WordPress 2.1.1 – Dangerous Download



A week ago, I read about the release of WordPress 2.1.1 and 2.0.9. Since it only required a few files to be upgraded or overwritten, I immediately upgraded my WordPress installation. Now, if you, like me, upgraded to WordPress 2.1.1, please read this:

Short explanation:

If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

Longer explanation:

This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.

It was determined that a cracker had gained user-level access to one of the servers that powers WordPress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.

This is the kind of thing you pray never happens, but it did and now we're dealing with it as best we can. Although not all downloads of 2.1.1 were affected, we're declaring the entire version dangerous and have released a new version 2.1.2 that includes minor updates and entirely verified files. We are also taking lots of measures to ensure something like this can't happen again, not the least of which is minutely external verification of the download package so we'll know immediately if something goes wrong for any reason.

Read full story

After I read this, I immediately upgraded my installation to 2.1.2. I'm posting about this to warn those who have their blogs running WordPress 2.1.1 about the security exploit, and I strongly suggest that you take the time to upgrade ASAP.

Download WordPress 2.1.2
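The announcement quoted above describes an attacker with user-level access to a WordPress.org server editing two files inside the 2.1.1 download, and the remedy of re-releasing "entirely verified files". The same idea applies on the administrator's side: compare every file of the unpacked tree against a manifest of known-good hashes, and only trust a manifest that came from somewhere the attacker could not also have edited. The following is an added example written for this page, not code from the original post or from WordPress.org. SHA-256 is this example's own choice of digest, and the file names and contents in demo() are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Added example (not code from the original post or from WordPress.org):
# detect a tampered release by comparing every file of an unpacked tree
# against a manifest of known-good SHA-256 hashes. SHA-256 is this
# example's choice of digest; file names and contents in demo() are
# constructed.


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large archives are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tree(root, manifest):
    """Compare an installed tree against a known-good manifest.

    Returns sorted lists of files whose contents differ ('modified'),
    files present in the manifest but absent on disk ('missing'), and
    files on disk that the manifest does not know about ('added').
    'added' matters: a backdoor may arrive as a new file, not as an edit.
    """
    actual = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in actual),
        "added": sorted(p for p in actual if p not in manifest),
    }


def download_matches(archive_path, expected_hex):
    """Check a downloaded archive against a digest obtained from a source
    independent of the download server. Constant-time comparison."""
    return hmac.compare_digest(hash_file(archive_path), expected_hex.lower())


def write_tree(root, files):
    """Write a {relative_path: content} mapping to disk under root."""
    for rel, content in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo():
    """Constructed scenario: a pristine unpack, and an installed copy with two
    edited PHP files plus one extra dropped-in file. Returns the report."""
    pristine = {
        "index.php": "<?php\nrequire('./wp-blog-header.php');\n",
        "wp-includes/first.php": "<?php\nfunction first() { return 1; }\n",
        "wp-includes/second.php": "<?php\nfunction second() { return 2; }\n",
    }
    tampered = dict(pristine)
    # Hypothetical tampering: append to two shipped files, drop in one new file.
    tampered["wp-includes/first.php"] += "// constructed modification\n"
    tampered["wp-includes/second.php"] += "// constructed modification\n"
    tampered["wp-content/extra.php"] = "<?php\n// constructed dropped file\n"

    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as installed:
        write_tree(good, pristine)
        write_tree(installed, tampered)
        # In practice the manifest is fetched from a trusted, independent source,
        # never from the same host that served the suspect download.
        manifest = build_manifest(good)
        return verify_tree(installed, manifest)


if __name__ == "__main__":
    report = demo()
    for kind in ("modified", "added", "missing"):
        for path in report[kind]:
            print(f"{kind:8s} {path}")
```

The check is only as good as the provenance of the manifest: if the hashes are published on the same server the attacker edited, they can be rewritten alongside the archive, so they need to come from an independent channel (a second mirror, a copy obtained before the incident, or a checkout from the project's own version control). Reporting "added" files as well as "modified" ones matters because a dropped-in PHP file would otherwise pass a check that only looks at files the manifest already lists.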

Owner and editor of JaypeeOnline. Self-proclaimed geek. New media writer and consultant. WordPress advocate. Loves blogging, gadgets, video games and sports. You can follow him on Google+, Facebook or Twitter.

13 Comments

  1. JP Habaradas

    March 5, 2007 at 4:59 AM

    @benj – I'm not really sure but it could be the most likely reason unless you have a recently posted entry that's popular.

    Yeah, thanks for the tip! :D

  2. benj

    March 5, 2007 at 12:47 AM

    Spam bots? Wow, I feel so special!

    You liked my tip? Should I expect your dollars on my paypal account?

    wahahaha.

    Kidding.

  3. JP Habaradas

    March 4, 2007 at 9:46 AM

@benj – Thanks for mentioning FireStats. I've downloaded and installed it here. I'm loving it! I use it together with SlimStats, hopefully there won't be any conflicts between the two plugins.

    Bout the sudden increase in hits, could it have been because of spam bots?

Yeah, at least their visit could have been more beneficial to you and your blog. Hehe :D

  4. benj

    March 4, 2007 at 8:37 AM

    Firestats tracks IP, country of origin, referrer etc. but it doesn't store the date. It just keeps the 24 hour tally and running tally (all-time). It peaked at 1100 unique hits in 24 hours. It has since normalized to 150.

    hay. they could've at least clicked on you know whats while they were in my site. hehe

  5. JP Habaradas

    March 4, 2007 at 8:08 AM

    @benj – I see. I'm not sure coz I haven't used Fire Stats and Stat Traq. Is there a way to see the specific details of your recent visitors or referrers? But I don't think an increase in hits means your site was hacked but then, I could also be wrong. Most probably it's those investigators who are visiting your blogs. Hehe :D

    @ade – That's good. Better safe than sorry. So you have many haters? Hehe :D

  6. ade

    March 3, 2007 at 7:36 PM

Am upgrading now. I don't want my haters to learn hacking overnight. :P

  7. benj

    March 3, 2007 at 4:41 PM

    Yup, unique hits. I use Fire Stats and Stat Traq. My suspended account at Pinoy Top Blogs also reflected the insane jump.

    Either I'm getting hacked or Chiz Escudero's paid investigators are watching me… from the States. hehe

    Can't wait for 2.1.3!!! wahahaha

  8. JP Habaradas

    March 3, 2007 at 3:18 PM

@Riz – You're welcome! I'm not really sure where Dreamhost gets their files but I'm assuming that all WP 2.1.1 files are infected except for those in the Subversion repository. If you're not running WP 2.1.1, there's no need for you to upgrade. :)

    Thanks for dropping by! :D

    @christian – I know. It does get annoying sometimes but then your blog's security is more important. Just like you said, no choice but to upgrade. Hehe :D

    @benj – You mean unique hits to your blog? What do you use to track your site stats?

    It only looks intimidating but as you have proved, it's just a piece of cake, right? Hehe :D

    @K – Which version are you talking about? There's been several versions released in less than 2 months. Yeah, that's part of the responsibilities and tasks that you have when you have your own domain. I'm not quite sure I understand what you mean bout the cut and paste option in CSS coz I don't really do much with my WordPress.com account.

    You're not alone, I have a Master's degree in copying & pasting. Hehe :D

    Thanks for the compliment!

  9. benj

    March 2, 2007 at 9:38 PM

    I did it! woohooo! Piece of cake! hah!

    *shakes dust off sleeve*

  10. K

    March 2, 2007 at 7:49 PM

    I heard the new wp upgrade is not stable yet?

    That's the thing with having your own domain, the "upgrading" stuff & security issues. But does this mean, the new upgrade comes handy with an autoinstaller that you don't need to use copy and paste option in your css? I'm using a free wp.com account and can't even tell if it's upgraded or that changing a simple header image can make it look a little nicer.

    See, I'm a cut and paste person so as much as possible leave that up to the tech guys like yourself. Your site always looks good, Jaypee.

  11. benj

    March 2, 2007 at 7:22 PM

    Does a gargantuan increase in hits relate to "hacking"? My hits jumped ten-fold in the past 24 hours. o_0

    I just saw the upgrade instructions and I got intimidated. haha

  12. christian

    March 2, 2007 at 3:03 PM

    It's so annoying that I have to upgrade my three plus one WP installations every now and then. But I don't have a choice but to upgrade them as I don't want somebody to hack my site.

  13. Riz

    March 2, 2007 at 12:47 PM

    Hi JP, nice of you to drop by my site :)

    I haven't upgraded mine yet, but was thinking about it. Would you know if this apply to one-click installs that Dreamhost provides?

Haha, oh well, I'll just hold off on upgrading for now, to be sure. Hehe.
