#21
Getting back into the biz
Join Date: Apr 2004
Location: Back in the Belly of the Beast
Posts: 2,106
Points: 2,205
Bumping and some more info. From what I have read this exploit has at least partially compromised wp from 1.5.2 up to and including the new 2.5.1. It works by writing out php files, often disguised as .jpgg, .giff or .pngg, but sometimes adding the code to your php files as well. If you chmod your directories to 755 and files to 644, it seems that might harden against this exploit. Also, this exploit is known to attempt to access outside of the user home directory; you may wish to ensure you have open_basedir protection and that nothing is writable by user "nobody" unless it must be (for example, .htaccess if you are having wp rewrite your urls).

This seems like it could be a very nasty one. As far as I have seen its full scope is not known; it loads encrypted files onto your server and attempts to pop a javascript on your users. In both of my wp's which were compromised there was data I needed to remove from the database itself with phpMyAdmin. This included a phantom user "wordpress" and two phantom plugins on one account, one on the other. Removing these phantom plugins from the database stopped wp from falsely reporting it was version 2.5; so far everyone I have heard of reports that other versions are erroneously listed as 2.5 if they've been hit. On my 1.5.2 mainstream blog it appeared the user "wordpress"'s full name was an attempt to pop a script.

To check your wp, see if it reports its version as 2.5 when it's not. Look for files ending in .jpgg, .giff, .pngg, or with _old or _new as part of their name. Look at file update dates. I did not find the wp-info files on my box, ymmv. Also, if you try to change a post's author and see user wordpress, then you've been hit. Most of what I've learned about it came from the previously referenced links; if you have not checked them out and you run wp, you should.
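A triage scan for the file-level indicators listed in this post (doubled image extensions, _old/_new in file names, PHP written into the upload directory, and the 666/777 permissions the thread blames). This is an added example, not code from the thread or from WordPress; the sample tree it builds is constructed, and its file names are placeholders apart from rzf.php.giff, which is the name reported in this thread.

```python
import os, stat, tempfile
from typing import Dict, List

# Indicators quoted in this thread: PHP planted under doubled image extensions,
# "_old"/"_new" in file names, PHP inside the upload directory, 666/777 perms.
SUSPICIOUS_SUFFIXES = (".jpgg", ".giff", ".pngg")
SUSPICIOUS_FRAGMENTS = ("_old", "_new")

def scan_wp_tree(root: str) -> Dict[str, List[str]]:
    """Walk a WordPress tree and return relative paths grouped by indicator.
    Triage output only: a hit is a reason to inspect, not proof of compromise."""
    hits: Dict[str, List[str]] = {"suspicious_name": [], "php_in_uploads": [], "world_writable": []}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_uploads = "uploads" in rel_dir.split(os.sep)
        for name in dirnames + filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            low = name.lower()
            if low.endswith(SUSPICIOUS_SUFFIXES) or any(f in low for f in SUSPICIOUS_FRAGMENTS):
                hits["suspicious_name"].append(rel)
            if in_uploads and name in filenames and low.endswith(".php"):  # no PHP belongs in uploads
                hits["php_in_uploads"].append(rel)
            if os.lstat(os.path.join(dirpath, name)).st_mode & stat.S_IWOTH:  # 666 / 777 style perms
                hits["world_writable"].append(rel)
    return {k: sorted(v) for k, v in hits.items()}

def build_sample_tree(base: str) -> None:
    """Constructed sample install (placeholder files, not real WordPress) used by demo()."""
    files = {
        "wp-includes/version.php": "<?php $wp_version = '2.5.1';\n",
        "wp-content/uploads/2008/04/photo.jpg": "",
        "wp-content/uploads/2008/04/rzf.php.giff": "<?php /* planted file name from the thread */\n",
        "wp-content/uploads/2008/04/thumb_new.php": "<?php /* placeholder planted file */\n",
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    for dirpath, _, filenames in os.walk(base):  # normalise perms regardless of umask
        os.chmod(dirpath, 0o755)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), 0o644)
    os.chmod(os.path.join(base, "wp-content", "uploads"), 0o777)  # the misconfiguration

def demo() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_wp_tree(tmp)
```

Run scan_wp_tree against the real document root and also compare file mtimes with the last known-good deployment, as the post suggests, since the name and permission checks alone will not catch code appended to legitimate php files.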

#22
Those with the biggest egos are insecure
Join Date: Jan 2003
Location: near Cape Cod, Massachusetts
Posts: 9,150
Points: 1,196
I haven't found the phantom plugins on the one site affected. I have locked down every upload directory so far and that seemed to have been the point of entry from all I've read.

#23
The Thread Killer
Found only one of mine infected - also had the upload directory set to 777, and it was an old site I haven't used in forever. Phantom user present, but no config file data was saved that I can see, although I'm changing all my info just to be sure.
Be sure you also check your posts table for an attempted insertion with attachments on or about 4/20. That seems to be how they're determining if a blog is vulnerable to this exploit. It would be a phantom entry (only shows in the table, not on the actual blog) and mine had no text but an attachment named rzf.php.giff (it's called rzf.txt in the wp-posts table). Make sure you find and delete that entry and file as well.

#24
Those with the biggest egos are insecure
Join Date: Jan 2003
Location: near Cape Cod, Massachusetts
Posts: 9,150
Points: 1,196
I'm going through everything again to be safe, though I can see from my error logs they are trying to exploit but can't.
I noticed I am user ID 1 and ID 15 was "WordPress", so I had deleted a few spams by that author as well as a few posts. They hit the blog that's been around for nearly 4 years so has a *lot* of posts -- even with backups I am SO glad I didn't lose anything.

#25
Those with the biggest egos are insecure
Join Date: Jan 2003
Location: near Cape Cod, Massachusetts
Posts: 9,150
Points: 1,196
In the table_plugins I found an extra plugin. I don't think anyone can exploit it for various reasons, including that I've removed the user and all giff/pngg/etc files are gone ... but I'm removing it in any case.
A category was added -- "children" -- which I deleted. Now, under post_meta I see a reference to another site I have, but WP isn't installed there and the directories they are looking for and the file they are calling (rssphp) isn't there. The only thing on the domain is a full-page ad with a link to a site of mine ...

#26
I need a bit more space here. There is n
Join Date: Jan 2005
Location: Denmark
Posts: 7,254
Points: 1,172
I just received an email from one of my hosts, warning about this exploit. It does sound like a rather nasty one.
I'm updating my blogs right now - and being thankful that I only have a select few blogs left to update these days. I'm often just as thankful that I didn't go with a CMS or custom script for my review site either, but just used a simple template system. "Going scriptless" can really save you some headaches now and then (though admittedly also give you a few others), particularly when it comes to security. I had both CuteNews and my click tracking script hacked when I used those the first couple of months on my site.

#27
Leopard User
2.5.1 is still affected by this?

#28
Getting back into the biz
Join Date: Apr 2004
Location: Back in the Belly of the Beast
Posts: 2,106
Points: 2,205
I have read a report suggesting that, yes. I do not know that first hand. It would have been something on the wordpress discussion linked to earlier, probably.
The phantom plugins I found were in the wp_options table in the option_value field where the option_name was active_plugins.

#30
Those with the biggest egos are insecure
Join Date: Jan 2003
Location: near Cape Cod, Massachusetts
Posts: 9,150
Points: 1,196
Came in and saw 456 (so far) 404 errors ... every time my POTD loaded, it was empty. I checked and all images *are* there, but the exploiter put the ownership elsewhere so I could not even overwrite them. Had to change ownership to myself so I could get that done.
No new files or images in the POTD script folders, just permissions changed on each image.

#31
Getting back into the biz
Join Date: Apr 2004
Location: Back in the Belly of the Beast
Posts: 2,106
Points: 2,205
No, but at this time it seems that the exploit only works if you have publicly writable webspace. I.e., the permissions on a file are 666 or 777; if you set permissions to 644 (and 755 for folders and anything executable) it does not seem that this exploit works.
You would need to be sure to do this for any webspace that your wordpress's php can access, so it's important to have open_basedir restrictions in place and secure anything inside the permitted area. Also, unfortunately it means that wordpress itself can't write to that space either, so you must upload images via ftp and make template changes outside of the wordpress admin area, unless you open those permissions up again and close them when you are done. Also, be aware that there are many php options and a few would still allow the exploit.

#32
crohoster
Quote:

#36
crohoster
It seems it exploits Wordpress to upload a perl spam bot. I noticed that for a hacked Wordpress install.
It was pretty easy to track it down and remove it completely.

#37
Yes, that's a Harry Potter book
My server admin ran some sort of a scan to look for their files (based on the strings described in reports). He found a bunch of infected blogs and cleaned them up for me. It's annoying, but at least I didn't have to waste too much time on it. If anyone needs an excellent server admin, PM me and I'll send you over to him. It costs money, but worth so much!

#38
Who Dares Wins
Thanks to marko.
The hacked install was mine, and he grep'd and searched and cleaned it up in a jiffy.

#39
Those with the biggest egos are insecure
Join Date: Jan 2003
Location: near Cape Cod, Massachusetts
Posts: 9,150
Points: 1,196
Quote: