Major WordPress vulnerability: comment Spam, changed files & settings

  • I’m pretty sure there’s a major security vulnerability even in the most recent version of WordPress, 3.1.2.

    I experienced hacker link spam and modification of wp-settings and files on a wordpress blog. Symptoms are as follows:

    • Changed footer.php with some links to, I guess, Turkish penis enlargement sites. Well hidden with base64 and gzipinflate.
    • comment moderation deactivated
    • automatic spam comments like e.g.
      […]Craps are one of the leading free online craps guide will explaining the very basics things of games in simple strategies[…]… through trackbacks and comments every minute
    • even though comments are closed for all articles and trackbacks / pingbacks are deactivated
    • did a clean reinstall of wp 3.1.2 without any plugins after having changed mysql pw and admin pw through phpmyadmin plus wp-config keys

    This means: the wp installation is absolutely clean and safe. Still we get the spam comments.

    Let’s fix this together fast and heal WordPress! Who got the same symptoms?

    Cheers,
    ff-webdesigner.de

  • esmi

    @esmi

    Forum Moderator

    The hacks could be coming from anywhere on the server rather than through WordPress. Have you reviewed:
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    How to find a backdoor in a hacked WordPress

    Thanks esmi, I knew link one, did all that. I’m over link 2 now…but should be fine…it’s a clean reinstall with changed pws. That’s what I’m worried about.

    esmi

    @esmi

    Forum Moderator

    Check your images. As Otto points out in that second link, hackers can disguise backdoor scripts as images simply by throwing in a .jpg extension etc. Even came across what looked very like a hack yesterday that might have used a Thumbs.db file.

    Okay, whole upload dir deleted. Still: to bring a malicious hidden php code in e.g. .jpg extension would mean there has to be code added to wp core files, right? It’s a clean install with changed keys, mysql, wp admin and even ftp pws. Also checked mysql wp_users: just admin. Searched for suspicious code in mysql. No edoced. What happened? New spam 5 minutes ago…Grrrrrrr!
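A defender-side sweep for the two signs discussed in the posts above (PHP source inside image-like files such as .jpg or Thumbs.db, and eval wrapped around base64/gzinflate decoders, including the reversed "edoced" spelling), added here as an example and not part of any poster's reply. The file names and sample contents are constructed, and any hit needs manual review.

```python
import os
import re
import tempfile

# Extensions that should never contain PHP source (Thumbs.db included, per the thread).
NON_CODE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".db"}
PHP_TAG = re.compile(rb"<\?php", re.I)
# eval() wrapped around a decoder, or the reversed name "edoced_46esab".
OBFUSCATED = re.compile(
    rb"eval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\("
    rb"|edoced_46esab", re.I)

def scan_file(path):
    """Return a list of finding labels for one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    ext = os.path.splitext(path)[1].lower()
    findings = []
    if ext in NON_CODE_EXTS and PHP_TAG.search(data):
        findings.append("php-in-non-code-file")
    if OBFUSCATED.search(data):
        findings.append("obfuscated-eval")
    return findings

def scan_tree(root):
    """Walk root and return {relative_path: findings} for flagged files only."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                flagged[os.path.relpath(full, root)] = hits
    return flagged

def build_sample(root):
    """Constructed sample tree: one clean theme file, two suspicious ones."""
    samples = {
        "footer.php": b"<?php eval(gzinflate(base64_decode('CONSTRUCTED'))); ?>",
        "index.php": b"<?php get_header(); ?>",
        "photo.jpg": b"\xff\xd8\xff\xe0JFIF<?php echo 'constructed'; ?>",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, hits in sorted(scan_tree(tmp).items()):
            print(path, hits)
```

Point `scan_tree` at the WordPress root (including wp-content/uploads and the active theme) rather than the temporary sample directory.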

    esmi

    @esmi

    Forum Moderator

    Is this spam within the code (ie a hack)? Or are these spam comments?

    Mostly spam comments. But they also changed footer.php and some admin settings (no admin review of comments, e.g.).

    The attackers may have your FTP credentials. Check your system for malware.

    esmi

    @esmi

    Forum Moderator

    Try using some anti-spam plugins such as Akismet and Bad Behaviour. Other than that, there are no security issues with 3.1.2 that I am aware of, so the prime suspect still remains your server itself.

    See above: we changed the ftp, mysql and wpadmin pws…twice before and after clean reinstall. And we’ve been using si captcha, which did a good job so far on 20 of my blogs for years. System is definitely clean.

    Problem is still the same. About 50 Pingback Spams a day, though activated captcha and disabled pingbacks for every single post and generally in discussion options.
