[wp-hackers] WP security breach-- may be my fault, may not be
Eric A. Meyer
eric at meyerweb.com
Wed May 10 03:30:23 GMT 2006
At 5:42 AM +0100 5/9/06, Roy Schestowitz wrote:
>I hope you have added 207.42.135.122 to your IP deny list. I know I have.
Not yet. I actually want them to try again, so I can see if it's
a password crack or something else. (I've changed the password.)
I'm willing to undertake the effort of cleaning up after another
successful attack if allowing it helps figure out exactly what
happened. So far, no posts have been modified since I cleaned up
after the last two attacks and changed my admin password.
Although if they cracked the admin password, I'd like to know how.
I haven't seen any apparent attempts to brute-force it, and I'm not
sure how it could have been swiped-- and why would someone bother in
the first place? The effort needed to crack a password on a single
blog just doesn't seem worth the payoff.
So here's what I have found, little though it may tell anyone:
http://meyerweb.pastebin.com/708792
That shows all of the instances where there were attempts to access
the WP admin area and the client was redirected to the login page. I
highlighted the two known breakins, but there's a third that wasn't a
breakin but interested me. I highlighted it too-- what drew my
attention was the "Show+Month" bit. So I searched for all instances
of that IP address and came up with:
http://meyerweb.pastebin.com/708795
So if that was a breakin attempt, it failed. I just find it
interesting that there's been more than one attempt to get in that
way. It might be the same person from multiple machines, of course.
I searched my access logs again for all "Show+Month" entries, but
they were all either the original breakins, this new one I show
above, or my own machines.
>There *may* be some backdoor in the handling of
>edit.php?m=MONTH&submit=Show+Month perhaps? I don't know what these
>arguments are intended to achieve. Maybe bad handling of exceptions?
I dunno. That's why I brought it up here, just in case there was
a previously unknown vulnerability.
>This can't do much harm /assuming/ you have not modified much of your code
>(I know Eric Meyer has "hacked WordPress like it was attacking his family").
Actually, not any more. I'm running 1.5 and all the 'hacking' is
now in theme files, or else via plugins I wrote for myself. The core
itself is largely or completely undisturbed. I did a test upgrade to
2.0 on my local server and there weren't any hiccups in terms of the
install running, so I suspect "completely", but it's been a long time
since I upgraded to 1.5 and so I might have forgotten a tweak or two.
>Time-wise, it might be worth going over the changelog for 1.5.3 and, based
>on the log, see if it fixes the problem at hand. It could return to attack
>via proxies and become detrimental. The only real solution is patching.
Unless of course whatever they're doing isn't solved by the latest
version. I'm assuming that all this isn't an obvious example of a
widely known problem with the 1.5x series, though.
--
Eric A. Meyer (eric at meyerweb.com)
Principal, Complex Spiral Consulting http://complexspiral.com/
"CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
"Eric Meyer on CSS," and more http://meyerweb.com/eric/books/
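The log triage described in the message above (list admin-area requests that were bounced to the login page, pull out the `edit.php?m=...&submit=Show+Month` requests, then pivot on each such IP to see everything it did and whether it ever actually got into the admin area) is easy to script. The following is an added example, not code from the original post or from WordPress: the log lines are constructed in Apache combined format using documentation address ranges, the function names are mine, and it assumes that a 302 on a GET into /wp-admin/ is the redirect to wp-login.php, since the combined format does not record the Location header.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format. The fields are fixed, so a regex is adequate.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


class Hit(NamedTuple):
    ip: str
    ts: str
    method: str
    path: str
    query: Dict[str, List[str]]
    status: int
    ua: str


def parse_line(line: str) -> Optional[Hit]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs decodes "+" to a space, so "Show+Month" in the log becomes "Show Month".
    return Hit(ip=m.group("ip"), ts=m.group("ts"), method=m.group("method"),
               path=parts.path, query=parse_qs(parts.query),
               status=int(m.group("status")), ua=m.group("ua"))


def parse_log(text: str) -> List[Hit]:
    return [h for h in (parse_line(l) for l in text.splitlines()) if h is not None]


def admin_login_bounces(hits: List[Hit]) -> List[Hit]:
    """GET requests into /wp-admin/ answered with a 302.

    Assumption: the combined format has no Location header, so a 302 on an
    admin GET is taken to be the redirect to wp-login.php. POSTs are excluded
    because post.php also answers a successful edit with a 302."""
    return [h for h in hits
            if h.method == "GET" and h.path.startswith("/wp-admin/") and h.status == 302]


def show_month_requests(hits: List[Hit]) -> List[Hit]:
    """The edit.php?m=MONTH&submit=Show+Month requests the message singles out."""
    return [h for h in hits
            if h.path.endswith("/wp-admin/edit.php") and h.query.get("submit") == ["Show Month"]]


def investigate(text: str, own_ips: Set[str]) -> Dict[str, dict]:
    """Pivot on every IP that sent a Show+Month request (own machines excluded):
    return its full request history and whether it ever rendered an admin page
    (a 200 on a GET under /wp-admin/), i.e. whether the attempt got past login."""
    hits = parse_log(text)
    suspects = {h.ip for h in show_month_requests(hits)} - set(own_ips)
    report = {}
    for ip in sorted(suspects):
        history = [h for h in hits if h.ip == ip]
        reached = any(h.method == "GET" and h.path.startswith("/wp-admin/") and h.status == 200
                      for h in history)
        report[ip] = {"history": history, "reached_admin": reached}
    return report


# Constructed sample log (documentation address ranges, not real traffic):
# 192.0.2.10 is the blog owner's own machine; 203.0.113.5 logs in and edits a post;
# 198.51.100.7 tries the Show+Month URL directly and is bounced to the login page.
SAMPLE_LOG = """\
192.0.2.10 - - [08/May/2006:21:14:02 +0000] "GET /wp-admin/edit.php?m=200605&submit=Show+Month HTTP/1.1" 200 8812 "http://meyerweb.com/wp-admin/" "Mozilla/5.0"
203.0.113.5 - - [09/May/2006:02:11:45 +0000] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/4.0"
203.0.113.5 - - [09/May/2006:02:11:52 +0000] "POST /wp-login.php HTTP/1.1" 302 - "http://meyerweb.com/wp-login.php" "Mozilla/4.0"
203.0.113.5 - - [09/May/2006:02:12:03 +0000] "GET /wp-admin/edit.php?m=200604&submit=Show+Month HTTP/1.1" 200 9040 "http://meyerweb.com/wp-admin/" "Mozilla/4.0"
203.0.113.5 - - [09/May/2006:02:12:40 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 - "http://meyerweb.com/wp-admin/post.php?action=edit&post=1217" "Mozilla/4.0"
198.51.100.7 - - [09/May/2006:06:30:19 +0000] "GET /wp-admin/edit.php?m=200605&submit=Show+Month HTTP/1.1" 302 - "-" "Mozilla/4.0"
198.51.100.7 - - [09/May/2006:06:30:21 +0000] "GET /wp-login.php HTTP/1.1" 200 1930 "-" "Mozilla/4.0"
198.51.100.9 - - [09/May/2006:07:01:00 +0000] "GET /eric/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, info in investigate(SAMPLE_LOG, own_ips={"192.0.2.10"}).items():
        verdict = "reached admin pages" if info["reached_admin"] else "bounced, never got in"
        print(f"{ip}: {len(info['history'])} requests, {verdict}")
        for h in info["history"]:
            print(f"  {h.ts} {h.method} {h.path} {h.status}")
```

Against the sample, 203.0.113.5 shows up as a suspect that rendered admin pages after its login POST, while 198.51.100.7 only ever got the bounce, which is the "if that was a breakin attempt, it failed" distinction. On a real log, pass the whole access log as `text` and list every address you administer from in `own_ips`.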