Unauthorized postings

I would be bringing this up with your host as well as here. For what it’s worth, of the tens of thousands of WordPress blogs installed over the past couple of years, I believe this is the first time I’ve heard of this. There is no documentation for this “vulnerability” because this has never been reported before, to the best of my knowledge.

Others will post with their ideas and comments soon, but to simply dump WordPress without pursuing all angles is not the answer. Like I said, report this to your host, and help us help you find an answer to this so that if indeed a vulnerability exists, we can get it patched ASAP.

WP has no such vulnerability for this event. WP, out of the box, is secure and as has been repeated here before, the weakest link in your blog security are your blog / ftp / cpanel passwords.
You say that your pw is a complicated string ? You have changed ALL your passwords today ?

I don’t recall any such issue before where it has been shown that an unknown person has got through the inherent security other than already knowing your password.
Be aware though that attacking any password system – whether you are NASA or Blogger – is always a possibility.

For now, I would ensure that new users cannot register, that the file ‘wp-register.php’ is deleted and that you alter your password to a truly random 16 multiple character sequence.

The password managers below are al highly recommended and are freeware.

AnyPassword:
https://www.romanlab.com/apw/

Oubliette:
https://www.tranglos.com/free/oubliette.html

PINS:
https://www.mirekw.com/winfreeware/pins.html

More importantly, did they ACTUALLY post as you? Is it the name field that happens to be your name, or does the actual comment come from your account? Duplicating a name is easy after all. Coming from your account would in fact mean they have your password generally — I don’t know of any other vulnerability.

If you get a bunch of bad comments, I can take a look at the actual comment data and try to see if it ‘says’ anything…

-d

Hmm. Seems I’m not the only one https://www.ads-software.com/support/topic.php?id=26532. My host is currently trying to track down what happened. Not trying to yell FIRE but taking a peek at the raw access logs and it looks to this untrained eyed like someone was able to access the wordpress directory and managed to gleen a password?

Any of this make sense to anyone? The same IP first pulled the whole /wp directory then I see this about 25 time in a row then the same (three requests) for the wp-admin.php file

[07/Mar/2005:00:54:11 -0500] “GET /wp/wp-pass.php HTTP/1.1” 302 5 “-“
“Java/1.4.2_04”

4 minutes later is the time stamp of the first of 15 spam posts, with no requests in between… I just want to find out what happened so I can plug the hole.

cross posted at:
https://www.ads-software.com/support/topic.php?id=26532

This is obviously something a dev needs to look at — they’ll likely need your logs, and more details on specifically what was done.

podz, you want to forward along (you seem to get quick responses from the dev team)?

-d

I’m beginning to wondering now if it could be as simple as a permissions thing… i.e. the famous 5 minute install for 1.5 (Fantastico did it for me…) does not set the right permissions, thus allowing unauthorized write/execute access. To a new untrained user (like me!) this could be a bad thing. Unfortunately, I can’t confirm or deny as I already went in and reset permissions.

Just a thought.

Just a couple of followups here for that the record and then it’s g’night.

podz writes:
“WP has no such vulnerability for this event.”

I might caution that rather bold claim. 1.5 is a brand new release. Weirdness happens. One thing I do understand are random passwords. Thanks for the links though.

david writes “More importantly, did they ACTUALLY post as you? Is it the name field that happens to be your name, or does the actual comment come from your account?”

They were actual posts and not comments. And they posted from my primary user account (MJ). They also (again) created a new user (with a blank name), I am unsure of what level access, as I nuked it in my anger and haste without thinking about a trail. They had not yet made any posts from that [blank] name account.

Basically, they had free reign. It’s disconcerting to say the least. Thanks all for your understanding and patience as we figure out what went wrong.

I think I may have figured out part of what happened. Could one of you support mavens who’s posted here PLEASE drop me an email? I don’t want to post the info here until I know for sure I am right.

Thanks – MJ
[email protected]

Email sent.