Nmap Development mailing list archives

[NSE] Backdoored wordpress plugins


From: Henri Doreau <henri.doreau () greenbone net>
Date: Thu, 23 Jun 2011 20:31:19 +0200

Hello,

starting a thread here after discussing the subject with Djalal and Paulino.

According to the WordPress blog[1], three WordPress plugins have been
backdoored recently. Thousands of installations might be affected[2] and
it would be very nice to have a detection script for NSE.

Some information about the backdooring code is available at [3]. Code
to execute is sent via the HTTP headers or cookies, making me think
that simply adding entries to http-enum isn't possible for detection.

We have a WordPress plugins detection script that could run
additional checks if one of these plugins is detected.
http-wp-plugins.nse could also store detected plugins into the
registry, to be read by detection scripts, but that might also bloat
it...

Another option is to write completely autonomous script(s) dedicated
to detecting these backdoors. This is how http-malware-host works.

Regards.


[1] http://wordpress.org/news/2011/06/passwords-reset
[2] http://wpmu.org/wordpress-security-exploit-found-upgrade-wptouch-addthis-and-w3-total-cache
[3] http://adamharley.co.uk/2011/06/wordpress-plugin-backdoors

-- 
Henri Doreau |  Greenbone Networks GmbH  |  http://www.greenbone.net
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

