 |
|
|
|
|
|
|||||||
| Register | FAQ | Calendar | Radio and TV | NP Shop | Search | Today's Posts | Mark Forums Read |
| Blogging Forum Blogging Discussion Forum, links and tools. |
 |
 |
|
 |
|
|
LinkBack | Thread Tools | Display Modes |
04-26-2008, 10:20 AM
|
#1 (permalink) | |
|
Those with the biggest egos are insecure
Join Date: Jan 2003
Location: near Cape Cod, Massachusetts
Posts: 9,147
Points: 1,196
|
Word Press Exploit
This is seemingly affecting a lot of people. So far 1 of my blogs was hit but I've got it all fixed, I believe.
Has Your WordPress Been Hacked Recently? | WordPress Philippines Serious vulnerability affecting most versions. Please check your files/logs. __________________
Quote:
 |
|
|
|
|
04-26-2008, 11:01 AM
|
#2 (permalink) |
|
hdpornstreams.com
Join Date: Jul 2005
Location: ICQ: 231 414 913
Posts: 20,074
Points: 3,660
 |
Thanks for info Pam!
I will check my blogs right now! __________________
  High definition exclusive contentMultiple video formats and sizes availableTotally customizable feeds
|
|
|
|
04-26-2008, 11:21 AM
|
#3 (permalink) |
|
Niche Marketing
Join Date: Feb 2008
Location: Europe
Posts: 2,624
Points: 60
|
I think i had some similar hack problem on my mainstream blog :/
__________________
||||| Exchange Links With Me Here! ||||| High Converting Sites (amateur, solo, milf, facial,anal...)|Facials,Cumshot,Squirt |50$ for 1$trial!!| |
|
|
|
|
04-26-2008, 12:22 PM
|
#4 (permalink) | |
|
Those with the biggest egos are insecure
Join Date: Jan 2003
Location: near Cape Cod, Massachusetts
Posts: 9,147
Points: 1,196
|
I went into phpmyadmin and deleted their spam comments that don't show in your comments area. There was also a user named Word Press with no information and that was deleted. Some people claim to have extra plugins but I can't find any.
I deleted a ton of .giff and .pngg and ._old and ._new files. So far no wp-info.txt on any of my servers __________________
Quote:
|
|
|
|
|
|
04-26-2008, 12:25 PM
|
#5 (permalink) |
|
I like Adult Job
Join Date: Apr 2008
Location: near CCCP
Posts: 98
Points: 195
|
I don't have any problems right now, But thanx for this info...
__________________
Thunder-Ball.net - Member |
|
|
|
|
04-26-2008, 12:59 PM
|
#6 (permalink) |
|
i'm learning to blog... oh joy!
Join Date: Mar 2005
Location: Costa Rica
Posts: 2,749
Points: 6,120
|
thanks for the update Pam!
i created some blogs back in the day, but abandoned updating them.. that was back at Version (2.0.3).. lol just upgraded from (2.0.3) to (2.5.1).. yeeehaw! __________________
 - Reading can help your $$$ status |
|
|
|
|
04-26-2008, 01:06 PM
|
#7 (permalink) | |
|
If you see a good move,find a better one
Join Date: May 2005
Location: usa
Posts: 570
Points: 165
|
Quote:
i've been deleting the comments and extra users as well. Were do you see the .giff, .pngg, files? |
|
|
|
|
|
04-26-2008, 01:11 PM
|
#8 (permalink) | ||
|
Those with the biggest egos are insecure
Join Date: Jan 2003
Location: near Cape Cod, Massachusetts
Posts: 9,147
Points: 1,196
|
Quote:
I also had several _old_php. files as well as _new_php files. One install out of probably 140 ... so I shouldn't complain. __________________
Quote:
|
||
|
|
|
|
04-26-2008, 01:16 PM
|
#9 (permalink) |
|
If you see a good move,find a better one
Join Date: May 2005
Location: usa
Posts: 570
Points: 165
|
ok thanks. this is a major pain in the ass.
it would be nice to have a program that manages all your blogs and tells you when something is changed or added, because now I'm going to be going through all of my databases on a regular basis to make sure stuff like this doesn't happen. can the search engines see those comments that we are deleting in the comments database table? |
|
|
|
|
04-26-2008, 02:13 PM
|
#10 (permalink) |
|
God grant me patience...
Join Date: Mar 2008
Location: Newfoundland, Canada
Posts: 455
Points: 90
|
Thanks for the heads up Pam. I'm gonna check this out immediately. This is part of the game I still have to educate myself about.
