[wp-hackers] WP security breach-- may be my fault, may not be

Peter Westwood peter.westwood at ftwr.co.uk
Tue May 9 07:32:39 GMT 2006


Eric A. Meyer wrote:
> Howdy all,
> 
>    Earlier today I got word that I had linkspam showing up in entries on
> meyerweb-- they showed up in Bloglines, for example, and also some
> people's aggregators showed recent posts as having been modified.
>    It turns out someone went in and added link spam to the post contents
> of the most recent 30 or so posts.  Here's an example of one such post,
> pulled from my wp-cache files:
> 
>    http://meyerweb.pastebin.com/706548
> 
> The spam shows up at lines 83-121.  Here's another:
> 
>    http://meyerweb.pastebin.com/706585
> 
> In that case, the spam is at lines 75-113.
>    I was able to remove the spam from meyerweb by manually editing the
> post contents for each affected post.  In other words, the spam content
> had been added to the DB records-- this is not a wp-cache problem. 
> That's just where I was able to harvest copies of the offending
> content.  It's also not a comment problem; this stuff is injected into
> the actual post_content field.
>    The spam always shows up after three or so paragraphs, whether that
> means the end of the post or somewhere in the middle, which feels like
> the work of a regexp or some other pattern search.  I also tracked down
> the activity which stuck the spam into my records. That's here:
> 
>    http://meyerweb.pastebin.com/706549
> 

Looking at this, I think your admin password was compromised, as before
any changes take place there is a login attempt which I believe was
probably successful, looking at the next page that was loaded.

Login Attempt:
207.42.135.122 - - [08/May/2006:14:30:06 +0000] "POST
/eric/thoughts/wp-login.php HTTP/1.1" 302 5
"http://meyerweb.com/eric/thoughts/wp-login.php" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

And load of admin index page:
207.42.135.122 - - [08/May/2006:14:30:10 +0000] "GET
/eric/thoughts/wp-admin/ HTTP/1.1" 200 12936
"http://meyerweb.com/eric/thoughts/wp-login.php" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

There are then a number of POSTs for post editing, which would explain
the appearance of the links.

westi
--
Peter Westwood
http://blog.ftwr.co.uk
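As an added example (not code from the thread), the Python below parses Apache combined-format access log lines and looks, per client IP, for the sequence westi reads out of the log above: a POST to wp-login.php answered with a 302, a GET of wp-admin/ returning 200 shortly after, then POSTs under wp-admin/. The two quoted requests are used as-is; the follow-up edit POSTs (path wp-admin/post.php assumed) and the unrelated visitor line are constructed.

```python
import re
from datetime import datetime
# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"')

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_admin_sessions(lines, window_seconds=3600):
    """Per client IP, look for the sequence westi describes: an accepted login
    (POST wp-login.php -> 302), the admin index loading (GET wp-admin/ -> 200), then POSTs
    under wp-admin/ within the window. Returns {ip: summary} for IPs with an accepted login."""
    by_ip = {}
    for rec in filter(None, map(parse_line, lines)):
        by_ip.setdefault(rec["ip"], []).append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        login_at, summary = None, {"login_accepted": False, "admin_loaded": False, "admin_posts": 0}
        for r in sorted(recs, key=lambda r: r["time"]):
            if r["method"] == "POST" and r["path"].endswith("/wp-login.php") and r["status"] == 302:
                login_at, summary["login_accepted"] = r["time"], True
            elif login_at and (r["time"] - login_at).total_seconds() <= window_seconds:
                if r["method"] == "GET" and r["path"].endswith("/wp-admin/") and r["status"] == 200:
                    summary["admin_loaded"] = True
                elif r["method"] == "POST" and "/wp-admin/" in r["path"]:
                    summary["admin_posts"] += 1
        if summary["login_accepted"]:
            findings[ip] = summary
    return findings

# Constructed sample: the two requests quoted in the thread, then invented edit POSTs (wp-admin/post.php assumed) and an unrelated visitor.
TAIL = '"http://meyerweb.com/eric/thoughts/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'
SAMPLE_LOG = [
    f'207.42.135.122 - - [08/May/2006:14:30:06 +0000] "POST /eric/thoughts/wp-login.php HTTP/1.1" 302 5 {TAIL}',
    f'207.42.135.122 - - [08/May/2006:14:30:10 +0000] "GET /eric/thoughts/wp-admin/ HTTP/1.1" 200 12936 {TAIL}',
    f'207.42.135.122 - - [08/May/2006:14:31:02 +0000] "POST /eric/thoughts/wp-admin/post.php HTTP/1.1" 302 0 {TAIL}',
    f'207.42.135.122 - - [08/May/2006:14:33:15 +0000] "POST /eric/thoughts/wp-admin/post.php HTTP/1.1" 302 0 {TAIL}',
    '198.51.100.7 - - [08/May/2006:14:32:00 +0000] "GET /eric/thoughts/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    print(find_admin_sessions(SAMPLE_LOG))
```

Run against a real access log, the same IP-keyed summary is what you would check before concluding, as westi does, that the edits came in through an accepted login rather than through the cache or comment path.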



More information about the wp-hackers mailing list