Full Disclosure mailing list archives

Re: Possible Code Execution vulnerability in WordPress ?


From: Henri Salo <henri () nerv fi>
Date: Tue, 19 Jul 2011 13:06:09 +0300

On Sun, Jul 03, 2011 at 01:46:30PM +0200, Marc Manthey wrote:
> hello list,
>
> Sorry, this is my first post to this list, but I am really worried about a WordPress vulnerability, and someone on this list might use WordPress as well and could give me some advice on what to do.
>
> I have been using WordPress for 2 years without any trouble and update regularly, but last Friday I got a mail from my hoster that someone "uploaded" a phishing script into my "upload folder" in WordPress, and Google put my site on the blocklists as well.
>
> After I found out that the "contact form" module might cause the problem, because I always found a "wpcf7_captcha" directory in my "upload folder", I removed the module and all went fine for a day..
>
> http://let.de/wp-content/themes/twentyten/www1.royalbank.com/index.html
>
> Today I received another mail from rsa.com that the same script is still on my site, just in a "theme" folder.
>
> http://let.de/wp-content/uploads/2011/www1.royalbank.com/index.html
>
> I looked into the installed "phishing script" http://www.2shared.com/file/M9zwMVr5/www1royalbankcom.html
> It seems everything is loaded from https://www1.royalbank.com/, for example
> https://www1.royalbank.com/common/images/english/logo_rbc_rb.gif <
> but this is not the original banking site!!
>
> Is this a DNS manipulation? https://www1.royalbank.com < ??? When I try http://www.royalbank.com it redirects me to the original banking site at
>
> http://www.rbcroyalbank.com !!!!
>
> After I searched for some information, I found this on the full disclosure list, and I am a bit concerned now....
>
> [Full-disclosure] Code Execution vulnerability in WordPress http://seclists.org/fulldisclosure/2011/Apr/535
>
> Vulnerabilities in WordPress http://www.securityfocus.com/archive/1/510274
>
> Any idea what to do besides shutting my site down :)?
>
> regards
>
> Marc
>
> -------- Original Message --------
> Subject:   Fraudulent site, please shut down! [RBC 11266] IP: 91.184.33.25 Domain: let.de
> Date:      Sun, 3 Jul 2011 02:33:05 +0300
> From:      <afcc () rsa com>
> To:        <abuse () speedpartner de>
> CC:        <metz () speedpartner de>
>
> --  Les enfants teribbles - research / deployment
> Marc Manthey - Vogelsangerstrasse 97
> 50823 Köln - Germany
> Tel.: 0049-221-29891489
> Mobile: 0049-1577-3329231
> blog: http://let.de
> twitter: http://twitter.com/macbroadcast/
> facebook: http://opencu.tk

Which version of WordPress and which modules were you using? Do you have logs of the incident? I am including RBC in this
email as they are probably interested in the details. There might be other similar phishing pages active.

www1.royalbank.com has address 142.245.40.233
www.royalbank.com has address 142.245.34.203
royalbank.com has address 142.245.1.203
www.rbcroyalbank.com has address 142.245.1.15
rbcroyalbank.com has address 142.245.1.15

Whois of both domains:
---
   Registrant: 
      Royal Bank of Canada
      RBC Domain Registration
      330 Front St W - 4th Flr 
      Toronto, ON M5V 3B7
      CA
      Email: rbcdomainreg () rbc com

   Registrar Name....: CORPORATE DOMAINS, INC.
   Registrar Whois...: whois.corporatedomains.com
   Registrar Homepage: www.cscprotectsbrands.com 

   Domain Name: rbcroyalbank.com

      Created on..............: Thu, Nov 09, 2000
      Expires on..............: Sun, Nov 09, 2014
      Record last updated on..: Fri, Feb 11, 2011

   Administrative,Technical Contact:
      Royal Bank of Canada
      RBC Domain Registration
      330 Front St W - 4th Flr 
      Toronto, ON M5V 3B7
      CA
      Phone: +1.4163485121
      Email: rbcdomainreg () rbc com

   DNS Servers:

   ns4.rbc.com
   ns2.rbc.com
   ns1.rbc.com
   ns3.rbc.com
---

Reading this bug report http://core.trac.wordpress.org/ticket/17969 tells me that there is still a possibility of a
vulnerability. I'll bet it is in one of the modules as well.

Best regards,
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
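A check a site owner in Marc's position could run while waiting for logs, added here as an example and not part of the thread or anyone's posted code: walk wp-content/uploads, where WordPress itself only writes media, and flag page or script files as well as directories named after a hostname, which is how the kit in the thread was laid out (.../www1.royalbank.com/index.html). The extension lists, the constructed sample tree and its file contents are assumptions for the demonstration, not data from the incident.

```python
import os
import re
import tempfile

# Assumption (not from the thread): the site stores only media under
# wp-content/uploads, so any page or script file there is suspicious.
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".mp3", ".mp4", ".zip", ".txt"}
PAGE_OR_SCRIPT = {".php", ".phtml", ".php3", ".php5", ".html", ".htm", ".js"}

# Phishing kits are commonly unpacked into a directory named after the host
# they imitate (the thread shows .../www1.royalbank.com/index.html), so a
# hostname-shaped directory name is an indicator on its own.
HOSTNAME_DIR = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def scan_uploads(root):
    """Walk an uploads tree and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if HOSTNAME_DIR.match(d):
                rel = os.path.relpath(os.path.join(dirpath, d), root).replace(os.sep, "/")
                findings.append((rel, "directory named like a hostname"))
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in PAGE_OR_SCRIPT:
                findings.append((rel, "page or script file in media directory"))
            elif ext not in MEDIA_EXTENSIONS:
                findings.append((rel, "unexpected file type"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree (not real data) mirroring the layout from the thread."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    sample = {
        "2011/06/holiday.jpg": b"\xff\xd8\xff",                      # benign media
        "2011/www1.royalbank.com/index.html": b"<html>login</html>",  # phishing page
        "2011/www1.royalbank.com/logo_rbc_rb.gif": b"GIF89a",        # kit asset
        "2011/07/cache.php": b"<?php /* constructed stand-in for a web shell */ ?>",
        "2011/07/notes.bak": b"",                                    # odd leftover
    }
    for rel, data in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, reason in scan_uploads(root):
        print(f"{reason}: {rel}")
```

Point it at a live tree with `scan_uploads("/var/www/wp-content/uploads")` (path is an assumption). The same walk over wp-content/themes is worth running, since the first URL in the thread shows the kit under a theme directory, where a hostname-named subdirectory is equally out of place; a hit there is a file to preserve for the logs Henri asks about, not just to delete.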