Posted 8 months ago #
I think that my Wordpress has been hacked. I'm not a technical guy so looking at the PHP etc is not an option.
In my dashboard the second box down on the left - the one that tell me all the recent news changed it tells me to
Update WordPress 2.6.4 immediately!
and points me to a site called wordpresz.org where a suspicious download of Wordpress 2.6.4 is waiting for me.
Is my site compromised? What can I do? What other damage should I expect?
Thanks
Ken
Posted 8 months ago #
I'm in the same boat, looking at it now.
Some screenshots of the problem and a little investigation so far:
http://www.craigmurphy.com/blog/?p=874
Rgs
--Craig
Posted 8 months ago #
Curious. I don't get this update notification. I see if I can find the files and do a diff...
Yup.
wp-includes/pluggable.php has extra lines in it that appear to call a script on that site to 'do stuff' with your cookies if you have more than 5 users...
http://us.php.net/file_get_contents
Are they hoping to luck into an admin account on a large site?
Posted 8 months ago #
@CAMURPHY,
<meta name="generator" content="WordPress 2.5.1" />
wp-includes/pluggable.php....
...'do stuff' with your cookies...
Well, there is this...
http://www.securityfocus.com/archive/1/490887/30/0/threaded
Might be worth a read. Just one of many possibilities, mind you.
Vulnerable scripts
==================
"wp-include/pluggable.php
function wp_validate_auth_cookie($cookie)"
Posted 8 months ago #
How do you like that? Plain as day. wordpress.org frontpage and download area is being spoofed at wordpresz.org. I just came from there. That takes some kinda' nuts. (appears to be aimed directly at users who still use 2.5)
ballsy, sure. but you know what they say about ppl that dont upgrade. :P
Posted 8 months ago #
ssshhh... you'll let the cat out! :-)
actually, thats pretty slick, i wanna grab that zip and peek inside.
inquiring minds wanna know, and besides maybe ill have s'mthing to blog about besides politics. :)
Posted 7 months ago #
Heh, I can imagine what us "non-upgraders" get called :-)
Sophos have picked up on this as Troj/WPHack-A:
That's interesting. How would they have managed to make a fake upgrade notification? Is the WP feed for the dashboard hacked, are the 2.5.1 users hacked? There's nothing fishy in my 2.6.3, but I can understand that some people would fall for the notification if it does appear on their dashboard.
yeah and sophos blows. its NOT a windows hack, and their software cant remove it unless you **happen** to scan a windows server -- and 99.99999% of IIS servers arent runnning any AV -- theyre too memory intensive.
you asked the correct question, Gangleri, how is getting into the earlier install's dashboard... The goal is to prevent that from happening first.
Rrright, Whoo, I don't understand the first paragraphy of what you wrote :-) Nonetheless, it's a dangerous thing when somehow people can edit the dashboard indeed!
Roy
well, they would need to be able to edit files, or upload malicious one(s), as far as I can tell.
CAMURPHY, did you save your wp-admin/index.php from when that was occurring? If so, whats on lines 112-118?
Did you save a copy of the WordPress installation that was causing this false notification? I'd like to know how exactly they're doing it.
Because it seems to me that if they were able to insert malicious code into your site in the first place, then they could have totally owned you, no need to make you do a fake upgrade.
I'm trying to see the point, basically. How could they make a false notification on your system? DNS spoofing?
I'm not technical enough to add anything worthfull to the discussion, but when I look at the image in the Graig Murphy article, I would say that the attackers somehow intercepted the WP feeds/notifications (you can see both a dashboard widget saying something AND there is an update notification). The big question is of course: why only in 2.5.1?
Roy
The update notification says 2.6.3, so that may have been legit. I suspect they just replaced the feed thing somehow.
That feed comes from http://planet.wordpress.org/ normally. Dunno how they would have changed it. A malicious plugin or theme could do it, admittedly.
Posted 7 months ago #
@whooami - re: wp-admin/index.php - I could pull the 2.5.1 version from a backup, however even after a 2.6.3 upgrade, the dashboard is still showing the injected hack.
