Suspicious files

SeLLeRoNe (Super Moderator, A Coruña, Spain)
Hi,

I'm having a strange issue.

A customer of mine using WordPress apparently has a plugin/addon/whatever (running without his knowledge) that creates files in /dev/shm/.svn/, some of them executable (though they cannot be executed, since the tmpfs partition is mounted nosuid,noexec), with some IPs in those files.

As a workaround I chroot that folder and chmod it 700.

I've tried to search the user's PHP pages for the .svn folder or the file names (apparently the files are randomly named) but I didn't figure it out.

I also checked the Apache access and error logs for that domain (and subdomains) without success, so... what can I do to find out which page and which plugin does that, and why?

Thanks to everyone who may give their 2 cents.

Regards
 
The following commands will list which files contain that path.

I would search in:

/home/username/domains/domain.com/public_html/wp-content

Code:
# -F matches the literal string; -q plus -print lists each matching file once
# (grep -l already prints the file name, so combining it with -print prints every hit twice)
find /path -type f -exec grep -qiF '/dev/shm/.svn' {} \; -print

or

Code:
# -F again: as a regex the dot in '.svn' matches any character, so plain "svn" in comments and URLs would also hit
find /path -type f -exec grep -qiF '.svn' {} \; -print
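The two find/grep commands above treat '.svn' as a regular expression, in which the dot matches any character, so a search for it also returns every comment and URL that merely mentions "svn". The script below is an added example, not code from this thread: it searches PHP files only for a literal string, prints each hit once with its line number, and on constructed sample files in a temporary directory counts how many more files the regex form would match. The function names grep_literal_php, count_literal and count_regex, the directory layout and the file contents are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): literal, PHP-only search of a web root.
#   -F  treats the needle as a fixed string, so the dot in ".svn" is literal
#   -n  prints the line number; -H always prefixes the file name
#   {} + batches many files into one grep run instead of one run per file
# Assumed layout: a directory tree containing *.php files, passed as $1 (hypothetical).

# Usage: grep_literal_php ROOT NEEDLE   -> one "path:line:text" per hit
grep_literal_php() {
    root=$1
    needle=$2
    find "$root" -type f -name '*.php' -exec grep -nHF -- "$needle" {} +
}

# Number of distinct PHP files hit by the literal needle.
count_literal() {
    grep_literal_php "$1" "$2" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Number of distinct PHP files hit when the same needle is used as a regex
# (the form the thread's commands use), for comparison.
count_regex() {
    find "$1" -type f -name '*.php' -exec grep -l -- "$2" {} + | sort -u | wc -l | tr -d ' '
}

# Demo on constructed sample files in a temporary directory.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/uploads" "$demo_root/wp-includes"
# Constructed benign file: mentions "svn" only inside a comment.
printf '<?php\n// supports http, https and svn protocols\n' > "$demo_root/wp-includes/kses.php"
# Constructed suspicious file: references the tmpfs path the thread describes.
printf '<?php\n$d = "/dev/shm/.svn/";\n' > "$demo_root/wp-content/uploads/x.php"
# Non-PHP file containing the literal; the *.php filter skips it.
printf '/dev/shm/.svn/\n' > "$demo_root/notes.txt"

echo "literal '.svn' hits: $(count_literal "$demo_root" '.svn')"   # 1 (x.php only)
echo "regex   '.svn' hits: $(count_regex   "$demo_root" '.svn')"   # 2 (kses.php too)
grep_literal_php "$demo_root" '/dev/shm/.svn'                       # x.php:2:$d = "/dev/shm/.svn/";
```

On a real web root the call is simply `grep_literal_php /home/username/domains/domain.com/public_html '/dev/shm/.svn'`; the temporary demo directory is left in place so the counts can be inspected.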
 
OK, running the first right now, but with mod_ruid2 no files would be executable, as far as I know...

I'll post the result of each command once finished.

For now, thanks

Regards
 
First command gave 0 results.

Second is giving a lot of lines, including .jpg, .php, .rar, .txt

What should I check? Every single file?

Regards
 
It would probably be in .php files only.

You could add:

Code:
-name \*.php

but it also could just have been a temp file that was created and executed and now it's gone... not sure. Make sure WordPress and all the plugins are up to date.
 
OK, I've created an output .txt with the file listing (just .php).

I did check one but can't find any relation to ".svn", just "svn" in comments like this:

Code:
 * The default allowed protocols are 'http', 'https', 'ftp', 'mailto', 'news',
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
 * covers all common link protocols, except for 'javascript' which should not
 * be allowed for untrusted users.

Or an update check like:

Code:
        3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt

So, my question would be, what should I search for?

I did try:

Code:
# read paths line by line (safe for names with spaces); -F keeps the dot in '.svn' literal; -n shows the line
while IFS= read -r f; do grep -nF '.svn' "$f"; done < /root/result_php.txt

The only maybe-wrong thing I found is:

Code:
function d($s,$k=''){if($

Do you think this is the bad one? What should I do?

Thanks
 
My antivirus program gave me a warning because of your code. I guess you'd better move it to an attachment, otherwise the forums might get banned.
 
Sorry, I did remove almost all the text; probably yes, that was the code. I removed the page from the webspace and the .svn folder is no longer created.

It was an old backed-up site... I would say pretty old. The customer said "no problem, delete it" and that's it... seems to be solved.

Thanks
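The file that turned out to be the culprit was an obfuscated decoder (the `function d($s,$k='')` snippet quoted earlier), while the broad search for '.svn' produced hundreds of candidate lines. The script below is an added example, not code from this thread: it scores every PHP file under a root by how many distinct obfuscation or tmpfs indicators it contains, so candidates can be ranked and the highest-scoring files read first. The indicator list, the function names triage_php and triage_tree, and the sample files are all assumptions constructed for the demo; the "suspicious" sample is an inert placeholder that only has the shape of an eval/decode chain.

```shell
#!/bin/sh
# Added example (not from the thread): rank PHP files by webshell-style indicators.
# The indicator set is an assumption of this example, not a definitive signature list;
# a high score means "read this file first", not "this file is malicious".

# Usage: triage_php FILE  -> prints the number of distinct indicators matched (0-6)
triage_php() {
    f=$1
    score=0
    # Each pattern counts once, however many times it occurs in the file.
    for pat in \
        'eval[[:space:]]*\(' \
        'base64_decode|str_rot13|gzinflate|gzuncompress' \
        'create_function|assert[[:space:]]*\(' \
        'preg_replace[[:space:]]*\(.*/e' \
        '/dev/shm|/tmp/' \
        '[A-Za-z0-9+/=]{100,}'
    do
        grep -qE -- "$pat" "$f" && score=$((score + 1))
    done
    echo "$score"
}

# Usage: triage_tree ROOT  -> "score<TAB>path" for every PHP file, highest score first
triage_tree() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        printf '%s\t%s\n' "$(triage_php "$f")" "$f"
    done | sort -rn
}

# Demo on constructed sample files in a temporary directory.
demo_root=$(mktemp -d)
# Constructed benign file: ordinary WordPress-style code that mentions "svn".
printf '<?php\n$protocols = array("http", "https", "svn");\n' > "$demo_root/kses.php"
# Constructed suspicious file: decoder function, a reference to the tmpfs path from
# the thread, and an eval over a long encoded-looking blob (inert placeholder, not a payload).
blob=$(printf 'QUFB%.0s' $(seq 1 40))   # 160 base64-looking characters
printf '<?php\nfunction d($s,$k=""){return gzinflate(base64_decode($s));}\n$p="/dev/shm/.svn/";\neval(d("%s"));\n' "$blob" > "$demo_root/up.php"

triage_tree "$demo_root"   # up.php scores 4 (eval, decode family, /dev/shm, long blob); kses.php scores 0
```

Against a real site the call is `triage_tree /home/username/domains/domain.com/public_html | head -n 20`; WordPress core files that legitimately call base64_decode score 1 and sink to the bottom, while a dropper that combines eval, a decoder and a long blob rises to the top.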
 
Here is the output from:

Code:
# grep -l already prints each matching file name and -print prints it again,
# so every path appears twice in result_php.txt (and twice in the output below)
find /home/username/domains/domain.com/public_html/ -name \*.php -type f -exec grep -li '.svn' {} \; -print > /root/result_php.txt
for i in `cat /root/result_php.txt`; do echo $i >> /root/php.txt && grep -R ".svn" $i >> /root/php.txt;done;

Code:
/home/username/domains/domain.com/public_html/parianapoli/sito/wp-includes/formatting.php
		$protocols = array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn');
/home/username/domains/domain.com/public_html/parianapoli/sito/wp-includes/formatting.php
		$protocols = array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn');
/home/username/domains/domain.com/public_html/parianapoli/sito/wp-includes/version.php
/home/username/domains/domain.com/public_html/parianapoli/sito/wp-includes/version.php
/home/username/domains/domain.com/public_html/parianapoli/sito/wp-includes/kses.php
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
	$allowed_protocols = wp_parse_args( $allowed_protocols, apply_filters('kses_allowed_protocols', array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn') ));
/home/username/domains/domain.com/public_html/parianapoli/sito/wp-includes/kses.php
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
	$allowed_protocols = wp_parse_args( $allowed_protocols, apply_filters('kses_allowed_protocols', array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn') ));
/home/username/domains/domain.com/public_html/parianapoli/quellichelanotte/wp-includes/formatting.php
		$protocols = array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn');
/home/username/domains/domain.com/public_html/parianapoli/quellichelanotte/wp-includes/formatting.php
		$protocols = array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn');
/home/username/domains/domain.com/public_html/parianapoli/quellichelanotte/wp-includes/version.php
/home/username/domains/domain.com/public_html/parianapoli/quellichelanotte/wp-includes/version.php
/home/username/domains/domain.com/public_html/parianapoli/quellichelanotte/wp-includes/kses.php
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
	$allowed_protocols = wp_parse_args( $allowed_protocols, apply_filters('kses_allowed_protocols', array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn') ));
/home/username/domains/domain.com/public_html/parianapoli/quellichelanotte/wp-includes/kses.php
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
	$allowed_protocols = wp_parse_args( $allowed_protocols, apply_filters('kses_allowed_protocols', array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn') ));
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/ajs.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/ajs.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/afr.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/afr.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/fc.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/fc.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/tjs.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/tjs.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/ag.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/ag.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/ti.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/ti.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/alocal.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/alocal.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/spc.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/spc.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/ac.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/ac.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/lg.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/lg.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/dxmlrpc.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/dxmlrpc.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/apu.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/apu.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/ai.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/ai.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/avw.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/avw.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/ck.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/ck.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/al.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/al.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/spcjs.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/spcjs.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/axmlrpc.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/axmlrpc.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/tv.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/ads/www/delivery/tv.php
 * checkout sourcecode from the svn repository, do a necessary changes inside
/home/username/domains/domain.com/public_html/parianapoli/harem/wp-includes/version.php
/home/username/domains/domain.com/public_html/parianapoli/harem/wp-includes/version.php
/home/username/domains/domain.com/public_html/parianapoli/harem/wp-admin/includes/update.php
		return sprintf( '| '.__( 'You are using a development version (%s). Cool! Please <a href="%s">stay updated</a>.' ), $GLOBALS['wp_version'], 'http://wordpress.org/download/svn/' );
/home/username/domains/domain.com/public_html/parianapoli/harem/wp-admin/includes/update.php
		return sprintf( '| '.__( 'You are using a development version (%s). Cool! Please <a href="%s">stay updated</a>.' ), $GLOBALS['wp_version'], 'http://wordpress.org/download/svn/' );
/home/username/domains/domain.com/public_html/parianapoli/tequilaeventi/wp-content/plugins/google-sitemap-generator/sitemap-core.php
	var $_svnVersion = '$Id: sitemap-core.php 246875 2010-05-29 07:22:02Z arnee $';
/home/username/domains/domain.com/public_html/parianapoli/tequilaeventi/wp-content/plugins/google-sitemap-generator/sitemap-core.php
	var $_svnVersion = '$Id: sitemap-core.php 246875 2010-05-29 07:22:02Z arnee $';
/home/username/domains/domain.com/public_html/parianapoli/tequilaeventi/wp-content/plugins/google-sitemap-generator/sitemap-ui.php
				echo '<p>Plugin version: ' . $this->sg->GetVersion() . ' (' . $this->sg->_svnVersion . ')';
/home/username/domains/domain.com/public_html/parianapoli/tequilaeventi/wp-content/plugins/google-sitemap-generator/sitemap-ui.php
				echo '<p>Plugin version: ' . $this->sg->GetVersion() . ' (' . $this->sg->_svnVersion . ')';
/home/username/domains/domain.com/public_html/parianapoli/tequilaeventi/wp-includes/formatting.php
		$protocols = array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn');
/home/username/domains/domain.com/public_html/parianapoli/tequilaeventi/wp-includes/formatting.php
		$protocols = array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn');
/home/username/domains/domain.com/public_html/parianapoli/tequilaeventi/wp-includes/feed.php
/home/username/domains/domain.com/public_html/parianapoli/tequilaeventi/wp-includes/feed.php
/home/username/domains/domain.com/public_html/parianapoli/tequilaeventi/wp-includes/kses.php
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
	$allowed_protocols = wp_parse_args( $allowed_protocols, apply_filters('kses_allowed_protocols', array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn') ));
/home/username/domains/domain.com/public_html/parianapoli/tequilaeventi/wp-includes/kses.php
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
	$allowed_protocols = wp_parse_args( $allowed_protocols, apply_filters('kses_allowed_protocols', array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn') ));
/home/username/domains/domain.com/public_html/cucina/wp-content/themes/cucinaweb360-template/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/cucina/wp-content/themes/cucinaweb360-template/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/cucina/wp-content/plugins/only-tweet-like-share-and-google-1/tweet-like-plusone.php
	<script src="http://analytics-api-samples.googlecode.com/svn/trunk/src/tracking/javascript/v5/social/ga_social_tracking.js"></script>
/home/username/domains/domain.com/public_html/cucina/wp-content/plugins/only-tweet-like-share-and-google-1/tweet-like-plusone.php
	<script src="http://analytics-api-samples.googlecode.com/svn/trunk/src/tracking/javascript/v5/social/ga_social_tracking.js"></script>
/home/username/domains/domain.com/public_html/cucina/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php
    $tmp_filename = download_url( 'http://timthumb.googlecode.com/svn/trunk/timthumb.php' );
/home/username/domains/domain.com/public_html/cucina/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php
    $tmp_filename = download_url( 'http://timthumb.googlecode.com/svn/trunk/timthumb.php' );
/home/username/domains/domain.com/public_html/cucina/wp-content/plugins/jquery-slider-for-featured-content/scripts/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/cucina/wp-content/plugins/jquery-slider-for-featured-content/scripts/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/cucina/wp-includes/formatting.php
 *		Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' if not set.
/home/username/domains/domain.com/public_html/cucina/wp-includes/formatting.php
 *		Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' if not set.
/home/username/domains/domain.com/public_html/cucina/wp-includes/functions.php
		$protocols = array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' );
/home/username/domains/domain.com/public_html/cucina/wp-includes/functions.php
		$protocols = array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' );
/home/username/domains/domain.com/public_html/cucina/wp-includes/kses.php
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
/home/username/domains/domain.com/public_html/cucina/wp-includes/kses.php
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
/home/username/domains/domain.com/public_html/ideeregalo/wp-content/themes/ideeregaloweb360-template/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/ideeregalo/wp-content/themes/ideeregaloweb360-template/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/ideeregalo/wp-content/plugins/only-tweet-like-share-and-google-1/tweet-like-plusone.php
	<script src="http://analytics-api-samples.googlecode.com/svn/trunk/src/tracking/javascript/v5/social/ga_social_tracking.js"></script>
/home/username/domains/domain.com/public_html/ideeregalo/wp-content/plugins/only-tweet-like-share-and-google-1/tweet-like-plusone.php
	<script src="http://analytics-api-samples.googlecode.com/svn/trunk/src/tracking/javascript/v5/social/ga_social_tracking.js"></script>
/home/username/domains/domain.com/public_html/ideeregalo/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php
    $tmp_filename = download_url( 'http://timthumb.googlecode.com/svn/trunk/timthumb.php' );
/home/username/domains/domain.com/public_html/ideeregalo/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php
    $tmp_filename = download_url( 'http://timthumb.googlecode.com/svn/trunk/timthumb.php' );
/home/username/domains/domain.com/public_html/ideeregalo/wp-content/plugins/jquery-slider-for-featured-content/scripts/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/ideeregalo/wp-content/plugins/jquery-slider-for-featured-content/scripts/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/ideeregalo/wp-includes/formatting.php
 *		Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' if not set.
/home/username/domains/domain.com/public_html/ideeregalo/wp-includes/formatting.php
 *		Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' if not set.
/home/username/domains/domain.com/public_html/ideeregalo/wp-includes/functions.php
		$protocols = array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' );
/home/username/domains/domain.com/public_html/ideeregalo/wp-includes/functions.php
		$protocols = array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' );
/home/username/domains/domain.com/public_html/ideeregalo/wp-includes/kses.php
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
/home/username/domains/domain.com/public_html/ideeregalo/wp-includes/kses.php
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
/home/username/domains/domain.com/public_html/wp-content/themes/usernamenetwork-template/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/wp-content/themes/usernamenetwork-template/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php
    $tmp_filename = download_url( 'http://timthumb.googlecode.com/svn/trunk/timthumb.php' );
/home/username/domains/domain.com/public_html/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php
    $tmp_filename = download_url( 'http://timthumb.googlecode.com/svn/trunk/timthumb.php' );
/home/username/domains/domain.com/public_html/moda/wp-content/uploads/slideshow-gallery/jquery.tipsy.php
/home/username/domains/domain.com/public_html/moda/wp-content/uploads/slideshow-gallery/jquery.tipsy.php
/home/username/domains/domain.com/public_html/moda/wp-content/languages/jquery.droppy.php
/home/username/domains/domain.com/public_html/moda/wp-content/languages/jquery.droppy.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/scripts.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/scripts.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/best-winter-2010/ac_runactivecontent.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/best-winter-2010/ac_runactivecontent.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/sisley-donna-ai-2011-2012/combinedHomepage.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/sisley-donna-ai-2011-2012/combinedHomepage.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/louis-vuitton-pe-2012/validate.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/louis-vuitton-pe-2012/validate.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/tuttosposi-2011-sfilata-signore/League_Gothic_400.font.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/tuttosposi-2011-sfilata-signore/League_Gothic_400.font.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/patrycja-gardygajla-per-peuterey-pe-2012/planner.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/patrycja-gardygajla-per-peuterey-pe-2012/planner.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/museum-cappotti-donna/lazyload.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/museum-cappotti-donna/lazyload.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/fred-mello-uomo-ai-2011-2012/themefunctions.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/fred-mello-uomo-ai-2011-2012/themefunctions.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/pocket-napoli-dicembre-2010/Bebas_400.font.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/pocket-napoli-dicembre-2010/Bebas_400.font.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/guess-borse-ai-2012/md5-min.php
/home/username/domains/domain.com/public_html/moda/wp-content/gallery/guess-borse-ai-2012/md5-min.php
/home/username/domains/domain.com/public_html/moda/wp-content/themes/modaweb360-template/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/moda/wp-content/themes/modaweb360-template/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/moda/wp-content/plugins/only-tweet-like-share-and-google-1/tweet-like-plusone.php
	<script src="http://analytics-api-samples.googlecode.com/svn/trunk/src/tracking/javascript/v5/social/ga_social_tracking.js"></script>
/home/username/domains/domain.com/public_html/moda/wp-content/plugins/only-tweet-like-share-and-google-1/tweet-like-plusone.php
	<script src="http://analytics-api-samples.googlecode.com/svn/trunk/src/tracking/javascript/v5/social/ga_social_tracking.js"></script>
/home/username/domains/domain.com/public_html/moda/wp-content/plugins/contextual-related-posts/timthumb/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/moda/wp-content/plugins/contextual-related-posts/timthumb/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/moda/wp-content/plugins/wordpress-popular-posts/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/moda/wp-content/plugins/wordpress-popular-posts/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/moda/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php
    $tmp_filename = download_url( 'http://timthumb.googlecode.com/svn/trunk/timthumb.php' );
/home/username/domains/domain.com/public_html/moda/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php
    $tmp_filename = download_url( 'http://timthumb.googlecode.com/svn/trunk/timthumb.php' );
/home/username/domains/domain.com/public_html/moda/wp-content/plugins/quick-adsense/Twitluv.php
/home/username/domains/domain.com/public_html/moda/wp-content/plugins/quick-adsense/Twitluv.php
/home/username/domains/domain.com/public_html/moda/wp-content/plugins/redirection/models/htaccess.php
		$text[] = '<Files .htaccess,.svn>';
/home/username/domains/domain.com/public_html/moda/wp-content/plugins/redirection/models/htaccess.php
		$text[] = '<Files .htaccess,.svn>';
/home/username/domains/domain.com/public_html/moda/wp-content/plugins/jquery-slider-for-featured-content/scripts/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/moda/wp-content/plugins/jquery-slider-for-featured-content/scripts/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/moda/wp-includes/formatting.php
 *		Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' if not set.
/home/username/domains/domain.com/public_html/moda/wp-includes/formatting.php
 *		Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' if not set.
/home/username/domains/domain.com/public_html/moda/wp-includes/Text/Diff/jquery.scrollTo.php
/home/username/domains/domain.com/public_html/moda/wp-includes/Text/Diff/jquery.scrollTo.php
/home/username/domains/domain.com/public_html/moda/wp-includes/functions.php
		$protocols = array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' );
/home/username/domains/domain.com/public_html/moda/wp-includes/functions.php
		$protocols = array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' );
/home/username/domains/domain.com/public_html/moda/wp-includes/kses.php
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
/home/username/domains/domain.com/public_html/moda/wp-includes/kses.php
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
/home/username/domains/domain.com/public_html/moda/wp-admin/network/jstarget.php
/home/username/domains/domain.com/public_html/moda/wp-admin/network/jstarget.php
/home/username/domains/domain.com/public_html/moda/wp-admin/images/screenshots/jcaption.min.php
/home/username/domains/domain.com/public_html/moda/wp-admin/images/screenshots/jcaption.min.php
/home/username/domains/domain.com/public_html/wp-includes/formatting.php
 *		Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' if not set.
/home/username/domains/domain.com/public_html/wp-includes/formatting.php
 *		Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' if not set.
/home/username/domains/domain.com/public_html/wp-includes/functions.php
		$protocols = array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' );
/home/username/domains/domain.com/public_html/wp-includes/functions.php
		$protocols = array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' );
/home/username/domains/domain.com/public_html/wp-includes/kses.php
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
/home/username/domains/domain.com/public_html/wp-includes/kses.php
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
/home/username/domains/domain.com/public_html/calcio/wp-content/themes/deliciousmagazine/thumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/calcio/wp-content/themes/deliciousmagazine/thumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/calcio/wp-content/themes/deliciousmagazine/functions/thumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/calcio/wp-content/themes/deliciousmagazine/functions/thumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/calcio/wp-content/plugins/google-sitemap-generator/sitemap-core.php
	var $_svnVersion = '$Id: sitemap-core.php 440117 2011-09-19 13:24:49Z arnee $';
/home/username/domains/domain.com/public_html/calcio/wp-content/plugins/google-sitemap-generator/sitemap-core.php
	var $_svnVersion = '$Id: sitemap-core.php 440117 2011-09-19 13:24:49Z arnee $';
/home/username/domains/domain.com/public_html/calcio/wp-content/plugins/google-sitemap-generator/sitemap-ui.php
				echo '<p>Plugin version: ' . $this->sg->GetVersion() . ' (' . $this->sg->_svnVersion . ')';
/home/username/domains/domain.com/public_html/calcio/wp-content/plugins/google-sitemap-generator/sitemap-ui.php
				echo '<p>Plugin version: ' . $this->sg->GetVersion() . ' (' . $this->sg->_svnVersion . ')';
/home/username/domains/domain.com/public_html/calcio/wp-includes/formatting.php
 *		Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' if not set.
/home/username/domains/domain.com/public_html/calcio/wp-includes/formatting.php
 *		Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' if not set.
/home/username/domains/domain.com/public_html/calcio/wp-includes/functions.php
		$protocols = array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' );
/home/username/domains/domain.com/public_html/calcio/wp-includes/functions.php
		$protocols = array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' );
/home/username/domains/domain.com/public_html/calcio/wp-includes/kses.php
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
/home/username/domains/domain.com/public_html/calcio/wp-includes/kses.php
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
/home/username/domains/domain.com/public_html/travel/wp-content/themes/travelweb360-template/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/travel/wp-content/themes/travelweb360-template/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/travel/wp-content/plugins/only-tweet-like-share-and-google-1/tweet-like-plusone.php
	<script src="http://analytics-api-samples.googlecode.com/svn/trunk/src/tracking/javascript/v5/social/ga_social_tracking.js"></script>
/home/username/domains/domain.com/public_html/travel/wp-content/plugins/only-tweet-like-share-and-google-1/tweet-like-plusone.php
	<script src="http://analytics-api-samples.googlecode.com/svn/trunk/src/tracking/javascript/v5/social/ga_social_tracking.js"></script>
/home/username/domains/domain.com/public_html/travel/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php
    $tmp_filename = download_url( 'http://timthumb.googlecode.com/svn/trunk/timthumb.php' );
/home/username/domains/domain.com/public_html/travel/wp-content/plugins/timthumb-vulnerability-scanner/class-cg-tvs-plugin.php
    $tmp_filename = download_url( 'http://timthumb.googlecode.com/svn/trunk/timthumb.php' );
/home/username/domains/domain.com/public_html/travel/wp-content/plugins/jquery-slider-for-featured-content/scripts/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/travel/wp-content/plugins/jquery-slider-for-featured-content/scripts/timthumb.php
	3. Check-out the latest version of CutyCapt with the following command: svn co https://cutycapt.svn.sourceforge.net/svnroot/cutycapt
/home/username/domains/domain.com/public_html/travel/wp-includes/formatting.php
 *		Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' if not set.
/home/username/domains/domain.com/public_html/travel/wp-includes/formatting.php
 *		Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' if not set.
/home/username/domains/domain.com/public_html/travel/wp-includes/functions.php
		$protocols = array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' );
/home/username/domains/domain.com/public_html/travel/wp-includes/functions.php
		$protocols = array( 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet', 'mms', 'rtsp', 'svn' );
/home/username/domains/domain.com/public_html/travel/wp-includes/kses.php
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This
/home/username/domains/domain.com/public_html/travel/wp-includes/kses.php
 * 'irc', 'gopher', 'nntp', 'feed', 'telnet, 'mms', 'rtsp' and 'svn'. This

Apparently I don't see any relevant security issue in that code... do you?

Regards
 
Is WordPress updated to 3.4.2, and all the plugins? Maybe it's a remote vulnerability.
 
Everything is up2date, same as plugins.

Does the pasted code look fine (and good) to you? Do you have any other hint?

Thanks

Regards
 
Here is just a guess. Have you checked that the user does not have any old timthumb.php file in a plugin or theme? Any timthumb.php file that is an older version than 1.34 is vulnerable (unless it is patched) and very easy to hack. If you find an older timthumb.php file, I would just replace it with the newest from http://code.google.com/p/timthumb/

Here is some more reading, but Google will give you more: The TimThumb Saga: http://ma.tt/2011/08/the-timthumb-saga/ TimThumb vulnerability: a big number of WordPress plugins and themes are affected: http://www.websitedefender.com/web-security/timthumb-vulnerability-wordpress-plugins-themes/

Of course, this is old news. If it is not timthumb that is the problem for your user, I am sorry. But I wanted to mention it, because it is so widespread.
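One way to automate the check suggested in this post, as an added example (not the thread's own code and not TimThumb's): a POSIX shell script that walks a WordPress tree for timthumb.php / thumb.php copies and reports any whose declared version is below 1.34, or that carry no version at all. It assumes TimThumb declares its version with a `define ('VERSION', '...')` line, and it builds a constructed sample tree rather than touching a real site.

```shell
#!/bin/sh
# Added example, not from the thread: find copies of TimThumb under a WordPress
# tree and flag those whose declared version is older than 1.34, the cut-off
# given in the post above. Assumption: TimThumb declares its version with a
# line like  define ('VERSION', '1.19');  Hand-patched copies may differ, so
# files without any VERSION line are reported for manual inspection.

# Print the version string declared in one TimThumb file (empty if none).
timthumb_version() {
    sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*'VERSION'[[:space:]]*,[[:space:]]*'\([0-9.]*\)'.*/\1/p" "$1" | head -n 1
}

# True (exit 0) when dotted version $1 is strictly older than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# List TimThumb copies under $1 that are older than 1.34 or carry no version.
find_old_timthumb() {
    find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) 2>/dev/null |
    while IFS= read -r f; do
        v=$(timthumb_version "$f")
        if [ -z "$v" ]; then
            printf '%s no VERSION found, inspect manually\n' "$f"
        elif version_lt "$v" 1.34; then
            printf '%s %s (older than 1.34)\n' "$f" "$v"
        fi
    done
}

# Constructed sample tree (not customer data) so the script runs offline.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/themes/old-theme" "$d/plugins/slider/scripts" "$d/themes/other"
    printf "<?php\ndefine ('VERSION', '1.19');\n" > "$d/themes/old-theme/timthumb.php"
    printf "<?php\ndefine ('VERSION', '2.8.14');\n" > "$d/plugins/slider/scripts/timthumb.php"
    printf "<?php\n// copy with no version constant\n" > "$d/themes/other/thumb.php"
    printf '%s\n' "$d"
}

sample=$(make_sample_tree)
find_old_timthumb "$sample"   # flags old-theme/timthumb.php and themes/other/thumb.php
rm -rf "$sample"
```

Point `find_old_timthumb` at the account's home directory (the thread's `/home/username/domains/...`) to cover every site and subdomain in one pass.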
 
I did update all the related files to the latest version from the Google source, but the problem still persists.

In that article there was a link to a website for testing the vulnerability, but apparently it isn't there anymore...

Any other hint?

Thanks
 
It's not clear to me if you already know which account/user is the problem or not. But if you know which user/account it is, and it is running WordPress, then I would ask the customer to install this plugin: http://wordpress.org/extend/plugins/better-wp-security/ and then use it to scan the WordPress install and see if it finds anything. Here is a copy/paste from the heading "Protect" on the plugin page I linked to:

"Scan your site to instantly tell where vulnerabilities are and fix them in seconds"
 
Yes, I know which account, because mod_ruid2 creates those files owned by the user, and all my investigation has been done on his home directory and all his websites and subdomains.

Thanks for this link, I'll provide this to my customer right now.

Regards
 
Just a random suggestion (not sure if you've tried), but check crontab, e.g.:
Code:
crontab -u username -l
to make sure there are no cronjobs there.

John
 