Within 12 hours of installation, I captured a hacking attempt! The first entry with the suspect IP was:
file = ZWNobyAnYmxpYV9ibGlhX2pvb3AnOyBleGl0Ow==
The second was:
file = [an impossibly long string of characters]
There were two other attempts immediately following the one I looked at, with the same IP; I did not investigate, or even compare the character strings.
I will divulge the [impossibly long string of characters] to anybody who can prove they are a full member of the WordPress development team, but if I could capture it within 12 hours, I suspect that those who need to know about it are way ahead of me!
Putting the string through an on-line base64_decode() utility resulted in the unveiling of an "outer hack" and an "inner hack".
The "inner hack" simply sets the variable $fake to a base64 encoded version of what appears (to my untrained eye) to be an innocuous RSS feed. The "outer hack":
- defines some nasty-looking constants
- sets "$txt=get_option('rss_f541b3abd05e7962fcab37737f40fad8');"
- performs other operations
- incorporates (or replaces?) $txt with $fake
- calls "update_option('rss_f541b3abd05e7962fcab37737f40fad8',base64_decode($txt));"
- runs "$wpdb->query("UPDATE $wpdb->users SET
I have 14 of these funny 'rss_XXX' options in my wp_options table, but I do not have any 'user_login' = 'WordPress' in my wp_users table, so I'm not sure what's going on with that one.
Anyway ... I'm deleting all the "rss_XXX" entries from my 'wp_options' table, in accordance with this post. But I would like to be assured that
- filenames of such extreme length are rejected by an editor prior to doing anything
- I will be notified by the WordPress software of such attempts in future versions of the software
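Added example, not part of the post above: a small triage script that does offline what the poster did by hand with an online base64_decode() utility. It pulls the `file=` parameter out of access-log lines, decodes it layer by layer (the "outer hack", then any quoted base64 blob inside it such as the `$fake` "inner hack"), flags decoded text that looks like PHP rather than a filename, and lists any `rss_` + 32-hex-character option names it touches. The first sample line carries the exact probe string quoted in the post; the second carries a constructed stand-in shaped like the described outer/inner payload (the real long string is withheld by the poster, so it is not reproduced here). Client addresses, request paths, timestamps and the log format are all constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Tokens a decoded "file=" value should never contain if it really were a filename.
PHP_MARKERS = re.compile(
    r"\b(?:eval|exit|echo|system|base64_decode|get_option|update_option)\b"
    r"|\$\w+\s*=|\$wpdb"
)
# The wp_options key shape the injected code reads and writes (rss_ + 32 hex chars).
OPTION_NAME = re.compile(r"rss_[0-9a-f]{32}")
# A quoted base64 blob embedded in already-decoded code (the "inner hack").
EMBEDDED_B64 = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
FILE_PARAM = re.compile(r'[?&]file=([^ &"]+)')

# Constructed stand-in for the outer/inner payload: an RSS snippet base64-encoded
# into $fake, then the get_option/update_option calls quoted in the post.
INNER_FAKE = base64.b64encode(
    b"<rss version='2.0'><channel><title>feed</title></channel></rss>"
).decode()
OUTER = (
    "$fake='" + INNER_FAKE + "';"
    "$txt=get_option('rss_f541b3abd05e7962fcab37737f40fad8');"
    "update_option('rss_f541b3abd05e7962fcab37737f40fad8',base64_decode($txt));"
)

# Constructed access-log lines (hypothetical hosts, paths and timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2009:03:12:01 +0000] "GET /index.php'
    '?file=ZWNobyAnYmxpYV9ibGlhX2pvb3AnOyBleGl0Ow== HTTP/1.1" 200 12',
    '203.0.113.5 - - [10/Oct/2009:03:12:02 +0000] "GET /index.php?file='
    + base64.b64encode(OUTER.encode()).decode() + ' HTTP/1.1" 200 12',
    '192.0.2.9 - - [10/Oct/2009:03:15:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5000',
    '192.0.2.9 - - [10/Oct/2009:03:15:01 +0000] "GET /index.php?file=style.css HTTP/1.1" 200 90',
]


def safe_b64decode(value):
    """Strict base64 decode of one layer; None if the text is not well-formed base64."""
    value = value.strip()
    if not value or len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_layers(value, max_depth=3):
    """Decode base64 repeatedly: the outer layer, then any quoted blob found inside it."""
    layers = []
    current = value
    for _ in range(max_depth):
        raw = safe_b64decode(current)
        if raw is None:
            break
        text = raw.decode("utf-8", errors="replace")
        layers.append(text)
        inner = EMBEDDED_B64.search(text)
        if inner is None:
            break
        current = inner.group(1)
    return layers


def triage(log_line):
    """Verdict for one access-log line, or None if the request carries no file= parameter."""
    match = FILE_PARAM.search(log_line)
    if match is None:
        return None
    # unquote(), not unquote_plus(): a '+' in the query string is base64 data, not a space.
    value = unquote(match.group(1))
    layers = decode_layers(value)
    options = sorted({name for layer in layers for name in OPTION_NAME.findall(layer)})
    return {
        "client": log_line.split(" ", 1)[0],
        "param": value,
        "layers": layers,
        "options": options,
        "suspicious": any(PHP_MARKERS.search(layer) for layer in layers),
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        result = triage(line)
        if result is None:
            continue
        verdict = "SUSPICIOUS" if result["suspicious"] else "clean"
        print(result["client"], verdict, result["options"])
        for depth, layer in enumerate(result["layers"]):
            print(f"  layer {depth}: {layer[:80]}")
```

Run over a real log, the interesting lines are the ones where a parameter that should name a file decodes to executable text; the option names collected from the decoded layers are what to look for in `wp_options` before deleting anything.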