[wp-hackers] WP security breach-- may be my fault, may not be
Eric A. Meyer
eric at meyerweb.com
Tue May 9 00:29:29 GMT 2006
Earlier today I got word that I had linkspam showing up in entries
on meyerweb-- they showed up in Bloglines, for example, and also some
people's aggregators showed recent posts as having been modified.
It turns out someone went in and added link spam to the post
contents of the most recent 30 or so posts. Here's an example of one
such post, pulled from my wp-cache files:
The spam shows up at lines 83-121. Here's another:
In that case, the spam is at lines 75-113.
I was able to remove the spam from meyerweb by manually editing
the post contents for each affected post. In other words, the spam
content had been added to the DB records-- this is not a wp-cache
problem. That's just where I was able to harvest copies of the
offending content. It's also not a comment problem; this stuff is
injected into the actual post_content field.
The spam always shows up after three or so paragraphs, whether
that means the end of the post or somewhere in the middle, which
feels like the work of a regexp or some other pattern search. I also
tracked down the activity which stuck the spam into my records.
The pattern of accesses also reminds me of a script. Note there are
two blocks of changes, temporally speaking. I'm not anywhere close
to the IP block of the accesses in question; they're in the 207.*
block and I'm a good deal lower than that.
Now for the details of my WP install: I'm running 1.5, as I really
hate the admin interface of 2.0, even with rich editing turned off.
(If it remembered which of those cute little option boxes to leave
expanded, I'd be a lot happier, but never mind that now.) I'm
willing to upgrade to fix this, though I'd want to wait at least a
few days to see if the problem happens again. The only plugins
running that I didn't write myself are Akismet and wp-cache. The
plugins I wrote are all content modifiers, like ordinalizing numbers
from 1-10, outputting a slightly different monthly calendar, and
turning off auto-formatting of posts (but not comments). I don't
think any of them could be a doorway, but it's hard to be certain.
I chatted with the #wordpress folks and nobody there seemed to
know what might be happening, with the only real guess being that
maybe my WP admin password was compromised. I changed my admin
password after the breaches documented above, and will watch my
access logs to see if there are any more attempts. I don't know for
sure that my password was compromised, though if there's a log
somewhere that I could check for admin logins, I'll gladly do so. Is
Like I said, if this sort of thing is a known problem with 1.5,
I'm willing to upgrade to fix it, much though I may curse the
interface afterward. If this isn't something that's been seen
before, I thought it was worth bringing to your attention. Thanks
for any insights.
Eric A. Meyer (eric at meyerweb.com)
Principal, Complex Spiral Consulting http://complexspiral.com/
"CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
"Eric Meyer on CSS," and more http://meyerweb.com/eric/books/
More information about the wp-hackers