http://downloads.securityfocus.com/vulnerabilities/exploits/php-iCalendar-221.upload.php
I have also been having issues with bogus accounts being created in WordPress this summer and interestingly discovered a very similar exploit written by the same author. I was fairly certain that the bogus accounts were being created by bots submitting the registration form or the hacker simply posting directly to the create-account script. I am curious now as to whether they might have also/instead been using this exploit as well:
http://downloads.securityfocus.com/vulnerabilities/exploits/php-iCalendar-221.upload.php
I have closed both of the security holes (upgraded WordPress and secured the directory where the upload script resides), but am curious if some of you would mind looking at the two exploit scripts. Although I am fairly confident that I am aware of all of the damage that was done and that I have cleaned it up, I am wondering if there are any obvious things you can see from the script that I should check on (things that they likely did or tried to do).
I understand that the best option after an exploit is to wipe the hard drive and reinstall, and that will happen, as I was already planning on doing that. But, in the meantime, it would be good to check all of the obvious/standard spots.
[1] The script mimics a WebDAV server and allows one to publish iCalendar files to the server.
_______________________________________________ UPHPU mailing list [email protected] http://uphpu.org/mailman/listinfo/uphpu IRC: #uphpu on irc.freenode.net
