Possible security issue with my server

Someone else posted recently about it happening to them too. Scary. How did you find it?

The DOD called me. (Honest to God)

And its odd, the washington folder was added in my web root, which makes me think it was wordpress.

the washington folder was added in my web root, which makes me think it was wordpress.

Ummm…… how so?

I’d have to think that the folder being added to your web root indicates an insecure server, not an issue with WP.

Hmm. Seems I’m not the only one https://www.ads-software.com/support/topic.php?id=26488. My host is currently trying to track down what happened. Not trying to yell FIRE but taking a peek at the raw access logs and it looks to this untrained eyed like someone was able to access the wordpress directory and managed to gleen a password?

Any of this make sense to anyone? The same IP first pulled the whole /wp directory then I see this about 25 time in a row then the same (three requests) for the wp-admin.php file

[07/Mar/2005:00:54:11 -0500] “GET /wp/wp-pass.php HTTP/1.1” 302 5 “-“
“Java/1.4.2_04”

4 minutes later is the time stamp of the first of 15 spam posts, with no requests in between… I just want to find out what happened so I can plug the hole.

cross posted at:
https://www.ads-software.com/support/topic.php?id=26488

Er…scary indeed….let me know when to abandon ship, or if there’s a fix I might swab the decks.

What 0ther applications do you have running on your server?

I think you should be coming to the forum AFTER you have checked out everything with your host. At this point, you are simply crying wolf without having all of the facts at hand.

Sorry if I offended NM, I thought this was a support forum for an application I’m having problems with. I tend to respond better to suggestions and solutions rather than admonishments. Not all of us are mavens.

Back to the issue at hand – could it possibly be a permissions problem? i.e. the famous 5 minute install for 1.5 (I used fantastico to install) doesn’t set permissions correctly? I’m just trying to figure out what went wrong.

MJ, your story is different from mcangeli’s – you had someone making posts, he had someone uploading a phishing folder at the root level of his server – the only similarity is that you both had your sites hacked.

My apologies, that came off harsher than I intended. Just a tad frustrated is all.

MJ,
Apologies accepted. Not a big deal. I can certainly understand your frustration as well as the angst of wondering what happened. It’s just that it’s very important to have all the facts in hand so that we can accurately determine if WordPress actually does have a vulnerability. Otherwise conjecture takes over and misinformation begins flying all over the place.

Here’s what I’ve done:

Added an .htaccess file to the /wp directory. Change all permissions to what I *think* they should be (see: https://www.ads-software.com/support/topic.php?id=21139#post-120173 ) as well as change all passwords (ftp/cpanel/wp login). If it happens again – I am at a loss, but you’ll be the first to know ??

NM, I’m running wordpress and gallery. Those are the only scripts on this site. That being said, before I came here, I went to my host. I changed all passwords on the scripts, ftp and even my login with my host.

I posted on this site to see if anyone was aware of any holes in the wordpress system. I’m fairly certain that it wasn’t a problem of an insecure server and I honestly do not appreciate the subject of this post being changed (it made it harder to find, as I was looking for the topic I POSTED).

I’m working with my host. I’m checking on the gallery script, which resides in gallery/. The folder that was created was created in my webroot. As I said, the only thing immediately there is the wordpress code. I’m attempting to get any and all available logs from my host, however thats proving a little harder than I had hoped.

As another note, I have asked them to check for a root kit as well.

And if you read the original message:

I don’t know if its a hole in WordPress, gallery or my passwords in general, but someone gained access to my server and added a bank login to my domain. I wanted to send out a heads up to everyone out there, keep an eye on your domains. I’m working with my host to find out how it was done.

Mark

I didn’t cry fire. I said keep an eye on your sites, I’m still working on what the cause was.