[clue] WordPress login scanners?

Bruce Ediger bediger at stratigery.com
Thu May 23 11:13:53 MDT 2013


On Wed, 8 May 2013, Michael J. Hammel wrote:

> On Wed, 2013-05-08 at 11:09 -0600, Bruce Ediger wrote:
>> I see the WordPress scanners "logging in", and then accessing the fake
>> dashboard with cookies that my login page sets, but they don't do any
>> more than that wp-admin access.
>
> I'm guessing, but a scanner just looks for attack vectors.  They collect
  ....

Just for the sake of closure, I was able to change my WordPress honeypot
to WordPress 2.9.2, instead of 3.latest.  I haven't seen a
theme-uploader attempt on it since then, but I did see a
plugin-uploader.  I caught a copy of the WSO PHP shell. If you google
for "mod_gogle.php" or "mod_gogle.zip" you will find a copy. Interesting
piece of work.  The PHP code in WSO is somewhat better than malware code
I've looked through in the past. WSO actually works.

I'd still like to get a copy of the plugin-uploader or theme-uploader,
if anyone has that.  Or any of the WordPress or phpMyAdmin scanners.

It looks to me like most of the WP or PMA scanners won't actually turn
up any exploitable sites, as they don't manage cookies correctly, so I'd
like to look at the source.
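The point about scanners not managing cookies correctly can be checked from the honeypot's own logs. The following is an added example, not code from the original post or from the honeypot described in it. It assumes an Apache-style LogFormat that appends the request's Cookie header (for instance `"%h %t \"%r\" %>s \"%{Cookie}i\""`), assumes the fake login page sets a cookie named `hp_logged_in`, and runs over constructed sample lines using documentation-range IPs; none of these lines are real captures.

```python
import re
from collections import defaultdict

# Assumed name of the cookie the fake login page sets on a "successful" login.
COOKIE_NAME = "hp_logged_in"

# Constructed sample lines in the assumed custom log format:
#   ip [timestamp] "METHOD path HTTP/1.x" status "Cookie-header-or-dash"
SAMPLE_LOG = """\
198.51.100.7 [23/May/2013:10:01:02 -0600] "GET /wp-login.php HTTP/1.1" 200 "-"
198.51.100.7 [23/May/2013:10:01:03 -0600] "POST /wp-login.php HTTP/1.1" 302 "-"
198.51.100.7 [23/May/2013:10:01:04 -0600] "GET /wp-admin/ HTTP/1.1" 200 "hp_logged_in=deadbeef"
198.51.100.7 [23/May/2013:10:01:05 -0600] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 "hp_logged_in=deadbeef"
203.0.113.9 [23/May/2013:10:05:10 -0600] "POST /wp-login.php HTTP/1.1" 302 "-"
203.0.113.9 [23/May/2013:10:05:11 -0600] "GET /wp-admin/ HTTP/1.1" 302 "-"
203.0.113.9 [23/May/2013:10:05:12 -0600] "POST /wp-login.php HTTP/1.1" 302 "-"
192.0.2.44 [23/May/2013:10:09:00 -0600] "POST /wp-login.php HTTP/1.1" 302 "-"
192.0.2.44 [23/May/2013:10:09:01 -0600] "GET /phpmyadmin/ HTTP/1.1" 404 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)


def parse_cookie_header(header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}; '-' (no header sent) gives {}."""
    if header in ("", "-"):
        return {}
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def parse_log(text):
    """Yield one record per well-formed line, in file order; skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["cookies"] = parse_cookie_header(rec["cookie"])
            yield rec


def classify_clients(text, cookie_name=COOKIE_NAME):
    """
    For every client that POSTed to wp-login.php, decide whether its later
    /wp-admin requests carried the cookie the fake login handed out.
      'cookie_aware' - returned the cookie on /wp-admin: a session-handling client
      'cookie_blind' - reached /wp-admin but never presented the cookie it was given
      'login_only'   - posted credentials and never touched /wp-admin at all
    """
    by_ip = defaultdict(list)
    for rec in parse_log(text):
        by_ip[rec["ip"]].append(rec)

    verdicts = {}
    for ip, recs in by_ip.items():
        seen_login = False
        verdict = None
        for rec in recs:
            if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
                seen_login = True
                continue
            if seen_login and rec["path"].startswith("/wp-admin"):
                if cookie_name in rec["cookies"]:
                    verdict = "cookie_aware"
                    break  # one correct round-trip settles it
                verdict = "cookie_blind"
        if seen_login:
            verdicts[ip] = verdict or "login_only"
    return verdicts


def admin_paths_with_cookie(text, cookie_name=COOKIE_NAME):
    """Per IP, the /wp-admin paths requested with the cookie present: what a
    cookie-aware client actually went after once it believed it was logged in."""
    paths = defaultdict(list)
    for rec in parse_log(text):
        if rec["path"].startswith("/wp-admin") and cookie_name in rec["cookies"]:
            paths[rec["ip"]].append(rec["path"])
    return dict(paths)


if __name__ == "__main__":
    for ip, verdict in sorted(classify_clients(SAMPLE_LOG).items()):
        print(f"{ip:15} {verdict}")
    for ip, paths in admin_paths_with_cookie(SAMPLE_LOG).items():
        print(f"{ip:15} followed up with: {', '.join(paths)}")
```

Clients classified as `cookie_blind` are the ones that could never reach a plugin or theme uploader on a real site, because the admin pages would simply bounce them back to the login form; only the `cookie_aware` clients are worth keeping a fake dashboard around for, and their follow-up paths show what they came to do.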

