• I moved my WordPress blog to a new host last week, installing it by hand since Fantastico did not at the time have version 2.0.2.

    Today, when using FTP, I noticed a new directory had been added to the root of that domain (in public_html) called A7A. At first I thought it was a plugin. When I looked at the text file there, it appeared to be a php mailer of some sort.

    I feel that someone/something has hacked into my directory to add this program, which presumably would be used to send spam.

    I deleted the A7A directory, but wonder if there is some additional protection I need to add, without compromising the functionality (writeability) of my blog. Permissions on the public_html directory are: drwxr-xr-x

    Or is this a security flaw that WordPress needs to investigate?

    Thanks,

    Edgar

Viewing 5 replies - 16 through 20 (of 20 total)
  • Thread Starter dworsky

    (@dworsky)

    I tried to view the ftp logs without much success, and then finally did get to see logs of activity (but I don’t know that they were ftp logs).

    Below is a sample from the log I was able to access:

    196.204.154.141 - - [12/May/2006:04:51:39 -0400] "POST /a7a/ HTTP/1.1" 200 7656 "https://www.mouseprint.org/a7a/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    196.204.154.141 - - [12/May/2006:04:51:42 -0400] "GET /a7a/ima.jpg HTTP/1.1" 304 - "https://www.mouseprint.org/a7a/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    196.204.154.141 - - [12/May/2006:04:51:42 -0400] "GET /a7a/images/success.gif HTTP/1.1" 304 - "https://www.mouseprint.org/a7a/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    ==========

    Several different IP addresses accessed the A7A subdirectory, but this one seemed to come up the most.

    Tech support at Site5 also said:

    >>Also, I looked at our ftp logs and do not see the A7A directory uploaded via this method which means a security hole was likely used in wordpress to do this. Please check over your access logs for any suspicious requests. <<

    I am over my head at this point in trying to interpret logs… but I thought I would post what has happened based on comments provided here.

    Edgar
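    The log lines above are in the standard Apache "combined" format, and the useful defensive questions are: which addresses hit the planted directory, which of them POSTed to the mailer (a POST to /a7a/ is the spam-sending action), and when the directory was first requested, which bounds the time it was created. The script below is an added example, not code from the thread or from WordPress; it parses combined-format lines, counts requests and POSTs per IP under a chosen path prefix, and reports the earliest hit. The sample input reuses the three lines posted above plus one constructed benign request, so it runs offline.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log format: ip ident user [time] "req" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The three lines from the post above, plus one constructed benign request
# from a different address so the filter has something to ignore.
SAMPLE_LOG = [
    '196.204.154.141 - - [12/May/2006:04:51:39 -0400] "POST /a7a/ HTTP/1.1" 200 7656 '
    '"https://www.mouseprint.org/a7a/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '196.204.154.141 - - [12/May/2006:04:51:42 -0400] "GET /a7a/ima.jpg HTTP/1.1" 304 - '
    '"https://www.mouseprint.org/a7a/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '196.204.154.141 - - [12/May/2006:04:51:42 -0400] "GET /a7a/images/success.gif HTTP/1.1" 304 - '
    '"https://www.mouseprint.org/a7a/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    # constructed: an ordinary visitor reading the blog
    '203.0.113.7 - - [12/May/2006:05:02:10 -0400] "GET /index.php HTTP/1.1" 200 12345 '
    '"-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_time(stamp):
    """Convert '12/May/2006:04:51:39 -0400' into an aware datetime."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def summarize(lines, prefix="/a7a/"):
    """Summarize requests whose path starts with prefix (case-insensitive).

    Returns (hits_per_ip, posts_per_ip, first_seen, unparsed_count).
    first_seen is the earliest timestamp string for the prefix, or None.
    """
    hits = Counter()
    posts = Counter()
    first_seen = None
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # keep a count so a format mismatch is visible
            continue
        if not rec["path"].lower().startswith(prefix.lower()):
            continue
        hits[rec["ip"]] += 1
        if rec["method"] == "POST":
            posts[rec["ip"]] += 1  # POST to the mailer is the spam-sending action
        ts = parse_time(rec["time"])
        if first_seen is None or ts < parse_time(first_seen):
            first_seen = rec["time"]
    return hits, posts, first_seen, unparsed


if __name__ == "__main__":
    hits, posts, first, bad = summarize(SAMPLE_LOG)
    print("first request under /a7a/:", first)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} requests, {posts[ip]} POSTs")
    print("unparsed lines:", bad)
```

    To use it on a real log, replace SAMPLE_LOG with the file's lines (for example `open("access_log").readlines()`); the earliest timestamp under the prefix tells you how far back to look in the same log for the request that created the directory, and the POST counts separate the addresses that merely fetched the page from the ones that actually sent mail through it.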

    “Dear Site5,
    If you genuinely believe that WordPress has a vulnerability that you have discovered you owe it to the wider community to submit that information – without delay – to [email protected]. Until then, it’s entirely your problem.

    And given that you believe WordPress to be flawed should you not withdraw it from fantastico and also close all WordPress accounts on your servers to prevent your servers being used by spammer en masse?”

    Just to note.. I am also with site5, and run WordPress (I think I was running version 2.0.1). 3 days ago I had my site hacked (root directory cleaned, and new index.htm added).
    Although the A7A directory was not added, so it is not the same problem, he did seem to create a new subdomain and sub directory. The WP database was also wiped, but none of the wp files were removed/damaged.
    I have now upgraded to 3.0.3, but would love to know how he got in, so it doesn’t happen again.
    I have also reported this to site5, and will let you know what they say.

    If you were running an older version 3 days ago .. well that answers your question as today is well over a month beyond 2.03’s release.

    In other words, worrying about how they “got in” doesn’t matter if you don’t keep up with security updates. Simply put they got in because of your lax web-mastering.

    edited: my bad otto

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    1. You replied to a one year old thread.

    Actually, 2 months old.

    But most likely, the guy got in by some other method, not via WordPress. There were a few hacks available for 2.01, but they required special circumstances.

  • The topic ‘Security Alert? A7A php mailer’ is closed to new replies.