WordPress Exploited – 2.8.4 Release
This evening I did my twice-weekly check to see if any of my WordPress blogs have been exploited and what do you know… CenterNetworks has been exploited. I was checking every day but moved it to twice a week checks after the last security patch for WordPress that moved the blog to 2.8.4. The exploit took place last night as far as I can tell and has already been indexed in Google so there goes my traffic and earnings.
When the “big hacker” event happened earlier this month, WordPress founder Matt Mullenweg noted, “The only thing that I can promise will keep your blog secure today and in the future is upgrading.” As of this evening, I can only assume his promise no longer stands valid.
I can’t tell whether the exploits are coming through WordPress or my host, Rackspace. Rackspace always says it’s on the WordPress side. I am happy to provide whatever I can to WordPress to help them figure out what happened and I can only hope that eventually they get this fixed. Rackspace personnel called me this evening and noted that the permissions are all set correctly on the server. If it’s something on my end, I’d like to know that as well.
Update Midnight: Rackspace is now running a XSS checker on this site.
Update 4:30pm Saturday: Rackspace is now saying that they believe someone logged into CN and manually changed the template file. They are supposed to be sending over some logs soon.
Update 8pm Saturday: I’ve received the log files – unfortunately they don’t show much beyond someone editing the footer include. If someone from WordPress would like the files, please contact me.
Each and every time that my WordPress sites are exploited and/or hacked, I seriously regret moving away from Drupal where in over three years I wasn’t hacked once.
Related: The Good, The Bad and The Exploited – My Move from Drupal to WordPress
I was also hacked on a number of WP sites while using Rackspace.
Most recently, my master acct was hacked and an entire domain name and its hosted contents removed. After they told me it was my fault, and maybe the client changed it to be hosted elsewhere, they said, essentially, tough sh*t, someone must have hacked it on your end. Right. At 3am on a weekday someone broke into my house, logged into my account and deleted one website and all its files.
I’d better get a better door lock.
Just had a 2.8.4 site hacked. Yes, I know I should have at least been up to 2.8.6, but I just missed that update when 2.9 came out and some of our plugins wouldn’t work. The site is hosted on Network Solutions and apparently several sites were hacked this weekend on their servers. I still don’t know how they got in. They placed index.php.BAD files in various directories.
I was surprised because we had taken every security measure prior to this attack (with the exception of removing the generator tag — oops! — meant to do that but forgot on one of the templates). We had renamed the table prefix, had limit login attempts and the SEO WP Firewall plugins installed, were using limited plugins, did not use admin for username and had very strong passwords.
I’m reading these comments to see what I can do to scan to find out what caused the hack. Of course, Network Solutions was completely unresponsive and unavailable by phone, so it’s quite frustrating to watch hour by hour as a hacker logs into your site and changes files (even after we changed all the passwords AGAIN and updated to 2.9.1). At one point, I changed the permissions on the themes folder, and the hacker promptly responded by deleting all my theme’s files. He was definitely watching my every move and responding in kind to my various attempts to block him — in a personal, not robotic, way. Very creepy and annoying since I couldn’t get through to Network Solutions after being on hold for more than 30 minutes with no sense of a queue and just repetitive playing of Pachelbel’s Canon. I think they do that to encourage you to hang up.
Consider this a drive-by post, but I’m LOLing at the thought that this is blamable on WordPress. You said someone edited the template file. That means it wasn’t a security problem in WordPress but rather something else. Way to blame them for the problem.
(And this is coming from someone who loves Drupal far more than WordPress)
Before switching to 2.8.4, our site was compromised. The @*%$! spammers deployed two files to our system /wp-admin/fotter.php and /wp-admin/inclode.php (note the purposeful misspellings). These were encrypted files that were web-based backdoors. These were causing our theme footer to be overwritten nightly.
Make sure you search *really* well. A mere search for “base64” isn’t enough.
See here: http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/
My WordPress 2.8.4 website was also hacked over the last three days. Footer.php is edited every night. Download file permissions were changed. Does anybody have a solution for it? Looking forward to all your replies!
WordPress is leakier than Drupal but my Drupal sites have been hacked a couple of times.
The most important thing about any CMS is to stay up to date.
Matt,
I use the WP Security Scanner plugin on all of my WordPress sites, and I seem to keep relatively hack free. By relatively, I mean that there are hacking attempts, but they never get very far. Is this a plugin you would recommend for everyone, or is there another as well?
I am also a Drupal user, but am willing to take the risk with WordPress because of its user-friendly backend and its SEO and SMO superiority. If we as developers are using FREE software, we should be privy to the responsibility and risk that comes with it.
Thanks for all you do, Matt!!
@Admiral thanks for the good advice. Also, as you mentioned searching for the eval(base64) string, a lot of the free WordPress themes out in the wild have that very same string with the gobbledygook string of characters in the footer.php file, and I think that is how many installs get pwned.
Apparently it is to keep unscrupulous people from editing out the credit in the footers of themes, but in most cases it carries nasty backdoor entries into your WP install and ultimately the servers on which your blog is hosted.
So stick to either the themes from wordpress.org or pay someone to customize or design your desired theme from scratch.
just my 0.002 :)
Just to confirm – the CN theme I made :)
Hey Allen :) yeah, sure, but my point is nevertheless to also look out for that kind of thing in themes found elsewhere on the web.
Many design and web development type sites have regularly compiled lists of free themes, and I have taken a couple apart and some had the encrypted string in the footer file.
1) Was your default table wp_ ?
2) Was your admin username admin?
You definitely need to install the WordPress Firewall Plugin. The #1 plugin for SQL injection. And it’s free too! There are other plugins such as paranoid911 and monitor files which are quite good.
Howdy,
All of the exploits that I’ve seen of 2.8.4 so far have been dormant copies of c99shell that weren’t fully cleaned in an earlier exploit. It’s a pretty common practice to drop a few of these around in obscure directories of the target site so if the first security problem is patched, they still have access to reinfect.
If it was in fact c99shell or some variant (most of them are lately) search every file in your site for:
eval(base64
These two functions are used to bootstrap most variants of c99shell. You can use “grep” if you have command line access, or you can download the entire site and use any text editor that will search multiple files. When you find it (eval(base64_decode *a long encoded string*)), clean it out.
Also look for the payload, usually some big string of links injected into a template or view-related file, with the intent of boosting the pagerank of the site it’s pointing at. If you’ve found one, just search the source again for a unique word that’s common in the links.
You can also sort all files in the directory listing by “modified date” and view the most recently modified files. This helps to identify potentially infected files.
Disabling eval entirely in your PHP config (using disable_functions in php.ini) will do wonders for stopping this. Look at hardened PHP configurations like SUHOSIN and the like.
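A scanner that applies the two checks from the comment above (the eval(base64_decode bootstrap and the most recently modified files), written here as an added example rather than code from the post or from any commenter. It generalizes the signature to tolerate whitespace and a decompression wrapper between eval and base64_decode, and it runs against a constructed sample tree; the file names and contents are made up for the demonstration.

```python
import os
import re
import tempfile
import time

# Bootstrap signature: eval( [gzinflate(|gzuncompress(|str_rot13(] base64_decode(
# with arbitrary whitespace, so "eval ( base64_decode(" is still caught.
BACKDOOR_RE = re.compile(
    r"eval\s*\(\s*(?:(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*)?base64_decode\s*\(",
    re.IGNORECASE,
)

def scan_tree(root):
    """Sorted (relative path, line number) pairs for every PHP/HTML file under
    root containing the bootstrap. .BAD is included because attackers park
    copies under that suffix (see the Network Solutions comment above)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".html", ".htm", ".bad")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if BACKDOOR_RE.search(line):
                        hits.append((os.path.relpath(path, root), lineno))
    return sorted(hits)

def recently_modified(root, days):
    """Relative paths of files modified within the last `days` days, newest first."""
    cutoff = time.time() - days * 86400
    recent = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            if mtime >= cutoff:
                recent.append((mtime, os.path.relpath(path, root)))
    return [p for _, p in sorted(recent, reverse=True)]

def build_sample_tree():
    """Constructed sample install (not real WordPress files): a clean header, a
    footer carrying the bootstrap, and an untouched file aged ten days."""
    root = tempfile.mkdtemp()
    samples = {
        "wp-content/themes/cn/header.php": "<?php get_header(); ?>\n",
        "wp-content/themes/cn/footer.php":
            "<?php wp_footer(); ?>\n<?php eval ( base64_decode('aGVsbG8=') ); ?>\n",
        "wp-includes/old.php": "<?php echo 'clean'; ?>\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    old = os.path.join(root, "wp-includes", "old.php")
    os.utime(old, (time.time() - 10 * 86400,) * 2)  # push it out of the recent list
    return root
```

Run scan_tree over a downloaded copy of the site, then review everything recently_modified reports that you did not change yourself.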
This is excellent advice. The backdoor can also sometimes be embedded in normal files you expect to be there.
Yep, this happened before – the backdoor was inserted into one of the core WP files which wasn’t easily noticeable.
Thanks Admiral – I’ve done this each and every time the site has been hacked. Rackspace has also run scanners to check for the string you noted.
I will look into some of the other suggestions you made as well.
Not sure if this helps but here’s an article I bookmarked regarding WordPress security and the steps you can take to build your defences:
http://blogcritics.org/scitech/article/10-tips-to-make-wordpress-hack/
I would recommend running the WordPress logging plugin with the open source OSSEC HIDS. It monitors EVERY action that is made to WordPress (and your system and apache), blocks potential attacks and alerts you right away…
Plus, it is all free and open source… The guy that said that only by keeping WordPress upgraded you will be safe, does not understand security. There are multiple layers that need to be protected and monitored…
Link: http://www.ossec.net and http://www.ossec.net/wpsyslog2
I think there might be an issue with your hosting, or surely the other big sites like TechCrunch would be being exploited too.
I have never been hacked yet using wordpress and I am on mediatemple. Anyone been exploited on mediatemple?
I believe techcrunch is on rackspace now too :)
I subscribe to two Google alerts, one for “wordpress security” and one for “drupal security”; it’s very eye opening to see the differences. Drupal might not be as popular so I’d expect less hacking and fewer comments from victims, but the way in which WordPress patches problems and exploits is a world away from the professional approach that Drupal takes – the guys at Drupal find vulnerabilities before the hackers do. I have three WordPress sites and three Drupal sites. Guess which three have been hacked (all updated to the latest release at the time), guess which three I have to spend an hour or so ‘hardening’ after I have installed them, and guess which three come out of the box secure and only need occasional updates to contributed modules?
WordPress is easy to install and use as a blog out of the box; Drupal is a lot more technical and needs configuration to turn into a blog (or at least it did, it’s getting better), and I’m convinced that’s the only reason that WordPress is popular – it’s certainly not because it’s better!
Of the last 6 security releases for WordPress, 5 were fixing problems that were not known to the public yet. Because this happens often and we work with the security community closely, that’s why I put so much emphasis on upgrading.
Drupal indicates when a new version is not an “upgrade”, but rather – a required security patch. In WordPress, there’s no such indication and you should not expect people to rush to upgrade.
Anyway, kudos to WordPress for the one-click upgrades of everything – core, plugins, themes. This process is so painful with Drupal!
Yeah, and Macs are immune to malware too.
How many WordPress sites are there? How many Drupal sites?
Thought experiment: You’re a malware author. What do you target?
Check your database carefully and also look for any files that do not belong to your WordPress install. The “worm” that caused all that ballyhoo a few weeks ago was not a new exploit, nor did it suddenly get in and do damage. It was active on WordPress sites almost 4 months ago and went largely unnoticed until the second phase, which is when it changed permalinks. It is entirely possible for a site to have been exploited months ago, without anyone noticing, and for the payload to have been hanging around on the server ever since. If a site is upgraded after the exploit is already in place, the upgrade won’t stop the exploit being activated.
If you got hacked and you’re on 2.8.4 then there is something else wrong on your account: a vulnerable plugin, other software (perhaps in an old directory), or a backdoor script installed on your hosting account (or server) somewhere. I wonder if these guys are targeting Rackspace? If their support still won’t help you because you aren’t Scoble, let me know and maybe one of our people can take a look.
Thanks for stopping by Matt. In the past there were shells on the site but they are all gone – I have gone through every single directory on this site (there aren’t that many of them) and there are no php files outside of the WordPress directories so I am not confident that it is a backdoor script. There is no old software on the site as I’ve deleted everything from the old Drupal install a long time ago.
Rackspace is running some sort of xss checker but I doubt that will find anything.
You could run Chorizo (https://chorizo-scanner.com/) yourself and check your site for XSS. It’s pretty basic, but works. It’s free too – for one host. Just let me know if you need help.
Hey, I agree with you. I use WordPress on a lot of my sites, and I am seriously thinking of moving back to Drupal. So much more secure.
Drupal 7 will definitely be a WordPress killer.
Commenting again so I can check the email followup comments… and using another email in case my server’s down and I can’t get email again. :(
I’m not sure if that’s what’s been happening to me or not. My server has all but shut down for the past 18 hrs. When it’s not shut down, page load times are in the minutes. It’s a dedicated server and it’s functioning normally… appears to be running at such full capacity w/out my blogs that it can’t handle blog page loads.
This very easily could be the result of WordPress being hacked and something using my server instead of me. Not sure if this is at all similar to what you’ve experienced.
Bugger dude .. sorry to hear that. All I can say is in nearly 5 years of running WordPress on a variety of sites, I’ve never once been hacked. I was hacked via Invision board three times, and once through some old code of mine (doh!!) – and these ONLY ever happened when I was hosted with Rackspace. I don’t know if being on Rackspace makes you more likely to be attacked or what, but when I moved away from them to Media Temple, I never had an issue again. (BTW: I love Rackspace, their service & support, I just no longer needed the scale of hosting as I had sold my business and was back to personal sites – not commercial ones)
Rackspace customer service is responsive – they just called me which was great – but I still think there is something that’s not set right.