[wp-hackers] WP security breach-- may be my fault, may not be
Joey B
tunicwriter at gmail.com
Tue May 9 00:49:27 GMT 2006

There's a version 1.5.3 in Beta, I think (
http://www.tamba2.org.uk/T2/archives/2006/03/18/wp-153/ )
If I recall correctly from the little chatter I've heard about it, it
contains some security fixes, and, iirc again, you can get it from SVN
as well.

On 5/8/06, Eric A. Meyer <eric at meyerweb.com> wrote:
> Howdy all,
>
> Earlier today I got word that I had linkspam showing up in entries
> on meyerweb-- they showed up in Bloglines, for example, and also some
> people's aggregators showed recent posts as having been modified.
>
> It turns out someone went in and added link spam to the post
> contents of the most recent 30 or so posts. Here's an example of one
> such post, pulled from my wp-cache files:
>
> http://meyerweb.pastebin.com/706548
>
> The spam shows up at lines 83-121. Here's another:
>
> http://meyerweb.pastebin.com/706585
>
> In that case, the spam is at lines 75-113.
>
> I was able to remove the spam from meyerweb by manually editing
> the post contents for each affected post. In other words, the spam
> content had been added to the DB records-- this is not a wp-cache
> problem. That's just where I was able to harvest copies of the
> offending content. It's also not a comment problem; this stuff is
> injected into the actual post_content field.
>
> The spam always shows up after three or so paragraphs, whether
> that means the end of the post or somewhere in the middle, which
> feels like the work of a regexp or some other pattern search. I also
> tracked down the activity which stuck the spam into my records.
> That's here:
>
> http://meyerweb.pastebin.com/706549
>
> The pattern of accesses also reminds me of a script. Note there are
> two blocks of changes, temporally speaking. I'm not anywhere close
> to the IP block of the accesses in question; they're in the 207.*
> block and I'm a good deal lower than that.
>
> Now for the details of my WP install: I'm running 1.5, as I really
> hate the admin interface of 2.0, even with rich editing turned off.
> (If it remembered which of those cute little option boxes to leave
> expanded, I'd be a lot happier, but never mind that now.) I'm
> willing to upgrade to fix this, though I'd want to wait at least a
> few days to see if the problem happens again. The only plugins
> running that I didn't write myself are Akismet and wp-cache. The
> plugins I wrote are all content modifiers, like ordinalizing numbers
> from 1-10, outputting a slightly different monthly calendar, and
> turning off auto-formatting of posts (but not comments). I don't
> think any of them could be a doorway, but it's hard to be certain.
>
> I chatted with the #wordpress folks and nobody there seemed to
> know what might be happening, with the only real guess being that
> maybe my WP admin password was compromised. I changed my admin
> password after the breaches documented above, and will watch my
> access logs to see if there are any more attempts. I don't know for
> sure that my password was compromised, though if there's a log
> somewhere that I could check for admin logins, I'll gladly do so. Is
> there?
>
> Like I said, if this sort of thing is a known problem with 1.5,
> I'm willing to upgrade to fix it, much though I may curse the
> interface afterward. If this isn't something that's been seen
> before, I thought it was worth bringing to your attention. Thanks
> for any insights.
>
> --
> Eric A. Meyer (eric at meyerweb.com)
> Principal, Complex Spiral Consulting http://complexspiral.com/
> "CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
> "Eric Meyer on CSS," and more http://meyerweb.com/eric/books/
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
--
Joey Brooks
Milk Carton Designs || milkcartondesigns.com
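
Added example, not part of either message above: the quoted report asks whether there is a log of admin logins and describes two scripted-looking blocks of changes, so this sketch groups POSTs to the WordPress login and post-edit handlers in a web server access log into per-IP bursts. The log lines, the addresses (documentation ranges), the two watched paths and the 5-minute gap threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache common log format; not taken from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [08/May/2006:09:14:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [08/May/2006:09:20:40 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0
203.0.113.9 - - [08/May/2006:11:02:10 +0000] "POST /wp-login.php HTTP/1.0" 302 0
203.0.113.9 - - [08/May/2006:11:02:14 +0000] "POST /wp-admin/post.php HTTP/1.0" 302 0
203.0.113.9 - - [08/May/2006:11:02:17 +0000] "POST /wp-admin/post.php HTTP/1.0" 302 0
203.0.113.9 - - [08/May/2006:11:02:21 +0000] "POST /wp-admin/post.php HTTP/1.0" 302 0
203.0.113.9 - - [08/May/2006:11:47:03 +0000] "POST /wp-admin/post.php HTTP/1.0" 302 0
203.0.113.9 - - [08/May/2006:11:47:06 +0000] "POST /wp-admin/post.php HTTP/1.0" 302 0
203.0.113.9 - - [08/May/2006:11:47:09 +0000] "POST /wp-admin/post.php HTTP/1.0" 302 0
198.51.100.7 - - [08/May/2006:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
# Assumed endpoints of interest: the login form and the post editor handler.
WATCHED = ("/wp-login.php", "/wp-admin/post.php")

def parse(log_text):
    """Yield (ip, time, method, path) for each parseable log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when, method, path.split("?")[0]

def write_bursts(log_text, gap=timedelta(minutes=5), min_posts=3):
    """Return (ip, first, last, count) for runs of watched POSTs from one IP
    in which consecutive requests are no more than `gap` apart."""
    by_ip = defaultdict(list)
    for ip, when, method, path in parse(log_text):
        if method == "POST" and path in WATCHED:
            by_ip[ip].append(when)
    bursts = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for i in range(1, len(times) + 1):
            if i == len(times) or times[i] - times[i - 1] > gap:
                if i - start >= min_posts:
                    bursts.append((ip, times[start], times[i - 1], i - start))
                start = i
    return sorted(bursts, key=lambda b: b[1])
```

On the constructed sample, `write_bursts(SAMPLE_LOG)` reports two separate bursts from the same address, while the site owner's own slower login and edit stay below the threshold.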