Re: [bitfolk] Security incident: Wordpress compromise

Author: Andy Smith
Date:  
To: users
Subject: Re: [bitfolk] Security incident: Wordpress compromise

gpg: Signature made Sun Dec 30 23:47:31 2012 UTC
gpg: using DSA key 2099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andrew James Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andy Smith (UKUUG) <andy.smith@ukuug.org>" [unknown]
gpg: aka "Andy Smith (BitFolk Ltd.) <andy@bitfolk.com>" [unknown]
gpg: aka "Andy Smith (Linux User Groups UK) <andy@lug.org.uk>" [unknown]
gpg: aka "Andy Smith (Cernio Technology Cooperative) <andy.smith@cernio.com>" [unknown]
Hello,

On Sun, Dec 30, 2012 at 11:41:34PM +0000, Ian wrote:
> Andy said:
> >Upon further investigation it appeared that around 30th November one
> >of the site's legitimate Wordpress admins had logged in from an
> >unexpected place (a Tor exit node) and had uploaded a PHP file which
> >appeared to enable full filesystem traversal, downloading of file
> >content, shell command execution as Apache user, etc.
>
> Is this something that was uploaded to the WordPress
> wp-content/upload directories or as a plugin / theme?


It was uploaded as a plugin.

Cheers,
Andy

--
http://bitfolk.com/ -- No-nonsense VPS hosting
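
Added example, not part of the original message or BitFolk's own tooling: a sketch of how the access pattern described in the thread (an admin login and a plugin upload from a Tor exit node) could be flagged in an Apache combined-format access log. The log lines, IP addresses and exit-node set are constructed for illustration; `/wp-login.php` and `/wp-admin/update.php?action=upload-plugin` are the standard WordPress login and plugin-upload endpoints.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def classify(method, target):
    """Return 'login', 'plugin-upload' or None for one request."""
    if method != "POST":
        return None
    url = urlsplit(target)
    if url.path.endswith("/wp-login.php"):
        return "login"
    actions = parse_qs(url.query).get("action", [])
    if url.path.endswith("/wp-admin/update.php") and "upload-plugin" in actions:
        return "plugin-upload"
    return None

def tor_admin_events(lines, tor_exits):
    """Return (time, ip, kind, status) for watched requests from Tor exits."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] not in tor_exits:
            continue  # unparseable line, or client is not a listed exit
        kind = classify(m["method"], m["target"])
        if kind:
            events.append((m["time"], m["ip"], kind, int(m["status"])))
    return events

# Constructed sample data (documentation address ranges, not from the incident).
TOR_EXITS = {"203.0.113.77"}  # assumption: loaded from an exit-list snapshot
SAMPLE_LOG = [
    '198.51.100.10 - - [01/Jan/2020:01:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 512 "-" "UA"',
    '203.0.113.77 - - [01/Jan/2020:02:14:07 +0000] "POST /wp-login.php HTTP/1.1" 302 512 "-" "UA"',
    '203.0.113.77 - - [01/Jan/2020:02:14:30 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 9000 "-" "UA"',
    '203.0.113.77 - - [01/Jan/2020:02:15:02 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4100 "-" "UA"',
    '198.51.100.10 - - [01/Jan/2020:03:00:00 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4100 "-" "UA"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for event in tor_admin_events(SAMPLE_LOG, TOR_EXITS):
        print(event)
```

A plugin upload from an address that is not a listed exit (the fifth sample line) is deliberately not reported here; reviewing all plugin uploads is a separate check.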