[wp-hackers] WP security breach-- may be my fault, may not be

Eric A. Meyer eric at meyerweb.com
Tue May 9 00:29:29 GMT 2006


Howdy all,

    Earlier today I got word that I had linkspam showing up in entries 
on meyerweb-- they showed up in Bloglines, for example, and also some 
people's aggregators showed recent posts as having been modified.
    It turns out someone went in and added link spam to the post 
contents of the most recent 30 or so posts.  Here's an example of one 
such post, pulled from my wp-cache files:

    http://meyerweb.pastebin.com/706548

The spam shows up at lines 83-121.  Here's another:

    http://meyerweb.pastebin.com/706585

In that case, the spam is at lines 75-113.
    I was able to remove the spam from meyerweb by manually editing 
the post contents for each affected post.  In other words, the spam 
content had been added to the DB records-- this is not a wp-cache 
problem.  That's just where I was able to harvest copies of the 
offending content.  It's also not a comment problem; this stuff is 
injected into the actual post_content field.
    The spam always shows up after three or so paragraphs, whether 
that means the end of the post or somewhere in the middle, which 
feels like the work of a regexp or some other pattern search.  I also 
tracked down the activity which stuck the spam into my records. 
That's here:

    http://meyerweb.pastebin.com/706549

The pattern of accesses also reminds me of a script.  Note there are 
two blocks of changes, temporally speaking.  I'm not anywhere close 
to the IP block of the accesses in question; they're in the 207.* 
block and I'm a good deal lower than that.
    Now for the details of my WP install: I'm running 1.5, as I really 
hate the admin interface of 2.0, even with rich editing turned off. 
(If it remembered which of those cute little option boxes to leave 
expanded, I'd be a lot happier, but never mind that now.)  I'm 
willing to upgrade to fix this, though I'd want to wait at least a 
few days to see if the problem happens again.  The only plugins 
running that I didn't write myself are Akismet and wp-cache.  The 
plugins I wrote are all content modifiers, like ordinalizing numbers 
from 1-10, outputting a slightly different monthly calendar, and 
turning off auto-formatting of posts (but not comments).  I don't 
think any of them could be a doorway, but it's hard to be certain.
    I chatted with the #wordpress folks and nobody there seemed to 
know what might be happening, with the only real guess being that 
maybe my WP admin password was compromised.  I changed my admin 
password after the breaches documented above, and will watch my 
access logs to see if there are any more attempts.  I don't know for 
sure that my password was compromised, though if there's a log 
somewhere that I could check for admin logins, I'll gladly do so.  Is 
there?
    Like I said, if this sort of thing is a known problem with 1.5, 
I'm willing to upgrade to fix it, much though I may curse the 
interface afterward.  If this isn't something that's been seen 
before, I thought it was worth bringing to your attention.  Thanks 
for any insights.

-- 
Eric A. Meyer  (eric at meyerweb.com)
Principal, Complex Spiral Consulting   http://complexspiral.com/
"CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
"Eric Meyer on CSS," and more    http://meyerweb.com/eric/books/
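The post asks whether there is a log of admin logins to check. WordPress 1.5 keeps none, but the web server's access log records the POSTs that log in and save posts. The script below is an added example (not the author's code or anything from the pastebin links): it parses combined-format log lines, keeps only POSTs to the WordPress write endpoints, drops IPs matching the owner's own prefixes, and splits the remaining activity into time-separated bursts like the "two blocks of changes" described above. The log lines are constructed, and the endpoint paths (wp-login.php, wp-admin/post.php) are an assumption about the 1.5 admin layout.

```python
import re
from collections import defaultdict
from datetime import datetime

# NCSA "combined" format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed WP 1.5 endpoints that authenticate or save a post (query strings are stripped).
WRITE_PATHS = ("/wp-login.php", "/wp-admin/post.php")

# Constructed sample log; 10.0.0.5 stands in for the blog owner, 203.0.113.7 for a stranger.
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2006:10:02:11 +0000] "GET /eric/thoughts/2006/05/08/ HTTP/1.1" 200 8123
10.0.0.5 - - [08/May/2006:10:05:40 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0
203.0.113.7 - - [08/May/2006:14:01:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [08/May/2006:14:01:09 +0000] "POST /wp-admin/post.php?action=editpost HTTP/1.1" 302 0
203.0.113.7 - - [08/May/2006:14:01:10 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0
203.0.113.7 - - [08/May/2006:14:01:11 +0000] "GET /wp-admin/post.php?action=edit&post=12 HTTP/1.1" 200 5120
203.0.113.7 - - [08/May/2006:16:30:40 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0
203.0.113.7 - - [08/May/2006:16:30:42 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0
"""

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0]

def find_write_bursts(log_text, trusted_prefixes=(), gap_seconds=300):
    """Collect POSTs to write endpoints from untrusted IPs and split each IP's
    activity into bursts separated by more than gap_seconds.
    Returns a list of (ip, first_ts, last_ts, request_count) tuples."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method != "POST" or path not in WRITE_PATHS:
            continue
        if ip.startswith(tuple(trusted_prefixes)):
            continue  # the owner's own edits are expected
        per_ip[ip].append(ts)
    bursts = []
    for ip, times in per_ip.items():
        times.sort()
        start = prev = times[0]
        count = 1
        for t in times[1:]:
            if (t - prev).total_seconds() > gap_seconds:
                bursts.append((ip, start, prev, count))
                start, count = t, 0
            count += 1
            prev = t
        bursts.append((ip, start, prev, count))
    return bursts

if __name__ == "__main__":
    for ip, first, last, n in find_write_bursts(SAMPLE_LOG, trusted_prefixes=("10.",)):
        print(f"{ip}: {n} write requests between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Each reported burst is a candidate edit session to compare against the post_modified timestamps of the affected posts.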
