the installed "phishing script" http://www.2shared.com/file/M9zwMVr5/www1royalbankcom.html
It seems everything is loaded from https://www1.royalbank.com/ for example
https://www1.royalbank.com/common/images/english/logo_rbc_rb.gif <
but this is not the original banking site !!
Is this a DNS manipulation ? https://www1.royalbank.com < ??? When I try http://www.royalbank.com it redirects me to the original banking site at
http://www.rbcroyalbank.com !!!!
After I searched for some information, I found this on the full disclosure list, and I am a bit concerned now....
[Full-disclosure] Code Execution vulnerability in WordPress http://seclists.org/fulldisclosure/2011/Apr/535
Vulnerabilities in WordPress http://www.securityfocus.com/archive/1/510274
Any idea what to do besides shutting my site down :)?
regards
Marc
-------- Original Message --------
Subject: Fraudulent site, please shut down! [RBC 11266] IP:
91.184.33.25 Domain: let.de
Date: Sun, 3 Jul 2011 02:33:05 +0300
From: <afcc () rsa com>
To: <abuse () speedpartner de>
CC: <metz () speedpartner de>
-- Les enfants teribbles - research / deployment
Marc Manthey- Vogelsangerstrasse 97
50823 Köln - Germany
Tel.:0049-221-29891489
Mobil:0049-1577-3329231
blog: http://let.de
twitter: http://twitter.com/macbroadcast/
facebook : http://opencu.tk
Which version of WordPress and which modules were you using? Do you have logs of the incident? I am including RBC in this
email as they are probably interested in the details. There might be other similar phishing pages active.
www1.royalbank.com has address 142.245.40.233
www.royalbank.com has address 142.245.34.203
royalbank.com has address 142.245.1.203
www.rbcroyalbank.com has address 142.245.1.15
rbcroyalbank.com has address 142.245.1.15
Whois of both domains:
---
Registrant:
Royal Bank of Canada
RBC Domain Registration
330 Front St W - 4th Flr
Toronto, ON M5V 3B7
CA
Email: rbcdomainreg () rbc com
Registrar Name....: CORPORATE DOMAINS, INC.
Registrar Whois...: whois.corporatedomains.com
Registrar Homepage: www.cscprotectsbrands.com
Domain Name: rbcroyalbank.com
Created on..............: Thu, Nov 09, 2000
Expires on..............: Sun, Nov 09, 2014
Record last updated on..: Fri, Feb 11, 2011
Administrative,Technical Contact:
Royal Bank of Canada
RBC Domain Registration
330 Front St W - 4th Flr
Toronto, ON M5V 3B7
CA
Phone: +1.4163485121
Email: rbcdomainreg () rbc com
DNS Servers:
ns4.rbc.com
ns2.rbc.com
ns1.rbc.com
ns3.rbc.com
---
Reading this bug report http://core.trac.wordpress.org/ticket/17969 says to me that there is still a possibility of a
vulnerability. I'll bet it is in one of the modules as well.
Best regards,
Henri Salo
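A defender-side check suggested by the two paths reported in this thread, added here as an example and not code from either poster: it walks a wp-content tree and flags directory names that look like hostnames (the way a dropped phishing kit mimics its target brand) and HTML/PHP files in places where WordPress would not normally put them. The wp-content layout it scans is constructed inline and mirrors the paths quoted above; the thresholds are heuristics, not a complete detection.

```python
import re
import tempfile
from pathlib import Path

# Directory names that look like a fully qualified hostname, e.g. "www1.royalbank.com".
# Phishing kits dropped into wp-content commonly use the impersonated host as a folder name.
HOSTNAME_DIR = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

# File types that should not normally appear under wp-content/uploads; an .html or .php
# file there points to a dropped page or a web shell rather than a media upload.
SUSPICIOUS_IN_UPLOADS = {".html", ".htm", ".php", ".phtml"}


def scan_wp_content(wp_content):
    """Return sorted findings (strings) for suspicious entries under a wp-content directory.

    Flags: (1) any directory whose name looks like a hostname, (2) HTML/PHP files under
    uploads/, (3) HTML files inside themes/ (themes are PHP templates; a stray index.html
    in a theme subtree is unexpected). Paths are reported relative to wp-content.
    """
    root = Path(wp_content)
    findings = []
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        top = rel.split("/", 1)[0]          # uploads, themes, plugins, ...
        if path.is_dir() and HOSTNAME_DIR.match(path.name):
            findings.append("hostname-like directory: " + rel)
        elif path.is_file():
            ext = path.suffix.lower()
            if top == "uploads" and ext in SUSPICIOUS_IN_UPLOADS:
                findings.append("executable/html file in uploads: " + rel)
            elif top == "themes" and ext in {".html", ".htm"}:
                findings.append("html file in theme tree: " + rel)
    return sorted(findings)


def build_sample_tree():
    """Construct a throwaway wp-content layout (sample data, not a real site)."""
    base = tempfile.mkdtemp(prefix="wp-content-")
    files = [
        "themes/twentyten/style.css",
        "themes/twentyten/index.php",
        "themes/twentyten/www1.royalbank.com/index.html",   # path from the thread
        "uploads/2011/07/photo.jpg",
        "uploads/2011/www1.royalbank.com/index.html",       # path from the thread
        "uploads/wpcf7_captcha/.htaccess",                  # benign captcha dir
        "plugins/contact-form-7/wp-contact-form-7.php",
    ]
    for name in files:
        p = Path(base, name)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample\n")
    return base


if __name__ == "__main__":
    for line in scan_wp_content(build_sample_tree()):
        print(line)
```

Run it against a real installation by passing the site's wp-content path to scan_wp_content; compare its output against a known-good listing of the theme and plugin directories before acting on any hit.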
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/