[UPHPU] phpicalendar exploit (possible WordPress exploit)
Wade Preston Shearer
lists at wadeshearer.com
Wed Sep 12 09:24:57 MDT 2007
I discovered that my server had been exploited last night. Taking
advantage of a mistake in not securing (httpauth) a directory, a
hacker exploited a script [1] that I was using. From all that I can
tell, the damage done was that files were placed on the server that
looked like they were trying to set up a web-based shell and some
pornography links. I found the script that they were using on a
security site:
http://downloads.securityfocus.com/vulnerabilities/exploits/php-iCalendar-221.upload.php
I have also been having issues with bogus accounts being created in
WordPress this summer and interestingly discovered a very similar
exploit written by the same author. I was fairly certain that the
bogus accounts were being created by bots submitting the registration
form or the hacker simply posting directly to the create-account
script. I am curious now as to whether they might have been
also/instead using this exploit as well:
http://downloads.securityfocus.com/vulnerabilities/exploits/php-iCalendar-221.upload.php
I have closed both of the security holes (upgraded WordPress and
secured the directory where the upload script resides), but am
curious if some of you would mind looking at the two exploit scripts.
Although I am fairly confident that I am aware of all of the damage
that was done and that I have cleaned it up, I am wondering if there
are any obvious things you can see from the script that I should
check on (things that they likely did or tried to do).
I understand that the best option after an exploit is to wipe the
hard drive and reinstall and that will happen as I was already
planning on doing that. But, in the meantime, it would be good to
check every obvious/standard spot.
[1] The script mimics a WebDAV server and allows one to publish
iCalendar files to the server.