Forums

WordPress › Support » How-To and Troubleshooting

2.6.2. vulnerability????? (15 posts)

  1. SleepW
    Member
    Posted 3 years ago #

    Ok here's the story.
    I upgraded to 2.6.2 when it came out.
    This week, without having made any software changes or plugins...i.e. no changes whatsoever I get error messages all over the place that tables don't exist. I try to login and I get the user table doesn't exist.

    I go into myphpadmin and notice that only 3 tables are left. The other 9 or so have mysteriously disappeared. Host claim they did nothing on their end and why should they delete selected tables only. Interestingly, the post table was not deleted. I was able to get the new posts since my last backup (2 weeks before).

    p.s. My site is a low traffic blog (5000 hits per month) so if this was a hack it obviously was a bot. I'm the only user on my site.

    Nothing else was touched on the site..coppermine, pixelpost, only 9 of the 12 WordPress tables. What gives????????????????????

  2. SleepW
    Member
    Posted 3 years ago #

    anyone?

  3. UseShots
    Member
    Posted 3 years ago #

    Strange. Why drop 9 of WordPress tables and leave 3? Could this be a bug in one of your plugins?

    Anyway, check your server for suspicious files. There could be some back-door scripts left from pre-2.6.2 time. And change passwords (ftp, db, wordpress).

  4. SleepW
    Member
    Posted 3 years ago #

    I have a handful of plugins, none of which would delete tables.
    If there was a back-door script, it never ran before..and if it did it would confirm that 2.6.2 is vulnerable, no?

  5. Jan Dembowski
    Volunteer Mod. & Brute Squad
    Posted 3 years ago #

    ..and if it did it would confirm that 2.6.2 is vulnerable, no?

    No.

    Something bad happened to your mysql database for WordPress but if it were an exploit then you'd get have seen other evidence such as links inserted into your posts, your existing account(s) having their passwords changed, etc.

    Just tables being dropped would seem like someone (not necessarily you) got access to your mysql installation and fooled around.

    You lost your tables, yes. Due to a WordPress exploit? Nothing you've shared indicated that. Just restore your database backup and keep an eye on your blog for further problems.

    You do have backups and know how to restore them, right?

  6. SleepW
    Member
    Posted 3 years ago #

    You do have backups and know how to restore them, right?

    I thought the toothfairy did those?
    :)

    1. There are no accounts, no users other than myself.

    2. I don't go into myphpadmin except to do backups..the export function is very different from the sql drop statement, so no I didn't drop any tables.

    3.Someone knows my password and userid? Only if they managed to install a keylogger on my PC when I wasn't watching. If I was a hacker and I had a password and userid I would have deleted all the blog content first. Then I would have deleted my forums, my pixelpost galleries, my coppermine galleries, and I would have defaced what was left over. None of that happened.

    Yes I did restore from backup - lost 1 or 2 posts which I restored manually given the content table was not touched. Given I was using 2.6.2 when I was hacked, all I can do now is wait for the next hack. I will be checking my raw log files this time.

    If you hear hoof beats, you should look for horses, not zebras.

  7. Jan Dembowski
    Volunteer Mod. & Brute Squad
    Posted 3 years ago #

    If you hear hoof beats, you should look for horses, not zebras.

    Cool! Now if you show us some horses instead of zebras, we'll talk about horses.

    In the meanwhile, your zebras have nice stripes.

  8. SleepW
    Member
    Posted 3 years ago #

    Now if you show us some horses instead of zebras, we'll talk about horses.

    Yeah, and at the same time I'll try to find a Neanderthal in the jaws of a fossil T-Rex so you'll have proof that there was indeed a Caveman vs Dinosaur War.

  9. SleepW
    Member
    Posted 3 years ago #

    Scenario 1: Hacker gets in to PC despite Hardware Firewall, Software Firewall, and up to date Virus protection. Why? Because it has to be my PC not the millions of PCs without firewalls and AV.

    Hacker installs key logger. Forgoes stealing online banking and trading passwords because it will be much more fun to break into my website instead. Forgoes all my image galleries and photographic content. Skips the forums. Skips all the databases except the blog. Goes into blog. Hmm. Should he delete the content or 9 other tables. Why not delete all 12 tables.

    Nah, he just deletes the tables that don't have content. What's the result? Error messages on the site! OMG, there are error messages all over the site. Table does not exist. I almost have a heart attack...all that work lost. Wait a minute not only is the site backed up but he/she didn't touch the content! Thank God I was hacked by a mental retard. Site is back up in 15 minutes.

    Scenario 2. Bot finds vulnerability with my WP 2.6.2 installation. Tries to delete all tables but for some reason 3 survive including the content.

    Yeah, Scenario 1 is really much more likely. But hey, what the hell let's be arrogant about it...2.6.2 can't be hacked.

  10. Jan Dembowski
    Volunteer Mod. & Brute Squad
    Posted 3 years ago #

    Yeah, Scenario 1 is really much more likely. But hey, what the hell let's be arrogant about it

    Sigh. I apologize if I came across as arrogant. This is a volunteer effort and you and I are both part of that crowd. My bad.

