[UPHPU] phpicalendar exploit (possible WordPress exploit)
Wade Preston Shearer
lists at wadeshearer.com
Wed Sep 12 09:24:57 MDT 2007
I discovered that my server had been exploited last night. Taking
advantage of a mistake in not securing (httpauth) a directory, a
hacker exploited a script  that I was using. From all that I can
tell, the damage done was that files were placed on the server that
looked like they were trying to set up a web-based shell and some
pornography links. I found the script that they were using on a
I have also been having issues with bogus accounts being created in
WordPress this summer and interestingly discovered a very similar
exploit written by the same author. I was fairly certain that the
bogus accounts were being created by bots submitting the registration
form or the hacker simply posting directly to the create-account
script. I am curious now as to wether they might have been also/
instead using this exploit as well:
I have closed both of the security holes (upgraded WordPress and
secured the directory where the upload script resides), but am
curious if some of you would mind looking at the two exploit scripts.
Although I am fairly confident that I am aware of all of the damage
that was done and that I have cleaned it up, I am wondering if there
are any obvious things you can see from the script that I should
check on (things that they likely did or tried to do).
I understand that the best option after an exploit is to wipe the
hard drive and reinstall and that will happen as I was already
planning on doing that. But, in the meantime, it would be good to
check every obvious/standard spots.
 The script mimicks a WebDAV server and allows one to publish
iCalendar files to the server.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2425 bytes
Desc: not available
Url : http://uphpu.org/pipermail/uphpu/attachments/20070912/8db95f20/smime.bin
More information about the UPHPU