• Resolved itmonitor

    (@itmonitor)


    Hello,

    We have a www.remarpro.com website hosted in a KVM. We noticed that we regularly suffer from unauthorized uploads of script exploits (copied below), which use the WordPress files admin-post.php and admin-ajax.php to upload those scripts.

    I deleted the exploit files from the server. I set (again) the WordPress folders to 755 and files to 644. I wonder if there is anything you can do to prevent those WordPress files from being used to upload exploits onto a server.

    Looking forward to your reply,

    Rgs

    IM

    Web referer URL :
    Local IP : xxx
    Web upload script user : nobody (99)
    Web upload script owner: xxxxxx (1001)
    Web upload script path : /home/xxxxxx/public_html/wp-admin/admin-ajax.php
    Web upload script URL : https://xxxxxxx/wp-admin/admin-ajax.php
    Remote IP : 205.185.123.173 FrantechSolutions
    Deleted : No
    Quarantined : No

    ----------- SCAN REPORT -----------
    TimeStamp:
    (/usr/sbin/cxs --nobayes --cgi --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --noforce --html --mail root --options mMOLfSGchexdnwZDRru --qoptions Mv --quiet --sizemax 1000000 --smtp --ssl --summary --sversionscan --timemax 30 --nounofficial --novirusscan /tmp/20180917-015445-W59BpduidjdfatuYgCKlMwAAABg-file-2LHfFB)

    '/tmp/20180917-015445-W59BpduidjdfatuYgCKlMwAAABg-file-2LHfFB'
    Known exploit = [Fingerprint Match] [RFI Exploit [P1419]]

Viewing 8 replies - 1 through 8 (of 8 total)
  • Do you have a list of your active plugins you could provide us? The admin-ajax.php file is used by several plugins to send AJAX requests, so it could be one of your third-party plugins sending a jQuery or AJAX request to a custom method which could be unsafe.
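The point made in the reply above is that admin-ajax.php is only a dispatcher: the `action` parameter in the request selects a handler registered by some plugin, and it is that handler, not WordPress core, that decides who may call it and what it does with an uploaded file. The following is an added illustration (not code from this thread, from WordPress core or from any named plugin) of a plugin upload handler in the unsafe shape that produces exactly the symptom reported here, next to a hardened version. The `myplugin_` prefix, the hook names and the action names are hypothetical; the WordPress functions used (`add_action`, `check_ajax_referer`, `current_user_can`, `wp_handle_upload`, `wp_send_json_*`, `wp_create_nonce`) are real core APIs.

```php
<?php
/*
 * Added example for this thread, not code from the page or any real plugin.
 * All "myplugin_" names, hooks and actions below are hypothetical.
 */

/* ---------- VULNERABLE ----------
 * wp_ajax_nopriv_* registers the handler for visitors who are NOT logged in,
 * so any remote client can POST /wp-admin/admin-ajax.php with
 * action=myplugin_upload and a file. Nothing checks a nonce, a capability
 * or the file type, and the original filename is kept, so shell.php lands
 * at a predictable path under wp-content/uploads/ and runs as the web user
 * ("nobody" in the scan report above).
 */
add_action( 'wp_ajax_nopriv_myplugin_upload', 'myplugin_upload_unsafe' );
add_action( 'wp_ajax_myplugin_upload',        'myplugin_upload_unsafe' );

function myplugin_upload_unsafe() {
    $dir    = wp_upload_dir();
    $target = $dir['basedir'] . '/' . basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $target );
    wp_send_json_success( array( 'path' => $target ) );
}

/* ---------- HARDENED ----------
 * 1. No nopriv hook: only authenticated users reach the handler at all.
 * 2. check_ajax_referer() dies with HTTP 403 unless the request carries a
 *    nonce created for this specific action (see the enqueue code below).
 * 3. current_user_can('upload_files') ties the action to a real capability.
 * 4. wp_handle_upload() runs the core type/extension checks, rejects PHP
 *    and other executable types, and renames the file, so the attacker
 *    neither controls the content type nor the final path.
 */
add_action( 'wp_ajax_myplugin_upload_safe', 'myplugin_upload_safe' );

function myplugin_upload_safe() {
    check_ajax_referer( 'myplugin_upload', '_ajax_nonce' ); // 403 on failure

    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';

    // test_form=false because this is an AJAX post, not the classic media
    // form; 'mimes' restricts this handler to image types only, which is
    // narrower than the site-wide allowed list.
    $result = wp_handle_upload(
        $_FILES['file'],
        array(
            'test_form' => false,
            'mimes'     => array(
                'jpg|jpeg' => 'image/jpeg',
                'png'      => 'image/png',
            ),
        )
    );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

/* The nonce the hardened handler expects has to be handed to the browser
 * by the plugin itself; a hypothetical myplugin.js would send it as the
 * _ajax_nonce POST field together with action=myplugin_upload_safe.
 */
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue' );

function myplugin_enqueue() {
    wp_enqueue_script( 'myplugin', plugins_url( 'myplugin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin', 'myplugin', array(
        'ajaxurl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'myplugin_upload' ),
    ) );
}
```

When triaging a site like the one in this thread, the useful question is therefore not "admin-ajax.php was used" but which `action=` value the remote IP posted: that name maps directly to the `wp_ajax_nopriv_<action>` hook of one installed plugin, and a grep for `wp_ajax_nopriv_` across `wp-content/plugins/` shows every handler that is reachable without logging in. Any of them that touches `$_FILES`, writes to disk or evaluates input without a nonce and capability check is a candidate for the entry point.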

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter itmonitor

    (@itmonitor)

    @milardovich thank you. Please, is there a way I can send the plugin list to you through Private Message?

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    No there is not a way you can private message and attempting to do so is not allowed. You’re asking for help on a public forum. If you want help then you need to use the forum.

    Thread Starter itmonitor

    (@itmonitor)

    @anevins thank you Andrew. Publicly listing the WordPress plugins installed on my server would bring security risks. Do you have any option to keep this list confidential?

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Nope

    Thread Starter itmonitor

    (@itmonitor)

    Thank you. Seems like there could be a vulnerability in WordPress or in one plugin that could be in use by many www.remarpro.com users and bringing them potential risk (data, information, whatever). I am trying to help find out this vulnerability and eliminate it. If there is anybody from WordPress security reading this thread and to whom I can send a PM or email with my plugins list, I am ready to cooperate. Thank you.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    There is nothing confidential or vulnerable about listing your plugins, but it matters not. You are hacked and you need to work through the recommended articles to delouse your site. Looking through infected plugins after you’ve been hacked isn’t the way to do that.

    If you’ve missed my reply, here it is again:
    Follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    You have not demonstrated an issue with WordPress core; Edit: Or in a plugin or theme.

  • The topic ‘WordPress security issue – upload webscript’ is closed to new replies.