WordPress.org Forums

[resolved] Blog post replaced by spam (23 posts)

  1. morshus
    Member
    Posted 6 years ago #

    A few minutes ago I discovered that an extra post had been added to my WordPress blog by 'admin' yesterday evening, titled "1" with viagra spam as content. But even worse was that the content of my most recent post, which I had posted as 'admin', had also been replaced by this spam.

    Has anyone any idea of what is happening here? Have I been hacked, or is someone maybe exploiting the "Post via e-mail" function? (which I have disabled now, just in case)

  2. Jeremy Clark
    Moderator
    Posted 6 years ago #

    A check of your server logs should show you how it was done. First check your mail server logs for any messages sent to the wordpress account. Then check your web server logs for any suspicious activity.

  3. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    Also, regardless of what happened, change all the passwords. The WordPress passwords, the passwords on the database, your FTP account passwords, everything.

  4. Len Kutchma
    Member
    Posted 6 years ago #

    Search your blog carefully as I found more. Take a look at the post Merry Christmas from Dec 28, 2006 and then look at the source code.

  5. whooami
    Member
    Posted 6 years ago #

    I would love a full list of your plugins (the actual names of the plugins), your plugin directory is browsable but some of them are unidentifiable.

    Someone, somewhere, has to start looking at the commonalities between the recent 2.3.2 attacks. I've even been tempted to set up a wordpress honeypot.

    If you follow Jeremy's advice, the output of this would also be helpful:

    # requests to a wp-* script where some parameter is set to a remote URL (the usual remote-file-inclusion probe)
    grep -E 'wp-[^ ]*\?[^ ]*=http://' access_log

    and you're really only interested in the last 10 or so lines of output if there happens to be a lot.

  6. morshus
    Member
    Posted 6 years ago #

    Thanks for the quick replies. Although I am not good at reading these access logs, it seems like somebody with a russian speaking version of Firefox has been inside my wp-admin area, posting and editing posts.

    213.184.224.30 - - [30/Jan/2008:18:09:06 -0800] "GET /wp-admin/post.php?action=edit&post=19 HTTP/1.1" 200 5390 "http://www.morshus.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"

    Gee thanks LenK - I was actually wondering why that post (19) was mentioned in the access log!

    I have these plugins activated: Akismet 2.1.3, Executable PHP widget 1.0, Extended Comment Options 1.1, FAlbum 0.7.1, Google Sitemaps 2.7.1, wp-cache 2.1.2

  7. whooami
    Member
    Posted 6 years ago #

    that's a start, if you like I would LOVE a copy of your access logs.. ANYTHING you have available.

    I'll go through them with a fine-tooth comb.

    Feel free to zip them up and send them off to whoo AT whoo.org

  8. morshus
    Member
    Posted 6 years ago #

    thanks whooami, the log from that particular day should be in your inbox by now. I unfortunately don't know how to do that cat access_log thing.

  9. whooami
    Member
    Posted 6 years ago #

    yes I got it thanks.. I'll email you back privately with anything I find, and obviously let anyone else know if there's something that looks specifically "WP suspicious"

  10. whooami
    Member
    Posted 6 years ago #

    fwiw, there's nothing in those logs that points to HOW your password was retrieved, i.e., there aren't any odd GETs or POSTs, or calls to unusual files.

    I suspect that there might be more info in the previous logs..

    and also, that IP .. its a proxy, not surprisingly.

  11. morshus
    Member
    Posted 6 years ago #

    FYI, my admin password was the one I got from the system when I created the blog. Old, but not incredibly easy to figure out.

  12. Jonathan Landrum
    Member
    Posted 6 years ago #

    I don't keep the password it gives. It only uses lower-case letters and numbers. Create a new one with something odd, like spaces or punctuation. Make it a complete sentence, or even a mathematical formula.

  13. whooami
    Member
    Posted 6 years ago #

    Otto, so I'm looking through 5 days of logs, I see 2 attempts at RFI attacks.. the server returns a 503 on both

    seconds later, there's a hit to /wp-login.php?action=register with no additional http_gets tacked on, and then a few seconds after that a hit to /wp-login.php?action=lostpassword

    all the same IP, another proxy.

    sure would like to know what the content of the http_post was.

    this person looked around too, browsed the images, spent about 5 minutes on the site.
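The log triage described in post 5 (the grep for wp-…=http:// remote-file-inclusion probes) and in post 13 above (RFI attempts answered with 503, then register and lostpassword hits from the same IP within seconds), as an added Python example; this is not code from this thread or from WordPress. The only real log line is the access-log entry morshus quoted earlier in the thread; the other lines are constructed to mimic the sequence whooami describes, using RFC 5737 documentation addresses, and the RFI pattern is widened from http:// to https:// as well.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A wp-* script called with a parameter whose value is a remote URL: the
# remote-file-inclusion probe whooami's grep looks for, widened to https as well.
RFI_RE = re.compile(r'wp-[^?\s]*\?\S*=https?://', re.IGNORECASE)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def analyze(lines, window_seconds=60):
    """Flag the three things seen in this thread: RFI probes, edits of existing
    posts through wp-admin, and one IP hitting wp-login.php?action=register and
    then action=lostpassword within window_seconds of each other."""
    findings = {'rfi': [], 'admin_edits': [], 'register_then_lostpassword': []}
    by_ip = defaultdict(list)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        by_ip[rec['ip']].append(rec)
        if RFI_RE.search(rec['path']):
            findings['rfi'].append((rec['ip'], rec['path'], rec['status']))
        if rec['path'].startswith('/wp-admin/post.php') and 'action=edit' in rec['path']:
            findings['admin_edits'].append((rec['ip'], rec['path']))
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r['time'])
        reg = next((r for r in recs if 'wp-login.php?action=register' in r['path']), None)
        if reg is None:
            continue
        for later in recs:
            if later['time'] <= reg['time']:
                continue
            gap = (later['time'] - reg['time']).total_seconds()
            if gap > window_seconds:
                break
            if 'action=lostpassword' in later['path']:
                findings['register_then_lostpassword'].append((ip, gap))
                break
    return findings


SAMPLE_LOG = [
    # Real line quoted by morshus earlier in this thread.
    '213.184.224.30 - - [30/Jan/2008:18:09:06 -0800] "GET /wp-admin/post.php?action=edit&post=19 HTTP/1.1" 200 5390 "http://www.morshus.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"',
    # Constructed lines (documentation IPs, hypothetical plugin/theme paths) modelled on the sequence whooami describes.
    '198.51.100.7 - - [26/Jan/2008:03:11:02 -0800] "GET /wp-content/plugins/example/index.php?page=http://203.0.113.9/c.txt HTTP/1.1" 503 381 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [26/Jan/2008:03:11:04 -0800] "GET /wp-content/themes/example/header.php?path=http://203.0.113.9/c.txt HTTP/1.1" 503 381 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [26/Jan/2008:03:11:09 -0800] "GET /wp-login.php?action=register HTTP/1.1" 200 1920 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [26/Jan/2008:03:11:15 -0800] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [26/Jan/2008:03:11:21 -0800] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 1855 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [26/Jan/2008:09:00:00 -0800] "GET /index.php HTTP/1.1" 200 12000 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

Run it against a real access_log with `analyze(open('access_log'))`; the register-then-lostpassword window is the thing to tune, since a legitimate new user who forgets a password within a minute is rare but not impossible.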

  14. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    Forward me the relevant piece of the log, whoo. otto at ottodestruct.

  15. morshus
    Member
    Posted 6 years ago #

    By the way, I don't think it has anything to do with the "Post via e-mail" function. I forgot when writing the initial post here, that my "Post via e-mail" address also forwards to another e-mail address of mine, which has received no e-mails lately. I tried to send a test e-mail right now, and yes it forwarded it as expected.

  16. whooami
    Member
    Posted 6 years ago #

    fwiw, I have started logging ALL $_POST variables sent to my blog (with some obvious filtering of sensitive data).

    IF there is something being sent that way, I'm sure to catch it.
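The POST logging with sensitive-field filtering that whooami mentions above, as an added example that is not whooami's code; it is written in Python rather than PHP so it runs stand-alone, and the field names `log`, `pwd`, `user_login`, `user_email` and `redirect_to` are the ones wp-login.php's forms use. The sample bodies are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qsl

# Field names whose values must never be written to a log. 'pwd' is the
# password field of wp-login.php; the others are generic names.
SENSITIVE_NAME = re.compile(r'pass|pwd|secret|token|cookie|auth', re.IGNORECASE)
# Values that deserve a closer look: remote URLs (the RFI pattern from the
# access logs), PHP open tags, and a crude SQL UNION SELECT.
SUSPICIOUS_VALUE = re.compile(r'https?://|<\?php|\bunion\b.*\bselect\b', re.IGNORECASE)
MAX_VALUE_LEN = 200


def redact_post(body):
    """Parse a urlencoded POST body into (name, value) pairs, masking sensitive
    values (keeping only their length) and truncating oversized ones."""
    pairs = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if SENSITIVE_NAME.search(name):
            value = '[REDACTED len=%d]' % len(value)
        elif len(value) > MAX_VALUE_LEN:
            value = value[:MAX_VALUE_LEN] + '...[truncated]'
        pairs.append((name, value))
    return pairs


def suspicious_values(pairs):
    """Names of fields whose (already redacted) values match SUSPICIOUS_VALUE."""
    return [name for name, value in pairs if SUSPICIOUS_VALUE.search(value)]


def format_post_log(remote_addr, path, query, body):
    """One log line per POST: client, target, a SUSPICIOUS tag if warranted,
    then the redacted fields."""
    pairs = redact_post(body)
    target = path + ('?' + query if query else '')
    flags = suspicious_values(pairs)
    tag = ' SUSPICIOUS(%s)' % ','.join(flags) if flags else ''
    fields = ' '.join('%s=%r' % (name, value) for name, value in pairs)
    return '%s POST %s%s %s' % (remote_addr, target, tag, fields)


# Constructed sample POSTs (documentation IP, not captured traffic).
SAMPLE_POSTS = [
    ('198.51.100.7', '/wp-login.php', '', 'log=admin&pwd=hunter2&rememberme=forever&wp-submit=Log+In&testcookie=1'),
    ('198.51.100.7', '/wp-login.php', 'action=lostpassword', 'user_login=admin&wp-submit=Get+New+Password'),
    ('198.51.100.7', '/wp-login.php', 'action=register', 'user_login=x&user_email=x%40example.com&redirect_to=http://203.0.113.9/'),
]

if __name__ == '__main__':
    for entry in SAMPLE_POSTS:
        print(format_post_log(*entry))
```

One caveat on the name filter: `auth` also matches `author`, so a comment form's author field would be masked; tighten SENSITIVE_NAME to exact names if that matters for your forms. The point of keeping the value length is that a redacted password still tells you whether the POST was a normal login or a bulk of injected data.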

  17. Jonathan Landrum
    Member
    Posted 6 years ago #

    What do we need to do to secure our sites, since it's not an issue of password strength?

  18. whooami
    Member
    Posted 6 years ago #

    I'm secure :) Always have been (she says, tempting fate)

  19. Jonathan Landrum
    Member
    Posted 6 years ago #

    Yeah, I've always looked up to you in this area. Your ideas are different, and they seem to be working. Mind shooting me an email with some pointers? Pretty please?

  20. whooami
    Member
    Posted 6 years ago #

    I misread your post, I saw this,

    What we need to do to secure our sites, ...

    So I was agreeing :)

    As far as tips, I'm just anal as hell, and I watch everything. My mod_security logs are tailed, and read daily.

    I try to lock down stuff I don't need.

    I've removed the possibility of anyone getting path info, something WP handles horribly.

    I've blogged about that.

    I don't EVER display MySQL errors.

    I've renamed my users table to something completely unique. And I don't use wp_ as a prefix, ever :)

    There's a host of things you can do that can sit in the way of a successful attack.

    I log and see 100s of attempts a day, I can't stop the attempts, but I can improve my odds.

  21. morshus
    Member
    Posted 6 years ago #

    Right, almost a week has passed and my site still looks OK. My host (Dreamhost) suggested that this could have been an SQL injection error, and WordPress has since then released version 2.3.3, patching "that a specially crafted request would allow a user to edit posts of other users on that blog". I of course upgraded as soon as possible, from 2.3.2 to 2.3.3

    So for now, I think I'll tag this topic as resolved. Thanks everybody for your help, it is good to see that the community and WordPress responds so fast and thoroughly.

  22. Jonathan Landrum
    Member
    Posted 6 years ago #

    @whooami Gracias.

  23. morshus
    Member
    Posted 6 years ago #

    By the way, the WordPress Podcast Episode 34 mentions this about the security bug that WordPress 2.3.3 should fix: "The security bug affects only blogs that allow users to register".

    My blog did allow anyone to register, so I immediately changed this. Just in case.

Topic Closed
