
[resolved] [closed] 2.5.1: Looks like there is still a hole (65 posts)

  1. itsrainingtonight
    Member
    Posted 6 years ago #

    Hey everyone,

    These 'I've been hacked' posts are getting out of control! Can we all weigh in on what can be done to prevent hacks? I've started a thread here.

    I can only speak for myself but seeing so many posts about being hacked (even if it is a relatively small amount of WP users and even though most of the people being hacked haven't updated) is getting a little unnerving!

    I think that a reiteration about preventative measures would be great.

    Know about any plug-ins that help?
    Should I change my password often?
    Is there anything I can do now to see if I have an 'un-activated hack' looming?

    Obviously these questions are just meant to introduce the subject. So, please pop over and weigh in with your links and tips...

    See you there!

  2. pearible
    Member
    Posted 6 years ago #

    Just to be clear - I didn't need to update, mine was a recent fresh install of 2.5.1 - and I was still hacked.

    I've just deleted the xmlrpc.php file, and am hoping for the best.

  3. Joseph Scott
    Member
    Posted 6 years ago #

    @pearible -

    Do you have details on how this was done? If so, please send them to security@wordpress.org.

    If you aren't sure that this problem got in via XML-RPC then deleting xmlrpc.php may not have addressed the issue.

  4. rawalex
    Member
    Posted 6 years ago #

    itsrainingtonight: Plugins are NOT the answer. That is at best a band-aid solution that doesn't resolve the ongoing issue. Rather than trying to find another way to filter, restrict, and bodge another patch over problematic code, let's get the code fixed. This sort of injection / breaking / whatever you want to call it has been going on way too long with wordpress, and it needs to get fixed. All the new features in the world are meaningless if blogs are being defaced or turned into spam pages that the search engines will no longer list.

    josephscott: The password on that blog has been changed on numerous occasions, and all blog passwords were changed very recently (just about the same time as the 2.5.x upgrade cycle). While I cannot confirm the actual content of the hack POST command, I can assure you that the hack occurs via XMLRPC.

    Now, something I did notice: In the 2.5.1 version I downloaded from wordpress, the xmlrpc.php file is dated 3/14/08. It would seem that it wasn't changed from 2.5.0 to 2.5.1 (although I don't have a copy of 2.5.0 on my drive here). It is different from 2.3.3 (almost 6k more code), but I am not clear on the differences.

    Moderator: If you are going to kill posts, can you kill all the unpleasantness and not just one side? Thanks :)

  5. whooami
    Member
    Posted 6 years ago #

    I think that a reiteration about preventative measures would be great.

    Know about any plug-ins that help?
    Should I change my password often?

    1. There are more than a few plugins that help in this regard -- wp-security scan is one that immediately comes to mind.

    2. It won't hurt.

  6. Bob Smith
    Member
    Posted 6 years ago #

    What's the best way to discover if you've been hit by this attack?

  7. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    Now, something I did notice: In the 2.5.1 version I downloaded from wordpress, the xmlrpc.php file is dated 3/14/08. It would seem that it wasn't changed from 2.5.0 to 2.5.1 (although I don't have a copy of 2.5.0 on my drive here)

    I do, and you are correct, xmlrpc.php did not change between 2.5 and 2.5.1. However, there are still no known hacks via xmlrpc.php.

    BUT, if somebody can create a user on your blog through some other method, then they can use the xmlrpc to make a post. This is an easy automated way to do that sort of thing. The problem is not necessarily with xmlrpc, is what I'm saying.

    But then here's the thing: unless you can tell how it was done, it won't be fixed. Unless the hacker hits one of the several honeypots I know are out there, nobody will have the information to know how he got in. And a lot of the "hacks" I've investigated are, to my certain and absolute knowledge, exploits in other, older, backdoors that were left behind from previously hacked versions.

    In other words, if you ever got hacked before, and did not completely wipe your site clean and sanitize everything, then that's probably how they got back in. You can't simply fix up a hack without checking every line of code in every single file.

    Here's what to do after a hack:
    1. Download your WP database using the "Export" method. This doesn't preserve options and such, so it will likely be clean of any hacks.
    2. Make a backup copy of your theme and plugins. Redownload fresh copies of the plugins that you can find, and use those copies instead of the backed up ones.
    3. Delete your entire WP directory. Everything.
    4. Install a fresh WP and restore your site to it, themes, plugins, everything. This takes time.

    Of course, simply keeping backups every so often removes the need for this drastic action, but still, it's the only way to be sure nothing was left behind. These automated hacking programs are smart, they leave themselves ways in, even after you remove the original one.
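    One way to carry out the "check every line of code in every single file" part of this cleanup mechanically, as an added example that is not part of the original post and not WordPress's own code: hash every file in the live tree, hash a fresh download of the same version unpacked alongside it, and report what differs. The script assumes you have such a pristine copy; the two small trees it builds are constructed sample data, not a real WordPress layout.

```python
"""Compare a live WordPress tree against a pristine download.

Added example, not code from the thread or from WordPress: hashing every
file in the live tree and comparing it with a fresh download of the same
version turns "check every file" into a report of what was modified, added
or removed. The two trees built below are constructed sample data.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_trees(pristine_root, installed_root, ignore_prefixes=()):
    """Classify the installed tree against the pristine one.

    modified: in both trees with different content (a core file that was edited)
    added:    only in the installed tree (dropped files, but also legitimate
              plugins, themes and uploads; a human still has to judge each one)
    missing:  only in the pristine tree (deleted or renamed core files)
    Paths starting with any of ignore_prefixes are left out of the report.
    """
    pristine = hash_tree(pristine_root)
    installed = hash_tree(installed_root)

    def wanted(path):
        return not path.startswith(tuple(ignore_prefixes))

    return {
        "modified": sorted(p for p in pristine if p in installed
                           and pristine[p] != installed[p] and wanted(p)),
        "added": sorted(p for p in installed if p not in pristine and wanted(p)),
        "missing": sorted(p for p in pristine if p not in installed and wanted(p)),
    }


def build_sample_trees():
    """Construct a tiny pristine/installed pair in a temp dir (sample data only)."""
    base = Path(tempfile.mkdtemp(prefix="wpcheck_"))
    pristine, installed = base / "pristine", base / "installed"
    core = {
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "xmlrpc.php": "<?php // sample stand-in for the XML-RPC endpoint\n",
        "readme.html": "<html>readme</html>\n",
        "wp-includes/functions.php": "<?php function wp_sample() {}\n",
    }
    for root in (pristine, installed):
        for rel, body in core.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    # What a cleanup typically turns up: an edited core file, a PHP file
    # sitting in the uploads directory, and a core file that was deleted.
    (installed / "wp-includes/functions.php").write_text(
        core["wp-includes/functions.php"] + "// extra line\n")
    dropped = installed / "wp-content/uploads/2008/05/dropped.php"
    dropped.parent.mkdir(parents=True, exist_ok=True)
    dropped.write_text("<?php // unexpected executable file in uploads\n")
    (installed / "readme.html").unlink()
    return pristine, installed


def run_demo():
    """Build the sample trees and return the comparison report."""
    pristine, installed = build_sample_trees()
    return compare_trees(pristine, installed)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind, paths)
```

Anything under "added" that ends in .php and lives somewhere PHP is not expected (uploads, cache directories) is the first thing to look at; "modified" core files are the second. The report is only as trustworthy as the pristine copy, so download it over a clean channel rather than copying it from the compromised host.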

  8. pearible
    Member
    Posted 6 years ago #

    @Otto42:

    In other words, if you ever got hacked before, and did not completely wipe your site clean and sanitize everything, then that's probably how they got back in.

    I keep seeing this, but considering that my site was a brand-new, fresh install of 2.5.1 in every way (new host, new server, etc.) and received the *exact same* hack - I don't think it's the issue you're describing.

    BUT, if somebody can create a user on your blog through some other method, then they can use the xmlrpc to make a post.

    There were no new users added to my site - the first post was just hacked with:

    <span style="overflow: hidden; position: absolute; height: 0pt; width: 0pt;"><a href="http://kvantservice.com/">компютри втора употреба</a></span>

    And everything after the "more" tag was gone.
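    The markup quoted above is a typical hidden-link injection: a container styled to occupy no space wrapping a link that only a search engine will see. As an added example that is not part of the original post and not WordPress code, the scan below walks post HTML with Python's html.parser and reports every link that sits inside an element whose inline style hides it. The post bodies are constructed samples, with a placeholder domain in place of the real one; run it over an exported dump of your own post_content to find injected links across a whole blog.

```python
"""Report links hidden by inline styles in post content.

Added example, not from the thread: walks each post's HTML and collects every
<a href> that is inside (or itself carries) a hiding inline style. The sample
posts at the bottom are constructed data with placeholder domains.
"""
import re
from html.parser import HTMLParser

# Elements with no closing tag; they must not disturb the open-element stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "col",
             "embed", "source", "wbr"}

# Inline-style patterns that keep an element in the HTML (so it gets indexed)
# while making it invisible to a human reader.
HIDING_RULES = [
    ("display-none", re.compile(r"display\s*:\s*none")),
    ("visibility-hidden", re.compile(r"visibility\s*:\s*hidden")),
    ("zero-box", re.compile(r"(?:height|width)\s*:\s*0(?:pt|px|em|%)?(?![\w.])")),
    ("off-screen", re.compile(r"(?:left|top|text-indent)\s*:\s*-\d{3,}")),
]


def hiding_reason(style):
    """Return the name of the first hiding rule the inline style matches, else None."""
    style = style.lower()
    for name, pattern in HIDING_RULES:
        if pattern.search(style):
            return name
    return None


class HiddenLinkFinder(HTMLParser):
    """Collect every <a href> that is hidden itself or nested in a hidden element."""

    def __init__(self):
        super().__init__()
        self.stack = []        # one entry per open element: hiding reason or None
        self.hits = []
        self._current = None   # hit whose anchor text is still being collected

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        inherited = self.stack[-1] if self.stack else None
        reason = hiding_reason(attrs.get("style") or "") or inherited
        self.stack.append(reason)
        if tag == "a" and reason:
            self._current = {"href": attrs.get("href") or "", "reason": reason, "text": ""}
            self.hits.append(self._current)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.stack:
            self.stack.pop()
        if tag == "a":
            self._current = None

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data


def find_hidden_links(html):
    """Return the list of hidden-link hits found in one HTML fragment."""
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


def scan_posts(posts):
    """Map post id -> hidden links, keeping only posts that contain any."""
    report = {}
    for post_id, body in posts.items():
        hits = find_hidden_links(body)
        if hits:
            report[post_id] = hits
    return report


# Constructed sample post bodies (not real data). Post 1 mirrors the injection
# quoted in the thread with a placeholder domain; post 2 is clean; post 3 hides
# a link inside a display:none container.
SAMPLE_POSTS = {
    1: '<p>First post.</p><span style="overflow: hidden; position: absolute; '
       'height: 0pt; width: 0pt;"><a href="http://spam.example/">hidden text</a></span>',
    2: '<p>Clean post with a <a href="http://example.org/">normal link</a>.</p>',
    3: '<div style="display:none"><p>nested <a href="http://other.example/">x</a></p></div>',
}

if __name__ == "__main__":
    for post_id, hits in scan_posts(SAMPLE_POSTS).items():
        for hit in hits:
            print(f"post {post_id}: {hit['href']} ({hit['reason']}) text={hit['text']!r}")
```

The rules are deliberately conservative: they only look at inline styles, so a link hidden through a stylesheet class will not be reported. Treat the output as a list of posts to inspect by hand, and keep a copy of the original post_content before cleaning anything up.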

  9. Joseph Scott
    Member
    Posted 6 years ago #

    @rawalex -

    While I cannot confirm the actual content of the hack POST command, I can assure you that the hack occurs via XMLRPC.

    That statement seems to contradict itself. If you don't know the content of the HTTP POST, then how are you sure that it happened via XML-RPC?

    The unwanted content may have been added via XML-RPC, that does not mean that's how your blog was compromised though. This is the point Otto42 was making.

    @pearible -

    In order to fix an issue we need to have enough information to re-create it; otherwise we won't be able to confirm that code changes actually fix the situation. Please send the needed details to security@wordpress.org.

  10. rawalex
    Member
    Posted 6 years ago #

    otto, everything on the site(s) in question is fine. Files are swept, checked, compared... themes checked for back doors, file chmod status checked, etc.

    As a side note, I don't use image uploads (it is a sin to have a directory set to 777... ). I have no additional users on these blogs that have permission to do anything (they cannot log in and post, therefore they should not be allowed to do it with XMLRPC either). As with pearible, the first post on the site was attacked, defaced with a hidden link, and reposted, but only to the more tag. This is a clear indication that they don't have access and aren't actually editing the post, but rather using an exploit (because a full edit would re-include the entire text of the message).

    At the end of the day, all the preventative measures in the world cannot make up for software with a security hole or exploit - it is always better to have a secure door rather than trying to use digital duct tape to cover over the holes.

  11. itsrainingtonight
    Member
    Posted 6 years ago #

    I'm a little confused...

    First of all, KVANTSERVICE.COM seems like a fairly established (I don't mean to imply legitimate) business. Their website has been around since 2002 and for the record was designed by ebpw.net who have been around since 1988.

    If all of these WP sites are pointing towards that domain wouldn't the risk of being dropped by Google's index outweigh the benefit of some extra page views - especially when most of those page views aren't coming from Bulgaria?

    And speaking of Google - can't we get them to un-index KVANTSERVICE.COM? Isn't that the ultimate penalty and disincentive?

    Also, thanks everyone for the tips!

  12. Joni
    Member
    Posted 6 years ago #

    And I don't know if this is an issue, but I read somewhere else on the forums recently (and correct me if I'm wrong, but I believe that user Whooami brought it up), even if you have a plugin deactivated, there's still a risk that a hacker can enter your site via the unused/deactivated plugin. So if you have a bunch of plugins in your plugin folder and they aren't being used, the best practice is to delete them? One less open (or at least unlocked) door? ;)

  13. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    This is a clear indication that they don't have access and aren't actually editing the post, but rather using an exploit (because a full edit would re-include the entire text of the message).

    I'm sorry, but that's simply not a clear indication of anything whatsoever.

    Unless you have details about what was done to make that edit, then you simply can not know any such thing as you are claiming.

    If you don't know that it was hacked via a hole in WordPress, then you should not claim that it was. Heck, give me the contents of your wp-config.php file, and I can make your posts say anything at all.

    And if you *do* know (because you have details, or logs, or something proving it), then you should not post here at all, and should send those details to security@wordpress.org. Then it will be fixed. In fact, if there is a legitimate hole that is found/fixed, then they'll do an emergency release and get 2.5.2 out the door immediately.

  14. rawalex
    Member
    Posted 6 years ago #

    Otto42: if they were editing the post in the editor (logged on as a user) the rest of the post would not disappear after the MORE tag. However, if they are just doing a page source to get the content of the post (and the post ID number) to blindly blast at it through XMLRPC, then it is very likely that all that would get reposted would be the part before the more tag.

    Additionally, I have the POST to XMLRPC logged in the apache logs, but it does not show the passed variables of the post command so there is no way to know.

    If I give you the passwords to an FBI system, I am sure you can read some stuff over there too. That isn't the point. They don't have the content of the config file (unless wordpress is so insecure), so what's the point?

    If I had the exact method, the exact passed POST command, I would have long hit security with it. I am posting here because I don't have it, and want to see if I am the only one seeing it (and I am not). That alone should be enough to get the programmers at least looking. Further, that it has been reported on a brand new fresh from the box 2.5.1 install without plugins, it is pretty clear there is some sort of issue.

    jonimueller: For plugins, it is true if a plugin doesn't work (or you aren't using it) you should never leave code on your system. However, it would require first that someone is scanning your blogs for these files, and then applying any hack that might match to them. It would be important for me if I had a ton of plugins, but I don't. You should never have excess executable code on your system at any time.

    itsrainingtonight: Linking to kvantservice may just be a test of sorts, a proof of concept. I saw a couple of blogs on the yahoo list with hundreds of hidden links in their posts, so it isn't clear that this would be a hack or process limited to any one website. Google won't act, unless a number of people point out how the links are being obtained... then they might either sandbox / delist them, or just ignore the incoming hidden links.

  15. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    Otto42: if they were editing the post in the editor (logged on as a user) the rest of the post would not disappear after the MORE tag. However, if they are just doing a page source to get the content of the post (and the post ID number) to blindly blast at it through XMLRPC, then it is very likely that all that would get reposted would be the part before the more tag.

    Seems like a pretty thin argument. For one thing, if I personally edit a post through XML-RPC, it does not cut off at the more tag. I use ScribeFire through the XML-RPC door all the time, it works just fine.

    Not saying that you're wrong, just saying that the two things that you're saying connect... don't. All that the cut-off at the more tag indicates is that they likely got your post content via your feed.

    That alone should be enough to get the programmers at least looking.

    Needle in a haystack, friend.

    However, it would require first that someone is scanning your blogs for these files, and then applying any hack that might match to them.

    Hacks are automated. They don't "scan" for vulnerable code. They take known attacks, plug them into their attacking engines, and then spam that attack on every site they can find, automatically. If they get a 404, then they don't care. The program simply moves on to the next one.

    You don't think there's somebody actually sitting behind a keyboard attacking blogs one at a time, do you?

  16. whooami
    Member
    Posted 6 years ago #

    Additionally, I have the POST to XMLRPC logged in the apache logs, but it does not show the passed variables of the post command so there is no way to know.

    a method of capturing those variables was already provided, in fact 2.

    I can only speak for myself, but if I were experiencing repeat attacks to my web site(s), I would employ whatever methods it took to locate the entry point

  17. rawalex
    Member
    Posted 6 years ago #

    This is enough to make me giggle, sorry guys and girls.

    Whooami: Let me start with the simple point: Adding an extra plugin (which will log and slow down all activity) onto 100+ blogs isn't something I look forward to doing, especially because like many people, I use XMLRPC tools to post remotely (rather than using the wordpress edit system) so those log files would end up rather full. Also, on that sort of volume (and with the number of people comment spamming) it is ANOTHER hole open for people to kill your system by overloading log files. I only use apache logs (bulking system) because they are backed up and then wiped every 24 hours, so that there isn't as much chance of overflow. If anything, posting that you are using this sort of thing just created a vulnerability for your blogs (DoS). You might want to think about that.

    Otto: Hackers scan routinely looking for open files and open directories. Yes, they are automated, and yes, they often have a list of things they are looking for, but they are scanning site to site looking for them, often going by IP address rather than domain. No, they don't scan individual files (DUH!) but they are scanning around your system looking for them. Check your apache logs, you will be shocked.

    As for cutting off at the MORE point, please understand: 2.5.1 RSS no longer pays any attention to the more tag, so they can't be using RSS to source the posts. If you access a post (pull it down) and then edit and return it, you would have the full post information. They only have what would show on page 1 of a post, so therefore they very likely got it from just scanning the page (raw html) looking for the first post. That is also how you get the post ID number (so you can directly screw with it).

    I leave this in the hands of TPTM. Having a junior high school debate isn't going to fix it.

  18. whooami
    Member
    Posted 6 years ago #

    rawalex,

    Whether or not you choose to do anything to further substantiate what you are saying is, of course, up to you. Keep in mind, though, that you are the one suggesting that you would need to add the plugin to 100+ blogs -- I have not indicated anything of a kind. I find it odd, at best, that you see that as an all or none proposition, though. But that's your gig.

    There are some people that are willing to "go the extra mile" as it were, to help the community. Then there are people like you. (I don't mean that as an insult, it's just a distinction)

    If anything, posting that you are using this sort of thing just created a vulnerability for your blogs (DoS). You might want to think about that.

    And I guess you haven't discovered yet that Apache has mechanisms for dealing with these. Alas. I guess we are best to leave the web mastering to the web masters and the network/systems administration to people that actually administer networks.

    Lastly, I can't help but laugh at you calling **this** a jr. high school debate -- one of the people that you have been having that debate with is a member of the dev team and an Automattic employee -- I'm fairly confident he's out of jr. high too.

    That someone, anyone, asks for more info, or for more clarification, or god forbid, might even disagree with you doesn't make their point of view any less valid than yours.

    You may very well be correct in what you are saying -- but insulting people that don't automatically agree with you ..

    meh.

  19. rawalex
    Member
    Posted 6 years ago #

    whooami, I hate getting into anything with you, because you come from an attitude of being superior, of claiming "nothing happening here". I don't come to this board with piffling little issues, I don't spend time here discussing why my text won't align or the like. When I come to a support board (apparently run by the company) I am hoping to deal with someone from the company, and not a third party that may or may not know what all is going on. I appreciate your comments in some ways, but as you are a plugin designer, I would suspect that your answer would more than likely be to add a plugin. That's your gig, enjoy it.

    If I am going to log stuff, I would have to log everything. These guys aren't always going to come back and hit the same few blogs I have seen this on so far, but they are rather likely to hit any of the other ones. Basic theory, if you have 100 potential targets and 5 have been hit, you are 19 times more likely to have one that wasn't hit to see it next rather than one that was already hit. So I can randomly set up your plugin on 1 domain and hope they get around to it, or put it on all of them and hope to catch something. That is very, very basic stuff.

    This all becomes a jr high school debate when it is about piffling matters rather than the issue at hand. If Otto is a developer, I am surprised that he isn't aware that the MORE tag no longer affects the RSS feeds, considering that not only has it been in threads here, but also apparently in the dev areas (and not surprisingly the solution to the issue is yet another plugin.... *sigh*). I am trying to stay focused on the key issue (Some people and I have all reported the same basic issue with 2.5.1, and I have logs that show it was done using a post command to xml-rpc). If there is a hole, it needs to be looked for, checked, and considered.

    No, I don't have enough information to point to a single method, but I would suspect that the method is VERY similar to previous injection / edit tricks. This has happened on a few different versions so far, and makes it pretty clear that the code in that area of wordpress may not be the best and perhaps should be addressed overall, rather than worrying about patching what has already been patched at least 3 times that I am aware of in the last six months.

    As for insults, well, honestly, you started it. Try to turn down your arrogance a little bit, you don't know everything in the world. You would probably do a much better job of helping people out if you did.

  20. mrmist
    Forum Janitor
    Posted 6 years ago #

    If I am going to log stuff, I would have to log everything. These guys aren't always going to come back and hit the same few blogs I have seen this on so far, but they are rather likely to hit any of the other ones. Basic theory, if you have 100 potential targets and 5 have been hit, you are 19 times more likely to have one that wasn't hit to see it next rather than one that was already hit. So I can randomly set up your plugin on 1 domain and hope they get around to it, or put it on all of them and hope to catch something. That is very, very basic stuff.

    If it's basic stuff then why aren't you acting on it?

    You've presented an argument that does not allow any progress. People have suggested that you should attempt to glean more information by logging your xml requests and basically you've put up a blocker to that by saying it's not worth doing on one blog and too much effort to do on 100. I guess in the end that is up to you, but no one else is likely to be able to magically discover how your blogs were compromised.

    Incidentally you can either have an argument akin to your 19:1 theory or you can have an argument that the same blog will get hit more than once. Using both arguments is contradictory. In fact based on your 19:1 idea on your blogs that have already been hit you should just do nothing.

  21. Boris
    Member
    Posted 6 years ago #

    Time for a cold shower everybody. There'd be a lot less chaos in the world if people would listen to each other and to people actually knowing what they're talking about...

  22. rawalex
    Member
    Posted 6 years ago #

    mrmist: It isn't just a question of 1 or 100... it is a question that logging XML requests on that scale could in itself leave the site open for a DoS attack (every one of those comment spammers uses XMLRPC... I have blogs that get hundreds of those a day). Open-ended logging isn't a good thing, that is for sure. I don't intend to create myself another 8 hour a day job reviewing wordpress logs looking for a single hacker request in a sea of comment spams and other XMLRPC abuse attempts. The 19:1 is to make a point, neither you nor I would know what a hacker would do next. We don't know if this is just some script kiddie running someone else's tool. We don't know how long their list of blogs is that they are checking. Anyway, the point is I don't want to spend the time and the effort (and open my servers up to a DoS attack) by opening up 100 log files. Cherie offers answers that seem simple, but have many implications beyond the obvious.

    travel-junkie: Unfortunately, the answers that come on a free-for-all board are tons of noise, a bunch of denials, and a solid amount of finger pointing... all without accepting the basic concept that more than one person is reporting an issue. I hope that a more complete log of one of these attacks is found, so that the developers can get to fixing the issue rather than running a multi-page thread that really doesn't accomplish anything.

  23. whooami
    Member
    Posted 6 years ago #

    1.

    whooami, I hate getting into anything with you, because you come from an attitude of being superior, of claiming "nothing happening here".

    Actually, I haven't said anything of the kind -- in fact, every time the opportunity to say that has arisen, I've gone out of my way to make allowances, and say that it's possible -- JUST to avoid you accusing me of that.

    I said:

    ..irrespective of any potential WP flaw.

    the above doesn't mean there isn't one.

    I said:

    I am NOT saying that the potential for an issue isn't there; I am simply saying that 1+2!=4

    That ought to be self-evident.

    I said:

    you may very well be correct in what you are saying.

    How many more different ways do you need me to reiterate that the possibility exists that you are right?

    2.

    If Otto is a developer...

    I never indicated who it was .. and I don't see that it matters when my larger point should have been that regardless of who you deal with, you owe them the same respect -- employee or not.

    I am hoping to deal with someone from the company..

    You should have remembered from your last, similar experience that wordpress developers do not frequent these forums. It's been reiterated time and time again on these forums. That is why they have an e-mail address -- that is why there are mailing lists.

    3.

    but as you are a plugin designer, I would suspect that your answer would more than likely be to add a plugin.

    I am also an enduser, so that's a facetious argument. I just happen to have written a plugin that does the work.

  24. rlparker
    Member
    Posted 6 years ago #

    Heck, give me the contents of your wp-config.php file, and I can make your posts say anything at all.

    Never a truer word was written, and I've seen this time and time again when cleaning up behind miscreants who have exploited unmaintained ("Upgrade? UPGRADE!? I don't need no stinking upgrade!") WP installations.

    Not to mention those that do a fresh install but reuse previously exploited passwords, or those exceptionally bright folks that not only use the same password for their admin WP user, but use the same credentials for the database user and their ftp user.

    These people can't be helped, at all, until they start to use some common sense password management techniques. A new install of a "bullet-proof" version of anything is pointless if you re-use passwords from previously exploited blogs, or have those same passwords set for your database or ftp user.

  25. rawalex
    Member
    Posted 6 years ago #

    rlparker: it is one of the reasons why during the upgrades I did from 2.3.3 to 2.5.1 that all admin passwords were changed, because in most cases admin is the only actual user on most of the sites. Going through the process and upgrading passwords is always a good thing. Not allowing the same passwords on multiple items is also a very good idea (and rather obvious). Good hosting companies won't allow simplistic passwords, but no matter what you do, you cannot stop people from being stupid about security.

    Sadly, replacing the lock on the door when the window next to it is wide open doesn't change anything. All of the XMLRPC hacks have been completely independent of any password requirements or security levels.

    Whooami: I could go into it long and hard with you, but I have respect for the people who provide this forum. I congratulate you on writing a plugin that is in itself a potential DoS target, but hey, you know that already, right?

    1+2+X=4. I don't know X for sure, but I can make a strong guess.

    My frustrations with this forum are known. I think it is horrible that WordPress puts up a forum, calls it "support" and then it turns out that it is mostly the somewhat less blind leading the totally blind. That isn't support, that is just a community of like minded people and inflated egos. All I have ever asked you to do is leave my threads alone. I don't go peeing on your threads (and some of them are so tempting... ) please don't do it on mine.

    Oh yeah, meanwhile, there is still a potential open hole in XMLRPC. But that isn't as important as proving that you are superior, now is it Cherie?

  26. whooami
    Member
    Posted 6 years ago #

    As I've already stated, you're not going to stop me from posting anywhere...

    and I'm curious, what do you think you are gaining by calling me by my name? I make no secret of it -- It's on my "about" page, and I refer to myself by name in my blog at least 5 or 6 times.

    You're not accomplishing anything, other than making yourself look really childish.

    Shall I start calling you Alex, Alex?

    --

    Edit :

    Oh yeah, meanwhile, there is still a potential open hole in XMLRPC. But that isn't as important as proving that you are superior, now is it Cherie?

    what does a potential hole have to do with what I do or don't do?

    Don't answer, I don't expect you are able to.

    So far, every personal accusation you have made against me, I have been able to prove wrong.

    1. you immediately accused me of making personal attacks on you in this thread -- but could provide no evidence when asked for it.

    2. You've accused me twice now, of telling you that you are wrong -- I pointed out how off-base you were on that already. And of course, you leapt right over that.

    When you actually have a conversation that doesn't rise and fall on your being able to make baseless statements -- then and only then, will I be interested in any of your "answers".

  27. rawalex
    Member
    Posted 6 years ago #

    I prefer names to handles or nicknames... in the end I like to know who I am talking to, not someone hiding behind a name, which is why my nick is really just my name anyway. I also want you to understand that I am not making stuff up on the fly, I have gone to look at your stuff closely and understand where you are coming from. Do you understand that your logging plugin is a security risk?

    I am not telling you to stop posting, I am asking nicely.

  28. whooami
    Member
    Posted 6 years ago #

    Do you understand that your logging plugin is a security risk?

    Any plugin that creates content is a security risk -- do YOU understand that?

    is that the point of this thread? After all, you already said you wouldn't be using it.

    Don't bother answering -- I'm sure you can't. Again.

  29. Joni
    Member
    Posted 6 years ago #

    My frustrations with this forum are known. I think it is horrible that WordPress puts up a forum, calls it "support" and then it turns out that it is mostly the somewhat less blind leading the totally blind.

    Unbelievable. It's free software offered under the GPL. What do you propose be done? Set up a phone bank somewhere? Have the devs chained to their computers answering asinine questions all day? Because there's more of THOSE kind of questions being asked than legitimate pleas for help.

    I am not telling you to stop posting, I am asking nicely.

    What hubris.

  30. whooami
    Member
    Posted 6 years ago #

    @ joni

    some people seem to live by that "the loudest chick gets the worm" credo. You would think, for someone so incredibly frustrated and angry, and let's not forget, unwilling to do much of anything, there would be other, "better" software out there that would be calling his name.

    I hear the Joomla forums are looking for people.

    OH, wait, that's had about 10 or so public exploits come out in the last month or so. Nevermind.

Topic Closed

This topic has been closed to new replies.