Bithead

1: Well, yeah, that made sense, but I wasn’t totally sure if there was a hook there, or not, and it made sense to ask before pulling them. Thanks.

2: Well, knowing the actual error is the issue, isn’t it? (Wry smile) I did manage to get rid of the error incidental to a cleanup I’ve been doing the last few days, but I honestly don’t know what was causing it. Even the database wasn’t saying. (Shrug) Oh, well… thanks for the help, anyway… it’s appreciated.

Handy and Root: Look again:

And no, my anger isn’t being directed at jonimueller, but rather at the IRC channel.

Questions?

OK,gang, here’s the lowdown.

Last week, we had an attack on the core SQL database that runs BitsBlog. The most obvious result of that attack was four instances of an HTML FRAME callout showing up showing up on the header of every page on the site.

( http://usuarios.arnet.com.ar/alvarezluque/morgan.html&#8221; width=”0″ height=”0″ frameborder=”0″></iframe)

(Take my advice, don’t go there… in investigating the site and doing soem cross checking, I find there’s a bunch of real weirdos, there.)

Once I went through all my PHP coding by hand, I realized that the callouts were in none of them, and that the code must have been injected into the database. A database restore from my end was out of the question for several technical reasons. The backup design assumed that the site would be available. Dumb, yeah, but there it is.

So, I got on with the ISP, and had them do an full wipe and restore.

Once that was done, and assuming that because my site was a little behind the WordPress current release, I then changed all my heavy passwords, and upgraded to the most recent version.

Two days later, we’re back in the soup. Logically, whatever the security hole was, was not directly a part of WordPress, but WHAT WAS IT? Simply having the ISP go to tape again, still left the Blog vulnerable.

At this point, I started asking around. I went to the WordPress support forums. Let’s just say they’re Linux snobs, and leave it at that, shall we? I mean, I like Linux, too, but telling me my biggest problem is the thing is an ISS server isn’t helping. I was dealing with applications issues when we went the Windows Server route anyway.

Still, they had a point that the Windows environment isn’t nearly as secure, so some rather pointed questions were fired at the ISP.

UNlike the folks at WordPress who couldn’t get past the word “Windows”, the IX folks actually investigated, and found that there was indeed a problem with the WordPress installation:

We’ve restored your site from our backup. Also after investigation of our system administration team, we’ve found that your WordPress installation is vulnerable to remote file inclusion attacks. Please refer to following link for more information regarding that security hole:

http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2007-05/msg00010.html

Please upgrade/fix your software ( wordTube plugin ) as soon as possible, and update this ticket once it’s done.

Should you have any further questions, please do not hesitate to contact us 24×7.

Well, what do you know. An ISP actually willing to help, when the pressure is on. I’ve done a rebuild to the most recent versons, changed out my passwords again, and blown away the YouTube plughin… it wasn’t working well anyway.

Kudos to IX Web hosting, for a job well done.

And a raspberry or three to the WordPress Support forums, and to the denizens of their IRC room, who were even worse. …

(Well, OK, the guy in the forum was apparently trying to warn me of the bias, but the fact remains the help forum was anything but… even there, he decided it wasn’t a wordpress issue.)

Sheesh… that’s two I owe you. I thought that was, as the script says, just an indent.

Oh?
Hmmm.

OK, I’ll look at that. Thanks