Major WordPress vulnerability: comment Spam, changed files & settings

ffwebdesigner
(@ffwebdesigner)

15 years ago
I’m pretty sure there’s a major security vulnerability even in the most recent version of wordpress 3.1.2.

I experienced hacker link spam and modification of wp-settings and files on a wordpress blog. Symptoms are as follows:
- Changed footer.php with some links to i guess turkish penis enlargement sites. well hidden with base64 and gzipinflate.
- comment moderation deactivated
- automatic spam comments like e.g.
  […]Craps are one of the leading free online craps guide will explaining the very basics things of games in simple strategies[…]… through trackbacks and comments every minute
- even though comments are closed for all articles and trackbacks / pingbacks are deactivated
- did a clean reinstall of wp 3.1.2 without any plugins after having changed mysql pw and admin pw through phpmyadmin plus wp-config keys
This means: the wp installation is absolute clean and safe. Still we get the spam comments.

Let’s fix this together fast and heal WordPress! Who got the same symptoms?

Cheers,
ff-webdesigner.de

Viewing 10 replies - 1 through 10 (of 10 total)

esmi
(@esmi)

15 years ago

The hacks could be coming from anywhere on the server rather than through WordPress. Have you reviewed:
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/

Thread Starter ffwebdesigner
(@ffwebdesigner)

15 years ago

Thanks esmi, i knew link one, did all that. I’m over link 2 now…but should be fine…it’s a clean reinstall with changed pws. That’s what I’m worried about.

esmi
(@esmi)

15 years ago

Check your images. As Otto points out in that second link, hackers can disguise backdoor scripts as images simply by throwing in a .jpg extension etc. Even came across what looked very like a hack yesterday that might have used a Thumbs.db file.

Thread Starter ffwebdesigner
(@ffwebdesigner)

15 years ago

Okay, whole upload dir deleted. Still: to bring a malicious hidden php code in e.g. .jpg extension would mean there has to be code added to wp core files, right? It’s a clean install with changed keys, mysql, wp admin and even ftp wps. Also checked mysql wp_users: just admin. Searched for suspicious code in mysql. No edoced. What happened? New spam 5 minutes ago…Grrrrrrr!

esmi
(@esmi)

15 years ago

Is this spam within the code (ie a hack)? Or are these spam comments?

Thread Starter ffwebdesigner
(@ffwebdesigner)

15 years ago

Mostly spam comments. But the also changed footer.php and some admin settings (no admin review of comments eg).

Matt McInvale
(@mcinvale)

15 years ago

The attackers may have your FTP credentials. Check your system for malware.

esmi
(@esmi)

15 years ago

Try using some anti-spam plugins such as Akismet and Bad Behaviour. Other than that, there are no security issues with 3.1.2 that I am aware of, so the prime suspect still remains your server itself.

Thread Starter ffwebdesigner
(@ffwebdesigner)

15 years ago

See above: we changed the ftp, mysql und wpadmin pws…twice before and after clean reinstall. and we’ve been using si captcha, which did a good job so far on 20 of my blogs for years. System is definitely clean.

Thread Starter ffwebdesigner
(@ffwebdesigner)

14 years, 11 months ago

Problem is still the same. About 50 Pingback Spams a day, though activated captcha and disabled pingbacks for every single post and generally in discussion options.

Viewing 10 replies - 1 through 10 (of 10 total)

The topic ‘Major WordPress vulnerability: comment Spam, changed files & settings’ is closed to new replies.

Major WordPress vulnerability: comment Spam, changed files & settings

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics