Today being another day at work for SecureLayer7 to recover our client’s defaced website, and bang I think I hit upon a nasty vulnerability of a famous plugin.
Although we successfully patched the vulnerability and we fixed the undoing of the blacklisting. On further research I stumbled upon its usage over the internet and as it turns out large number of web users online are affected, putting them to greater risk if not mitigated with a proper patch or an update.
I started my day with my regular Malware Cleanup activity and came across an interesting backdoor web shell file on the server. The server is not specific to any particular environment, it was one of the regularly updated WordPress package with the plugin RevSlider Plugin ver. 4.1.4 .
I initiated the process to detect the backdoors and web malwares, and got a hit on a malicious .htaccess file which was redirecting hxxp://m.mobi-avto.ru as shown below:
CVE-2015-0235 Ghost (glibc gethostbyname buffer overflow) Vulnerability is serious cause for all Linux servers. This vulnerability leveraged to execute remote and code execution on the victim Linux server. The vulnerability found By Qualys Researcher and patched in GNU.
What is the cause ?
The bug is in __nss_hostname_digits_dots() function of function of the GNU C Library (glibc), and location of the path is file for non-reentrant version is nss/getXXbyYY.c , which