Jump to content

Remote code execution


Recommended Posts

This isn't related to Processwire, but just so the PW community is aware, today we discovered several malicious files in our server (Wordpress environment). The code in the files ultimately allows for the same thing, remote code execution.

I'm guessing some security hole allowed an attacker to execute code via a plugin, which wrote a file to www.example.com/dump.php

This file contained the following code: http://pastebin.com/dsLZnbCW

After deciphering it slightly: http://pastebin.com/NiCe9ftn

I then realised it was looking for a post request variable "n59a097"

Malicious code was then being sent base64 encoded to this post variable, where it was then being decoded and run through the eval() function.

Digital Ocean alerted us of the issue, after our server had been reported to them for sending out spam email.

Just a heads up really as to the possibility of security holes allowing simple files to be written, that then allow for remote code execution.

I'm sure Processwire is far less a target than Wordpress for these types of exploits but keep an eye out.

  • Like 2
Link to comment
Share on other sites

  • 3 weeks later...
  • 2 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Create New...