 __________________
Enough shovels of earth -- a mountain Enough pails of water -- a river ~Chinese Proverb~ |
|
|
|
|
04-26-2008, 04:05 PM
|
#11 (permalink) |
|
Step it up
Join Date: Aug 2005
Location: Canada
Posts: 1,673
Points: 1,355
|
I'm getting a lot of these files like these...index.php.jpgg
I'm a little confused. I deleted the above file but what other steps do I need to take to secure the site and make sure nothing else exists? __________________
Make ONE SALE and get a check with this sponsor - 387 sites to promote |
|
|
|
|
04-26-2008, 04:36 PM
|
#12 (permalink) |
|
Step it up
Join Date: Aug 2005
Location: Canada
Posts: 1,673
Points: 1,355
|
Looking into this more I've got a tonne of sites with the following problem:
"New files ending in _new, _old, .pngg, .jpgg, .giff appearing inside writable directories See if there are any files in writable directories that have the same named as an existing file with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff. These files will be executables that when called from a browser will display a fake “404 Not Found” error, but if called from a script with the matching hash from one of the hacked PHP scripts, will display system info about the server your site is sitting on." What's should my next move be after deleting all the files? __________________
Make ONE SALE and get a check with this sponsor - 387 sites to promote |
|
|
|
|
04-26-2008, 04:51 PM
|
#13 (permalink) |
|
i'm learning to blog... oh joy!
Join Date: Mar 2005
Location: Costa Rica
Posts: 2,749
Points: 6,120
|
hey there pimp'
take a look at this post on the wordpress blog about the issue you are having, it was linked to the original post: WordPress Exploit Topic the writer, who experienced the same problem, explains what he/she did.. peace __________________
- Reading can help your $$$ statusLast edited by PornBlogger : 04-26-2008 at 04:52 PM. Reason: added more info |
|
|
|
|
04-26-2008, 06:18 PM
|
#14 (permalink) |
|
Right or wrong, I´m the one with the gun
Join Date: Apr 2006
Posts: 153
Points: 765
|
I hate this stuff, I just found my oldest blog destroyed. Totally gone, just a new installation in its place. My password didn´t work anymore... I´m getting tired of this! This will be a long night of hard work.
|
|
|
|
|
04-26-2008, 06:31 PM
|
#15 (permalink) | |
|
Those with the biggest egos are insecure
Join Date: Jan 2003
Location: near Cape Cod, Massachusetts
Posts: 9,147
Points: 1,196
|
Go into phpmyadmin and look at the users. If there is one named WordPress with no information, no pass, nothing, delete it.
Go through your comment tables and look for spam Change the admin password and if you have a wp-info.txt file, change everything on your entire server -- every password, every login. __________________
Quote:
|
|
|
|
|
|
04-26-2008, 07:16 PM
|
#17 (permalink) | |
|
Poom Poom Rule!
Join Date: Dec 2006
Location: Old Blighty
Posts: 3,106
Points: 345
|
Quote:
__________________
It's all bullshit... |
|
|
|
|
|
04-26-2008, 08:08 PM
|
#18 (permalink) | |
|
Those with the biggest egos are insecure
Join Date: Jan 2003
Location: near Cape Cod, Massachusetts
Posts: 9,147
Points: 1,196
|
What's interesting is now to look at my error logs for today and see the IPs trying to exploit the exploit I removed
__________________
Quote:
|
|
|
|
|
|
04-27-2008, 02:29 AM
|
#19 (permalink) |
|
Getting back into the biz
Join Date: Apr 2004
Location: Back in the Belly of the Beast
Posts: 2,173
Points: 2,545
|
Sigh... just finished dealing with everything but the added entries to the databases. Two mainstream blogs got him, though it seems that there are no wp-info files. For some reason my new server has trouble with phpMyAdmin too.
I hate this sort of shit. I could have had a productive evening... now I get to clean up script-kiddie spoor. |
|
|
|
|
04-27-2008, 05:03 PM
|
#20 (permalink) |
|
Getting back into the biz
Join Date: Apr 2004
Location: Back in the Belly of the Beast
Posts: 2,173
Points: 2,545
|
 Bumping and some more info. From what I have read this exploit has at least partially compromised wp from 1.5.2 up to and including the new 2.5.1. It works by writing out php files, often disguised as .jpgg, .giff or .pngg, but sometimes adding the code to your php files as well. If you chmod your directories to 755 and files to 644, it seems that might harden against this exploit. Also, this exploit is known to attempt to access outside of the user home directory, you may wish to ensure you have open_basedir protection and that nothing is writable by user "nobody" unless it must be (example, .htaccess if you are having wp rewrite your urls). This seems like it could be a very nasty one. As far as I have seen its full scope is not known, it loads encrypted files onto your server, and attempts to pop a javasc ript on your users. In both of my wp's which were compromised there was data I needed to remove from the database itself with phpMyAdmin. This included a phantom user "wordpress" and two phantom plugins on one account, one on the other. Removing these phantom plugins from the database stopped wp from falsely reporting it was version 2.5; so far everyone I have heard of reports that other versions are erroneously listed as 2.5 if they've been hit. On my 1.5.2 mainstream blog it appeared the user "wordpress"'s full name was an attempt to pop a scr ipt. To check your wp, see if it reports its version 2.5 when its not. Look for files ending in .jpgg, .giff, .pngg, or with _old or _new as part of their name. Look at file update dates. I did not fine the wp-info files on my box, ymmv. Also, if you try to change a post's author and see user wordpress, then you've been hit. Most of what I've learned about it came from the previously referenced links, if you have not checked them out and you run wp, you should. |
|
|
|
|
| Thread Tools | |
| Display Modes | |
|
|
 |
 |
Linear Mode
