
Re: [wp-hackers] WP security breach-- may be my fault, may not be

  • To: wp-hackers@xxxxxxxxxxxxxxxxxxxx
  • Subject: Re: [wp-hackers] WP security breach-- may be my fault, may not be
  • From: Roy Schestowitz <r@xxxxxxxxxxxxxxx>
  • Date: Tue, 09 May 2006 05:42:50 +0100
  • Delivery-date: Tue, 09 May 2006 05:42:52 +0100
  • Envelope-to: s@schestowitz.com
  • In-reply-to: <6901708b0605081749y6d418a2er11ab6a1bbebd40b8@mail.gmail.com>
  • References: <a05210606c0858e1660a9@192.168.1.101> <6901708b0605081749y6d418a2er11ab6a1bbebd40b8@mail.gmail.com>
  • User-agent: Internet Messaging Program (IMP) H3 (4.0.3)
___/ On Tue 09 May 2006 01:49:27 BST, [ Joey B ] wrote : \___

On 5/8/06, Eric A. Meyer <eric@xxxxxxxxxxxx> wrote:
Howdy all,

    Earlier today I got word that I had linkspam showing up in entries
on meyerweb-- they showed up in Bloglines, for example, and also  some
people's aggregators showed recent posts as having been modified.


I didn't notice that over here (just re-checked this to confirm). Oddly,
however, a recent item of yours ("Flummoxed By Frameworks") did now show
up as new, although it *should* have. I am using RSSOwl if that matters.


    It turns out someone went in and added link spam to the post
contents of the most recent 30 or so posts.  Here's an example of one
such post, pulled from my wp-cache files:

    http://meyerweb.pastebin.com/706548

The spam shows up at lines 83-121.  Here's another:

    http://meyerweb.pastebin.com/706585

In that case, the spam is at lines 75-113.

    I was able to remove the spam from meyerweb by manually editing
the post contents for each affected post.  In other words, the spam
content had been added to the DB records-- this is not a wp-cache
problem.  That's just where I was able to harvest copies of the
offending content.  It's also not a comment problem; this stuff is
injected into the actual post_content field.

    The spam always shows up after three or so paragraphs, whether
that means the end of the post or somewhere in the middle, which
feels like the work of a regexp or some other pattern search.  I also
tracked down the activity which stuck the spam into my records.
That's here:

http://meyerweb.pastebin.com/706549


I hope you have added 207.42.135.122 to your IP deny list. I know I have. I
still run a modified copy of Mingus (1.2) on a few sites. Use of an old version
increases the need for caution.

Judging by the patterns, e.g.:

207.42.135.122 - - [08/May/2006:15:24:15 +0000] "GET /eric/thoughts/wp-admin/edit.php?m=200512&submit=Show+Month HTTP/1.1" 200 19104 "http://meyerweb.com/eric/thoughts/wp-admin/post.php?action=edit&post=699" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

207.42.135.122 - - [08/May/2006:15:24:21 +0000] "GET /eric/thoughts/wp-admin/post.php?action=edit&post=698 HTTP/1.1" 200 24473 "http://meyerweb.com/eric/thoughts/wp-admin/edit.php?m=200512&submit=Show+Month" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

There *may* be some backdoor in the handling of
edit.php?m=MONTH&submit=Show+Month perhaps? I don't know what these
arguments are intended to achieve. Maybe bad handling of exceptions?


The pattern of accesses also reminds me of a script.  Note there are
two blocks of changes, temporally speaking.  I'm not anywhere close
to the IP block of the accesses in question; they're in the 207.*
block and I'm a good deal lower than that.

    Now for the details of my WP install: I'm running 1.5, as I really
hate the admin interface of 2.0, even with rich editing turned off.
(If it remembered which of those cute little option boxes to leave
expanded, I'd be a lot happier, but never mind that now.)  I'm
willing to upgrade to fix this, though I'd want to wait at least a
few days to see if the problem happens again.  The only plugins
running that I didn't write myself are Akismet and wp-cache.  The
plugins I wrote are all content modifiers, like ordinalizing numbers
from 1-10, outputting a slightly different monthly calendar, and
turning off auto-formatting of posts (but not comments).  I don't
think any of them could be a doorway, but it's hard to be certain.

    I chatted with the #wordpress folks and nobody there seemed to
know what might be happening, with the only real guess being that
maybe my WP admin password was compromised.  I changed my admin
password after the breaches documented above, and will watch my
access logs to see if there are any more attempts.  I don't know for
sure that my password was compromised, though if there's a log
somewhere that I could check for admin logins, I'll gladly do so.  Is
there?

    Like I said, if this sort of thing is a known problem with 1.5,
I'm willing to upgrade to fix it, much though I may curse the
interface afterward.  If this isn't something that's been seen
before, I thought it was worth bringing to your attention.  Thanks
for any insights.

There's a version 1.5.3 in Beta, I think ( http://www.tamba2.org.uk/T2/archives/2006/03/18/wp-153/ )

If I recall correctly from the little chatter I've heard about it, it
contains some security fixes, and, iirc again, you can get it from SVN
as well.


This can't do much harm /assuming/ you have not modified much of your code
(I know Eric Meyer has "hacked WordPress like it was attacking his family").
Time-wise, it might be worth going over the changelog for 1.5.3 and, based
on the log, seeing whether it fixes the problem at hand. It could return to attack
via proxies and become detrimental. The only real solution is patching.

With kind regards,

Roy

--
Roy S. Schestowitz
http://Schestowitz.com  |  GNU is Not UNIX  ¦     PGP-Key: 0x74572E8E
 5:35am  up 11 days 12:32,  8 users,  load average: 0.85, 0.74, 0.77
     http://iuron.com - proposing a non-profit search engine
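The access-log excerpt quoted in this thread is the only record Eric has of how the posts were touched, and the pattern he describes (a script walking through the editor for 30 or so posts in two bursts) is something that can be pulled out of an ordinary Apache combined log mechanically. The following is an added example, not code from the thread or from WordPress: it parses combined-format lines, picks out requests that open the post editor (`wp-admin/post.php?action=edit&post=N`) and flags any client IP that opens the editor on more than a handful of distinct posts inside a short window. The first two sample entries are the two lines quoted above, rejoined onto single lines; the remaining entries, the `10.0.0.5` address and the thresholds are constructed for the demonstration and are assumptions, not data from the breach.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Apache "combined" log format, as in the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
BASE = "/eric/thoughts/wp-admin"

# Sample log: entries 0 and 1 are the ones quoted in the thread; the rest are
# constructed (attacker IP from the thread continuing down the post list, plus a
# constructed legitimate editor at 10.0.0.5 touching only two posts).
SAMPLE_LOG = [
    f'207.42.135.122 - - [08/May/2006:15:24:15 +0000] "GET {BASE}/edit.php?m=200512&submit=Show+Month HTTP/1.1" 200 19104 "http://meyerweb.com{BASE}/post.php?action=edit&post=699" "{UA}"',
    f'207.42.135.122 - - [08/May/2006:15:24:21 +0000] "GET {BASE}/post.php?action=edit&post=698 HTTP/1.1" 200 24473 "http://meyerweb.com{BASE}/edit.php?m=200512&submit=Show+Month" "{UA}"',
    f'207.42.135.122 - - [08/May/2006:15:24:33 +0000] "GET {BASE}/post.php?action=edit&post=697 HTTP/1.1" 200 24201 "-" "{UA}"',
    f'207.42.135.122 - - [08/May/2006:15:24:41 +0000] "GET {BASE}/post.php?action=edit&post=696 HTTP/1.1" 200 23988 "-" "{UA}"',
    f'207.42.135.122 - - [08/May/2006:15:24:52 +0000] "GET {BASE}/post.php?action=edit&post=695 HTTP/1.1" 200 24510 "-" "{UA}"',
    f'207.42.135.122 - - [08/May/2006:15:25:03 +0000] "GET {BASE}/post.php?action=edit&post=694 HTTP/1.1" 200 24077 "-" "{UA}"',
    f'207.42.135.122 - - [08/May/2006:15:25:10 +0000] "GET {BASE}/post.php?action=edit&post=693 HTTP/1.1" 200 24312 "-" "{UA}"',
    f'10.0.0.5 - - [08/May/2006:16:02:09 +0000] "GET {BASE}/post.php?action=edit&post=700 HTTP/1.1" 200 25001 "-" "{UA}"',
    f'10.0.0.5 - - [08/May/2006:16:40:55 +0000] "GET {BASE}/post.php?action=edit&post=701 HTTP/1.1" 200 24880 "-" "{UA}"',
    'this line is deliberately malformed and must be skipped',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # "08/May/2006:15:24:15 +0000" -> aware datetime
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def post_id(path):
    """Return the post number for a wp-admin post.php?action=edit&post=N request, else None."""
    parts = urlparse(path)
    if not parts.path.endswith("/wp-admin/post.php"):
        return None
    params = parse_qs(parts.query)
    if params.get("action") != ["edit"] or "post" not in params:
        return None
    try:
        return int(params["post"][0])
    except ValueError:
        return None


def flag_bulk_editors(lines, max_posts=5, window_seconds=600):
    """Map client IP -> sorted list of every post it opened in the editor, for IPs
    that opened more than max_posts distinct posts within any window_seconds span."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the scan
        pid = post_id(rec["path"])
        if pid is None:
            continue
        by_ip[rec["ip"]].append((rec["ts"], pid))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, pid in events[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                seen.add(pid)
            if len(seen) > max_posts:
                flagged[ip] = sorted({p for _, p in events})
                break
    return flagged


if __name__ == "__main__":
    for ip, posts in flag_bulk_editors(SAMPLE_LOG).items():
        print(f"{ip}: opened editor on {len(posts)} posts: {posts}")
```

Opening the edit form is only the first half of the activity; the request that actually rewrites `post_content` is the POST back to `post.php`, so on a real log the same grouping should also be run over POST requests (the form body is not logged, but the client, timing and status code are). Thresholds are a judgement call for the site: a single author legitimately reopening two or three posts in an afternoon should not trip the check, while a run of thirty distinct posts in a couple of minutes from one address is the shape of the activity described in the thread.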

