Why am I suddenly seeing attacks against the WordPress imgmanager plugin?
In the past three days I’ve seen multiple attacks against an ancient (i.e., 2.5-year-old) security hole in the Joomla imgmanager plugin you can find documented here. The attacks came from a Thailand ISP and a Russian cloud service provider. The attacks start with a request similar to this one:
POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1
The POST content attempts to create a file named bogel.gif that contains a PHP program that was compressed, rot13-encoded, then base64-encoded.
It amazes me that hackers are wasting time on ancient security flaws with a low probability of succeeding. It’s amazing because doing so tells the world the source of the attack should be blacklisted, thus making it useless for more productive attacks. Perhaps that says something about how bad the defenses are for the typical web site. Personally, I have a zero-tolerance, one-strike-and-you’re-blacklisted-for-three-months policy. And the three-month interval restarts every time I see another request from the source. If more sites had similar policies it might exert some pressure on ISPs and VPS/cloud computing providers to actually deal with malware.
I’m also extremely pissed off that WordPress doesn’t report a meaningful error when a bogus plugin request is handled. I say bogus because in every case I’ve seen it’s been to a plugin that isn’t installed on my system. So I’m just going to blacklist all attempts to POST /index.php (as well as any other path ending in /index.php). If and when I ever install a plugin that I want to allow POSTing to, I’ll explicitly whitelist it.
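As an added illustration (not code from the post), here is a small log-scanning pass that applies the policy described above to constructed Apache access-log lines: it flags any POST to a path ending in /index.php that is not on an explicit whitelist, plus the com_jce/imgmanager request shape quoted earlier, and keeps a per-source block whose three-month clock restarts on every new hit. The log format, the `ALLOWED_POST_OPTIONS` whitelist and the sample addresses are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Minimal Apache combined-log parser: client IP, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BLOCK_DAYS = 90          # "three months"; the clock restarts on every new hit
ALLOWED_POST_OPTIONS = frozenset()  # assumed whitelist of option= values that may POST

def is_suspicious(method, uri):
    """POST to any path ending in /index.php (unless whitelisted), or the
    com_jce/imgmanager request shape quoted in the post, regardless of method."""
    parts = urlsplit(uri)
    q = parse_qs(parts.query)
    option = q.get("option", [""])[0]
    if option == "com_jce" and q.get("plugin") == ["imgmanager"]:
        return True
    return (method == "POST" and parts.path.endswith("/index.php")
            and option not in ALLOWED_POST_OPTIONS)

def update_blacklist(log_lines, blacklist=None):
    """Return {ip: expiry}; every matching request (re)starts the 90-day block."""
    blacklist = dict(blacklist or {})
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_suspicious(m["method"], m["uri"]):
            seen = datetime.strptime(m["ts"], TS_FMT)
            blacklist[m["ip"]] = seen + timedelta(days=BLOCK_DAYS)
    return blacklist

def is_blocked(ip, blacklist, now):
    """True while the source's most recent hit is less than BLOCK_DAYS old."""
    expiry = blacklist.get(ip)
    return expiry is not None and now < expiry

# Constructed sample log lines (RFC 5737 documentation addresses, not real sources).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2014:08:15:02 +0000] "POST /index.php?option=com_jce&task=plugin'
    '&plugin=imgmanager&file=imgmanager&method=form&cid=20 HTTP/1.1" 403 211',
    '198.51.100.9 - - [10/Jan/2014:08:16:30 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120',
    '203.0.113.7 - - [15/Jan/2014:12:00:00 +0000] "POST /index.php HTTP/1.1" 403 211',
    '192.0.2.44 - - [15/Jan/2014:12:05:00 +0000] "GET /blog/index.php HTTP/1.1" 200 900',
]
```

Running `update_blacklist(SAMPLE_LOG)` shows the second hit from 203.0.113.7 pushing its expiry out to 15 April, while the ordinary GET requests leave no entry.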