Comments on: Damn … my VPS is being cracked

By: Eric Caldwell

Eric Caldwell — Fri, 28 Dec 2007 21:16:31 +0000

I had the same issue lately and eggdrop and mocks were dropped in because of a vulnerable PHP script. Once I found the corrupted scripts, I installed patched scripts, turned on safe mode for that account and then disabled the exec() function. Since the hacker was from Taiwan, I also took the liberty of banning the IP address range for the IPS they were using.

It really is the wild-west out there.. Glad to hear I’m not the only one whacking these weeds.

By: Eric Caldwell

Eric Caldwell — Fri, 28 Dec 2007 21:16:00 +0000

It really is the wild-west out there.. Glad to hear I’m not the only one whacking these weeds.

By: Vulnerability in WP Super Cache v0.1 | FactoryCity

Vulnerability in WP Super Cache v0.1 | FactoryCity — Fri, 09 Nov 2007 04:55:11 +0000

[...] had replied to me letting me know that Tiffany Brown was having a similar experience (though with greater consequence) and a report in the WordPress forums. Both Kristie Wells from Joyent and Donncha got back to me, [...]

By: tiffany

tiffany — Wed, 07 Nov 2007 22:24:25 +0000

Thanks Chris… I think I upgraded WP a couple of days too late. I figured it was WP related though because the only URLs they were trying were WP URLs on this blog.

I thought the XMLRPC issue had been fixed a couple of years ago.

As an extra precaution I disabled exec() — the only function the attacker tried that I hadn’t disabled before now (d’oh!). With any luck that will do it.

By: tiffany

tiffany — Wed, 07 Nov 2007 22:24:00 +0000

Thanks Chris… I think I upgraded WP a couple of days too late. I figured it was WP related though because the only URLs they were trying were WP URLs on this blog.

I thought the XMLRPC issue had been fixed a couple of years ago.

As an extra precaution I disabled exec() — the only function the attacker tried that I hadn’t disabled before now (d’oh!). With any luck that will do it.

By: Chris Heilmann

Chris Heilmann — Wed, 07 Nov 2007 22:20:49 +0000

I had a similar problem before I upgraded to 2.3.1. In my case it was the trackback and the old version of XMLRPC that was vulnerable to exec() commands and file generation.

By: Chris Heilmann

Chris Heilmann — Wed, 07 Nov 2007 22:20:00 +0000

I had a similar problem before I upgraded to 2.3.1. In my case it was the trackback and the old version of XMLRPC that was vulnerable to exec() commands and file generation.

By: tiffany

tiffany — Wed, 07 Nov 2007 20:21:12 +0000

Man, so would I . I know what they’re doing once they’re in. But I don’t know how they’re getting in.

By: tiffany

tiffany — Wed, 07 Nov 2007 20:21:00 +0000

Man, so would I . I know what they’re doing once they’re in. But I don’t know how they’re getting in.

By: Markus

Markus — Wed, 07 Nov 2007 20:05:39 +0000

I have been there before! Let me know if you need another set of eyes to look @ those server logs. I would love to know how they got in.

By: Markus

Markus — Wed, 07 Nov 2007 20:05:00 +0000

I have been there before! Let me know if you need another set of eyes to look @ those server logs. I would love to know how they got in.