• Just went through my 404 logs for one site. The following list is from various fishing expeditions. I can only assume they want to exploit the sites which have these themes/plugins. You’ll notice many of the same file names in different plugins. I’ve removed only my domain name.

    https://.com/wp-content/plugins/wp-property/readme.txt
    https://.com/wp-content/themes/lightspeed/framework/_scripts/valums_uploader/php.php
    https://.com/wp-content/themes/nuance/functions/jwpanel/scripts/valums_uploader/php.php
    //FCKeditor/editor/filemanager/connectors/test.html
    https://.com/wp-content/themes/saico/framework/_scripts/valums_uploader/php.php
    https://.com/wp-content/themes/eptonic/functions/jwpanel/scripts/valums_uploader/php.php
    https://.com/wp-content/themes/skyd/framework/_scripts/valums_uploader/php.php
    https://.com/wp-content/themes/skinizer/framework/_scripts/valums_uploader/php.php
    //FCKeditor/editor/filemanager/connectors/uploadtest.html
    https://.com/wp-content/themes/area53/framework/_scripts/valums_uploader/php.php
    https://.com/wp-content/themes/switchblade/framework/_scripts/valums_uploader/php.php
    https://.com/wp-content/plugins/woopra/readme.txt
    https://.com/wp-content/plugins/seo-watcher/readme.txt
    https://.com/wp-content/plugins/formidable/pro/js/nicedit.js
    //FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
    /wp-includes/js/jquery/jquery-migrate.min.js
    //FCKeditor/editor/filemanager/browser/default/connectors/test.html
    https://.com/wp-content/themes/blinc/framework/_scripts/valums_uploader/php.php
    https://.com/wp-content/themes/clockstone/style.css
    https://.com/wp-content/themes/increase/style.css
    https://.com/MuraProxy.cfc?method=isValidSession&authtoken=
    https://.com/wp-content/plugins/pretty-link/readme.txt
    https://.com/wp-content/plugins/
    /MuraProxy.cfc?method=isValidSession&authtoken=
Viewing 4 replies - 1 through 4 (of 4 total)
  • At first glance, most of those requests look like the standard fare when you get hit with a wpscan script that’s run specifically to enumerate known vulnerable themes and plugins. If they’re all from one ip, just block the numbskull in .htaccess, but you may find that each request (can be dozens at a time) will also appear to be from a different ip address.

    If any returned a 200, then you need to take a closer look at the target.
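As an added example (not code from this thread or from WordPress), a small Python triage over constructed access-log lines in Apache combined format: it counts probe requests per source IP, using path patterns taken from the list above, and flags any probe that returned 200, which is the case the reply above says deserves a closer look.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format; not from the poster's logs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:08:01:02 +0000] "GET /wp-content/plugins/wp-property/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:08:01:03 +0000] "GET /wp-content/themes/lightspeed/framework/_scripts/valums_uploader/php.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2014:08:05:10 +0000] "GET //FCKeditor/editor/filemanager/connectors/test.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2014:08:05:11 +0000] "GET /wp-content/plugins/pretty-link/readme.txt HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2014:08:10:00 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2014:08:10:01 +0000] "GET /MuraProxy.cfc?method=isValidSession&authtoken= HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD path PROTOCOL", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# Path patterns seen in the 404 list above. Double slashes (//FCKeditor) still match.
PROBE_PATTERNS = [
    re.compile(r'valums_uploader/php\.php$'),
    re.compile(r'/FCKeditor/'),
    re.compile(r'^/wp-content/(plugins|themes)/[^/]+/readme\.txt$'),
    re.compile(r'MuraProxy\.cfc'),
]

def parse_line(line):
    """Return {ip, ts, method, path, status} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec

def is_probe(path):
    """True if the request path matches one of the scanner patterns above."""
    return any(p.search(path) for p in PROBE_PATTERNS)

def triage(log_text):
    """Count probe requests per IP and list probes that were answered with 200."""
    per_ip = defaultdict(int)
    hits_200 = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_probe(rec['path']):
            continue
        per_ip[rec['ip']] += 1
        if rec['status'] == 200:  # the file exists: check that plugin/theme is current
            hits_200.append((rec['ip'], rec['path']))
    return {'per_ip': dict(per_ip), 'hits_200': hits_200}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A readme.txt answered with 200 means the plugin is installed and its version is publicly readable, so the thing to verify is that it is up to date, not that the request came from a particular IP.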

    Thread Starter SickSquirrel

    (@sicksquirrel)

    Different IPs over a period of ten days. I added all class C IPs but now I have 50+ IPs in my .htaccess list. Busy site so more strain on server. About one-third are .ru and .pl and .ua.

    Moderator bcworkz

    (@bcworkz)

    Blocking IPs is always a catch up game, they are constantly finding new IPs to launch from. As long as you have no outdated, vulnerable theme or plugins, and you immediately update as soon as available, there’s little to worry about really. I’ll wager nearly every one of those scanned for has been patched. You have to weigh risk against server performance. If you need the performance, let them scan away, they won’t find anything. Just be sure your 404 page has the bare minimum content. And just in case, always keep good backups.

    If nothing else, such logs make a handy list of themes and plugins to avoid ??

    Thread Starter SickSquirrel

    (@sicksquirrel)

    If nothing else, such logs make a handy list of themes and plugins to avoid ??

    Exactly why I posted it. Check to be sure it was updated recently, ask the coders if it was patched, always do homework before installing. Better to be safe than sorry!!

  • The topic ‘Potential theme & plugins exploits’ is closed to new replies.