Nmap Development mailing list archives
[NSE] Backdoored wordpress plugins
From: Henri Doreau <henri.doreau () greenbone net>
Date: Thu, 23 Jun 2011 20:31:19 +0200
Hello, starting a thread here after discussing the subject with Djalal and Paulino. According to the Wordpress blog[1] three wordpress plugins have been backdoored recently. Thousands installations might be affected[2] and it would be very nice to have a detection script for NSE. Some information about the backdooring code is available at [3]. Code to execute is sent via the HTTP headers or cookies, making me think that simply adding entries to http-enum isn't possible for detection. We have a wordpress plugins detection script, that could run additional checks if one of these plugin is detected. http-wp-plugins.nse could also store detected plugins into the registry, to be read by detection scripts, but that might also bloat it... Another option is to write completely autonomous script(s) dedicated to detect these backdoors. This is how http-malware-host works. Regards. [1] http://wordpress.org/news/2011/06/passwords-reset [2] http://wpmu.org/wordpress-security-exploit-found-upgrade-wptouch-addthis-and-w3-total-cache [3] http://adamharley.co.uk/2011/06/wordpress-plugin-backdoors -- Henri Doreau | Greenbone Networks GmbH | http://www.greenbone.net Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460 Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] Backdoored wordpress plugins Henri Doreau (Jun 23)
- Re: [NSE] Backdoored wordpress plugins Gutek (Jun 23)
- Re: [NSE] Backdoored wordpress plugins Paulino Calderon (Jun 23)
- Re: [NSE] Backdoored wordpress plugins Gutek (Jun 23)