Editing triggers popup asking for username and password - security breach? (83 posts)

  1. yokima
    Posted 7 years ago #


    I'm using a WordPress 2.7.1 version and I've been holding back from upgrading because of some pending issues with Unicode (for those of you familiar with WordPress's Unicode issue: this blog was started back in the days of WP Ver 1.6 or so, the MySQL charset and pagination issues are quite complex) and I came across the below problem yesterday:

    Whenever I open up an existing post and hit the "update post" button, a window pops up with the below details:

    Title: Authentication Required
    Text: The server (our server domain, e.g. DOMAIN.COM) at Magic requires a username and password.
    Entries: User Name: ____________________ Password: ____________
    Buttons: Log In, Cancel
    Screenshot: http://www.flickr.com/photos/yonghokim/3772683834/

    I attempted entering dummy ID and password and the pop up will go away for 0.5 sec and then come back again. I suspect this is some form of trojan so I didn't enter our real password.

    When I press cancel, I am sent to /blog/wp-admin/post.php with a blank screen with a "Access Denied" message (Screenshot: http://www.flickr.com/photos/yonghokim/3772683860/ )

    This popup is triggered when I hit the "update post" or "update page" button. The fact of whether contents of the textarea actually changed or not doesn't matter - clicking the "update page" triggers the popup. It doesn't happen when I post a new post. I haven't seen the popup in other areas of the backend or frontend.

    My symptom is similar to http://wordpress.org/support/topic/247792 except I can seemingly do all tasks - logging in, posting, etc - except editing.

    More information about this WordPress install:

    I use the below plugins:
    Akismet 2.2.6
    Attachment Manager 2.0.2
    Audio player 1.2.3
    Breadcrumb 0.5.1
    Breadcrumb Navigation XT 1.7
    CountPosts 2
    Disable Revisions and Autosave
    Flickr Photo Album 1.1
    One Click Plugin Updater 2.4.13
    Search Pages 2.3
    TanTanNoodles Simple Spam Filter 0.6.2
    WordPress.com Stats 1.5
    Wordpress Automatic Upgrade 1.2.5
    WordPress Database Backup 2.2.2

    I did a major cleanup of plugins that kept obstructing the admin area with their upgrade notices, even when they were inactive plugins. I deleted a bunch of folders that belonged with the plugins; one of them was the XDRS(sp?) OpenID service framework.

    I run this WordPress install on a VPS, and there are a couple of other domains running WordPress and MediaWiki hosted alongside it. One of the other WordPress installations was hacked in October 2008 (the hacker deleted a month's worth of postings and left a notice saying "This website was hacked by Daazle(sp?)"), but I changed the admin password and haven't noticed any strange behavior since then.

    I am hiding the URLs out of concern that this symptom may be the result of a scripted attack, and by giving out the affected website I may be signalling that the attack was successful, inviting further exploits on the server.

    Any thoughts on why this could be or how to fix? I'm considering upgrading to WP 2.8.2 to see if this will overwrite my install of any compromised PHP files.

  2. deadrich
    Posted 7 years ago #

    One of my editors is reporting this same problem today. I checked the site with Safari and Firefox, but was unable to reproduce the error. Would be interested if you figure out anything else on this issue.

  3. EMG
    Forum Volunteer
    Posted 7 years ago #

    Recently within this last month, my computer's (I run Windows) anti virus caught a backdoor Trojan that had -somehow- attached itself to my SSH program/client. Additionally, it caught a random contaminated program file (not yet executed) along with it.

    I got rid of the Trojan and the questionable/Trojan/spyware/malware .exe and changed all passwords related to any of my accounts on that SSH client, and sent my server host a message letting them know of the possible compromise.

    I have never experienced anything else after that that would look like an 'attack' on my WP installs or websites in general and no ad-ware or mal-ware infestations, either.

    My question to you all, therefore, is, perhaps something similar happened to you?

    A backdoor Trojan that got through your FTP/SSH/related client perhaps that is giving you these pop-ups that seem to be phishing for information?

  4. kmessinger
    Forum Moderator
    Posted 7 years ago #

    The server (our server domain, e.g. DOMAIN.COM) at Magic

    Does it show your domain? Do you have a server at "Magic"?

    Have you checked wp-login.php for additional code?

  5. yokima
    Posted 7 years ago #

    kmessinger: Yes, it shows our domain name. So if our domain was google.com, it would say "The server google.com at Magic". And no, we have no relationship with anything called Magic. Our host is RimuHosting.

    I skimmed over wp-login.php, which is a long file, and couldn't find anything alarming. I ran a diff of wp-login against http://svn.automattic.com/wordpress/branches/2.7/wp-login.php and it was exactly the same. Did you mean wp-config or wp-settings? Nothing in wp-config; as for wp-settings there's this stuff

    @ini_set('magic_quotes_sybase', 0);

    but it's just standard WordPress code as far as I'm concerned

    EMG: if the trojan had our root password, why would it phish for more? it could test out its password at the WordPress install and if it works there would be no need to reveal yourself.

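yokima's check above (a diff of one file against the matching tag in the WordPress SVN) can be done for the whole install at once. The following is an added example, not code from the thread or from WordPress: it hashes every file under a clean reference copy and under the live install and reports files that differ, files that exist only in the install (a common home for dropped backdoors), and files that are missing. The two trees it compares are constructed in a temporary directory; to use it for real, point `REFERENCE` at an unpacked release archive of your exact version and `INSTALL` at your document root, and expect wp-config.php, themes and uploads to show up as "extra".

```python
"""Compare a WordPress install against a clean reference tree (added example)."""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_trees(reference, install, ignore=("wp-config.php",)):
    """Classify install files as modified / extra / missing relative to reference.

    Paths in `ignore` are legitimately site-specific and never reported.
    """
    ref = hash_tree(reference)
    live = hash_tree(install)
    modified = sorted(p for p in ref
                      if p in live and ref[p] != live[p] and p not in ignore)
    extra = sorted(p for p in live if p not in ref and p not in ignore)
    missing = sorted(p for p in ref if p not in live)
    return {"modified": modified, "extra": extra, "missing": missing}


def _write(root, rel, text):
    """Helper for the constructed demo trees."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8", newline="\n") as fh:
        fh.write(text)


def demo():
    """Build a constructed reference/install pair and return the comparison."""
    clean_vars = "<?php\n/**\n * Creates common globals for the rest of WordPress\n */\n"
    clean_login = "<?php\n/** WordPress User Page */\n"
    with tempfile.TemporaryDirectory() as tmp:
        reference = os.path.join(tmp, "wordpress-2.7.1")   # clean release copy
        install = os.path.join(tmp, "htdocs")               # live site
        for root in (reference, install):
            _write(root, "wp-login.php", clean_login)
            _write(root, "wp-includes/vars.php", clean_vars)
        # Constructed tampering: a loader line prepended to vars.php and a
        # dropped PHP file under uploads, mirroring what the thread reports.
        _write(install, "wp-includes/vars.php",
               "<?php eval(gzinflate(base64_decode('Y29uc3RydWN0ZWQ=')));\n"
               + clean_vars[len("<?php\n"):])
        _write(install, "wp-content/uploads/2009/01/fonction.php",
               "<?php /* constructed dropped file */\n")
        _write(install, "wp-config.php", "<?php define('DB_NAME', 'example');\n")
        return compare_trees(reference, install)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hash comparison is stricter than a visual diff: a single prepended line changes the digest, so the injected vars.php and plugin files reported later in the thread would all be listed under "modified". It does nothing for content hidden in the database, which is why the later advice to search the DB as well still applies.
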
  6. alliedpost
    Posted 7 years ago #

    I'm having the same problem here. I just went to put up a new post and received a dialog box stating "authentication required" and it also says the site says Magic. All the usual usernames and passcodes will not get me in.

  7. stefarama
    Posted 7 years ago #

    I'm having the exact thing, too. I just ran a virus scan last night (through Kaspersky) and now this morning I'm getting this pop-up from Magic.
    I have no idea who Magic is, I contacted my host server and it's not them.
    It FEELS phishy, so I didn't enter any passwords. I didn't check it in Firefox, but the error message did come up in Google Chrome and IE.
    I'm also running 2.7 and have hesitated upgrading until they slow down with the updates.

  8. stefarama
    Posted 7 years ago #

    I just checked it in Firefox and I'm getting the pop-up.
    Anyone know what this is?

  9. mrmist
    Forum Janitor
    Posted 7 years ago #

    Potentially it's a hack that's been introduced through the XSS vulnerability present in versions before 2.8.2. I've not seen anyone say that this has been introduced on a 2.8.2 site yet.

    However, it is interesting that people are seeing this on sites where the core files have not been altered, so possibly it's a hack through a plugin.

    @yokima did you check all your WordPress core files?

    Obviously upgrading would replace all the core stuff, but it wouldn't fix any hacks that had been introduced elsewhere e.g. other malicious code or database-hidden stuff.

  10. kmessinger
    Forum Moderator
    Posted 7 years ago #

    There is a server partition software called Magic but I think all of your servers running this is unlikely.

    There is a Lucky virus but it does not do what you describe.

    Of course, you can do the normal chore and turn off all plugins, switch to default theme and see if the problem goes away.

  11. stefarama
    Posted 7 years ago #

    mrmist: to upgrade, we obviously need to back up... will that bring the infection with us?

  12. mrmist
    Forum Janitor
    Posted 7 years ago #

    If you back up a hacked blog it will back up any hacks that are in your database, yes.

    So if you were to restore to that backup later, you would need to clean it out of any malicious content.

  13. stefarama
    Posted 7 years ago #

    bummer. Not being a coder, how do I find this content to clean it out? My spyware scan last night obviously didn't find it.

  14. mrmist
    Forum Janitor
    Posted 7 years ago #

    Unfortunately the scattered nature of this is making it difficult to say exactly what it is and what to do about it. Uploading a fresh wordpress zip over your existing files might help.

  15. kmessinger
    Forum Moderator
    Posted 7 years ago #

    If you have your entire site on your local computer, also do a search for Magic.

    You can go to your db and do the same thing.

  16. mrmist
    Forum Janitor
    Posted 7 years ago #

    The other threads on this topic point towards the malicious file being in wp-includes, possibly in the js directory. If anyone finds anything odd please post here.

  17. alliedpost
    Posted 7 years ago #

    I have alerted my server's tech support and they were able to successfully post a test onto my blog. They suggested that I clear the cache of my browser. That did not solve the problem for me. I find it odd that they were able to post successfully to my blog but I am not. I am not knowledgeable about all this stuff. But does that give a clue to anyone with a deeper knowledge of the program?

  18. alliedpost
    Posted 7 years ago #

    New FYI - I was able to successfully post by copying the post I've been trying to publish into a "new post". Then when I hit publish it did just that without the "login" dialog box. I was not able to add tags, update in any way when I was in the "main edit" section for that post. However when I went to the list of posts, found my newly published post and went into "quick edit" mode I was able to make changes, add tags etc, and update successfully. I then went back to the main edit page for the new post, made a few changes and hit the "update post" button and got the "Login" dialog box again. So for me, it's a short term fix or work-around, however it looks like I cannot make changes in the body of the new post since "quick edit" only deals with the fringes of the post...

  19. streetdaddy
    Posted 7 years ago #

    I am also having this problem in v2.6.3, with the following plugins enabled:

    (PHP v5.16)

    AddThis Social Bookmarking Widget 1.5.3
    Akismet 2.2.1
    Avatars 6.5
    Category Posts Widget 1.3.3
    Contact Form 7
    Duplicate Post 0.5
    Email Alerts 1.01
    FAQ-Tastic 1.0.9
    FeedBurnerCount 0.1
    FeedBurner FeedSmith 2.3.1
    Get Recent Comments 2.0.2
    Google Analyticator 2.2
    Google XML Sitemaps
    Gravatars2 2.7.0
    Hide Dashboard 1.3
    NextGEN FlashViewer 1.1b
    NextGEN Gallery 0.99.1
    NextGEN Gallery Widget 1.22
    Notify Admin Only 1.0
    PHP Speedy WP 0.5.2
    Platinum SEO Pack 1.2.6
    Popular Posts
    Post-Plugin Library
    Profiler 1.2.8
    Recent Posts
    Similar Posts
    Smart Youtube 2.4.1
    Subscribe2 4.11
    Subscribe To Comments 2.1.2
    Tiny Spoiler 0.2
    User Photo 0.9.4
    Viper's Video Quicktags 6.1.7
    WP-PageNavi 2.31
    WP-Polls 2.31
    WP-Polls Widget 2.31
    WP lightbox 2 0.6.3
    WP Menu Manager

  20. whooami
    Posted 7 years ago #

    one of steph's sites is clearly hacked.

    anyone else got links to this wordpress blog in their source:

    http://www.cahp.girl-wonder.org/ (this place is obviously hacked as well)

    specifically links that go to pages like this:

    http://www.cahp.girl-wonder.org/wp-admin/ images/.svn/tmp/prop-base/franz-ferdinand.html

    url is broke on purpose

  21. Morfsx
    Posted 7 years ago #

    Just had this reported on one of our sites.

    There was spam link injection in the footer that came from a php file uploaded to wp-content/uploads/2009/01 called fonction.php and wp-links.php (These are base64 encoded, haven't looked at them yet)

    The blog is running 2.7.1

    Installed Plugins:

    Akismet 2.2.4
    All in One SEO Pack 1.5.7
    Category Replacement Widget 0.5
    Get-a-Post R1.4
    Homepage recent entry 1.0
    MailPress 1.9.1
    Secure and Accessible PHP Contact Form v.2.0WP B20080731
    Sticky Menu 1.41
    wp-Table 1.52
    WP Shopping Cart 3.6.8 RC1

  22. Morfsx
    Posted 7 years ago #

    Just found that ALL the main plugin files have code injected as the first line, again encoded.

  23. physlab
    Posted 7 years ago #

    I'm having the same problem. I just went to put up a new post and received a dialog box stating "authentication required" and it also says the site says "Magic". All the usual usernames and passcodes will not get me in.

    Are users who are running WordPress 2.8.2 having this problem?

  24. physlab
    Posted 7 years ago #

    "Just found that ALL the main plugins files have a code injected as the first line, again encoded."

    I looked at my plugins and all seem to have a long code inserted at the beginning. I uploaded a new copy of one plugin and found this code was not present. It would appear as if the Trojan is corrupting all plugins.

    I deactivated all my plugins and I still cannot get past the Authentication Required block to editing and posting new blog entries.

  25. danceadvantage
    Posted 7 years ago #

    I had the problem too. I know very little about all of this stuff but I changed my password, did a backup, and upgraded to 2.8.2 and I'm no longer getting the alert box. Hopefully this will be enough. If there is more news or other things I need to do, please post what you know! Thanks!

  26. physlab
    Posted 7 years ago #

    I also upgraded to 2.8.2 and that seems to have solved the problem. I will be uploading new plugins as all mine contained corrupted code in the first line. I would certainly check on the plugins before reactivating old ones.


  27. rchusid
    Posted 7 years ago #

    I was already using WordPress 2.8.2 when I encountered this. I clicked Upgrade (under tools) from the Dashboard, and then Re-Install Automatically. This fixed the problem for now but I fear whoever added the Trojan in the first place could do it again. Hopefully there will be a security fix for this soon. To be safe I also changed the passwords for the accounts with Administrative access.

  28. williscreative
    Posted 7 years ago #

    I’m having the same problem, which first appeared about 16 hours ago. See description and screenshot. So far, it’s appeared only on one of my WP sites, all hosted by Bluehost. I’m using WordPress version 2.6.1 with these plugins:

    creative commons license widget 0.5
    Sidebar Page (and other) Sections
    Twitter Tools
    Viper's Video Quicktags 5.4.4
    WordPress.com Stats 1.1.1

    I haven’t added or updated a plugin in several months. After I breathe into a paper bag, I’ll try the initial trouble-shooting steps discussed here. I look forward to further suggestions/solutions.

  29. tstalcup
    Posted 7 years ago #

    Encountered the "Magic" problem with a client using v2.5.1 this morning. We, at least temporarily, solved the problem by reverting the wp-includes directory to a backup copy.

    We did a diff on the two directories and found that the vars.php file contained the infected code.

  30. yokima
    Posted 7 years ago #

    tstalcup yes! that worked for me! Everyone: I obtained the 2.7 version vars.php from http://svn.automattic.com/wordpress/branches/2.7/wp-includes/vars.php - replace the 2.7 there with your version number and replace the file with the one in your wordpress installation. if you open the current vars.php, you will see there is a huge chunk of hashed text that starts with

    eval (gzinflate(base64_decode(^M

    The clean vars.php is supposed to start right off with

    * Creates common globals for the rest of WordPress

    But, just in case there's more code stuck in between, you may want to overwrite the file instead of manually removing it.

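Two symptoms in this thread point at the same technique: an encoded line prepended to every plugin file (posts 22 and 24) and the `eval (gzinflate(base64_decode(` loader that replaced the top of wp-includes/vars.php (post 30). The dialog wording the browsers showed ("The server X at Magic requires a username and password") is the standard HTTP Basic authentication prompt, and the word after "at" is the realm from the server's WWW-Authenticate header, so whatever the loader unpacks is sending a 401 with realm "Magic". The following is an added example, not code from the thread: it scans the head of a file for that loader pattern and, instead of running the payload, reverses the encoding (base64, then raw DEFLATE, which is what PHP's gzinflate() consumes) through as many nested layers as needed, so the decoded PHP can be read and grepped. The infected file it scans is constructed for the example and only mimics the observed behaviour; it is not the actual malware.

```python
"""Locate eval(gzinflate(base64_decode(...))) loaders and unpack them safely (added example)."""
import base64
import os
import re
import zlib

# Matches the loader as PHP source, allowing the wrapped/whitespace-padded
# base64 that injectors commonly emit.
LOADER = re.compile(
    rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]"
    rb"([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)"
)


def decode_gzinflate_b64(blob):
    """Reverse base64_decode() + gzinflate() without executing anything.

    gzinflate() reads a raw DEFLATE stream (no zlib/gzip header), which zlib
    decompresses with wbits=-15.
    """
    raw = base64.b64decode(re.sub(rb"\s", b"", blob))
    return zlib.decompress(raw, -15)


def unpack_layers(blob, max_depth=10):
    """Decode nested loaders until plain PHP remains; returns (depth, source)."""
    source = decode_gzinflate_b64(blob)
    depth = 1
    while depth < max_depth:
        m = LOADER.search(source)
        if not m:
            break
        source = decode_gzinflate_b64(m.group(1))
        depth += 1
    return depth, source


def scan_file_bytes(data, head=4096):
    """Return (depth, decoded_source) if the file starts with a loader, else None.

    Only the first `head` bytes are searched: every report in the thread puts
    the injected line at the very top, and a clean vars.php begins with the
    doc comment 'Creates common globals for the rest of WordPress'.
    """
    m = LOADER.search(data[:head])
    if not m:
        return None
    return unpack_layers(m.group(1))


def scan_tree(root, exts=(".php", ".js")):
    """Walk an install and return {path: (depth, decoded_source)} for hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    result = scan_file_bytes(fh.read())
                if result is not None:
                    hits[path] = result
    return hits


def make_loader(php_source, layers=1):
    """Build a constructed loader the way an injector would (demo input only)."""
    inner = php_source
    for _ in range(layers):
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE, like gzdeflate()
        raw = comp.compress(inner) + comp.flush()
        inner = b"eval(gzinflate(base64_decode('" + base64.b64encode(raw) + b"')));"
    return inner


def demo():
    """Scan one constructed infected vars.php and one clean one."""
    # Constructed stand-in for the payload: a 401 whose realm matches the
    # thread's dialog.  Not the real injected code.
    payload = (b"<?php header('HTTP/1.0 401 Unauthorized'); "
               b"header('WWW-Authenticate: Basic realm=\"Magic\"'); exit; ?>")
    tail = b"\n/**\n * Creates common globals for the rest of WordPress\n */\n"
    infected = b"<?php " + make_loader(payload, layers=2) + tail
    clean = b"<?php" + tail
    return scan_file_bytes(infected), scan_file_bytes(clean)


if __name__ == "__main__":
    hit, miss = demo()
    print("clean file:", miss)
    print("infected file: %d layer(s) ->" % hit[0], hit[1].decode())
```

Run `scan_tree('/path/to/htdocs')` against a copy of the site (including the backup you intend to upgrade from) and grep the decoded sources for `Magic`, `header(` and `WWW-Authenticate`; the same loader pattern is worth searching for in the `wp_options` and `wp_posts` tables, since a core re-install will not touch those.
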
Topic Closed

This topic has been closed to new replies.