You can add me to the list of 2.5.1 sites that suffered this hack. The injection occurred on or after June 3 and was exactly as described above.
This site had been upgraded to 2.5.1 when it was released. An older version had been the subject of an injection, but I had cleaned all instances from the database and deleted the old wp-admin and wp-includes prior to updating to 2.5.1.
I have a couple of dozen WP sites, most that had not experienced a previous injection, that I am checking now.
Yup. Running 2.5.1, the latest post was edited to add the hidden link at 3:04am this morning.
It looks like it came via xmlrpc.php from a Bulgarian source IP address. Pretty clearly it’s Yet Another hole. There are no other hits from that IP address in the logs, so it’s likely a blind compromise.
78.90.14.123 – – [12/Jun/2008:03:04:22 -0700] “POST /xmlrpc.php HTTP/1.1” 200 3271 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8”
78.90.14.123 – – [12/Jun/2008:03:04:24 -0700] “POST /xmlrpc.php HTTP/1.1” 200 163 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8”
@lluad,
well, if you have my $_POST logger plugin installed you would know what was sent. I just checked 5 sites, and found one that had 3 attempts at base64 sent to xmlrpc.php. Im in the process of decoding it to see if its something new, or something old.
@whooami
You can strip all of the remote posting functionality out of xmlrpc.php completely. What you are left with is a very small file that only takes care of pingbacks. Ive done that, it works out quite well.
Do you have a link to a description of how to do this? Would be much appreciated…
I blogged on how I did it, but I wasnt real specific, so no, I would need to write something like that up.
The other thing, for those that dont want to use a plugin like $_POSTlogger.. WP is already set up for you to log all xmlrpc requests — its been available for quite some time. Theres a simple 0/1 switch inside the file. (I assume also that you might have to create the xmlrpc log file.)
whooami, you can keep the personal stuff for fighting with your friends and family. It is clear here that I am not alone, and maybe I am just a little in the front of something, rather than on the butt end. In each case that I have reported an issue, the issue has turned out to be confirmed. You may not like me (or the type of blogs I run) but you can keep the dramas for you llama, okay? (and when you total blog posts on file exceed 50k, let me know). As for any claim of “never been hacked”, I wonder how long you have run a standard unmodified wordpress install for, without additional plugins?
Now…
whooami: Adding ANOTHER plugin shouldn’t be the answer. Removing significant functionality (which I use) in order to create security defeats the purpose. I could close all my blogs, that would be really secure. That XMLRPC has been hacked over and over and over again, and once again, I am seeing a hole. I reported it, and guess what? Other people are having the same issue.
jonimueller: That list shows an incredible number of indexed pages, and when you look at the main site itself, it has tens of thousands of inlinks, many of them from blog style sites.
lluad: You are correct, this is the same basic source I am seeing, and it occurs on posts post 2.5.1 install. Most importantly for me, outside of a couple of very standard plugins, I don’t tend to put a ton of extra plusings and stuff on my blogs. Some people may suggest that plugins are the answer, but to me they are bandaids over a gaping wound.
Anyone else have any ideas?
@rawalex — you cant read? nothing Ive stated in this thread was personal in nature. Nice try though. be sure to turn on the xmlrpc logging feature I describe — youre welcome.
And if you notice, my response above, regarding removing functionality wasnt directed at you. In fact, nothing I have said has been directed at you, aside from pointing out the obvious (in passing, I might add)
Moving on …
Chill out people, whooami is trying to help you – gee wiz!
@rawalex –
What we believe is happening in most cases of a 2.5.1 install having issues is that prior to the upgrade the blog was compromised. Once compromised, if the attacker was able to collect user passwords, they’ll still be able to inject content into your 2.5.1 blog. Once they have your username & password it doesn’t matter what version of WP you are using.
This would line up with what you described. If they acquired your username and password before your upgrade to 2.5.1 then they would be able to send a perfectly legit XML-RPC request to add and edit content.
So for folks who indicated that they were compromised, upgraded to 2.5.1 and cleaned up their content, they need to add another step: change your passwords.
If you do have details on what you believe to be a new issue please send that data to security@wordpress.org. Then it can be looked at, hopefully reproduced and then fixed.
jospehscott, these are blogs that have only a single posting user (ME), and have not otherwise been compromised (ie, not extra code on pages, no scripts, no junk, no unsecure databases, no hacked or otherwise trafficed themes, etc). This happened on blog(s) that were perfectly clean without issue, and on a host that is beyond reproach (and this is why it is very easy to spot hacks, because the hosting company and myself are looking for it, not assuming it never happens).
I do not have logs beyond the fact that a post command was issues to xml-rpc from a remote site. The actions look similar to the trackback / comment spammers, but rather edits the highest post on the page inserting a hidden link into that post (and screwing the post up, in one case a post that had a “more” tag in it was chopped off at the more) which means they are getting the post by reading the blog page, not by editing, which would indicate that they don’t have password access.
If I get more information, I will forward it to the security address.
[Last 4 posts in this thread removed due to being off topic, personal attacks and my resultant loss of critical brain cells. I can’t afford many more of those losses…]
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
Rawalex,
This may have been lost in this looong thread, but at anytime before or since you upgraded to 2.5.1 did you change your one password for your one account?
I’m not saying you should or must, just a request to see of you had and if you had when.
The reason I’m asking is simple. As josephscott indicated, your blogs could have been compromised in the past, just not acted on until later.
Without any logs or real data on how that junk was inserted into your posts, then that’s just what we have to go on.
[@Handy, oh sure you can; brain cells are not really critical are they?]
I just installed my WP (2.5.1) a few days ago – brand new fresh install, not an upgrade, and I got this same hack sometime this afternoon.
Can we just delete the xmlrpc.php file completely?
Can we just delete the xmlrpc.php file completely?
yes, you can.
your incoming pingbacks will break.
you will not be able to use desktop blogging applications to post to your blog.
—
I got this same hack sometime this afternoon.
I submitted the post content of something malicious, seen on a site using my plugin, to the devs this afternoon. Whether or not it’s old news, I dont know. actually, I just located what I saw on donncha’s l;atest post on this, so what I saw is old news.
Hey everyone,
These ‘I’ve been hacked’ posts are getting out of control! Can we all weigh in on what can be done to prevent hacks? I’ve started a thread here.
I can only speak for myself but seeing so many posts about being hacked (even if it is a relatively small amount of WP users and even though most of the people being hacked haven’t updated) is getting a little unnerving!
I think that a reiteration about preventative measures would be great.
Know about any plug-ins that help?
Should I change my password often?
Is there anything I can do now to see if I have an ‘un-activated hack’ looming?
Obviously these questions are just meant to introduce the subject. So, please pop over and weight in with your links and tips…
See you there!
