Resolved
SickSquirrel

    (@sicksquirrel)


    I just looked through my 404 Monitor results for today. I saw about 130 entries where they looked for a file. Each entry was a different theme but the same file. I need to know what it does, how it can be exploited (so y’all can patch) and if I can disable (rename) it if I don’t want uploads by anyone.

    The URL is https://www.domain.com/wp-content/themes/theme-name/functions/upload-handler.php

    I’m assuming it allows uploads to the site and the upload is an exploit of some type.

Viewing 7 replies - 1 through 7 (of 7 total)
  catacaustic

    (@catacaustic)

    WordPress themselves can’t do much about that. It looks like it’s a direct attempt to hack an insecure upload, and most likely from a particular vendor. Can you give a couple of examples of the theme folders that you’re seeing?

    As far as security goes, as long as your theme/themes don’t have that file, then you don’t need to worry. You’ll only ever serve out the 404 pages, which may not seem like the best idea, but it at least tells the wanna-be hackers that your site doesn’t have those files. If your theme/themes do have that file, contact the theme’s author for more advice.

    wplamp

    (@wplamp)

    I did a quick search for the file they’re looking for and found this.

    https://www.exploit-db.com/exploits/29946/

    Thread Starter SickSquirrel

    (@sicksquirrel)

    Thanks. If my theme has it, can I rename it?

    catacaustic

    (@catacaustic)

    You can, but it might break something. If it was me, I’d move to a different theme (from a different provider, as it seems like that exploit is fairly widespread) so that I don’t have any chance of this issue. Just renaming a file can work for a short time – until the bots find the new file anyway.

    Thread Starter SickSquirrel

    (@sicksquirrel)

    Oh I don’t use their themes. In the back of my mind I’m concerned that this might snowball to all themes and all are vulnerable.

    What this does do is remind me to list all my original themes and child themes and their originator. This way I have a quick reference when theme exploits are discovered.

    catacaustic

    (@catacaustic)

    It’s that particular file that’s vulnerable, so unless the theme uses that code, that vulnerability isn’t relevant to the theme.

    That’s not saying that every theme that doesn’t use that script is safe, it only means that it doesn’t have that particular vulnerability.

    Thread Starter SickSquirrel

    (@sicksquirrel)

    I just ran through each wp-content directory on each site. None has the /functions folder, so I’m definitely sure I’m okay.

    I know it’s the file, not the theme, that is vulnerable. I just meant the theme is dangerous because it has that file. If these themes use a particular exploit, it might unknowingly be in others. There should be a repository for every theme. In case of an exploit, every theme listed could be tested.

    If I had my server like I used to, I’d donate a partition to this cause. In theory it’s a good idea. You just need space, bandwidth, a security expert, an empty machine to test themes, more security experts who know Linux, Ubuntu, Apple and other OSes, as well as the patience to deal with it all.

    You just need that.
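An added shell example, not code from this thread or from any theme vendor, covering the two checks described in this post and in the earlier one about listing themes and their originators: it walks every directory under wp-content/themes, reads the Theme Name, Author and Template headers that WordPress itself keeps in each theme's style.css to build the inventory, flags any theme that ships functions/upload-handler.php (the path the scanners in this thread were requesting), and counts which client addresses requested that path in a web server access log so the 404 Monitor figures can be cross-checked against the raw log. The sample theme tree, the placeholder PHP file and the access-log lines are constructed for the demo and are not real data.

```shell
#!/usr/bin/env bash
# Added example: audit wp-content/themes for the probed upload script and
# inventory each theme's origin from its style.css header block.

# Relative path the scanners in the thread were requesting under each theme.
PROBED_FILE="functions/upload-handler.php"

# theme_header <style.css> <Field>: print the value of a style.css header
# such as "Theme Name", "Author" or "Template" (the first match), or nothing.
theme_header() {
    sed -n "s/^[[:space:]*]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r'
}

# inventory_themes <themes_dir>: one tab-separated line per theme:
# directory, Theme Name, Author, parent Template (or "none"), status.
inventory_themes() {
    local themes_dir="$1" dir name author template status
    for dir in "$themes_dir"/*/; do
        [ -f "$dir/style.css" ] || continue      # not a theme directory
        name=$(theme_header "$dir/style.css" "Theme Name")
        author=$(theme_header "$dir/style.css" "Author")
        template=$(theme_header "$dir/style.css" "Template")
        if [ -f "$dir/$PROBED_FILE" ]; then
            status="HAS-UPLOAD-HANDLER"
        else
            status="ok"
        fi
        printf '%s\t%s\t%s\t%s\t%s\n' \
            "$(basename "$dir")" "$name" "$author" "${template:-none}" "$status"
    done
}

# themes_with_probed_file <themes_dir>: directory names of themes that ship the file.
themes_with_probed_file() {
    inventory_themes "$1" | awk -F'\t' '$5 != "ok" { print $1 }'
}

# probe_sources <access_log>: client IPs that requested the probed path,
# most frequent first, as "ip count" (expects Apache/nginx combined format).
probe_sources() {
    grep -F "/$PROBED_FILE" "$1" | awk '{ print $1 }' | sort | uniq -c \
        | sort -rn | awk '{ print $2, $1 }'
}

# Constructed sample themes tree (hypothetical theme names) so the script runs offline.
# Prints the path of the themes directory it created.
make_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/themes/alpha" "$root/themes/beta/functions" "$root/themes/gamma-child"
    printf '/*\nTheme Name: Alpha\nAuthor: Alpha Labs\nAuthor URI: https://alpha.example\n*/\n' \
        > "$root/themes/alpha/style.css"
    printf '/*\nTheme Name: Beta\nAuthor: Beta Themes\n*/\n' > "$root/themes/beta/style.css"
    # Placeholder standing in for the probed script; not the real file.
    printf '<?php // placeholder\n' > "$root/themes/beta/$PROBED_FILE"
    printf '/*\nTheme Name: Gamma Child\nAuthor: Me\nTemplate: alpha\n*/\n' \
        > "$root/themes/gamma-child/style.css"
    printf '%s\n' "$root/themes"
}

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2019:12:00:01 +0000] "GET /wp-content/themes/alpha/functions/upload-handler.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2019:12:00:02 +0000] "GET /wp-content/themes/beta/functions/upload-handler.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2019:12:00:03 +0000] "POST /wp-content/themes/other/functions/upload-handler.php HTTP/1.1" 404 209 "-" "python-requests/2.22"
192.0.2.9 - - [10/Oct/2019:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"'

# Usage: bash theme-audit.sh /var/www/site/wp-content/themes [/var/log/apache2/access.log]
# With no arguments the functions are only defined, so the file can be sourced.
if [ -n "${1:-}" ]; then
    inventory_themes "$1"
    if [ -n "${2:-}" ]; then
        probe_sources "$2"
    fi
fi
```

Run it against each site's themes directory; a line ending in HAS-UPLOAD-HANDLER is a theme to take up with its author or replace, and the Template column shows which parent a child theme depends on, which is what makes the inventory useful when a vendor's code turns up in an advisory. The log check relies only on the request path, so it also catches probes that the 404 Monitor would miss if the file ever existed and returned 200.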

The topic ‘What do they want to exploit and how to stop it’ is closed to new replies.