WordPress.org Forums

[closed] Question About Possible Hack of Site (162 posts)

  1. dyske
    Member
    Posted 4 years ago #

    OK. This might cause a panic, but /wp-admin//export.php is fully functional. This means that a mere subscriber can download your entire database as an XML file, including all your email addresses.

  2. whooami
    Member
    Posted 4 years ago #

    yes they should -- it's actually only a 4-minute install.

    and is this entire thread about hacks to pre 2.8.4 installs???

  3. rwboyer
    Member
    Posted 4 years ago #

    @kirkpete

    actually you can just download a copy of the new wordpress into a new directory, change the wordpress config file to setup connectivity to your database, copy your wp-content directory to the new tree, fire it up and go. If there are db changes required wp will know and do them.

    RB

    ps. this is roughly what I do using automated tools and db/filesystem snapshots and test virtual machines prior to cutting over to new versions.

  4. dyske
    Member
    Posted 4 years ago #

    The double slash hack does not even require any coding. Anyone can do this. All you have to do is register as a subscriber and then type in the URL to the admin pages with an extra slash.

    I bet many spammers have already known about this for a while and they must have already visited all the popular WP blogs and downloaded their entire database. This would explain many strange user registrations in the past few weeks.

  5. whooami
    Member
    Posted 4 years ago #

    but /wp-admin//export.php is fully functional.

    I've tested this on a 2.8.2 install (even), registered as a subscriber, and can't replicate that assertion.

    i'll happily make this install available to you to register on, if you want to test.

    (you either have plugin issues, something else going on, or dont realize that youre actually admin)

  6. kirkpete
    Member
    Posted 4 years ago #

    rwboyer, I don't understand what you just posted, but it's too late anyway, I'm halfway through the Extended Upgrade process. (I had already backed up my database and WordPress files at the beginning of this ordeal.)

  7. rwboyer
    Member
    Posted 4 years ago #

    @kirkpete -

    Just trying to get a handle on why you are having such a hard time with wordpress.

    I just looked at your hosting provider, if you have a virtual server it should be a walk in the park with nothing really in the way. What kind of account do you have? Windows? Linux?

    RB

  8. dyske
    Member
    Posted 4 years ago #

    @whooami

    I tested it on 2.8 and I just double-checked. I'm able to export.

  9. whooami
    Member
    Posted 4 years ago #

    ok, well, I've just tested it on the latest -- 2.8.4, and it does not work.

    since 2.8.4 is the latest, and REALLY thats where the focus ought to be, NOT on versions that shouldnt be being used anyway ..

  10. dyske
    Member
    Posted 4 years ago #

    @whooami

    Yeah, somewhere between 2.8 and 2.8.2, they must have added the line below:

    if ( !current_user_can('edit_files') )
    	wp_die(__('You do not have sufficient permissions to export the content of this blog.'));

    Basically any admin file that does not have the function current_user_can() at the top can potentially be accessed with the double slash hack.

    I checked 2.8 vs 2.8.4. The function does not exist in the former but it does in the latter.

  11. dyske
    Member
    Posted 4 years ago #

    @whooami

    It's easy for webmasters and developers to say nobody should be using the old versions, but WordPress is being used by many people whose passion and professions are NOT maintaining websites and staying informed of the latest security threats. People just want to blog. Most people feel that upgrading their software once a year is good enough. If every blogger was a webmaster, the blogosphere would be nothing but people talking about blogs.

    But this does make me think twice about recommending people to install WP. Those who do not have professional webmasters taking care of their blogs, should not install their own. They should just use the hosted version at wordpress.com.

  12. whooami
    Member
    Posted 4 years ago #

    dyske,

    youre making a point thats been made already on here dozens of times before..

    Most people feel that upgrading their software once a year is good enough. If every blogger was a webmaster, the blogosphere would be nothing but people talking about blogs.

    Ok, but most people are wrong, and theyre cheap.

    I fail to see what any of that has to do with the topic (6 pages of stuff over hacked sites that werent even running the latest version??))

    I mean no disrespect, but seriously.. clean the affected sites out, upgrade, be done.

  13. dyske
    Member
    Posted 4 years ago #

    Sorry, I just realized that the exported XML does not contain users table. It just exports all the posts, which are already public information. So, this isn't so bad.

  14. whooami
    Member
    Posted 4 years ago #

    ... and it doesnt ever contain the users table, anyway. thats not the purpose of it. it doesnt matter WHO exports it.

    --

    I love a mystery, and I, honestly, think its a good idea to know how a site was compromised, but the "catch the little bugger" stuff is really a waste of energy. these attacks are scripted, theyre done from behind chained proxies or from zombie machines, and well.. you get the point.

  15. dyske
    Member
    Posted 4 years ago #

    Yeah, I'm going to bed now.

  16. kirkpete
    Member
    Posted 4 years ago #

    @whoami,

    For bloggers who are not technologists, upgrading is an ordeal. (The magical "Automatic Upgrade" button in the dashboard has NEVER ONCE functioned for me, I always have to do it manually.) The first time I upgraded to 2.8.x a few months ago, it broke my blog, and I had to downgrade to 2.7 to recover.

    I mean no disrespect, but seriously.. clean the affected sites out, upgrade, be done.

    Actually, you mean NOTHING BUT disrespect, in virtually every comment you have posted on this thread. You are a troll.

  17. whooami
    Member
    Posted 4 years ago #

    kirkpete,

    For bloggers who are not technologists, upgrading is an ordeal.

    then those people should not be using wordpress. do you disagree?

    (and while we're at it, for the sake of this discussion how do you define technologist?)

    and really, an "ordeal"?

    hyperbole.

    this kind of thread has popped up countless times..

    The fact is that ALL PHP web apps MUST be upgraded and kept current. That someone is a new webmaster and has problems with that process doesn't make them immune to that fact, and doesn't provide an out should they not do it and suffer a successful attack.

    Im sorry to those that dont want to hear that, but thats a fact, and its not going to change. There will, eventually, be public exploits for wordpress 2.8x.. you can count on it. And the wordpress devs will address those issues as they become aware.

    thats ALL they can do. the rest .. like it or not.. is on you (generally speaking). You can only lead the horse to the water, you cannot make it drink.

    you CHOSE to run an insecure version of wordpress. did you not?

    I am NOT trying to be argumentative here, but youre not being intellectually honest.

  18. netslacker
    Member
    Posted 4 years ago #

    Has anyone noticed that their flash image uploader no longer works? Maybe this is a function of disabling xmlrpc.php also disables the flash image uploader?

    I went to add images to a post tonight and I get "HTTP Error" in the flash uploader when I click on "upload." If I use the html version it works just fine, w/o issue.

    I'll dig into it in the morning, just wondering what others have seen.

  19. whooami
    Member
    Posted 4 years ago #

    I read these forums every day; a 5 page thread on a hack is going to get my attention, and I read it expecting to see something about 2.8.4.

    There IS a lot of good info in this thread, even without that. That said, theres also a fair amount of virtual hand wringing, and blame-shifting, and references to things that arent possible in 2.8.4 that, frankly, needed to be corrected, and NO-ONE else was even bothering.. (see above)

    Since I have as much right as anyone to post here, Ill say it and get it off my chest.

    You cant seem to get your blog upgraded? Then GET HELP.

    There are countless people on the WWW that do upgrades for little or NO cost.

    That's what I feel has to be driven home after 6 pages.

    so there. call me a troll i really dont care. I'll be here on these forums long after youve moved on from this thread.

  20. pajamadeen
    Member
    Posted 4 years ago #

    @whooami wrote: "and is this entire thread about hacks to pre 2.8.4 installs???"

    you go, girl! yes, this entire thread is actually about bad things that happen to people who don't keep their WordPress installs current. amazing, isn't it? 5 pages of this. (thanks for sharing!)

    folks, you can't upgrade "just once a year" because you "feel like it," if you want the max protection available at any given time from WordPress. it IS your fault if you don't/can't/won't keep your installs current - whether you do them yourselves or pay someone to do them.

    it's just laziness, not to upgrade, compounded by a lack of knowledge. btw, i have about 9 blogs. they all get upgraded when there's a WP upgrade. is it a pita? yeah, kinda. but the whole thing is done in less than an hour - a small price to pay for keeping installs as safe as possible.

    @kirkpete - a troll? whooami is the most knowledgeable WP person i've ever met. whooami just wants people to _think_ and learn. has donated hundreds, if not thousands, of hours to the message boards, teaching people, etc.

  21. SteveAx
    Member
    Posted 4 years ago #

    Okay.. so I have many sites on a shared hosting account each in their own directory.. several are running wordpress installations... today a majority of these sites got hit with this hack. I am in the process of upgrading all to 2.8.4 and removing the index.php files that have the code in them from each affected directory.

    Interesting thing is that many directories that do not have wordpress installed got this index.php file added to them also.

    Anyway I need to know in layman's terms what else I need to do to make sure these are secure. Can someone please spell it out so that the ones that are already affected can be made safe.

    Thank you,
    SteveAx

  22. So I've been on the case and although I can't replicate the issue on my local servers, what has been described here in this thread sounds exactly like the security issue that was addressed in WordPress 2.8.1.

    WordPress 2.8.1 was released on July 9th to address a security issue that was brought up by Core Security Technologies.

    http://wordpress.org/development/2009/07/wordpress-2-8-1/

    http://corelabs.coresecurity.com/index.php?module=FrontEndMod&action=list&type=advisory

    If you take a read through their security bulletin, especially the proof of concept, it sounds exactly like what happened to the guy who started this thread with the Subscriber role and the escalation of privileges to the admin level. But that security bulletin centers around plugins so I'm not sure if it's in use here. Also, WordPress 2.8.2 and 2.8.3 were released to fix an XSS vulnerability where comment author URLs were not fully sanitized when displayed in the admin but since the most this could do is redirect someone to a different webpage, doesn't sound like it's in action.

    However, I'd like to hear specifically from anyone running WordPress 2.8.4 who has had this attack happen to them.

  23. ElectroLutz
    Member
    Posted 4 years ago #

    I found one who has the same problem with 2.8.4 -> http://www.netpassiveincome.com/wordpress-mysql-injection-permalink/

    At the end he says that...

  24. blogher8
    Member
    Posted 4 years ago #

    I had the same security breach today on my 2.8.2 site, including the same new users added since 8/30:
    MikeWink
    Miriam
    Adrianq

    But I could not find any admin user. The dashboard showed only one admin (1) = me. Looking in the wp usermeta database also yielded nothing, at least to my eyes. (I am not experienced with this stuff, but could not see anything easily.)

    Here's what I did:

    I deleted the malicious code from the permalink structure.

    I deleted old WP files, more or less leaving only theme files (NOT index.php from each theme-- of which corrupted versions were scattered everywhere you can imagine, so I replaced these), wp-config.php, and .htaccess and robots.txt.

    I reinstalled WP, upgrading to the latest 2.8.4.

    Changed FTP and MYSQL and WordPress admin passwords.

    I deleted old plugins and reinstalled each.

    IS there anything I need to do to make sure I am secure and have not let anything corrupt linger from the old site?

    Thanks!

  25. whooami
    Member
    Posted 4 years ago #

    IS there anything I need to do to make sure I am secure and have not let anything corrupt linger from the old site?

    you appear to have covered everything. the important thing is to not miss any files with backdoors in them, php shells, that sort of thing.

    deleting the files .. solves that, generally speaking. make sure that what you leave behind is clean. make sure that images are really images (often missed) -- if you took notice of the timestamps on any of the files that had been altered, you probably want to go through your entire web space and look for any other files that have close or same timestamps.

    an image file in your uploads/2009/07 directory with a timestamp from this month would be very suspicious, for instance.
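    Two sweeps that follow whooami's advice above, as an added example that is not part of the thread: one lists files modified within a window around a known-altered file, the other flags "images" whose first bytes are not a real image signature. It assumes GNU coreutils/findutils (stat -c, touch -d) and builds a constructed fixture in place of a real web root.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils/findutils;
# every path and timestamp below is constructed for the demo.

# 1) Files whose mtime lies within +/- WINDOW minutes of a known-altered
#    file (for example one of the planted index.php files).
find_near_mtime() {
  root=$1; ref=$2; window=$3
  ref_epoch=$(stat -c %Y "$ref")
  lo=$(mktemp); hi=$(mktemp)
  touch -d "@$((ref_epoch - window * 60))" "$lo"
  touch -d "@$((ref_epoch + window * 60))" "$hi"
  # newer than lo and not newer than hi == modified inside the window
  find "$root" -type f -newer "$lo" ! -newer "$hi" | sort
  rm -f "$lo" "$hi"
}

# 2) Files with an image extension that do not start with a JPEG, PNG or
#    GIF signature; a script hidden under uploads/ shows up here.
find_fake_images() {
  root=$1
  find "$root" -type f \( -iname '*.jpg' -o -iname '*.jpeg' \
       -o -iname '*.png' -o -iname '*.gif' \) | sort |
  while IFS= read -r f; do
    sig=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case $sig in
      ffd8ff*|89504e47|47494638) ;;      # genuine JPEG / PNG / GIF header
      *) printf '%s\n' "$f" ;;
    esac
  done
}

# Constructed fixture: a genuine July upload, a planted index.php dated
# 5 Sep, and a fake "image" written two minutes after it.
make_fixture() {
  d=$(mktemp -d)
  up=$d/wp-content/uploads/2009/07
  mkdir -p "$up"
  printf '\211PNG\r\n\032\n' > "$up/photo.png"
  touch -d '2009-07-10 12:00:00' "$up/photo.png"
  printf '<?php /* constructed stand-in for a planted script */ ?>' > "$d/index.php"
  touch -d '2009-09-05 03:00:00' "$d/index.php"
  cp "$d/index.php" "$up/avatar.jpg"
  touch -d '2009-09-05 03:02:00' "$up/avatar.jpg"
  printf '%s\n' "$d"
}

if [ "${1:-}" = "demo" ]; then
  root=$(make_fixture)
  echo "modified near index.php:"; find_near_mtime "$root" "$root/index.php" 10
  echo "fake images:"; find_fake_images "$root"
  rm -rf "$root"
fi
```

    Run it with `demo` to see both sweeps against the fixture; on a real site point find_near_mtime at the web root and at one of the files you know was altered.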

  26. Having looked into this in great detail as far as I can tell this exploit does not work against 2.8.4.

    If anyone has evidence to the contrary - apache access_logs, POST data etc then please send them to us at security@wordpress.org and we will investigate.

  27. PJ Brunet
    Member
    Posted 4 years ago #

    This answers one of the questions that I posted before: Why did the hacker need to make the permalinks dysfunctional? Because this is actually the first point of entry. So, he had to.

    In other words: If your permalinks are OK right now, you were not hacked, yet.

    Thank you for the help. I am upset I lost two hours of sleep over this, especially with a broken ankle that needs rest!

    PS: I won't be using ScribeFire in the near future, not worth the risk.

  28. PJ Brunet
    Member
    Posted 4 years ago #

    "since 2.8.4 is the latest, and REALLY thats where the focus ought to be, NOT on versions that shouldnt be being used anyway .. "

    Get off your high horse dude. These presumptuous "shut up and upgrade" comments only reveal ignorance. People have good reasons to not upgrade. Matt can keep his rounded-for-IE corners! LOL.

    Read this, maybe you'll learn something - http://en.wikipedia.org/wiki/Telegard

  29. whooami
    Member
    Posted 4 years ago #

    f**k you, I presume nothing. and Im not a dude either.

    People have good reasons to not upgrade.

    yeah like broken plugins. yawn.

    "hows that plugin working out for you now that your "shit" is hacked?

    not so well huh? damn, lifes not too fair. here's a hug for you."

    Maybe you need to do a little reading?

    http://www.milw0rm.com/search.php?dong=wordpress

    those are JUST the exploits that are easily gotten.

    I dont think im the ignorant one here. My blog(s) arent hacked.

    --

    Furthermore, and heres the real issue -- having a reason doesnt make it the best choice. Instead of patting people on the back and giving out virtual hugs when they experience this, maybe, JUST MAYBE, they need to be told that they made a bad choice???? You know, so they dont continue making bad choices?

    Oh wait -- thats wrong, we dont want to hurt anyone's feelings, do we?? Instead, we can look forward to more virtual hand holding for the next 6 months, until the next round of clucks, and their friendly apologetics, pile onto the forums wondering wth happened to their blogs that they refuse to take care of.. theyre not technologists (wtf that is) .. they couldnt upgrade... they need that plugin ... they "just wanna blog" ... blah blah blah.

    Im sick of it. Youre not alone on the Web. You share it. Its called the information "superhighway" for a reason.

    Besides, I ALREADY said there was good info in the this thread -- i was talking specifically about the suggestions that were made for people that WONT, for whatever reason, upgrade.

  30. Daniel Frużyński (sirzooro)
    Member
    Posted 4 years ago #

    I think that registration open to everyone is critical to this hack. You also pointed this out already, that this is a first step in the sequence. But there is one more interesting thing - the file from that Chinese server has the following call near its end:

    update_option('users_can_register',0);

    Looks like attackers disable the registration option just after the new admin is created, to prevent others from exploiting this hole too.

    One more thing: looks like this is the 1st phase of the attack. I suspect that in the 2nd phase attackers will return to compromised blogs, revert the permalink structure to the original (or change it to something valid) and start posting their spammy offers, links to other sites, badware or anything else.

Topic Closed

This topic has been closed to new replies.