
[closed] Security Breach in WP? (23 posts)

  1. Root
    Member
    Posted 9 years ago #

    My blog / mysql has just been hacked and trashed. Completely. WordPress isn't secure.

  2. Jinsan
    Member
    Posted 9 years ago #

    Hmm... isn't this the third or fourth instance? Has anyone looked into previous reports of this? I know nothing is 100% secure, but previous calls about db and wp being hacked have been knocked off as ludicrous and impossible.

    this won't start a panic, but it will make users worried, very worried in fact.

    Sorry to hear about it, Root. I wonder who's next. Out of sheer paranoia I'm backing everything up as I write.

  3. Mark (podz)
    Support Maven
    Posted 9 years ago #

    Root - grab your access / error logs / stats. They may be useful.

    Can you share with someone your passwords / settings / anything else relevant ?

  4. Root
    Member
    Posted 9 years ago #

    The hacker said he got in via install.php. I installed via Fantastico and had not deleted it. I normally do - I can't remember if it's in the readme or is a known security loophole unless it is deleted. But it took my db down as well - I think.

  5. Mark (podz)
    Support Maven
    Posted 9 years ago #

    I wouldn't believe a word the fuckwit said.
    Grab logs and compare times of access to the time of the entry it made.

  6. Jinsan
    Member
    Posted 9 years ago #

    So if install.php is still in there, and a user tries to do an install, would it overwrite the existing one? That might explain how he got in. Most installers/blog tools I am aware of tend to auto-delete the install file after a complete install. I thought WP did the same; just deleted mine. I'm not sure if it's stated in the readme. This may all just be hype but I'm pretty paranoid.

    I think the logs should reveal some info: what files were accessed etc.
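    The log check podz and Jinsan suggest, as an added illustration that is not part of the original thread or of WordPress itself: pull every request for the installer scripts out of an Apache combined-format access log, count them per client address, and narrow them to a window around a known time such as the timestamp of the post the intruder left. The log lines, the client addresses and the ENTRY_TIME value are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in Apache "combined" log format (not real traffic);
# the client addresses are from the documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2005:14:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2005:14:05:42 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 1893 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Mar/2005:14:05:58 +0000] "POST /wp-admin/install.php?step=1 HTTP/1.1" 200 2210 "http://example.invalid/wp-admin/install.php" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2005:14:06:30 +0000] "GET /wp-admin/install-helper.php HTTP/1.1" 403 312 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2005:14:07:05 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 1893 "-" "curl/7.10"
203.0.113.7 - - [10/Mar/2005:15:20:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
this line is not a log record
"""

# Assumed timestamp of the entry the intruder left on the blog.
ENTRY_TIME = datetime(2005, 3, 10, 14, 6, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
INSTALLER_PATHS = {"/wp-admin/install.php", "/wp-admin/install-helper.php"}


def parse_line(line):
    """Parse one combined-format record into a dict; None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def installer_hits(lines):
    """Every request for an installer script, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in INSTALLER_PATHS:
            hits.append(rec)
    return hits


def hits_near(lines, when, window_seconds=600):
    """Installer hits within window_seconds of a known time."""
    window = timedelta(seconds=window_seconds)
    return [h for h in installer_hits(lines) if abs(h["time"] - when) <= window]


def hits_by_source(lines):
    """Installer requests counted per client address."""
    return Counter(h["ip"] for h in installer_hits(lines))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for h in hits_near(lines, ENTRY_TIME, window_seconds=60):
        print(h["time"].isoformat(), h["ip"], h["method"], h["path"], h["status"])
    print(dict(hits_by_source(lines)))
```

    A POST to install.php with a 200 response, from the same address that fetched it seconds earlier and within a minute of the intruder's post, is the kind of line worth sending to the dev team along with the rest of the log.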

  7. vkaryl
    Member
    Posted 9 years ago #

    I don't remember reading that anywhere. Needless to say, I just deleted all of mine - Fantastico installs as well. I also took out the install-helper.php file just to be safe.

    I'm sorry this has happened to you again, Root. Some people cannot see a fine thing without the need to desecrate it.

  8. ifelse
    Member
    Posted 9 years ago #

    A word of caution guys. When I clicked on a post on Root's blog, I received the "click install.php to begin" message the first time around.

    As a safety check, I'd remove install.php from your wp-admin directory. They have no function outside of the install procedure anyways.

  9. Jinsan
    Member
    Posted 9 years ago #

    may be something for 1.6 installer?

    step x - delete the install.php and install-helper.php files or click here to let wp delete them for you

  10. ifelse
    Member
    Posted 9 years ago #

    "Some people cannot see a fine thing without the need to desecrate it."
    This is off-topic and neither here nor there, but the guy left a post where he sounded apologetic, saying that it was curiosity rather than malicious intent. From my experiences (seeing the error message) and the language, I'm inclined to believe him/her.

    If anything, this probably makes it worse. If a blog can be junked this easily, then I'd be more worried, not less.

  11. Root
    Member
    Posted 9 years ago #

    Fantastico omits that step x. And I can't see it in readme.html

  12. ifelse
    Member
    Posted 9 years ago #

    Normally, it doesn't make a difference. Running install.php again should have no effect as it detects if an installation is already there. However, in certain situations, something goes wrong.

    An off-the-cuff hypothesis: WP temporarily is unable to connect to MySQL and hence this check fails. It assumes that it's a fresh installation. Hence, it goes on to recreate the tables, junking the whole db.

  13. Root
    Member
    Posted 9 years ago #

    The guy now says that as I was just about to install WP but before I ran install that he did it instead. But that does not make sense because it was already installed.

  14. Jinsan
    Member
    Posted 9 years ago #

    ifelse, those were my first thoughts. At the same time, did he have to experiment with someone else's site? Malicious or not, he did a bad thing, but it's also served as an eye-opener, if his comments are true. The question should be why it isn't deleted after an installation is made; take away the onus from the user. Remember, these guys are expecting the bugger to do 99% of the work for them.

    @root, step x was a suggestion; it doesn't actually exist, I'm afraid, and it isn't in the readme. It's an obvious thing for someone who's done a lot of these types of installs, but not for new users, and it sometimes slips the mind of those in the midst of doing 1001 things. Considered shopping this guy to the authorities?

    tried the install with an existing install:

    You appear to have already installed WordPress. To reinstall please clear your old database tables first.

    So if they can remotely clear the tables and then run the installer, that would work. But I wouldn't know how to do that, and I'm not sure if it is possible.

  15. Matt Mullenweg
    Troublemaker
    Posted 9 years ago #

    You do not need to delete install.php after installing; lines 80 and 81 check if WordPress has been installed already (more specifically, if there are any users in the users table) and if it has, it dies right away.

  16. neon
    Member
    Posted 9 years ago #

    Almost every other application, open or paid, requests that the install(.php) file(s) be removed after install/upgrade as the last step of the process. Just as WP, all of those applications detect if an install already exists and do not run the script again, in case someone stumbles on it, but it is still requested that it be removed, as in certain stray situations it can indeed cause a complete overwrite of the tables and run a fresh install. If the other scripts, the message boards, guestbooks, blogware, etc. all deem this an important enough step, I was personally very surprised to see those steps absent from WP install instructions. By habit, I delete all install files from any of the applications I install after I install them. WP was no exception.

    It's just one line of instructions. I think it definitely should be added.

    It does not matter how sunny a month it is. Leave a lightning bolt in the middle of a grass field, and lightning will eventually strike it. More than once.

    Root, terribly sorry about your repeated misfortunes. :(

  17. ifelse
    Member
    Posted 9 years ago #

    Unfortunately Matt, I saw the same situation as described by the "hacker" on Root's site. Navigating to Root's blog (on one occasion only) brought up the "Are you ready to install" message.

    Now, here's what could have happened. MySQL could have incorrectly reported the results for select count(*) from wp_users (corruption in datastream, db server flakiness, incorrect retrieval of values from config file for table prefix, whatever).
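    The failure mode ifelse hypothesises here and in post 12, set against the check Matt describes in post 15, as an added illustration that is not WordPress's own install.php and not part of the original thread: a guard that reads "the users table has rows" as "already installed" behaves very differently depending on what it does when that query cannot be answered. SQLite stands in for MySQL, the wp_ prefix and the table layout are assumptions, a FlakyConnection wrapper simulates one failed query, and the installer's DROP is a stand-in for whatever re-initialisation a reinstall would do; real install.php, per Matt, has no delete in it.

```python
import sqlite3


class InstallCheckError(RuntimeError):
    """The installed-state check could not be answered reliably."""


class FlakyConnection:
    """Wraps a real connection; the first `failures` execute() calls raise
    OperationalError, simulating a transient outage or lock (constructed)."""

    def __init__(self, conn, failures=1):
        self._conn = conn
        self._failures = failures

    def execute(self, sql, params=()):
        if self._failures > 0:
            self._failures -= 1
            raise sqlite3.OperationalError("Lost connection to database server")
        return self._conn.execute(sql, params)

    def executescript(self, sql):
        return self._conn.executescript(sql)


def users_table_exists(conn, prefix):
    # sqlite_master is SQLite's catalog; on MySQL this would be information_schema.tables.
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (f"{prefix}users",),
    ).fetchone()
    return row is not None


def count_users(conn, prefix):
    # prefix comes from the site configuration, never from request input.
    return conn.execute(f"SELECT COUNT(*) FROM {prefix}users").fetchone()[0]


def is_installed_fail_open(conn, prefix="wp_"):
    """Naive guard: any database error is read as 'no users yet'."""
    try:
        return count_users(conn, prefix) > 0
    except sqlite3.Error:
        return False


def is_installed_fail_closed(conn, prefix="wp_"):
    """Hardened guard: a missing users table means fresh; any other error aborts."""
    try:
        if not users_table_exists(conn, prefix):
            return False
        return count_users(conn, prefix) > 0
    except sqlite3.Error as e:
        raise InstallCheckError(f"cannot verify install state: {e}") from e


def run_installer(conn, guard, prefix="wp_"):
    """Simulated installer: (re)creates the users table and seeds an admin."""
    if guard(conn, prefix):
        return "already installed"
    conn.executescript(
        f"DROP TABLE IF EXISTS {prefix}users;"
        f"CREATE TABLE {prefix}users (id INTEGER PRIMARY KEY, login TEXT);"
        f"INSERT INTO {prefix}users (login) VALUES ('admin');"
    )
    return "fresh install"


def make_blog(logins=("root", "editor", "guest")):
    """An in-memory 'existing blog' with a populated users table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (id INTEGER PRIMARY KEY, login TEXT)")
    conn.executemany("INSERT INTO wp_users (login) VALUES (?)", [(l,) for l in logins])
    return conn


def scenario(guard, failures=1, existing=True):
    """Run the installer against an existing (or empty) blog through a connection
    whose first `failures` queries fail; return (outcome, surviving logins)."""
    real = make_blog() if existing else sqlite3.connect(":memory:")
    try:
        outcome = run_installer(FlakyConnection(real, failures), guard)
    except InstallCheckError as e:
        outcome = f"aborted: {e}"
    logins = [r[0] for r in real.execute("SELECT login FROM wp_users ORDER BY id")]
    return outcome, logins


if __name__ == "__main__":
    for name, guard in (("fail-open", is_installed_fail_open),
                        ("fail-closed", is_installed_fail_closed)):
        print(name, "healthy db:", scenario(guard, failures=0))
        print(name, "one failed query:", scenario(guard, failures=1))
        print(name, "fresh db:", scenario(guard, failures=0, existing=False))
```

    With a healthy database both guards refuse to reinstall, and on a genuinely empty database both allow it. The difference shows on the single failed query: the fail-open guard concludes "not installed" and the simulated installer replaces the users table, while the fail-closed guard aborts and the existing users survive. Deleting install.php after setup, as several posters do by habit, removes the question entirely.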

  18. ifelse
    Member
    Posted 9 years ago #

    Hmmm... going to root's blog, I just saw the install message again. Clicked refresh and it's gone i.e. usual blog entries.

  19. Matt Mullenweg
    Troublemaker
    Posted 9 years ago #

    Something could have happened to Root's database that caused install.php to think there was no blog, but there is nothing in install.php that could have deleted anything. It sounds like there is a problem with his host or something strange. We should wait until he can send full logs and messages to the dev team to see if there's anything amiss here. It could also be operator error.

  20. ifelse
    Member
    Posted 9 years ago #

    Matt, I agree completely. Apologies for the wild suppositions.

  21. Jinsan
    Member
    Posted 9 years ago #

    If the db was trashed, and it's started from scratch it shouldn't still carry any need for a fresh install?

  22. chuckblue
    Member
    Posted 9 years ago #

    hmm. my webhost recently redid some php commands, like chr, on the server side, to block attacks.

    one domain owner had reported a problem of someone breaking into his blog, and the web host took down the php server side and fixed chr and a number of others.

    sorry, I don't have a list handy.

  23. Matt Mullenweg
    Troublemaker
    Posted 9 years ago #

    The chr vulnerability was related to phpBB. I'm going to close this thread since it's just all speculation at this point. If Root (or anyone) thinks they've found a security vulnerability with WordPress please send a message to security@wordpress.org and we'll examine it carefully and if necessary respond appropriately with a new release, patch, or announcement.

    Root, if you have more information and want me to re-open the thread, drop me a note.

Topic Closed