Not sure that this is the right forum for it, but I hope some developers are reading here too.
In the last ten days I was the victim of a defacement attack on a WordPress 2.9.2 site and a WordPress 3.0 site. Some folks out there don't like me. It is a hard and distributed attack, and I expect more problems in the coming days.
It is interesting how the defacement was done, I'm still analyzing further. But my current insight can show a weakness in the current WordPress versions, so I decided to publish it.
The file wp-admin/install.php was called repeatedly from a wide range of IP addresses. At the same time, a distributed denial of service was performed, mainly by GETting the feeds for every single tag, which are requested seldom and therefore not cached by WP Super Cache. There are several thousand tags in one of the blogs, and that DDoS is a rather "good" one for me.
After some twenty hours of DDoSing and invoking the install script, my "friends" succeeded. As a result, the whole database was wiped. For me, it looks like a kind of race condition, attacking a weakness in the installer script under conditions of heavy load and memory pressure. At the moment, I do not know the way the database was cleared; it may be a SQL injection or something different. After some reading of the sources I decided to let it be inspected by someone who better understands the concepts of the WordPress core.
My active Plugins are:
- Akismet
- Dashboard Notepad
- Embedded Video
- Follow URL
- Force Word Wrapping
- Google XML Sitemaps
- Intypo
- o42-clean-umlauts (a better replacement for German umlauts in Permalinks)
- Simple Tags
- Simple Trackback Validation
- Twitter Tools
- WP-UserOnline
- WPaudio
- WP Super Cache
- WP System Health
I don't expect one of these plugins to be the source of the vulnerability.
I use the German language file in all hacked blogs, but this shouldn't cause this kind of problem. (It consumes a lot of memory sometimes.)
The file permissions in all installations are rather restrictive; only the upload directory, the sitemap file and .htaccess are writable for the webserver's user. All files are unchanged by the defacement; only the access to the database destroyed the contents of my blog.
If a WordPress developer reads this forum: Please have a look at this issue. It may be a fresh exploit for WordPress, which may affect many other blogs in the next weeks.
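As an added example (not from the original post), a small Python script that flags the two patterns the post describes in a web server access log: hits on wp-admin/install.php from many distinct IPs, and feed fetches for many distinct tags. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2010:10:01:02 +0200] "GET /wp-admin/install.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jul/2010:10:01:03 +0200] "GET /wp-admin/install.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2010:10:01:03 +0200] "GET /tag/foo/feed/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2010:10:01:04 +0200] "GET /tag/bar/feed/ HTTP/1.1" 200 8790 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Jul/2010:10:01:04 +0200] "GET /tag/baz/feed/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Jul/2010:10:01:05 +0200] "GET /2010/07/hello-world/ HTTP/1.1" 200 12033 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2010:10:01:06 +0200] "GET /wp-admin/install.php?step=2 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, method, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# WordPress tag feed URL, e.g. /tag/foo/feed/
TAG_FEED_RE = re.compile(r"^/tag/([^/?]+)/feed/?$")


def analyze(log_text, install_ip_threshold=2, tag_feed_threshold=3):
    """Summarise install.php probing and tag-feed flooding seen in the log."""
    install_hits = 0
    install_ips = set()
    tag_feeds_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip = m.group("ip")
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path.endswith("/wp-admin/install.php"):
            install_hits += 1
            install_ips.add(ip)
        t = TAG_FEED_RE.match(path)
        if t:
            tag_feeds_by_ip[ip].add(t.group(1))
    distinct_tags = set().union(*tag_feeds_by_ip.values()) if tag_feeds_by_ip else set()
    return {
        "install_hits": install_hits,
        "install_ips": sorted(install_ips),
        "install_probe": len(install_ips) >= install_ip_threshold,
        "distinct_tag_feeds": len(distinct_tags),
        "tag_feed_flood": len(distinct_tags) >= tag_feed_threshold,
    }
```

Once a site is installed, install.php has no legitimate caller, so any hit on it is worth an alert on its own; the tag-feed count only becomes meaningful against the site's normal baseline.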