
[resolved] [closed] 2.5.1: Looks like there is still a hole (65 posts)

  1. rawalex
    Member
    Posted 6 years ago #

    please go to yahoo, and search for link:http://kvantservice.com/

    If your site is in that list, you have been hit. Check your newest post for a hidden link (you will have to edit in HTML, because it doesn't show in the visual editor). It's only a hidden link off to this guys site, but also if you use the MORE or paging tags, your post may be cut off (his bot isn't very smart).

    Still looking for information, but it appears to have hit me 14 days after 2.5.1 was installed.

  2. rawalex
    Member
    Posted 6 years ago #

    Confirmed - link added to a post on a 2.5.1 site via some sort of XMLRPC post system.

  3. iridiax
    Member
    Posted 6 years ago #

    What plugins and what kind of hosting are you using?

  4. rawalex
    Member
    Posted 6 years ago #

    Hosting is full server on VERY secure setup. Minimal plugins (Akismet, Google Sitemaps, both up to date). The post was modified by a direct XML-RPC update, which occurred weeks after 2.5.1 was installed. Most important was that I was able to find the cached page in Google WITHOUT the hidden text, and then see it on my system as hidden text, and the cache date was long past my 2.5.1 install date.

    My host also located the injection "post" command via XMLRPC. The original post was read (up to the MORE tag) and re-submitted back to the site with an additional amount of code in it:

    <span style="overflow: hidden; position: absolute; height: 0pt; width: 0pt;"><a href="http://kvantservice.com/">компютри втора употреба</a></span>

    Well done, because as a bonus, it doesn't show in the html editor.
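    The injected markup above hides the link with inline CSS (zero height and width, absolute positioning), so it is invisible to a reader but still counted by a crawler. The following is an added example, not code from the thread or from WordPress: a small scanner that walks post HTML and reports any anchor nested inside an element whose inline style hides it. The sample post is constructed; the hiding rules it checks (display:none, visibility:hidden, zero height/width, large negative offsets) are an assumption about what such injections commonly use.

```python
from html.parser import HTMLParser
import re

# Inline-style fragments that make an element unreadable on screen.
HIDING_PATTERNS = [
    re.compile(r"display\s*:\s*none"),
    re.compile(r"visibility\s*:\s*hidden"),
    re.compile(r"(height|width)\s*:\s*0(?:pt|px|em|%)?\s*(?:;|$)"),
    re.compile(r"(left|top|text-indent)\s*:\s*-\d{3,}"),
]
# Elements that never have a closing tag; they must not affect nesting depth.
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "embed", "source", "wbr"}

def is_hiding(style: str) -> bool:
    s = style.lower()
    return any(p.search(s) for p in HIDING_PATTERNS)

class HiddenLinkFinder(HTMLParser):
    """Collects hrefs of <a> tags nested inside any element whose inline style hides it."""
    def __init__(self):
        super().__init__()
        self.depth = 0          # current element nesting level
        self.hidden_from = []   # stack of depths at which a hiding element was opened
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        self.depth += 1
        if is_hiding(a.get("style") or ""):
            self.hidden_from.append(self.depth)
        if tag == "a" and self.hidden_from and a.get("href"):
            self.found.append(a["href"])

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if self.hidden_from and self.hidden_from[-1] == self.depth:
            self.hidden_from.pop()
        self.depth -= 1

def find_hidden_links(post_html: str) -> list:
    """Return the hrefs of links a reader cannot see in this post's HTML."""
    p = HiddenLinkFinder()
    p.feed(post_html)
    p.close()
    return p.found

# Constructed sample: one visible link, then the injected span from the thread.
SAMPLE_POST = (
    '<p>Normal paragraph with a <a href="http://example.com/">visible link</a>.<br></p>'
    '<span style="overflow: hidden; position: absolute; height: 0pt; width: 0pt;">'
    '<a href="http://kvantservice.com/">hidden</a></span>'
)
```

Run it over each post's `post_content` pulled from the database; anything it returns is worth a manual look, since legitimate posts rarely hide links this way.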

  5. iridiax
    Member
    Posted 6 years ago #

    Is xmlrpc.php absolutely necessary for core WordPress functions?

  6. whooami
    Member
    Posted 6 years ago #

    Is xmlrpc.php absolutely necessary for core WordPress functions?

    no, and rawalex is one of those rinse and repeat "ive been hacked" posters..

    --

    You can strip all of the remote posting functionality out of xmlrpc.php completely. What you are left with is a very small file that only takes care of pingbacks. Ive done that, it works out quite well.

  7. VRocKs
    Member
    Posted 6 years ago #

    Sure, Rawalex posts about his site being hacked a lot... Because it keeps happening!

    He isn't the only one. Do a Google search and you can see that wordpress has been and still is getting hacked no matter what version we use.

    Every time you post a new version, people still hack me. It seems to be through the xmlrpc commands which you don't "own" but it keeps happening just the same.

  8. whooami
    Member
    Posted 6 years ago #

    Lots of people DONT get their sites hacked, vrocks.

    Ive NEVER been hacked, otto has never been hacked, joni has never been hacked.. on and on.

    whats the difference?

  9. Roy
    Member
    Posted 6 years ago #

    I have never been hacked either, but I definitely want to see to it that it stays that way. Therefore I'm interested in threads like these. They may point to things that I might have to look at. So I'm interested in hearing what was the point of entry here. With 2.5.1 probably (hopefully) not WP, however the XMLRPC suggests as much.

  10. whooami
    Member
    Posted 6 years ago #

    well I think it speaks to something else that the same people have issues over and over again, irrespective of any potential WP flaw.

    and by the way,

    Every time you post a new version, people still hack me.

    Im not a WP developer, I dont post anything for WP, except my plugins, all of which are secure.

  11. Roy
    Member
    Posted 6 years ago #

    Sure, but I can't help thinking when reading:

    My host also located the injection "post" command via XMLRPC

    "Wasn't that an exploit in older versions?"

    And the claim:

    and the cache date was long past my 2.5.1 install date

    I'm not trembling with fear yet, but curious nonetheless, so if the posters can give some more info.

  12. whooami
    Member
    Posted 6 years ago #

    and the cache date was long past my 2.5.1 install date

    there are tons of sites that pop up exploited post upgrade -- Ive fixed 2 of them in the last 2 weeks. That doesnt say anything, especially coming from people that admit to previous problems.

    I am NOT saying that the potential for an issue isnt there; I am simply saying that 1+2!=4

    I applaud your curiosity, and your willingness to keep an open mind. Those two things are a great start to remaining among the list of those that havent been hacked :)

  13. Joni
    Member
    Posted 6 years ago #

    He isn't the only one. Do a Google search and you can see that wordpress has been and still is getting hacked no matter what version we use.

    They must have cleaned up their act in the last hour. I did a Yahoo! and a Google search for http://kvantservice.com/ as the OP instructed and I came up with nothing but stuff from that web site. So the point of searching for that was??

  14. Roy
    Member
    Posted 6 years ago #

    I find 11.031 "inlinks" not nothing.

  15. Joni
    Member
    Posted 6 years ago #

    I clicked on a random sampling of sites from the link you posted and there was only one 2.5.1 site on there. So while it's always unfortunate that someone is hacked, I'm still not convinced that it isn't because people simply aren't upgrading when they should and that they aren't carrying forward the bad code in the upgrade. There are waaaay too many 2.3.x and 2.5 (as opposed to 2.5.1) sites there.

    And by suggesting that 2.5.1 too is vulnerable, and that even folks who upgraded to 2.5.1 are being hacked is clouding the real issue, which has always been: If you aren't running the very latest secure version of WP, then you are likely to be hacked. Lulling folks into thinking that they'll be hacked even if they upgrade is sending them down a wrong path, IMHO.

  16. Roy
    Member
    Posted 6 years ago #

    I saw three 2.5.1, but by no means do I want to suggest that there's a vulnerability. I too noticed the 2.5's, but indeed 2.2 and a few 2.3. I did notice that most infected posts are of early June and one site is completely stuffed with spam. All sites ARE WP btw.

    In any case, it would be nice if the original posters provided some more information so that we can get an idea when (and how would be nice) they got injected.

    Btw. Did you notice it is only ONE link to kvantservice.com on every hacked website? It seems to be quite a 'subtle' hack, but I'm sure it makes traffic.

  17. MyGoToOffice
    Member
    Posted 6 years ago #

    You can add me to the list of 2.5.1 sites that suffered this hack. The injection occurred on or after June 3 and was exactly as described above.

    This site had been upgraded to 2.5.1 when it was released. An older version had been the subject of an injection, but I had cleaned all instances from the database and deleted the old wp-admin and wp-includes prior to updating to 2.5.1.

    I have a couple of dozen WP sites, most that had not experienced a previous injection, that I am checking now.

  18. lluad
    Member
    Posted 6 years ago #

    Yup. Running 2.5.1, the latest post was edited to add the hidden link at 3:04am this morning.

    It looks like it came via xmlrpc.php from a Bulgarian source IP address. Pretty clearly it's Yet Another hole. There are no other hits from that IP address in the logs, so it's likely a blind compromise.

    78.90.14.123 - - [12/Jun/2008:03:04:22 -0700] "POST /xmlrpc.php HTTP/1.1" 200 3271 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8"
    78.90.14.123 - - [12/Jun/2008:03:04:24 -0700] "POST /xmlrpc.php HTTP/1.1" 200 163 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8"
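    The two log lines above show the pattern lluad describes: a source that does nothing but POST to xmlrpc.php. As an added example (not from the thread or from WordPress), here is a small parser for Apache combined-format access logs that groups requests by client and reports clients whose only traffic was POSTs to xmlrpc.php. The sample log embeds the two lines from this post plus two constructed lines for a client that also browsed the site, which is what a legitimate pingback sender or desktop client would typically look like.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: the two lines quoted in the thread plus two lines for a second client.
SAMPLE_LOG = """\
78.90.14.123 - - [12/Jun/2008:03:04:22 -0700] "POST /xmlrpc.php HTTP/1.1" 200 3271 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8"
78.90.14.123 - - [12/Jun/2008:03:04:24 -0700] "POST /xmlrpc.php HTTP/1.1" 200 163 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8"
192.0.2.10 - - [12/Jun/2008:03:05:01 -0700] "GET /2008/06/some-post/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (constructed)"
192.0.2.10 - - [12/Jun/2008:03:05:40 -0700] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "WordPress/2.5.1 (constructed pingback)"
"""

def parse(lines):
    """Yield one dict per line that matches the combined log format; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def is_xmlrpc_post(rec) -> bool:
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith("/xmlrpc.php")

def xmlrpc_only_clients(lines) -> dict:
    """Return {ip: number of xmlrpc.php POSTs} for clients with no other requests at all."""
    posts = defaultdict(int)
    other = defaultdict(int)
    for rec in parse(lines):
        if is_xmlrpc_post(rec):
            posts[rec["ip"]] += 1
        else:
            other[rec["ip"]] += 1
    return {ip: n for ip, n in posts.items() if other[ip] == 0}

if __name__ == "__main__":
    for ip, n in xmlrpc_only_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} xmlrpc.php POST(s) and nothing else")
```

Pair a hit from this with the xmlrpc.php request logging whooami mentions later in the thread, so that the body of the POST is available and not just the fact that it happened.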

  19. whooami
    Member
    Posted 6 years ago #

    @lluad,

    well, if you have my $_POST logger plugin installed you would know what was sent. I just checked 5 sites, and found one that had 3 attempts at base64 sent to xmlrpc.php. Im in the process of decoding it to see if its something new, or something old.

  20. StrangeAttractor
    Member
    Posted 6 years ago #

    @whooami

    You can strip all of the remote posting functionality out of xmlrpc.php completely. What you are left with is a very small file that only takes care of pingbacks. Ive done that, it works out quite well.

    Do you have a link to a description of how to do this? Would be much appreciated...

  21. whooami
    Member
    Posted 6 years ago #

    I blogged on how I did it, but I wasnt real specific, so no, I would need to write something like that up.

    The other thing, for those that dont want to use a plugin like $_POSTlogger.. WP is already set up for you to log all xmlrpc requests -- its been available for quite some time. Theres a simple 0/1 switch inside the file. (I assume also that you might have to create the xmlrpc log file.)

  22. rawalex
    Member
    Posted 6 years ago #

    whooami, you can keep the personal stuff for fighting with your friends and family. It is clear here that I am not alone, and maybe I am just a little in the front of something, rather than on the butt end. In each case that I have reported an issue, the issue has turned out to be confirmed. You may not like me (or the type of blogs I run) but you can keep the drama for your llama, okay? (and when your total blog posts on file exceed 50k, let me know). As for any claim of "never been hacked", I wonder how long you have run a standard unmodified WordPress install for, without additional plugins?

    Now...

    whooami: Adding ANOTHER plugin shouldn't be the answer. Removing significant functionality (which I use) in order to create security defeats the purpose. I could close all my blogs, that would be really secure. That XMLRPC has been hacked over and over and over again, and once again, I am seeing a hole. I reported it, and guess what? Other people are having the same issue.

    jonimueller: That list shows an incredible number of indexed pages, and when you look at the main site itself, it has tens of thousands of inlinks, many of them from blog style sites.

    lluad: You are correct, this is the same basic source I am seeing, and it occurs on posts post 2.5.1 install. Most importantly for me, outside of a couple of very standard plugins, I don't tend to put a ton of extra plugins and stuff on my blogs. Some people may suggest that plugins are the answer, but to me they are bandaids over a gaping wound.

    Anyone else have any ideas?

  23. whooami
    Member
    Posted 6 years ago #

    @rawalex -- you cant read? nothing Ive stated in this thread was personal in nature. Nice try though. be sure to turn on the xmlrpc logging feature I describe -- youre welcome.

    And if you notice, my response above, regarding removing functionality wasnt directed at you. In fact, nothing I have said has been directed at you, aside from pointing out the obvious (in passing, I might add)

    Moving on ...

  24. hotkee
    Member
    Posted 6 years ago #

    Chill out people, whooami is trying to help you - gee wiz!

  25. Joseph Scott
    Member
    Posted 6 years ago #

    @rawalex -

    What we believe is happening in most cases of a 2.5.1 install having issues is that prior to the upgrade the blog was compromised. Once compromised, if the attacker was able to collect user passwords, they'll still be able to inject content into your 2.5.1 blog. Once they have your username & password it doesn't matter what version of WP you are using.

    This would line up with what you described. If they acquired your username and password before your upgrade to 2.5.1 then they would be able to send a perfectly legit XML-RPC request to add and edit content.

    So for folks who indicated that they were compromised, upgraded to 2.5.1 and cleaned up their content, they need to add another step: change your passwords.

    If you do have details on what you believe to be a new issue please send that data to security@wordpress.org. Then it can be looked at, hopefully reproduced and then fixed.

  26. rawalex
    Member
    Posted 6 years ago #

    josephscott, these are blogs that have only a single posting user (ME), and have not otherwise been compromised (i.e., no extra code on pages, no scripts, no junk, no insecure databases, no hacked or otherwise trafficked themes, etc). This happened on blog(s) that were perfectly clean without issue, and on a host that is beyond reproach (and this is why it is very easy to spot hacks, because the hosting company and myself are looking for it, not assuming it never happens).

    I do not have logs beyond the fact that a post command was issued to xml-rpc from a remote site. The actions look similar to the trackback / comment spammers, but rather edits the highest post on the page inserting a hidden link into that post (and screwing the post up, in one case a post that had a "more" tag in it was chopped off at the more) which means they are getting the post by reading the blog page, not by editing, which would indicate that they don't have password access.

    If I get more information, I will forward it to the security address.

  27. Chris_K
    Member
    Posted 6 years ago #

    [Last 4 posts in this thread removed due to being off topic, personal attacks and my resultant loss of critical brain cells. I can't afford many more of those losses...]

  28. Rawalex,

    This may have been lost in this looong thread, but at anytime before or since you upgraded to 2.5.1 did you change your one password for your one account?

    I'm not saying you should or must, just a request to see if you had and if you had, when.

    The reason I'm asking is simple. As josephscott indicated, your blogs could have been compromised in the past, just not acted on until later.

    Without any logs or real data on how that junk was inserted into your posts, then that's just what we have to go on.

    [@Handy, oh sure you can; brain cells are not really critical are they?]

  29. pearible
    Member
    Posted 6 years ago #

    I just installed my WP (2.5.1) a few days ago - brand new fresh install, not an upgrade, and I got this same hack sometime this afternoon.

    Can we just delete the xmlrpc.php file completely?

  30. whooami
    Member
    Posted 6 years ago #

    Can we just delete the xmlrpc.php file completely?

    yes, you can.

    your incoming pingbacks will break.
    you will not be able to use desktop blogging applications to post to your blog.

    --

    I got this same hack sometime this afternoon.

    I submitted the post content of something malicious, seen on a site using my plugin, to the devs this afternoon. Whether or not it's old news, I dont know. Actually, I just located what I saw on donncha's latest post on this, so what I saw is old news.
