
View Full Version : WordPress attacks



dreamhost_nl
01/09/11, 12:22
Dear fellow competitors,

Over the last few days we have been noticing a large number of attacks on blogs created with WordPress. Is this trend noticeable on your side as well, or is this pure coincidence?

Example of such an attack:



xxx.xxx.xxx.xxx - - [01/Sep/2011:10:19:03 +0200] "GET /wp-content/themes/Nova/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 404 13655 "-" "-"
xxx.xxx.xxx.xxx - - [01/Sep/2011:10:19:03 +0200] "GET /wp-content/themes/SimplePress/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 404 13655 "-" "-"
xxx.xxx.xxx.xxx - - [01/Sep/2011:10:19:03 +0200] "GET /wp-content/themes/bueno/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 404 13655 "-" "-"
xxx.xxx.xxx.xxx - - [01/Sep/2011:10:19:03 +0200] "GET /wp-content/themes/canvas/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 404 13655 "-" "-"
xxx.xxx.xxx.xxx - - [01/Sep/2011:10:19:04 +0200] "GET /wp-content/themes/DeepFocus/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 404 13655 "-" "-"
xxx.xxx.xxx.xxx - - [01/Sep/2011:10:19:05 +0200] "GET /wp-content/themes/themorningafter/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 404 13655 "-" "-"
xxx.xxx.xxx.xxx - - [01/Sep/2011:10:19:03 +0200] "GET /wp-content/themes/inspire/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 404 13655 "-" "-"
xxx.xxx.xxx.xxx - - [01/Sep/2011:10:19:03 +0200] "GET /wp-content/themes/sealight/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 404 13655 "-" "-"
xxx.xxx.xxx.xxx - - [01/Sep/2011:10:19:03 +0200] "GET /wp-content/themes/OptimizePress/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 404 13655 "-" "-"
xxx.xxx.xxx.xxx - - [01/Sep/2011:10:19:05 +0200] "GET /wp-content/themes/Apz/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 404 13655 "-" "-"
xxx.xxx.xxx.xxx - - [01/Sep/2011:10:19:06 +0200] "GET /wp-content/themes/TheStyle/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 404 13655 "-" "-"
xxx.xxx.xxx.xxx - - [01/Sep/2011:10:19:04 +0200] "GET /wp-content/themes/delicate/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 404 13655 "-" "-"
xxx.xxx.xxx.xxx - - [01/Sep/2011:10:19:04 +0200] "GET /wp-content/themes/modularity/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 404 13655 "-" "-"
xxx.xxx.xxx.xxx - - [01/Sep/2011:10:19:07 +0200] "GET /wp-content/themes/eVid/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 404 13655 "-" "-"
xxx.xxx.xxx.xxx - - [01/Sep/2011:10:19:06 +0200] "GET /wp-content/themes/redcarpet/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 404 13655 "-" "-"
xxx.xxx.xxx.xxx - - [01/Sep/2011:10:19:06 +0200] "GET /wp-content/themes/OnTheGo/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 404 13655 "-" "-"
xxx.xxx.xxx.xxx - - [01/Sep/2011:10:19:06 +0200] "GET /wp-content/themes/ColdStone/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 404 13655 "-" "-"
xxx.xxx.xxx.xxx - - [01/Sep/2011:10:19:07 +0200] "GET /wp-content/themes/diarise/scripts/timthumb.php?src=/g0../0d1.gif HTTP/1.1" 404 13655 "-" "-"
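
Added example, not part of the original thread: one way to flag this pattern in an Apache access log is to look for a single client requesting timthumb.php under many different theme directories within a short time. The function name, the thresholds (5 themes in 60 seconds) and the sample lines with documentation-range IP addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields needed from an Apache common/combined log line: client, time, path.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST|HEAD) (?P<path>\S+)[^"]*" \d{3} '
)
# timthumb.php requested under a theme directory; group 1 is the theme name.
THEME_RE = re.compile(r'^/wp-content/themes/([^/]+)/.*timthumb\.php', re.I)

def find_timthumb_scanners(lines, min_themes=5, window=timedelta(seconds=60)):
    """Return {ip: sorted theme names} for clients that request timthumb.php
    under at least `min_themes` distinct themes within `window`."""
    hits = defaultdict(list)  # ip -> [(time, theme)]
    for line in lines:
        m = LINE_RE.match(line)
        t = THEME_RE.match(m["path"]) if m else None
        if not t:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["ip"]].append((when, t.group(1).lower()))
    scanners = {}
    for ip, events in hits.items():
        events.sort()  # log lines are not always written in time order
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({th for _, th in events[start:end + 1]}) >= min_themes:
                scanners[ip] = sorted({th for _, th in events})
                break
    return scanners

# Constructed sample: 192.0.2.10 probes six themes in a few seconds, while
# 198.51.100.7 is a normal visitor whose own theme uses timthumb.php.
THEMES = ["Nova", "SimplePress", "bueno", "canvas", "DeepFocus", "inspire"]
SAMPLE = [
    f'192.0.2.10 - - [01/Sep/2011:10:19:{3 + i:02d} +0200] "GET /wp-content/'
    f'themes/{t}/scripts/timthumb.php?src=/x.gif HTTP/1.1" 404 13655 "-" "-"'
    for i, t in enumerate(THEMES)
] + [
    '198.51.100.7 - - [01/Sep/2011:10:20:00 +0200] "GET /wp-content/themes/'
    'canvas/scripts/timthumb.php?src=/a.jpg HTTP/1.1" 200 5120 "-" "Mozilla"',
    '198.51.100.7 - - [01/Sep/2011:10:20:01 +0200] "GET /index.php HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    print(find_timthumb_scanners(SAMPLE))
```

A flagged address can then be fed to whatever blocking or rate-limiting the host already uses; the 404 responses in the log above only show that those particular themes were not installed.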

systemdeveloper
01/09/11, 12:41
There's a leak in the timthumb script, so these will surely be bots. ( http://www.wpweetjes.nl/ernstig-veiligheidslek-in-timthumb-gebruikt-door-veel-themas/ )

Spyder01
01/09/11, 14:21
There's a leak in the timthumb script, so these will surely be bots. ( http://www.wpweetjes.nl/ernstig-veiligheidslek-in-timthumb-gebruikt-door-veel-themas/ )

Correct, I have already seen several WordPress installations that stressed many an overworked virus scanner even further :) It is something that has been quite active over the last week / week and a half.

cyrano
01/09/11, 22:53
Not just WP, by the way. I am also seeing wordlist attacks on Joomla increasing since about the same time...