
WordPress 3.2.1 new zero day exploit? (5 posts)

  1. Ov3rfly
    Member
    Posted 2 years ago #

    A few days ago, hundreds of websites, based on WordPress 3.2.1, were compromised. The attacker uploaded an HTML page to the standard Uploads folder and that page redirects the user to the Phoenix Exploit Kit.

    Source: labs.m86security.com/2012/01/massive-compromise-of-wordpress-based-sites..

    Any info on how the HTML got uploaded in these 3.2.1 sites?

    See also: Hackers infect WordPress 3.2.1 blogs to distribute TDSS rootkit

  2. Not sure, but here's how to clean up the site and make sure you upgrade to the latest version.

    http://codex.wordpress.org/FAQ_My_site_was_hacked

  3. Ov3rfly
    Member
    Posted 2 years ago #

    Thanks, my own sites are not affected.

    But as there are many 3.2.1 installs out there which cannot "just upgrade" due to (still) incompatible plugins or other reasons, any info on this new(?) exploit would be very helpful.

  4. Ov3rfly
    Member
    Posted 2 years ago #

    Some more info:

    This was what happened a few days ago, when a lot of WordPress-based websites running the obsolete 3.2.1 version and two exploitable plug-ins (Spam Free and UPM Polls) were hacked using SQL injection and malicious files with random names (osgik.htm, agoku.htm, kaxyv.htm and so on), uploaded to the wp-content/uploads WordPress folder.

    Source: cleanbytes.net/compromised-wordpress-based-websites-leading..

    This past weekend one compromised Web site in particular caught my attention. Based on my analysis, the site was compromised because it was running an old version of WordPress (3.2.1) that is vulnerable to publicly available exploits [1] [2].

    Source: http://community.websense.com/blogs/securitylabs/archive/2012/01/30/..

    So the plugins Spam Free and UPM-Polls seem to be the problem here, not 3.2.1 alone:

    WP-SpamFree WordPress Spam Plugin SQL Injection Vulnerability
    WordPress UPM-POLLS Plugin 1.0.4 Blind SQL Injection

  5. MickeyRoush
    Member
    Posted 2 years ago #

    So is the solution just to remove those plugins until they're updated?

    Otherwise you could come up with a .htaccess RewriteRule to prevent any HTML files from being served out of the uploads directory in the meantime.
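The two practical follow-ups in this thread are (a) checking whether a site already has the randomly named .htm files reported in post 4 sitting in wp-content/uploads, and (b) the .htaccess hardening suggested in post 5. The script below is an added example written for this thread, not code from WordPress or from any of the posters. It assumes a POSIX shell with `find`, an Apache host where `AllowOverride` permits per-directory `.htaccess` files, and an uploads path passed as the first argument; the sample file tree it builds is constructed for the demo. Note that a `.htaccess` rule cannot stop the upload itself (that happens through the vulnerable plugin's SQL injection, which still has to be removed or patched); what it does is make a dropped .htm or .php file return 403 instead of redirecting visitors.

```shell
#!/bin/sh
# Added example (not from the thread): triage and harden a WordPress uploads
# directory after the kind of compromise described above.
# Assumptions: POSIX sh + find; uploads tree path is given as $1.

# List files under the uploads tree whose extension should never appear there:
# server-side scripts and HTML pages. The thread reports randomly named .htm
# files (osgik.htm, agoku.htm, ...) being dropped into wp-content/uploads.
find_suspect_uploads() {
    uploads_dir="$1"
    find "$uploads_dir" -type f \( \
        -iname '*.htm' -o -iname '*.html' -o \
        -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \
    \)
}

# Write an .htaccess that stops Apache from serving scripts or HTML pages out
# of the uploads tree. Images and documents keep working; a dropped redirector
# page answers 403. Uses the IfModule idiom that works on Apache 2.2 and 2.4.
# Requires AllowOverride to permit Limit/AuthConfig for this directory.
write_uploads_htaccess() {
    uploads_dir="$1"
    cat > "$uploads_dir/.htaccess" <<'EOF'
# Deny direct requests for server-side scripts and HTML pages in uploads.
<FilesMatch "\.(php|phtml|php[0-9]|htm|html)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# Demo on a constructed sample tree (a temporary directory, not a real site).
demo_dir="$(mktemp -d)"
mkdir -p "$demo_dir/2012/01"
: > "$demo_dir/2012/01/photo.jpg"   # legitimate media upload
: > "$demo_dir/2012/01/osgik.htm"   # name pattern reported in the thread
: > "$demo_dir/2012/01/notes.php"   # constructed example of a dropped script
echo "Suspect files under $demo_dir:"
find_suspect_uploads "$demo_dir"    # lists osgik.htm and notes.php, not photo.jpg
write_uploads_htaccess "$demo_dir"
echo "Wrote $demo_dir/.htaccess"
rm -rf "$demo_dir"
```

Run it against a real install as `find_suspect_uploads /var/www/html/wp-content/uploads` (path is an assumption; use the site's own) and review every hit before deleting, since some themes legitimately store HTML snippets. Keep the `.htaccess` in place even after the plugins are removed: a hardened uploads directory is cheap insurance against the next upload-path bug.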
