Comments on: This hijacking is getting stupid!

By: ScottK

ScottK — Tue, 06 May 2008 23:46:13 +0000

@CR Dick, here is the listing of events on how I figured it out.

1. Alerted by mouseclone
2. Verified an iframe was within the textual source code of the web page via view source, and not a page debugger.
3. Checked the post in question, I checked it in the Wordpress post editor in code tab (This is what pissed me off, see below)
4. Having not found the iframe in the code view of the wordpress editor I checked the raw database outside of anything web or wordpress. Sure enough it was there.

So that means many Wordpress sites can be affested but not detected unless viewing the source, or checking the raw results of the database. This blog is version 2.3 and my newest blog is v 2.5 but not really popular enough to “suffer” the attacks.

Now just for an update to this story. The abuse email is invalid and returns user not found. About the time of the database injection a major break of Internet Information Servers from China was implemented.

the JavaScript archetecture of the attacks smells like what may have happened here. I was not able to find a breached IIS server to verify the JavaScript though.

To answer your question, this was a complete breach of admin security that allowed an existing post to be updated in the database. Not a third party widget or template that manipulated the DOM. I’ve always enjoyed Wordpress but it’s getting to the point that even I am thinking of just writing my own software and locking it down hard.

By: CR Dick

CR Dick — Tue, 06 May 2008 22:17:35 +0000

I am seriously seriously considering migrating my “mixed bag” blog on blogspot to wordpress and breaking it out into targeted category blogs. However I’ve had rumors that 2.5 isn’t entirely secure. This seemed like all they wanted to do was hack some pointers to theirself into your blog, but they could do a lot worse if they can do that. Even Scott Kveton (who is extremely knowledgeable) had his wordpress hacked.

People use words like iframe and injection rather liberally without really knowing what it is. Are you saying you had an iframe in a template which was fed by some external code blurp and the external code blurp had turned into something bad in the database? Do you know at what level this occurred. Was it a database row containing site blurps?

By: Chelle

Chelle — Wed, 23 Apr 2008 02:49:14 +0000

I would not even know where to begin on something like that! I have heard a lot of people are putting this stuff in themes if you download them from various sites instead of the actual theme creators…I’ve also heard it helps to change your “file attributes” - certain numbers put you at risk somehow? I don’t really understand it and unfortunately can’t find the useful how-to I originally read about it on Codex…I can change mine using Filezilla, not sure if that works for everyone though. Please let us know if you figure it out!!

By: ScottK

ScottK — Sun, 20 Apr 2008 11:55:03 +0000

@Rina, the first time this happened was only a month ago but not with iframe. If you’re on 2.5 and I’m on 2.3 then it appears to be a new security vulnerability in the Wordpress core that has just been discovered.

By: diary of a mad woman » Last Chances

diary of a mad woman » Last Chances — Sun, 20 Apr 2008 04:55:46 +0000

[...] I’ve had to clear out every last post because of yet another ridiculous iframe hack. This isn’t the worst thing in the world, but the hacks are getting ridiculous here. [...]

By: Rina

Rina — Sun, 20 Apr 2008 03:02:27 +0000

Oh, darn, belatedly… I meant to add that I AM using 2.5, and I know that the hijack wasn’t there when I upgraded, so I don’t think the version is so much the culprit THIS time. That said, can’t say 2.3 was any safer, either.

By: Rina

Rina — Sun, 20 Apr 2008 03:00:55 +0000

Oddly enough, I just now started noticing the same IP address showing up on my statusbar — retrieving data, it seems. Thank you for making a post, it helped me locate the issue.

This is actually the THIRD time I’ve been hacked in such a manner (also using Wordpress, newest version) and I’m getting frustrated enough to move the whole dang thing to Blogspot or something equally as drastic.

Anyway, cheers and thanks again!

By: Mouseclone

Mouseclone — Sat, 19 Apr 2008 20:41:10 +0000

I’m happy that you were able to get this solved. I don’t run a virus scanner at home, so if I had visited your site while at home I would have never found it. The reason I don’t run a scanner at home is because I run Linux and 90% of the viruses out there are written for windows. Guess I need to get the Linux version of NOD32, it hasn’t let me down yet, as far as I can tell.