I too find it disturbing that the dashboard can be attacked in this way - whilst I'm technically savvy, I've not spent a lot of time tracing how this might happen. Lines 112-118 reveal little more than blank lines and closing divs - definitely wp-admin/index.php, yes?
Since the injected content is still there, I'm backing up my install just now.
camurphy - I just emailed you.
camurphy: Zip up a copy of that backup and email it to me, if you would be so kind. I'd like to see where the hack is and possibly how it got there. Database content too. otto at ottodestruct com. You can leave out the wp-content/uploads directory and such, if it's just got image files and similar in it.
Posted 7 months ago #
I'm like CAMURPHY.
I was running 2.6.3 when my dashboard maliciously changed.
No new plugins.
No new themes.
No other suspicious activity.
I re-installed 2.6.3 and the fake link was still there.
I manually changed it back but I'm as nervous as hell.
Posted 7 months ago #
I've got a 2.6.3 Wordpress install that's been hacked as well. I've got different symptoms though.
My RSS feeds all have the following after the closing rss tag:
vpn Which of course creates an invalid feed.
And a number of suspicious files have shown up in my root Wordpress directory. Files named: trex_5.php and 8.php that don't belong there.
Desperately need some help here.
Posted 7 months ago #
@kenpeace - the fake link in the dashboard appears via entries in wp_options. I appreciate from your earlier post that "PHP is not an option", however hopefully my clean up notes here aren't too technical:
http://www.craigmurphy.com/blog/?p=896
My dashboard is now "normal" after I cleared out the records mentioned in my post.
Apart from looking at new themes, I too had no new plug-ins and have a fairly strict read-only policy on my server folders.
I'm concerned that you noted "no new themes" - I had been checking out around 20 new themes over the last 14-21 days, many of which were for another blog folder on the same folder. I had initially thought that it was a dodgy theme that had got the better of me (assuming it's possible for a theme to do such things).
HTH
Rgs
--Craig
Just as an extra note, it may not be true, but it seems that this hack uses the snoopy vulnerability that was fixed in 2.6.3. If that is the case, everybody upto 2.6.2 should pay extra attention.
Posted 7 months ago #
The diff I ran against the compromised code was against WP2.6.3.
The only difference was the one I stated above. I just re-ran it to confirm.
BTW, it's not number of users > 5 it's:
if ($user_id > 5)
It looks like it creates a log with the domain, cookies and cookie expiration of a logged in user for later review...
Still curious about the update notification!
Q
Still curious about the update notification!
A?
WordPress uses Snoopy to fetch the feeds shown in the Dashboard.
October 23, 2008
WordPress 2.6.3
By Ryan Boren. Filed under Releases.
A vulnerability in the Snoopy library was announced today. WordPress uses Snoopy to fetch the feeds shown in the Dashboard. Although this seems to be a low risk vulnerability for WordPress users, we wanted to get an update out immediately. 2.6.3 is available for download right now. If you don’t want to download the whole release to get the security fix, you can download the following two files and copy them over your 2.6.2 installation.wp-includes/class-snoopy.php
wp-includes/version.php
Which lead me to the conclusion stated in the previous post.
See also:
http://westi.wordpress.com/2008/11/06/wordpresz/
"westi" is one of the lead WP devs.
Posted 7 months ago #
I see. Thanks Moshu.
I'm not sure that they necessarily used the Snoopy hole. That bug was not easily remotely exploitable as far as I can see, and if exploited it gave a shell access, not a database access.
I got ahold of a copy of the db from Craig, and the basic "hack" here was that the dashboard links widget has the URL changed to http://www.wordpresz.org/rss/ (now a dead site). This is how they got the link to appear for him.
I'm still at a loss as to how they got that option to change though.
Posted 7 months ago #
May some body tell me kindly, how can I get full posts published on my website instead of 2/3 lines. Thanks in advance.
Rajesh
@desirachh,
start your own topic - don't post to unrelated threads. And most of all: read the documentation that was written for beginners like you. (scroll up > Docs)
You must log in to post.
