WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] WordPress 3.0.1 hack or exploit? (6 posts)

  1. mosco
    Member
    Posted 3 years ago #

    I am running several wordpress blogs, all running 3.0.1
    They are all getting hacked, the exploit is inserting a <scrip src="... pointing to a malware host at the bottom of all the posts in each blog.

    So it looks like an sql injection hack (it would be impossible just by using a hacked wp-admin account, some of these blogs have 10,000+ posts and the hack shows up all at once on all of them.

    The entire wp-admin is secured (not accessible from the outside), so the hack is not going through there, and it is also not coming through ftp. None of the core wordpress files look compromised (no base64 code anywhere), and the hack still happened after replacing all the wordpress core files with a freshly re-downloaded 3.0.1 version (and checking that no additional files where left over.)

    There is only one blog that is not being hacked, and that one does not allow comments. All the others do.

    So I am wondering if there is a zero-day exploit out there on the comments system in wordpress 3.0.1

    It could also be due to a plugin, we're looking into that, but we've ruled out most of the plugins since there are only a couple of them that are common to all the hacked installations.

    Anyone else seeing something like this?

  2. mrmist
    Forum Janitor
    Posted 3 years ago #

    What's it hosted on? The platform could be vunerable.

  3. mosco
    Member
    Posted 3 years ago #

    IIS 7 fully patched, with latest php version and fastcgi, there is no command line shell available and no remote users can login.

    There are a lot other php and non-php apps on there, non are hacked, this looks very specifically like a wordpress hack, it's only inserting the code inside wordpress posts

    the only other way I would see someone doing this is using phpmyadmin, but there is no phpmyadmin installed that's accessible to outside users.

    If the host itself was compromised I would expect to see that same code inserted into other mysql table to make it show up on other parts of the hacked sites. That is not happening.

  4. eotob
    Member
    Posted 3 years ago #

    Mosco, can you confirm that you have no other sites that have comments and WERE hacked?

  5. mosco
    Member
    Posted 3 years ago #

    Yes, but that's the only one other site.
    All the hacked sites have the Akismet plugin + commeting on, the one that didn't get hacked doesn't allow comments anywhere and doesn't have Akismet enabled.

  6. mosco
    Member
    Posted 3 years ago #

    No more hacks since we upgraded to 3.0.2, we were getting hit twice a day before that.

    If that holds then I think 3.0.1 has an sql injection vulnerability that was fixed in 3.0.2 (something more serious than the xss vulnerability that was announced fixed in 3.0.2)

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.