• Hi,

    Two days ago my website was hacked, and after restoring it I’m trying to understand the security hole.

    I think it has to do with WordPress because the result of the hacking (at least the obvious one) was the publishing of a new post, the changing of the whole table wp_options and the crashing of the theme pages…actually the style.css has been rewritten with some HTML and JavaScript code.

    The version I had during the hack was WordPress 2.1.3. Because I’m not familiar with security holes, although it seems to be SQL injection, could you give me some hints to understand how the hacker managed to do it?

    One other thing was that during the hack the demand on the server increased drastically, which made me restart the server.

    Does the following link have to do with that? SQL Injection in WordPress 2.1.3?

    I haven’t upgraded WordPress due to incompatibilities with some plugins. However, I have upgraded it to 2.1.4.

    Thanks in advance

Viewing 10 replies - 1 through 10 (of 10 total)
  • Well, it surely was a SQL injection, but why in the world were you using versions such as 2.1.3 or even 2.1.4 or anything besides the latest? Upgrade your core to the current 3.2.1, as a ton of fixes were added.

    For a SQL injection you only need a forgotten ; at the end of one table.

    Thread Starter Symeon Mattes

    (@simeonmattes)

    Hi JusticeIsMade,

    Thanks for your reply.

    A small correction. The version I was using was 3.1.3 and I upgraded it to 3.1.4 (sorry for the misunderstanding).

    I’m pretty sure that it was SQL injection but I’m just trying to understand in which part of the code.

    Thanks

    Thread Starter Symeon Mattes

    (@simeonmattes)

    Moreover…what do you mean by “For a sql injection you only need a forgotten ; at the end of one table.”?

    Could you give me an example?

    Mhm, it’s pretty hard to explain/find. It might have been a plugin, for example, that was badly written. I don’t think 3.1.3 still has issues with its default databases, so my guess is that a plugin might have allowed the attack. You need to check many things, but I’d recommend testing one of the following plugins:

    http://wordpress.org/extend/plugins/bulletproof-security/

    http://wordpress.org/extend/plugins/wp-security-scan/

    http://wordpress.org/extend/plugins/secure-wordpress/

    These scan your WP installation and find security-related problems.

    Regarding the “;” (if you know sql) someone might have forgotten a ; at the end of a query in one of your databases.

    Select * from wp_users (for example)

    Some of my websites also got hacked a few years ago but, from my experience, it won’t happen again. I believe these guys use some sort of script that automatically searches the web and are not attacking anyone in particular.

    Thread Starter Symeon Mattes

    (@simeonmattes)

    Thanks…I will check them.

    I still didn’t understand how to inject a database by just forgetting a semicolon…since it’s just for separation of sql commands…

    Never mind…I will check the plugins…Is it possible to check a PHP script for vulnerabilities? Are there any tools?

    Thanks again

    Well, not ending something in your databases, etc. may give others the chance to add extra parameters (http://en.wikipedia.org/wiki/SQL_injection) as your command is not closed. I’m no hacker though and really can’t fully answer questions related to SQL injections.

    Check PHP for vulnerabilities: check Google for cross-site scripting, or use Google Chrome; sometimes it says that your website has malware in its code.
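How SQL injection arises, as an added example that is not part of the thread or of WordPress: it uses Python's sqlite3 with a constructed posts table and constructed input (all names here are assumptions). The query built by string concatenation returns unpublished rows whether or not the statement ends in a semicolon, while the parameter-bound query does not.

```python
import sqlite3

# Constructed input: it closes the quoted LIKE pattern and adds its own condition.
CONSTRUCTED_INPUT = "x%' OR status <> 'publish' OR title LIKE '%x"

def make_db():
    """In-memory table with constructed rows standing in for a blog's posts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER, title TEXT, status TEXT)")
    db.executemany("INSERT INTO posts VALUES (?, ?, ?)", [
        (1, "Hello world", "publish"),
        (2, "Unfinished notes", "draft"),
        (3, "Private memo", "private"),
    ])
    return db

def search_concat(db, term, terminator=""):
    """Vulnerable pattern: the request value becomes part of the SQL text."""
    sql = ("SELECT title FROM posts WHERE status = 'publish' "
           "AND title LIKE '%" + term + "%' ORDER BY id" + terminator)
    return [row[0] for row in db.execute(sql)]

def search_bound(db, term, terminator=""):
    """Hardened pattern: fixed SQL text, the value travels as a bound parameter."""
    sql = ("SELECT title FROM posts WHERE status = 'publish' "
           "AND title LIKE ? ORDER BY id" + terminator)
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]

if __name__ == "__main__":
    db = make_db()
    for terminator in ("", ";"):
        print(repr(terminator),
              search_concat(db, CONSTRUCTED_INPUT, terminator),
              search_bound(db, CONSTRUCTED_INPUT, terminator))
```

In WordPress plugin code, the bound form corresponds to building queries with `$wpdb->prepare()` instead of concatenating request values into the SQL string.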

    I also created a thread about being hacked and got ignored. Yes, it is true and it is out there. I have a hosting account and so far 4 of my domains have been hacked. I changed passwords, SQL passwords, email passwords, blocked IP addresses, etc. and they still get in. I also installed Bulletproof and no luck.

    My first site was hacked directly to the root, implanting a mijn some ign bank link phishing site. My other sites have been through tinymce; they inject a security.html file.

    My hosting people keep suspending my accounts and it is getting annoying, and since they don’t know, they keep telling me I need to be sure I have the latest updates, which I do.

    Thread Starter Symeon Mattes

    (@simeonmattes)

    Hi mannyreyes,

    Have you noticed any strange behavior at the time you were hacked? I’m saying this because at the time I was hacked the CPU/RAM level started increasing rapidly. To tell you the truth, first I noticed this strange behavior of the server and then I got suspicious and checked the site.

    I don’t think it has to do with a vulnerability of the server, because some other websites also reside on the same server and they were left untouched.

    I’m trying to check the log files for any strange behavior at the time of the hacking, since it seems that the CPU/RAM increase is relevant.

    If you think you have any information, it would be wonderful.

    Best Regards

    Hey Symeon, no, I didn’t experience any high activity on resources on the server; I always get notified if that happens. Yes, I agree it is not a server hack because I do have around 25 domains and only a few got hacked. I do believe it is a vulnerability, since I’ve been searching around and finding a few forums where people are recently complaining about the same thing, and it all happened just this month.

    During that search I found this that indeed affected 2 of my sites http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

    As you know WordPress uses tinymce

    Thread Starter Symeon Mattes

    (@simeonmattes)

    Thanks for the plugin…I will check this and the others that JusticeIsMade proposed and I will come again.

    Could you please describe to me the result of the hacking? What I had, for instance, was the following:

    • A new post was published
    • wp_options was totally changed
    • all the theme files I had had been changed. The strange thing was that the style.css had html code inside
    • Every time I was loading the front page I had JavaScript errors. This resulted in the browser (IE, Chrome, Firefox) not responding, e.g. I couldn’t select text, or open Firebug, etc.

    I have kept the hacked database and files and I will try to check them this weekend. The team which had hacked my website was called AHG-Crew and this is supposedly their logo video (http://www.youtube.com/watch?v=j2QBul0RQnU).

    I will inform you if I find anything.

    Best Regards
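A triage check for the symptoms listed above (theme files changed, style.css containing HTML), as an added example that is not part of the thread: it walks a kept copy of a theme directory and reports stylesheets that contain markup and files modified since a baseline time. The function names, the markup heuristic and the sample theme are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Heuristic for this example: HTML/script markup has no place in a stylesheet.
MARKUP = re.compile(rb"<\s*(script|iframe|html|body|div)\b|document\.write", re.I)

def triage_theme(theme_dir, since_epoch):
    """Return (css_with_markup, modified_since) as sorted paths relative to theme_dir."""
    css_hits, recent = [], []
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, theme_dir)
            if os.path.getmtime(path) >= since_epoch:
                recent.append(rel)
            if name.lower().endswith(".css"):
                with open(path, "rb") as fh:
                    if MARKUP.search(fh.read()):
                        css_hits.append(rel)
    return sorted(css_hits), sorted(recent)

def build_sample_theme():
    """Constructed sample theme: (file name, content, mtime as epoch seconds)."""
    files = [
        ("functions.php", b"<?php // untouched\n", 1_000_000_000),
        ("print.css", b"body { margin: 0; }\n", 1_000_000_000),
        ("index.php", b"<?php // rewritten\n", 1_300_000_000),
        ("style.css", b"body { margin: 0; }\n<div>constructed</div>"
                      b"<script>/* placeholder */</script>\n", 1_300_000_000),
    ]
    theme_dir = tempfile.mkdtemp(prefix="theme-sample-")
    for name, content, mtime in files:
        path = os.path.join(theme_dir, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return theme_dir

if __name__ == "__main__":
    css_hits, recent = triage_theme(build_sample_theme(), 1_200_000_000)
    print("CSS files containing markup:", css_hits)
    print("Files modified since baseline:", recent)
```

Run it against the preserved copy of the hacked files, not the live site, with the baseline set to the last time the theme was known to be good.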


The topic ‘Security hole in wordpress 3.1.3’ is closed to new replies.