On Sun, Jul 03, 2011 at 01:46:30PM +0200, Marc Manthey wrote:
> hello list,
> 
> Sorry, this is my first post to this list because I am really worried
> about a WordPress vulnerability, and someone on this list might use
> WordPress as well and could give me some advice on what to do.
> 
> I have been using WordPress for 2 years without any trouble and update
> regularly, but last Friday I got a mail from my hoster that someone
> "uploaded" a phishing script into my "upload folder" in WordPress, and
> Google put my site on the blocklists as well.
> 
> After I found out that the "contact form" module might cause the
> problem, because I always found a "wpcf7_captcha" directory in my
> "upload folder", I removed the module and all went fine for a day..
> 
> >> http://let.de/wp-content/themes/twentyten/www1.royalbank.com/index.html
> 
> Today I received another mail from rsa.com that the same script is
> still on my site, just in a "theme" folder.
> 
> > http://let.de/wp-content/uploads/2011/www1.royalbank.com/index.html
> 
> 
> I looked into the installed "phishing script"
> http://www.2shared.com/file/M9zwMVr5/www1royalbankcom.html
> It seems everything is loaded from https://www1.royalbank.com/, for
> example
> https://www1.royalbank.com/common/images/english/logo_rbc_rb.gif <
> but this is not the original banking site !!
> 
> Is this a DNS manipulation? https://www1.royalbank.com < ??? When I
> try http://www.royalbank.com it redirects me to the original banking
> site at
> 
> http://www.rbcroyalbank.com  !!!!
> 
> After I searched for some information, I found this on the
> Full-Disclosure list, and I am a bit concerned now....
> 
> [Full-disclosure] Code Execution vulnerability in WordPress
> http://seclists.org/fulldisclosure/2011/Apr/535
> 
> 
> Vulnerabilities in WordPress http://www.securityfocus.com/archive/1/510274
> 
> Any idea what to do besides shutting my site down :)?
> 
> regards
> 
> Marc
> 
> >> -------- Original Message --------
> >> Subject:   Fraudulent site, please shut down! [RBC 11266] IP:
> >> 91.184.33.25 Domain: let.de
> >> Date:      Sun, 3 Jul 2011 02:33:05 +0300
> >> From:      <a...@rsa.com>
> >> To:        <ab...@speedpartner.de>
> >> CC:        <m...@speedpartner.de>
> >>
> 
> 
> 
> --  Les enfants teribbles - research / deployment
> Marc Manthey- Vogelsangerstrasse 97
> 50823 Köln - Germany
> Tel.:0049-221-29891489
> Mobil:0049-1577-3329231
> blog: http://let.de
> twitter: http://twitter.com/macbroadcast/
> facebook : http://opencu.tk

Which version of WordPress and which modules were you using? Do you have logs of
the incident? I am including RBC in this email as they are probably interested
in the details. There might be other similar phishing pages active.

www1.royalbank.com has address 142.245.40.233
www.royalbank.com has address 142.245.34.203
royalbank.com has address 142.245.1.203
www.rbcroyalbank.com has address 142.245.1.15
rbcroyalbank.com has address 142.245.1.15

Whois of both domains:
---
   Registrant: 
      Royal Bank of Canada
      RBC Domain Registration
      330 Front St W - 4th Flr 
      Toronto, ON M5V 3B7
      CA
      Email: rbcdomain...@rbc.com

   Registrar Name....: CORPORATE DOMAINS, INC.
   Registrar Whois...: whois.corporatedomains.com
   Registrar Homepage: www.cscprotectsbrands.com 

   Domain Name: rbcroyalbank.com

      Created on..............: Thu, Nov 09, 2000
      Expires on..............: Sun, Nov 09, 2014
      Record last updated on..: Fri, Feb 11, 2011

   Administrative,Technical Contact:
      Royal Bank of Canada
      RBC Domain Registration
      330 Front St W - 4th Flr 
      Toronto, ON M5V 3B7
      CA
      Phone: +1.4163485121
      Email: rbcdomain...@rbc.com

   DNS Servers:

   ns4.rbc.com
   ns2.rbc.com
   ns1.rbc.com
   ns3.rbc.com
---

Reading this bug report http://core.trac.wordpress.org/ticket/17969 tells me
that there is still a possibility of a vulnerability. I'll bet it is in one of
the modules as well.

Best regards,
Henri Salo
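
The two artefacts reported in this thread, a directory named after a bank hostname and an HTML page sitting under wp-content/uploads, are easy to sweep for. The following is an added example, not code from either poster or from WordPress; it builds a constructed wp-content tree mirroring the paths quoted above and scans it, and the extension list and hostname heuristic are assumptions to adjust per site.

```python
"""Scan a WordPress wp-content tree for phishing-kit drop signs: directories
named like a hostname (e.g. www1.royalbank.com) anywhere under uploads/ or
themes/, and web-executable files under uploads/, which should hold media only."""
import os
import re
import tempfile

# Assumption: uploads/ is media only, so any of these extensions is suspect.
SUSPECT_EXTENSIONS = {".php", ".phtml", ".php5", ".html", ".htm", ".js"}
# Heuristic: a directory name shaped like label(.label)*.tld. It will also
# match names such as "jquery.ui" inside themes, so review findings by hand.
HOSTNAME_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,6}$", re.I)


def scan_wp_content(wp_content):
    """Return a sorted list of (reason, path relative to wp-content)."""
    findings = []
    for sub in ("uploads", "themes"):
        root = os.path.join(wp_content, sub)
        if not os.path.isdir(root):
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            rel = os.path.relpath(dirpath, wp_content).replace(os.sep, "/")
            for d in dirnames:
                if HOSTNAME_LIKE.match(d):
                    findings.append(("hostname-like directory", f"{rel}/{d}"))
            if sub == "uploads":  # themes legitimately contain PHP/JS
                for f in filenames:
                    if os.path.splitext(f)[1].lower() in SUSPECT_EXTENSIONS:
                        findings.append(("web-executable file in uploads", f"{rel}/{f}"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed wp-content in a temp dir mirroring the thread's paths."""
    base = tempfile.mkdtemp(prefix="wp-content-")
    for path in (
        "uploads/2011/www1.royalbank.com/index.html",    # phishing page (thread)
        "themes/twentyten/www1.royalbank.com/index.html",  # second copy (thread)
        "uploads/2011/07/photo.jpg",                     # legitimate media
        "themes/twentyten/style.css",                    # legitimate theme file
        "themes/twentyten/index.php",                    # legitimate theme file
    ):
        full = os.path.join(base, *path.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return base


if __name__ == "__main__":
    for reason, path in scan_wp_content(build_sample_tree()):
        print(f"{reason}: {path}")
```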

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
