Finding the WordPress installation Logwatch is referring to

0

Today, I got

 A total of 2 possible successful probes were detected (the following URLs
 contain strings that match one or more of a listing of strings that
 indicate a possible exploit):

    /wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=../../../../wp-config.php HTTP Response 301 
    /wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php HTTP Response 301 

from Logwatch.

I did find / -name wptf-image-gallery -type d on my server to remove it but there was no result.

What should I do now? How do I find the affected WordPress installation?

Alex

Posted 2019-04-28T07:35:59.580

Reputation: 3

Answers

0

The HTTP Response 301 indicates HTTP redirection, not an actual successful response. There are more possible reasons for that than the file actually existing. Because Logwatch uses the logs (not the file system), you should grep through the logs to find the correct virtual host.

After that you can find out whether these plugins/themes are installed and whether the versions are vulnerable. Or whether there's even a WordPress installation.

Esa Jokinen

Posted 2019-04-28T07:35:59.580

Reputation: 615
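
The log search described in the answer above, as an added example that is not part of the original answer: it reports which virtual host's access log recorded the probes and with which HTTP status. It assumes one combined-format access log per virtual host in a single directory; the file names, the helper names `find_probe_vhosts` and `make_sample_logs`, and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer.
# Assumption: every virtual host writes its own combined-format access log
# into one directory (the layout and file names here are hypothetical).

# find_probe_vhosts LOGDIR NEEDLE
# Prints "logfile status count" for each log with requests containing NEEDLE.
find_probe_vhosts() {
    for log in "$1"/*.log; do
        [ -f "$log" ] || continue
        # index() matches NEEDLE as a fixed string, like grep -F, so "?" and
        # "." in the URL are not treated as regex operators.
        NEEDLE=$2 awk -v f="${log##*/}" '
            index($0, ENVIRON["NEEDLE"]) { hits[$9]++ }  # $9 = HTTP status
            END { for (s in hits) print f, s, hits[s] }' "$log"
    done | sort
}

# Constructed sample logs: one vhost received the probes, the other did not.
make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/blog.example.org.log" <<'EOF'
203.0.113.7 - - [28/Apr/2019:03:12:45 +0000] "GET /wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=../../../../wp-config.php HTTP/1.1" 301 178 "-" "-"
203.0.113.7 - - [28/Apr/2019:03:12:46 +0000] "GET /wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php HTTP/1.1" 301 178 "-" "-"
EOF
    cat > "$dir/shop.example.org.log" <<'EOF'
192.0.2.10 - - [28/Apr/2019:03:13:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "-"
EOF
    printf '%s\n' "$dir"
}

sample=$(make_sample_logs)
find_probe_vhosts "$sample" 'wp-config.php'   # blog.example.org.log 301 2
rm -rf "$sample"
```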