Open GoogleCodeExporter opened 9 years ago
I was also hacked. Got an email bounce notification that tipped me off to look
in the upload/files/ folder. Found two PHP files: wtindex.php and
n8731157tp.php. I couldn't tell what they do but I removed them and changed my
password. Would like to know of any patch necessary to prevent this.
Original comment by m...@xternaldesign.com
on 18 Feb 2015 at 2:41
The priority on this should be higher. For the second time it's happened to a
site I run and I have to find a way around or go with a different solution.
Original comment by Ner...@gmail.com
on 19 Feb 2015 at 8:03
Totally dumb question but I'm guessing that because this exploits the
process-upload.php file that it circumvents the sys.includes.php file or any of
the security settings for preventing php files? I have my security settings to
not allow anything other than a graphics file to the upload folder but assume
that they are getting around this?
Original comment by no...@isp-vft.com
on 19 Feb 2015 at 9:06
That is correct, it bypasses the security settings and apparently has been
around for a while. For now I've renamed the problem file and prevented the
upload directory from executing any files.
Original comment by Ner...@gmail.com
on 20 Feb 2015 at 12:55
[deleted comment]
I am not sure what Ner...@gmail.com means, but I tried to follow his advice. I
placed a .htaccess file in upload/files/ and turned off PHP execution as
explained at
https://stackoverflow.com/questions/6368777/how-to-prevent-uploaded-file-from-being-executed
. Everything still seems to work, as far as I can see. I hope this
helps a little, but a real fix would be better. This issue should have a higher
priority!
Original comment by kleemann...@gmail.com
on 20 Feb 2015 at 2:01
kleemann... thanks for that. I just added. Hope it prevents further problems.
Original comment by m...@xternaldesign.com
on 20 Feb 2015 at 6:54
The script would check for process_upload.php, I renamed it to something
random. It appears to only be referenced in upload-from-computer.php.
It is possible to find out what the newly renamed file is, but that would need
to register and login. While not a fix, it makes it more difficult and manual for
the attacker.

    def check
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, 'process-upload.php')  # <----- hard-coded file name
      )
      if !res
        vprint_error("#{peer} - Connection timed out")
        return Exploit::CheckCode::Unknown
      elsif res.code.to_i == 404
        vprint_error("#{peer} - No process-upload.php found")  # <-------- 404 once the file is renamed
        # (remainder of the method not included in the original comment)
      end
    end
Original comment by Ner...@gmail.com
on 20 Feb 2015 at 7:08
Original issue reported on code.google.com by
kleemann...@gmail.com
on 27 Jan 2015 at 6:17