    Now here's the problem with your thread. This conversation happens all the time and can be summarized as

    "Hey, some bad thing happened to my WordPress blog. I can't explain it. I'm running <INSERT LATEST VERSION HERE>. Why can't people just admit that there is a vulnerabilty/expoit/hack/maybe martians did it?"

    See http://wordpress.org/tags/hacked for much more examples. Currently this is my favorite recent example of an informative thread.

    If you have some real proof or can show HOW this happened to you, then you can post it here, or at least e-mail the security@wordpress.org address with the details. Log data would be helpful or even "Hey I figured it out and here's how it happened to me".

    Yes, you have dropped WordPress tables. Yes, your other software such as coppermine was fine. Did I miss anything?

    Evidence of a compromise happens when files get placed in your blog filesystem or your database. You don't have spammy links in your blog, you don't say that files were installed as a result of an exploit. But you do have dropped WordPress tables.

    Missing tables is annoying, so are error messages. Not exactly evidence of a "hack".

    ...2.6.2 can't be hacked.

    Now who is being arrogant? Re-read what I actually typed. Something bad happened to your blog but until you present something indicating what caused what happened, I'm not going speculate or play guessing games.

  11. whooami
    Member
    Posted 3 years ago #

    "Hey, some bad thing happened to my WordPress blog. I can't explain it. I'm running <INSERT LATEST VERSION HERE>. Why can't people just admit that there is a vulnerabilty/expoit/hack/maybe martians did it?"

    and lest we forget, that's a very common thread areound here.

  12. Jan Dembowski
    Volunteer Mod. & Brute Squad
    Posted 3 years ago #

    Snort, Akismet just spammed my latest comment. Now I know how you feel Whoo :)

    It's probably not related, but Hang on Snoopy, Hang on.

    If I could execute remote code, then mysql databases would be my second target. I just upgraded using

    svn sw http://svn.automattic.com/wordpress/tags/2.6.3

    Easy as pie.

  13. SleepW
    Member
    Posted 3 years ago #

    Missing tables is annoying, so are error messages. Not exactly evidence of a "hack".

    Ok and let's leave the martians out of this, they're always getting a bad rap.

    First, I'm not your grandmother. I build computers from scratch and I program. I know my way around a database and I don't drop tables, not the binary kind.

    Second, I was nowhere near my databases. Had not touched my site since upgrading several weeks before.

    You still with me? If it wasn't me, if it wasn't my host, then who the hell dropped those tables. You're not curious because it did not happen to you, but I am.

    The damage was inconsequential, but I want to know what the hell went on. How can the blog be up one day and down the next without any intervention on my part?

    Think about it. Or did you just conclude that I"m making this shit up because I'm bored.

  14. Jan Dembowski
    Volunteer Mod. & Brute Squad
    Posted 3 years ago #

    Okay. I'm going to offer some advice then I'm walking away from this thread. I'm juvenile but not enough to get into a pointless pissing match especially when I'm not the one getting pissed off here.

    The martian line was a good start, but seriously lay off the humor. I mean, really, grandmother jokes?

    Here goes. Your blog, is it running on Apache? I'm asking because apache on a *NIX platform keeps it's logs usually /var/log/apache2. My background is with *NIX so that's my point of reference.

    You can double check by looking in your Apache conf file for something like

    ErrorLog /var/log/apache2/error_log
CustomLog /var/log/apache2/access_log combined

    You've got a good backup so that gives you a time frame to start from. Look through your access_log and error_log for entries past that time. The search engine bots usually have easy to spot user agent so you can ignore those.

    Look in both files for anything abnormal. You know what your blog URLs look like so ignore those. Look for anything that looks like it has embedded scripts in the URL request.

    That'll cover the web server.

    Now look in your mysql server's my.cnf file and find log and log-error file locations. Look for anything that indicates any problem. I don't use phpmyadmin so I can't point you to where that would log it's actions.

    Take a dump of your database and comb through the wp_posts and wp_comments tables. Make sure that some spammy links or code did not get inserted there.

    Now head to the filesystem. Take the file listing of the http://wordpress.org/latest.zip and compare that with your files on your blog. Aside from the portions you've uploaded in wp-content, does anything stick out as "Hey what's that php file doing there?"

    That's it. If you can't tell what happened after examining your own system, or you can't find anything to add to this thread, then odds are really good no one else will be able to.

  15. SleepW
    Member
    Posted 3 years ago #

    Now that's a more useful post.

    I do have access to my raw log files but parsing through them is quite a chore and I don't necessarily know what I'm looking for. Most of the requests seem to be GET and I didn't see any .exe but again I have no clue what strings to look for..and yes there were several .ru's but they are probably spam attempts.

    Aside from the db backup I also have a mirror of my site locally (WAMP) the file number and dates match where they should, but I have not gone to the point to compare the contents of the files - which can be done with certain utilities such as FolderMatch.

    Injection attacks are fairly easy to troubleshoot as they usually break the CSS - either way, a quick look at the page source will reveal the extra code.

    I'm curious about what happened not as a retrospective..but rather to proactively be able to identify the likely point of entry and seal it up. For example, I don't allow user registration, if I remove that functionality by modifying the code will it seal a point of entry.

    Every hacker knows where the front door is - I'd like to lock it permanently or at least make it harder than my neighbor's.

    Finally, I was never pissed off and my jokes were meant as jokes, nothing more.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.