Nmap Development mailing list archives

[NSE] Backdoored wordpress plugins
From: Henri Doreau <henri.doreau () greenbone net>
Date: Thu, 23 Jun 2011 20:31:19 +0200


starting a thread here after discussing the subject with Djalal and Paulino.

According to the WordPress blog[1], three WordPress plugins have been
backdoored recently. Thousands of installations might be affected[2] and
it would be very nice to have a detection script for NSE.

Some information about the backdooring code is available at [3]. Code
to execute is sent via the HTTP headers or cookies, making me think
that simply adding entries to http-enum isn't possible for detection.

We have a WordPress plugin detection script that could run
additional checks if one of these plugins is detected.
http-wp-plugins.nse could also store detected plugins into the
registry, to be read by detection scripts, but that might also bloat

Another option is to write completely autonomous script(s) dedicated
to detecting these backdoors. This is how http-malware-host works.


[1] http://wordpress.org/news/2011/06/passwords-reset
[2] http://wpmu.org/wordpress-security-exploit-found-upgrade-wptouch-addthis-and-w3-total-cache
[3] http://adamharley.co.uk/2011/06/wordpress-plugin-backdoors

Henri Doreau |  Greenbone Networks GmbH  |  http://www.greenbone.net
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
