sec.php Exploit

General questions pertaining to how certain issues can be resolved. This forum is closed with effect from February 2019. Please post future requests on https://github.com/sayontan/suffusion.
adsparmar
Posts: 35
Joined: 09 Aug 2011, 06:48

sec.php Exploit

Post by adsparmar » 09 Aug 2011, 06:57

Hi,

My domain: http://www.g4menation.com

I recently shifted from GoDaddy servers to HostGator on 1st Aug 2011. Everything was working fine today until the time I went for a coffee break, came back, refreshed my site and everything was just gone. I immediately caught hold of the tech support guy from HostGator who told me that sec.php was used to delete all my content from my website. He said that this URL can be opened from anywhere in the world to remove content if someone wishes to.

Example:

http://www.domain.com/sec.php

What's interesting is that he told me to stay away from Suffusion as sec.php was installed by the theme itself and did not exist before that. What I want to know is whether this is true or not. Also, I've attached my entire chat log with the tech support rep for your scrutiny.

I've lost my entire website and now I have to reinstall WordPress from scratch and build everything again. My 7-8 pages' worth of content is gone, my hits are gone and I'm back to square one.
Attachment: Welcome to GatorChat.zip (chat log)

Colin
Posts: 5066
Joined: 27 Oct 2009, 10:46

Re: sec.php Exploit

Post by Colin » 09 Aug 2011, 09:38

I have just checked 2 of my WP installs that have Suffusion as the theme and neither has sec.php anywhere on the site. Maybe HostGator is just blowing smoke. I know that they have some serious issues running WordPress on their servers. Check out the WordPress forums for more information.

sayontan
Site Admin
Posts: 10210
Joined: 15 Sep 2009, 16:39
Location: Houston, Texas
Contact:

Re: sec.php Exploit

Post by sayontan » 09 Aug 2011, 10:28

Colin wrote: Maybe HostGator is just blowing smoke.
HostGator is definitely blowing smoke.

You can validate this by looking at the source of the theme: http://themes.svn.wordpress.org/suffusion/. This is the source that is distributed from WP. Take a look at any branch that you want and see if you can spot anything that looks remotely fishy. You will see neither sec.php nor sym in there.

Also note that every theme distributed via the WP repository (http://wordpress.org/extend/themes/) is thoroughly checked for issues such as this. There is no way a theme you got from there could have this exploit. Every theme is checked for existence of calls such as "fopen" or "file_get_contents" or "base64_encode" or "base64_decode" - the first 2 can be exploited by hackers, and the last 2 indicate a hack in several cases. Suffusion has none of these.

So how did you get it? Quite a few ways are possible. Recently there was a vulnerability that was exposed in TimThumb. If any of your installed themes has TimThumb (your themes don't have to be activated - just being installed makes TimThumb accessible), then a hacker might have exploited it. Depending on the potency of the installed script, it is possible that somebody else's account on your host's server was infected and that person managed to write a script to your account.

Another way to get this exploit is if you downloaded the theme from a site other than WordPress.org. There is enough literature on the web warning people to not download themes from sites offering them for free.
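A small scanner for the two checks described in the reply above (a stray sec.php in the theme directory and calls to fopen, file_get_contents, base64_encode or base64_decode), added here as an example; it is not code from Suffusion or from the WordPress.org theme review, and the theme files it scans are constructed samples written to a temporary directory.

```python
"""Scan a WordPress theme directory for a stray sec.php and for the four
function calls named in the thread. Sample theme files are constructed."""
import re
import tempfile
from pathlib import Path

SUSPICIOUS_FILES = {"sec.php"}
SUSPICIOUS_CALLS = ("fopen", "file_get_contents", "base64_encode", "base64_decode")
# Whole-word call name followed by "(", so my_file_get_contents_helper( is not reported.
CALL_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(")


def scan_theme(theme_dir):
    """Return a sorted list of (relative_path, finding) for every .php file under theme_dir."""
    findings = []
    root = Path(theme_dir)
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if path.name in SUSPICIOUS_FILES:
            findings.append((rel, "unexpected file"))
        text = path.read_text(errors="replace")
        for match in CALL_RE.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append((rel, f"{match.group(1)}() at line {line_no}"))
    return sorted(findings)


def build_sample_theme(inject=True):
    """Constructed sample: a clean functions.php, plus an injected sec.php when inject is True."""
    tmp = tempfile.mkdtemp(prefix="theme-")
    Path(tmp, "functions.php").write_text(
        "<?php\nfunction theme_setup() { add_theme_support('menus'); }\n"
    )
    if inject:
        # Harmless placeholder calls; only their presence matters to the scanner.
        Path(tmp, "sec.php").write_text(
            "<?php\n$x = base64_decode('aGVsbG8=');\n$h = fopen('log.txt', 'r');\n"
        )
    return tmp


if __name__ == "__main__":
    for rel, what in scan_theme(build_sample_theme()):
        print(f"{rel}: {what}")
```

Point it at wp-content/themes/<theme> on a real install; a clean theme from the WordPress.org repository should produce no findings.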

adsparmar
Posts: 35
Joined: 09 Aug 2011, 06:48

Re: sec.php Exploit

Post by adsparmar » 09 Aug 2011, 11:09

Thanks for your replies Colin and Sayontan!

The problem is, I'm not that good with PHP and so easily got fooled by a random reason thrown at me. As far as Suffusion is concerned, this is not the first time I've used it. Never before has such a thing ever happened. In fact, my sister's website is running on Suffusion as well. I've always downloaded it from the wp-admin panel's inbuilt theme search. I'm not aware if any plugin caused this, but then, I never download plugins from anywhere else but WordPress.org.

Thanks for pointing me in the right direction. I'm going to reinstall Suffusion whether they like it or not and I'll make sure all the other default themes and useless plugins are deleted altogether. It sure will take some time but I guess this is how I'm gonna stick it to them.

Cheers!
Aman

sayontan
Site Admin
Posts: 10210
Joined: 15 Sep 2009, 16:39
Location: Houston, Texas
Contact:

Re: sec.php Exploit

Post by sayontan » 09 Aug 2011, 11:18

On shared hosting sites you might consider quite a few things:
1. If you are installing your site anew, create a new user for it and install it there.
2. For each site you own do the installation for a new user.

Note that if there are infected users on the same hosted server, that itself can cause issues - I once spotted a file in my directories that had somebody else's name set as the creator, indicating some major hole in the server's security. Also see if this post applies to you in terms of security tightening: viewtopic.php?f=4&t=5133&p=21215#p21933.

ganddy
Posts: 20
Joined: 22 Feb 2015, 10:44

Re: sec.php Exploit

Post by ganddy » 03 Oct 2015, 10:47

Additionally, even if the WordPress install is finished, it doesn't mean everything is done. You need to run a penetration test on your site so you would know the possible exploits. Hackers today actually target WordPress sites. Lots of plugins mean lots of possible exploits.
