• I apologize in advance if this has been addressed somewhere else in this forum. Unfortunately the only relevant link I found when I did a search here was broken (https://www.ads-software.com/support/19285).

    I switched from MT to WordPress 1.5 last week and in less than 24 hours I was hit with 15 unauthorized live posts, all spam ads. I thought I had found the problem (allow anyone to register toggle option?) and they had created a new user but apparently not.

    I woke up this morning to another 15 unauthorized posts, all spam ads, only this time they used MY user name to post. I find it hard to believe that somehow someone figured out my login password as it’s a complicated random string of letters and numbers.

    I’ve deleted all of the posts (except one, converted to draft) but I have to find out what’s going on asap or I am dumping wordpress this afternoon. Which is too bad, I was starting to really like it. What is going on? How is someone getting in to my blog?

    This is an unacceptable vulnerability and the lack of documentation for the non-php expert is very frustrating.

    Any help would be appreciated.

Viewing 9 replies - 1 through 9 (of 9 total)
  • I would be bringing this up with your host as well as here. For what it’s worth, of the tens of thousands of WordPress blogs installed over the past couple of years, I believe this is the first time I’ve heard of this. There is no documentation for this “vulnerability” because this has never been reported before, to the best of my knowledge.

    Others will post with their ideas and comments soon, but to simply dump WordPress without pursuing all angles is not the answer. Like I said, report this to your host, and help us help you find an answer to this so that if indeed a vulnerability exists, we can get it patched ASAP.

    WP has no such vulnerability for this event. WP, out of the box, is secure and as has been repeated here before, the weakest link in your blog security is your blog / ftp / cpanel passwords.
    You say that your pw is a complicated string? You have changed ALL your passwords today?

    I don’t recall any such issue before where it has been shown that an unknown person has got through the inherent security other than already knowing your password.
    Be aware though that attacking any password system – whether you are NASA or Blogger – is always a possibility.

    For now, I would ensure that new users cannot register, that the file ‘wp-register.php’ is deleted and that you alter your password to a truly random 16 multiple character sequence.

    The password managers below are all highly recommended and are freeware.

    AnyPassword:
    https://www.romanlab.com/apw/

    Oubliette:
    https://www.tranglos.com/free/oubliette.html

    PINS:
    https://www.mirekw.com/winfreeware/pins.html

    More importantly, did they ACTUALLY post as you? Is it the name field that happens to be your name, or does the actual comment come from your account? Duplicating a name is easy after all. Coming from your account would in fact mean they have your password generally — I don’t know of any other vulnerability.

    If you get a bunch of bad comments, I can take a look at the actual comment data and try to see if it ‘says’ anything…

    -d

    Thread Starter MJ

    (@mj)

    Hmm. Seems I’m not the only one https://www.ads-software.com/support/topic.php?id=26532. My host is currently trying to track down what happened. Not trying to yell FIRE but taking a peek at the raw access logs and it looks to this untrained eye like someone was able to access the wordpress directory and managed to glean a password?

    Any of this make sense to anyone? The same IP first pulled the whole /wp directory then I see this about 25 times in a row then the same (three requests) for the wp-admin.php file

    [07/Mar/2005:00:54:11 -0500] "GET /wp/wp-pass.php HTTP/1.1" 302 5 "-" "Java/1.4.2_04"

    4 minutes later is the time stamp of the first of 15 spam posts, with no requests in between… I just want to find out what happened so I can plug the hole.

    cross posted at:
    https://www.ads-software.com/support/topic.php?id=26532
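    The pattern MJ describes (one address fetching the /wp directory, then hitting wp-pass.php dozens of times in a row with a Java user agent, minutes before the spam posts appear) is exactly what a simple per-source summary of the raw access log surfaces. The script below is an added illustration, not code from the thread or from WordPress: it parses Apache combined-format lines, tallies requests per client address, and flags sources that repeatedly hit the login/password scripts or identify as a non-browser client. The log lines it runs over are constructed for the example (documentation-range addresses, timestamps modelled on the one line quoted above); the WATCHED list and the threshold of five are assumptions you would tune for your own site.

```python
import re
from collections import defaultdict

# Apache/NCSA "combined" log format: client IP, identity, user, timestamp,
# request line, status, response size, referer, user agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Scripts whose repeated hits from a single source deserve a second look
# (assumed list; extend it for your own install).
WATCHED = ("/wp-pass.php", "/wp-login.php", "/wp-register.php")


def build_sample_lines():
    """Constructed sample log: one scripted client hammering wp-pass.php
    (modelled on the single line quoted in the thread) plus one ordinary
    browser visit. Addresses come from documentation ranges, not real hosts."""
    lines = [
        '203.0.113.9 - - [07/Mar/2005:00:50:02 -0500] "GET /wp/ HTTP/1.1" 200 8123 "-" "Java/1.4.2_04"',
        '203.0.113.9 - - [07/Mar/2005:00:50:03 -0500] "GET /wp/wp-login.php HTTP/1.1" 200 2211 "-" "Java/1.4.2_04"',
    ]
    for i in range(25):
        lines.append(
            f'203.0.113.9 - - [07/Mar/2005:00:54:{11 + i:02d} -0500] '
            f'"GET /wp/wp-pass.php HTTP/1.1" 302 5 "-" "Java/1.4.2_04"'
        )
    lines.append(
        '198.51.100.20 - - [07/Mar/2005:00:55:00 -0500] "GET /wp/wp-login.php HTTP/1.1" 200 2211 '
        '"http://example.com/" "Mozilla/5.0 (Windows NT 5.1) Firefox/1.0"'
    )
    return lines


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines, watched_paths=WATCHED):
    """Tally requests per client address: total hits, hits on watched scripts,
    the set of user agents seen, and the watched paths in order."""
    per_ip = defaultdict(lambda: {"total": 0, "watched": 0, "agents": set(), "paths": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines the regex does not recognise
        entry = per_ip[rec["ip"]]
        entry["total"] += 1
        entry["agents"].add(rec["ua"])
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if any(path.endswith(w) for w in watched_paths):
            entry["watched"] += 1
            entry["paths"].append(path)
    return per_ip


def flag_sources(per_ip, threshold=5):
    """Return {ip: [reasons]} for sources worth investigating: many hits on the
    watched scripts, or a user agent that does not look like a browser."""
    flagged = {}
    for ip, e in per_ip.items():
        reasons = []
        if e["watched"] >= threshold:
            reasons.append(f"{e['watched']} requests to login/password scripts")
        if any(not ua.startswith("Mozilla") for ua in e["agents"]):
            reasons.append("non-browser user agent: " + ", ".join(sorted(e["agents"])))
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    report = flag_sources(summarize(build_sample_lines()))
    for ip, reasons in report.items():
        print(ip)
        for r in reasons:
            print("   ", r)
```

    Run against a real access_log, replace build_sample_lines() with the file's lines and look first at the flagged addresses whose watched-script hits cluster just before the first unauthorized post; the timestamps on those hits are what your host will need to correlate with their own records.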

    This is obviously something a dev needs to look at — they’ll likely need your logs, and more details on specifically what was done.

    podz, you want to forward along (you seem to get quick responses from the dev team)?

    -d

    Thread Starter MJ

    (@mj)

    I’m beginning to wonder now if it could be as simple as a permissions thing… i.e. the famous 5 minute install for 1.5 (Fantastico did it for me…) does not set the right permissions, thus allowing unauthorized write/execute access. To a new untrained user (like me!) this could be a bad thing. Unfortunately, I can’t confirm or deny as I already went in and reset permissions.

    Just a thought.
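    MJ's permissions theory can be checked rather than guessed at: walk the install and list everything whose mode grants write access to "other". The script below is an added example, not code from the thread or from WordPress; it builds a small constructed directory tree standing in for a fresh install (two entries deliberately left world-writable) and reports what a defender should tighten. The file names are ordinary WordPress ones, but the tree and its modes are made up for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def world_writable_paths(root):
    """Return paths (relative to root) whose mode lets any local user write to
    them. Symlinks are skipped so the check reports the install itself."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            if os.lstat(full).st_mode & stat.S_IWOTH:
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample install in a temp dir: wp-config.php left 0666 and
    wp-content/uploads left 0777, everything else at the usual 644/755."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-admin"))
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    for rel, mode in [("index.php", 0o644), ("wp-config.php", 0o666), ("wp-admin/admin.php", 0o644)]:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "wp-admin"), 0o755)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for rel in world_writable_paths(root):
            print("world-writable:", rel)
    finally:
        shutil.rmtree(root)
```

    On a real host point world_writable_paths at the WordPress directory. The common baseline of 644 for files and 755 for directories (owned by your own account, not the web server's) is the assumption behind the sample tree; a world-writable wp-config.php or upload directory on a shared host is the kind of thing that lets another tenant alter your install without ever touching your password.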

    Thread Starter MJ

    (@mj)

    Just a couple of followups here for the record and then it’s g’night.

    podz writes:
    “WP has no such vulnerability for this event.”

    I might caution that rather bold claim. 1.5 is a brand new release. Weirdness happens. One thing I do understand are random passwords. Thanks for the links though.

    david writes “More importantly, did they ACTUALLY post as you? Is it the name field that happens to be your name, or does the actual comment come from your account?”

    They were actual posts and not comments. And they posted from my primary user account (MJ). They also (again) created a new user (with a blank name), I am unsure of what level access, as I nuked it in my anger and haste without thinking about a trail. They had not yet made any posts from that [blank] name account.

    Basically, they had free rein. It’s disconcerting to say the least. Thanks all for your understanding and patience as we figure out what went wrong.

    Thread Starter MJ

    (@mj)

    I think I may have figured out part of what happened. Could one of you support mavens who’s posted here PLEASE drop me an email? I don’t want to post the info here until I know for sure I am right.

    Thanks – MJ
    [email protected]

    Email sent.

  • The topic ‘Unauthorized postings’ is closed to new replies.