2.5.1: Looks like there is still a hole

  • Resolved rawalex

    (@rawalex)


    Please go to Yahoo and search for link:http://kvantservice.com/

    If your site is in that list, you have been hit. Check your newest post for a hidden link (you will have to edit in HTML, because it doesn’t show in the visual editor). It’s only a hidden link off to this guy’s site, but also if you use the MORE or paging tags, your post may be cut off (his bot isn’t very smart).

    Still looking for information, but it appears to have hit me 14 days after 2.5.1 was installed.

Viewing 15 replies - 1 through 15 (of 64 total)
  • Confirmed – link added to a post on a 2.5.1 site via some sort of XMLRPC post system.

    What plugins and what kind of hosting are you using?

    Hosting is full server on VERY secure setup. Minimal plugins (Akismet, Google Sitemaps, both up to date). The post was modified by a direct XML-RPC update, which occurred weeks after 2.5.1 was installed. Most important was that I was able to find the cached page in Google WITHOUT the hidden text, and then see it on my system as hidden text, and the cache date was long past my 2.5.1 install date.

    My host also located the injection “post” command via XMLRPC. The original post was read (up to the MORE tag) and re-submitted back to the site with an additional amount of code in it:

    <span style="overflow: hidden; position: absolute; height: 0pt; width: 0pt;"><a href="http://kvantservice.com/">компютри втора употреба</a></span>

    Well done, because as a bonus, it doesn’t show in the html editor.

    Is xmlrpc.php absolutely necessary for core WordPress functions?

    whooami

    (@whooami)

    Member

    Is xmlrpc.php absolutely necessary for core WordPress functions?

    no, and rawalex is one of those rinse and repeat “I’ve been hacked” posters..

    You can strip all of the remote posting functionality out of xmlrpc.php completely. What you are left with is a very small file that only takes care of pingbacks. I’ve done that, it works out quite well.

    Sure, Rawalex posts about his site being hacked a lot… Because it keeps happening!

    He isn’t the only one. Do a Google search and you can see that WordPress has been and still is getting hacked no matter what version we use.

    Every time you post a new version, people still hack me. It seems to be through the xmlrpc commands which you don’t “own” but it keeps happening just the same.

    whooami

    (@whooami)

    Member

    Lots of people DON’T get their sites hacked, vrocks.

    I’ve NEVER been hacked, otto has never been hacked, joni has never been hacked.. on and on.

    what’s the difference?

    I have never been hacked either, but I definitely want to see to it that it stays that way. Therefore I’m interested in threads like these. They may point to things that I might have to look at. So I’m interested in hearing what was the point of entry here. With 2.5.1 probably (hopefully) not WP, however the XMLRPC suggests as much.

    whooami

    (@whooami)

    Member

    well I think it speaks to something else that the same people have issues over and over again, irrespective of any potential WP flaw.

    and by the way,

    Every time you post a new version, people still hack me.

    I’m not a WP developer, I don’t post anything for WP, except my plugins, all of which are secure.

    Sure, but I can’t help thinking when reading:

    My host also located the injection “post” command via XMLRPC

    “Wasn’t that an exploit in older versions?”

    And the claim:

    and the cache date was long past my 2.5.1 install date

    I’m not trembling with fear yet, but curious nonetheless, so if the posters can give some more info.

    whooami

    (@whooami)

    Member

    and the cache date was long past my 2.5.1 install date

    there are tons of sites that pop up exploited post upgrade — I’ve fixed 2 of them in the last 2 weeks. That doesn’t say anything, especially coming from people that admit to previous problems.

    I am NOT saying that the potential for an issue isn’t there; I am simply saying that 1+2!=4

    I applaud your curiosity, and your willingness to keep an open mind. Those two things are a great start to remaining among the list of those that haven’t been hacked 🙂

    He isn’t the only one. Do a Google search and you can see that WordPress has been and still is getting hacked no matter what version we use.

    They must have cleaned up their act in the last hour. I did a Yahoo! and a Google search for http://kvantservice.com/ as the OP instructed and I came up with nothing but stuff from that web site. So the point of searching for that was??

    I find 11.031 “inlinks” not nothing.

    I clicked on a random sampling of sites from the link you posted and there was only one 2.5.1 site on there. So while it’s always unfortunate that someone is hacked, I’m still not convinced that it isn’t because people simply aren’t upgrading when they should and that they aren’t carrying forward the bad code in the upgrade. There are waaaay too many 2.3.x and 2.5 (as opposed to 2.5.1) sites there.

    And by suggesting that 2.5.1 too is vulnerable, and that even folks who upgraded to 2.5.1 are being hacked is clouding the real issue, which has always been: If you aren’t running the very latest secure version of WP, then you are likely to be hacked. Lulling folks into thinking that they’ll be hacked even if they upgrade is sending them down a wrong path, IMHO.

    I saw three 2.5.1, but by no means do I want to suggest that there’s a vulnerability. I too noticed the 2.5’s, but indeed 2.2 and a few 2.3. I did notice that most infected posts are of early June and one site is completely stuffed with spam. All sites ARE WP btw.

    In any case, it would be nice if the original posters provided some more information so that we can get an idea when (and how would be nice) they got injected.

    Btw. Did you notice it is only ONE link to kvantservice.com on every hacked website? It seems to be quite a ‘subtle’ hack, but I’m sure it makes traffic.

  • The topic ‘2.5.1: Looks like there is still a hole’ is closed to new replies.
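
Added example, not part of the original thread or of WordPress: a Python check that finds links hidden the way the injected span quoted above hides them (zero height or width with overflow: hidden), run over a post's raw HTML. It goes slightly beyond the thread by also flagging display: none and visibility: hidden; the function names and the sample post are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "input", "meta", "link"}   # tags with no end tag
ZERO = re.compile(r"^0(\.0+)?(px|pt|em|rem|%)?$")      # 0, 0pt, 0px, ...

# Constructed sample post; the span is the injected markup quoted in the thread.
SAMPLE_POST = (
    '<p>Intro with a <a href="http://example.org/">normal link</a>.</p>\n'
    '<span style="overflow: hidden; position: absolute; height: 0pt; width: 0pt;">'
    '<a href="http://kvantservice.com/">компютри втора употреба</a></span>\n'
    '<!--more-->'
)

def hides_content(style):
    """True when an inline style attribute keeps the element's content out of view."""
    decls = {}
    for part in (style or "").split(";"):
        if ":" in part:
            prop, value = part.split(":", 1)
            decls[prop.strip().lower()] = value.strip().lower()
    if decls.get("display") == "none" or decls.get("visibility") == "hidden":
        return True
    collapsed = any(ZERO.match(decls.get(p, "")) for p in ("height", "width"))
    return collapsed and decls.get("overflow") == "hidden"

class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []   # per open element: is it, or any ancestor, hidden?
        self.found = []   # hrefs of links that a browser would not display

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(self.stack and self.stack[-1]) or hides_content(attrs.get("style"))
        if tag == "a" and hidden and attrs.get("href"):
            self.found.append(attrs["href"])
        if tag not in VOID:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        # Heuristic: assumes reasonably balanced markup in the post body.
        if tag not in VOID and self.stack:
            self.stack.pop()

def hidden_links(post_html):
    """Return the href of every link in post_html that is styled to be invisible."""
    finder = HiddenLinkFinder()
    finder.feed(post_html)
    return finder.found
```

Feeding each post's stored HTML to `hidden_links()` lists the link targets that never appear in the visual editor; an empty list means no inline-style hidden links were found in that post.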