If you’re running a self-hosted WordPress blog that isn’t on version 2.8.4, you’re strongly advised to upgrade immediately to the latest version of the software to avoid an ongoing attack. WordPress.com hosted blogs are not affected.
The issue was first reported by Lorelle on WordPress after it was discovered that an attack is exploiting security holes in previous versions, creating a hidden Admin account and drilling right down to the database level.
Lorelle writes:
There are two clues that your WordPress site has been attacked. There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”
The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account.
All WordPress users are advised to upgrade to the latest version of WP (2.8.4). Those already affected will likely need to export all content with the built-in WordPress XML export utility, uninstall and reinstall WordPress, and re-import the content.
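Both clues Lorelle describes can be checked from data a site owner already holds: the web-server access log (for the permalink carrying “eval” and “base64_decode”) and the user table (for an administrator account the owner never created). The script below is an added example, not code from the original post or from WordPress; the log lines and user records it scans are constructed for the demonstration, and the record layout is an assumption modelled loosely on wp_users plus the wp_capabilities meta value.

```python
"""Added example (not from the original post): flag the two indicators
the article describes, in data a site owner already has.

1. Access-log lines whose request path, once URL-decoded, carries both
   the "eval(" and "base64_decode" markers in the permalink.
2. A user list containing an administrator login the owner does not know.

All sample data below is constructed for the demonstration.
"""
import re
from urllib.parse import unquote

# Constructed Common Log Format lines. The first mimics the permalink shape
# quoted in the post (with the markers URL-encoded); the others are normal.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Sep/2009:10:52:01 +0000] "GET /category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/ HTTP/1.1" 200 512
203.0.113.8 - - [06/Sep/2009:10:52:02 +0000] "GET /2009/09/my-post/ HTTP/1.1" 200 8192
203.0.113.9 - - [06/Sep/2009:10:52:03 +0000] "GET /wp-login.php HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/')

# The post names both keywords as the signature; require both so that an
# ordinary post slug mentioning "eval" alone does not trigger a hit.
MARKERS = ("eval(", "base64_decode")


def suspicious_paths(log_text):
    """Return the URL-decoded request paths that carry both markers.

    Decoding happens before matching so that percent-encoded braces and
    brackets (as in the sample line) cannot mask the keywords.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = unquote(m.group("path"))
        if all(marker in decoded for marker in MARKERS):
            hits.append(decoded)
    return hits


# Constructed user records (assumed layout: wp_users columns plus the role
# taken from wp_capabilities). "Administrator (2)" is the name the post
# says to look for.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "admin", "display_name": "Administrator", "role": "administrator"},
    {"ID": 2, "user_login": "editor", "display_name": "Jane", "role": "editor"},
    {"ID": 5, "user_login": "Administrator (2)", "display_name": "Administrator (2)", "role": "administrator"},
]


def unexpected_admins(users, known_admin_logins):
    """Return administrator accounts whose login the owner did not list.

    Because the worm hides its account with JavaScript in the dashboard,
    this check should run against an export of the table, not the UI.
    """
    return [
        u for u in users
        if u["role"] == "administrator" and u["user_login"] not in known_admin_logins
    ]


def report(log_text, users, known_admin_logins):
    """Combine both checks into one summary dict."""
    return {
        "suspicious_requests": suspicious_paths(log_text),
        "unexpected_admins": [u["user_login"] for u in unexpected_admins(users, known_admin_logins)],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG, SAMPLE_USERS, {"admin"}).items():
        print(f"{key}:")
        for item in value:
            print(f"  {item}")
```

Run against a real log, the first check only tells you the request was made, not that it succeeded; a 200 on a path like this from an unpatched install is the case worth investigating, and the user-table check (taken from a database dump rather than the dashboard, since the worm hides the account there) confirms whether the back door was created.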
September 6th, 2009 at 10:52 am
“Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.” Source: Wordpress.org
September 6th, 2009 at 10:53 am
A firsthand experience: “Numerous times yesterday I noticed via my web analytics spy that your beloved ReynoldsFTW category pages were being hit by this so-called worm via the strange URL above in (1). Which goes to show it’s pretty prevalent out there! This is not a drill!”
October 5th, 2009 at 9:41 pm
“Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.” Source: Wordpress.org (http://wordpress.org/development/2009/09/keep-wordpress-secure/)
October 21st, 2009 at 10:57 am
In version 2.8.5 that issue is fixed.
October 21st, 2009 at 6:27 pm
I want to thank you for this great article. It is very much appreciated for answering our questions about WordPress.
steroids
February 2nd, 2010 at 6:58 am
How to Check the Update Status of Your WordPress Plugins …: WordPress Plugins are especially vulnerable as many … http://bit.ly/9V0yR0