
Recent WordPress Plugin ‘scans’

By Dale Reagan | January 31, 2011

I am sure that most folks managing WordPress sites pay attention to their web server ERROR logs. I came across this set of very specific scans for WordPress plugins. I suspect that either some entity was simply ‘researching’ the use of these OR that these plugins may have some security concerns (this is unconfirmed), but the point is that this is the type of thing to keep an eye out for. If you are using ModSecurity (a WAF, Web Application Firewall) then you can configure filters to react to (and block) such scans.

So – should you:

  1. allow this type of access?  (If you don’t care then stop here…)
  2. be running these types of scans yourself?

############
The actual web request is something like:

“HEAD /path-to-Wordpress/wp-content/plugins/fmoblog_2_1/fmoblog.php HTTP/1.1”

HEAD ~/path_to_wp_plugins

  • /fmoblog_2_1/fmoblog.php
  • /simple-forum/sf-includes.php
  • /mylinksdump/myLinksDump.php
  • /downloads-manager/upload.php
  • /BackUp/Archive.php
  • /photoracer/prbrowse.php
  • /dm-albums/wp-dm-albums.php
  • /events-manager/events-manager.php
  • /wp-syntax/wp-syntax.php
  • /db-toolkit/plugincore.php
  • /wassup/spy.php
  • /event-registration/styles.css
  • /wp-adserve/adclick.php
  • /related-sites/BTE_RW_ge.php
  • /cpl/cplphoto.php
  • /wp-photo-album/wppa.php
  • /wp-download/wp-download.php
  • /sniplets/modules/syntax_highlight.php
  • /wp-cal/functions/editevent.php
  • /wordspew/wordspew-rss.php
  • /nextgen-smooth-gallery/nggSmooth.php
  • /wp-forum/forum_feed.php
  • /mingle-forum/feed.php
  • /wpSS/ss_load.php
  • /wp-shopping-cart/image_processing.php
  • /fgallery/fim_rss.php
  • /wp-filemanager/ajaxfilemanager/ajaxfilemanager.php
  • /ImageManager/manager.php
  • /wp-table/js/wptable-button.php
  • /wordtube/wordtube-button.php
  • /st_newsletter/stnl_iframe.php
  • /events-calendar/events-calendar.php

############
HEAD ~/path_to_wp_themes

  • /pyrmont-v2/style.css HTTP/1.1
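As an added example (not from the original post, and not a rule set the author published), the following ModSecurity 2.x rules react to the probe pattern shown above: HEAD requests for plugin PHP files that the server answers with 404. The rule ids (900100 to 900102), the collection variable name `wp_plugin_probe`, and the threshold (more than 10 misses within 60 seconds) are assumptions; adjust them to your own rule-id ranges and traffic. The persistent `ip` collection requires `SecRuleEngine On` and a writable `SecDataDir`.

```apache
# Added example, not from the original post. Requires SecRuleEngine On and
# SecDataDir set, since the per-client counter lives in the persistent
# "ip" collection. Rule ids and the 10-in-60s threshold are assumptions.

# Track per-client state keyed on the source address.
SecAction "id:900100,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Count HEAD requests for plugin PHP files that this server answered 404,
# i.e. probes for plugins this site does not have. No "^" anchor on the
# path, because WordPress may live under a sub-directory (/path-to-Wordpress/).
# The counter expires 60 seconds after the last miss.
SecRule REQUEST_METHOD "@streq HEAD" \
    "id:900101,phase:3,pass,nolog,chain"
    SecRule REQUEST_URI "@rx /wp-content/plugins/[^/]+/[^?]*\.php" "chain"
        SecRule RESPONSE_STATUS "@streq 404" \
            "setvar:ip.wp_plugin_probe=+1,expirevar:ip.wp_plugin_probe=60"

# Once a client has missed more than 10 times within the window, refuse its
# further requests for as long as the counter lives. Change deny to pass
# (keeping log) if you would rather alert than block.
SecRule IP:WP_PLUGIN_PROBE "@gt 10" \
    "id:900102,phase:1,deny,status:403,log,\
    msg:'WordPress plugin enumeration: %{ip.wp_plugin_probe} HEAD probes answered 404 in 60s from %{REMOTE_ADDR}'"
```

Counting only 404s keeps ordinary visitors out of the counter (a browser loading a page never issues HEAD for plugin scripts), but uptime monitors that use HEAD against a valid URL are unaffected too, since they get 200. A scanner that happens to hit plugins you do have will still be counted only for its misses, which is why the threshold should stay fairly low.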

Things to note about such scans:

  1. the request is to see if a very specific file exists
  2. the HEAD method returns only the status line and headers (200 vs. 404), with no body, so the scanner learns ‘found’ or ‘not found’ at minimal cost and the probe leaves little trace beyond the log entry
  3. what is the GeoIP information for the IP making these requests? In this case: SC, Seychelles
  4. is the IP/country associated with the plugin author(s)?
  5. once ‘found’, are additional requests made for the resource?
  6. are you using the latest version of these plugins? (hopefully, the latest version does not have any security issues..)

The preceding list is a starting point for reviewing such activity. If you determine/decide that the activity is malicious then you can either create a filter to deny such access or simply block the IP at the firewall level. As always, your mileage should vary. 🙂
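To work through items 1, 2 and 5 of the list above against a real access log, here is an added example (my own script, not from the original post) in POSIX sh and awk. It assumes the Apache “combined” log format and a WordPress install at the web root; the log lines it runs on are constructed for the example (TEST-NET addresses), not taken from the author’s server.

```sh
#!/bin/sh
# Added example: triage of WordPress plugin probes in an Apache "combined"
# format access log. Not from the original post. The awk field positions
# assume the combined format:
#   host ident user [time zone] "METHOD path HTTP/x" status bytes "referer" "agent"
# so $1 = client, $6 = "METHOD (with the opening quote), $7 = path, $9 = status.

# Constructed sample log (not real traffic). One address probes plugin files
# with HEAD, gets one hit (200), then comes back with GET for that file;
# a second address is an ordinary visitor loading a post and a stylesheet.
SAMPLE_LOG='203.0.113.7 - - [31/Jan/2011:10:02:11 -0500] "HEAD /wp-content/plugins/fmoblog_2_1/fmoblog.php HTTP/1.1" 404 - "-" "Mozilla/4.0"
203.0.113.7 - - [31/Jan/2011:10:02:11 -0500] "HEAD /wp-content/plugins/simple-forum/sf-includes.php HTTP/1.1" 404 - "-" "Mozilla/4.0"
203.0.113.7 - - [31/Jan/2011:10:02:12 -0500] "HEAD /wp-content/plugins/wp-syntax/wp-syntax.php HTTP/1.1" 200 - "-" "Mozilla/4.0"
203.0.113.7 - - [31/Jan/2011:10:02:12 -0500] "HEAD /wp-content/plugins/wassup/spy.php HTTP/1.1" 404 - "-" "Mozilla/4.0"
203.0.113.7 - - [31/Jan/2011:10:02:15 -0500] "GET /wp-content/plugins/wp-syntax/wp-syntax.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.9 - - [31/Jan/2011:10:03:40 -0500] "GET /2011/01/some-post/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Jan/2011:10:03:41 -0500] "GET /wp-content/plugins/wp-syntax/wp-syntax.css HTTP/1.1" 200 915 "http://example.com/2011/01/some-post/" "Mozilla/5.0"'

# probe_counts: per source IP, the number of distinct plugin paths probed with
# HEAD and how many of those probes were answered 404.
# Output: "ip distinct_paths notfound", one line per IP.
probe_counts() {
    awk '
        $6 == "\"HEAD" && $7 ~ /^\/wp-content\/plugins\// {
            key = $1 SUBSEP $7
            if (!(key in seen)) { seen[key] = 1; paths[$1]++ }
            if ($9 == "404") nf[$1]++
        }
        END { for (ip in paths) printf "%s %d %d\n", ip, paths[ip], nf[ip] + 0 }
    ' | sort
}

# scanners: IPs whose distinct probed plugin paths reach a threshold
# (default 3, an assumption; raise it on busy sites). Output: one IP per line.
scanners() {
    threshold="${1:-3}"
    probe_counts | awk -v t="$threshold" '$2 + 0 >= t + 0 { print $1 }'
}

# followups: plugin files an IP first confirmed with HEAD (status 200) and
# then fetched with GET, i.e. item 5 above ("once found, are additional
# requests made for the resource?"). Output: "ip path".
followups() {
    awk '
        $7 ~ /^\/wp-content\/plugins\// {
            if ($6 == "\"HEAD" && $9 == "200") found[$1 SUBSEP $7] = 1
            else if ($6 == "\"GET" && (($1 SUBSEP $7) in found)) print $1, $7
        }
    '
}

# Run against the constructed sample. For a real log, feed it on stdin, e.g.
#   scanners 5 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | probe_counts
printf '%s\n' "$SAMPLE_LOG" | scanners
printf '%s\n' "$SAMPLE_LOG" | followups
```

The `followups` output is the list worth acting on first: a probe that found a plugin and came back for it means the scanner now knows what you run, so check that plugin's version before anything else. Rotated or compressed logs can be fed in with `zcat access.log.*.gz | scanners`.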

Update: new scan on 2/2/2011

This scan uses a valid URI for your FQDN. Note the attempt to concatenate a second URI onto it to allow a POST operation: URL-decoded (%5B and %5D are [ and ], %3E is >), the request path reads `/URI [PLM=0] GET http://FQDN_URI [0,67572,72007] -> [N] POST http://FQDN_blog-path/wp-comments-post.php [R=500][0,0,1873]`, and wp-comments-post.php is the script WordPress comments are submitted to.

GET /URI+%5BPLM=0%5D+GET+http://FQDN_URI+%5B0,67572,72007%5D+-%3E+%5BN%5D+POST+http://FQDN_blog-path/wp-comments-post.php+%5BR=500%5D%5B0,0,1873%5D HTTP/1.1
GET /URI+%5BPLM=0%5D+GET+http://FQDN_URI+%5B0,67572,72007%5D+-%3E+%5BN%5D+POST+http://FQDN_blog-path/wp-comments-post.php+%5BR=500%5D%5B0,0,1873%5D HTTP/1.0
GET /URI+%5BPLM=0%5D+GET+http://FQDN_URI+%5B0,67572,72007%5D+-%3E+%5BN%5D+POST+http://FQDN_blog-path/wp-comments-post.php+%5BR=500%5D%5B0,0,1873%5D HTTP/1.0
GET /URI+%5BPLM=0%5D+GET+http://FQDN_URI+%5B0,67572,72007%5D+-%3E+%5BN%5D+POST+http://FQDN_blog-path/wp-comments-post.php+%5BR=500%5D%5B0,0,1873%5D HTTP/1.1
GET /URI+%5BPLM=0%5D+GET+http://FQDN_URI+%5B0,67572,72007%5D+-%3E+%5BN%5D+POST+http://FQDN_blog-path/wp-comments-post.php+%5BR=500%5D%5B0,0,1873%5D HTTP/1.0
GET /URI+%5BPLM=0%5D+GET+http://FQDN_URI+%5B0,67572,72007%5D+-%3E+%5BN%5D+POST+http://FQDN_blog-path/wp-comments-post.php+%5BR=500%5D%5B0,0,1873%5D HTTP/1.0
GET /URI+%5BPLM=0%5D+GET+http://FQDN_URI+%5B0,67572,72007%5D+-%3E+%5BN%5D+POST+http://FQDN_blog-path/wp-comments-post.php+%5BR=500%5D%5B0,0,1873%5D HTTP/1.1
GET /URI+%5BPLM=0%5D+GET+http://FQDN_URI+%5B0,67572,72007%5D+-%3E+%5BN%5D+POST+http://FQDN_blog-path/wp-comments-post.php+%5BR=500%5D%5B0,0,1873%5D HTTP/1.1
GET /URI+%5BPLM=0%5D+GET+http://FQDN_URI+%5B0,67572,72007%5D+-%3E+%5BN%5D+POST+http://FQDN_blog-path/wp-comments-post.php+%5BR=500%5D%5B0,0,1873%5D HTTP/1.0
GET / HTTP/1.0

All of the above requests resulted in 404 errors except the last one. The GeoIP data for the source addresses (below) points to a botnet at work: four different addresses in three countries, with all of the requests made within seconds of each other...

  1. CA, QC, Montreal, h3e1z6, 45.500000, -73.583298
  2. SG, 00, Singapore, N/A, 1.293100, 103.855797
  3. US, DC, Washington, 20005, 38.904202, -77.031998
  4. US, MI, Detroit, 48202, 42.375500, -83.077202

Topics: Computer Technology, Problem Solving, Savannah Georgia (USA), System and Network Security, Unix-Linux-Os, Web Problem Solving, Web Technologies, Wordpress Software
