A couple of days ago, Google sent me an email complaining that my blog (this one) contained hidden text advertising viagra, and threatening to remove it from their index. To my surprise, they were right.
The HTML was coming from the WordPress code itself, somehow via the call to wp_footer() in the theme’s footer.php. My theme is a simple one based on the standard WordPress theme, so I don’t think the exploit is in the theme.
I wasn’t using the version of WordPress (2.1.1) that was known to be cracked, but I upgraded to the latest WordPress anyway (2.3.1). Two days later, it was cracked again. I noticed because the change broke the site, causing php errors. This time I got a diff of the change. (Ignore the missing files in plugins/. I made a mess of restoring my plugins when upgrading.)
Both times, it was trying to add HTML with a <div id=”goro”> block. wordpress.net.in seems to be involved too. Googling showed me that others (1, 2) have had the same problem, though I haven’t found any real fix to stop it happening again. I feel vulnerable.
Update: Here are some lines from the access log that seem to be relevant. I don’t know whether they are the original hack.
If it doesn’t take too long for the site to be cracked after you clean it, I think it would be worthwhile running tcpdump on the web server to capture whatever request causes the offending text to re-appear.
If I were in your position I’d be looking for new blog software about now.
“eval(base64_decode($_POST[‘file’]))” is plain dangerous. But all in all, it’s a neat hack that’s not too easy to discover. Anyway, I’d really look out for rootkits and the like now, especially since it got cracked again :(
Did you customize the software? Otherwise, just delete all of it and reinstall. Next, make sure you put the right permissions on the files. There’s no need for the software to be able to write to its own code, and if the default security is lax, tightening it will probably break automatic exploits. That doesn’t make you less vulnerable, but it does save on the hassle.
Also be sure to change all your passwords. If you have time to spend, you might want to change the code to dump the full requests to some log file; then if it happens again you can check what is going on.
Tinus, no that’s the point. This is a regular wordpress 2.3.1.
For a single blog instance, you could use serendipity (www.s9y.org)
or for more then a blog, use drupal
wordpress is a mess regarding security and patching
\sh
murrayc,
If you’re not using xmlrpc, delete the file xmlrpc.php (or set it’s permissions to 000), also try setting theme files permissions to 444 (or 644). You shouldn’t be able to edit them within wordpress.
You also may wanna look at http://blogsecurity.net/wordpress/wordpress-security-whitepaper/
best of luck
Yes, I’ve already deleted xmlrpc.php though I’m not convinced that it’s the source of the original exploit.
If you’re on shared hosting, there’s no need to even break WordPress. Twice on my DreamHost account, Russian hackers have broken into my server (hosts ~1500 sites) and modified EVERYBODY’s files. DreamHost just pretends its your fault and lets you try to clean up and tell all your relatives that your family photo site has just infected them with Russian malware. (I’m moving the hell off Dreamhost as we speak)
If you’re on a dedicated server, this is likely your fault. If shared or VPS, well… it could be anything!
It’s generally a bad idea to let the php-interpreter have write-access to areas where php-scripts may be executed. If you exploit a web app, it shouldn’t have the rights to modify itself … like you can’t overwrite /bin/bash just because you found a buffer overflow :)
Probably a dumb guess: did you reuse the same admin password as what is used in previous wordpress installation?
Abel, yes, I didn’t change the admin password. I did later though. I guess that’s a possibility.
This problem started for me when I installed 2.3. Deleting the offending code and installing 2.3.1 has fixed the problem for now (touch wood).
You might want to look at these plugins as well: http://tinyurl.com/38tkx9 and http://tinyurl.com/2npew5
And consider blocking the offending IPs through your .htaccess.
Good luck. This Russian SOB wasted a lot of my time. I say we track him down to Moscow or Queens or wherever and grind him into blintz topping.
If it’s me, I would think about reusing previous login cookie too.
I’d place my bet on the attacker remembering your password or its hash after attacking a vulnerable version of WP, instead of any new 0-day exploit. At least that’s my guess after reading your posted diff and Apache log.
there is sollution for this problem
http://blog.kakkoi.net/wordpress/how-to-removed-wordpress-net-in-spam-injection-infected-by-mike-jagger-goro-class-mailphp/