Successful WordPress Hack

Are you sure you aren’t misinterpreting the issue being presented? From what I can tell (in that short series of posts), it is likely that Google Reader simply sometimes exposes the spam links on some blogs that have already been compromised. You can do the same thing by just viewing the source code on any compromised site. I don’t think that would indicate that WordPress should collaborate with Firefox, IE(M$), Safari, and other browser developers because their browsers are capable of revealing hidden spam links on compromised WordPress sites.

The thread explores a very successful WordPress hack that places spam in Google Reader.

I suspect you are seeing the results of more than one successful compromise. These are just some people who’s attention was drawn to the matter via Google Reader. You may also find that the sites being hacked are more likely the victim of owner/admin oversight or failing to police site and server security issues and third party risks. I don’t think there is a hack(s) placing spam in Google Reader. Google Reader just sometimes sees the spam already placed on a corrupted site. -And those hacks aren’t exclusive to WordPress.

From your last post on the subject:

The thread describes how my own and others’ blogs have been successfully hacked

I don’t think anything in that discussion does that at all. I think you are simply witnessing a group of individuals who have been compromised, trying to figure out how it happened, and how to fix it.

Unless I missed something during reading, I think the only thing those folks have in common is:

A) They all have a site that was hacked for some reason, and

B) They discovered it while using Google Reader. I would be very interested to see if there was something more to it than that.

Best wishes.

Thanks for replying, Clayton. Your perspective is help to me. I’m a non-tech customer of WordPress, and what I do notice is that along with the A and B that you’ve listed, there’s a C, which is that everyone on this Google Reader Help Group thread seems to be dealing with a WordPress installation. Coincidental? I have no idea. It may indeed be that it’s a third party deal, or site security problem, or personal error, but it would be great to be able to get some help, or at least a response from someone at WordPress directly — that is my meaning in asking for collaboration, not collaboration with browser or aggregator developers. Because I cannot tell how/why I was hacked, I don’t know how to prevent it from happening, nor can I tell whether or not this is a specific WordPress vulnerability. But I am a WordPress customer. They are my supplier and I guess I would like them to consider how best to help their customers — or be in conversation with them when things like this happen, whether or not they caused the problem; and if there is a specific vulnerability, well, simply to fix it, so we can all move on.

Thanks again, for your help — it has helped me clarify my request.

Best regards

Your C is actually the same as Clayton’s A, you understand. “They all have a [WordPress] site that was hacked”. The Wordpres was understood, you see ??

And, yes, they were hacked, some from bad plugins, others from probably server security issues. Hacks happen. And the folks behind the curtain at WP do their best to plug holes when found, but if people don’t take proper precautions with regards to server security … That’d be like blaming Microsoft for your PC being stolen because you left your front door open.

See: https://codex.www.ads-software.com/Hardening_WordPress

Also I should point out that self-hosted WordPress means that you are your own tech support. If you don’t know how to do it, you either learn, or you hire someone (or pay a friend in cookies/beer). WP is free and use at your own risk. You’re not actually their ‘customer’ but their user. ??

Ipstenu, thanks for your comment, too. I do have a different perspective about customers, suppliers, and users. I do believe any company — whether it’s giving away a product/service or asking people to pay for it — has some obligation to the people who use it. We might disagree in this case where that line is to be drawn. WordPress is too big, I believe, to warrant the “use at your own risk, particularly if you get hacked,” philosophy you have identified, nor do I see any place where this philosophy is actually espoused by www.ads-software.com. I think if they did, they’d turn away many people.

There also seems to be an assumption in what you’ve written that what happened to me and others was purely because of a personal or site security issue. I have no way of knowing this. Do you? Do you know for sure this is not a WordPress issue or that there is something to be learned by WordPress folks by examining the hack? If so, how do you know this?

My perspective is not a critique of WordPress, per se; it’s a request, that’s all. I’m absolutely sure the folks at WordPress are doing their very best, and I have no criticism of them, no blame. I point to this request as a service to myself and others who are also in my situation. If that causes some questioning of assumptions — on either side — that’s a good thing, particularly if it leads to an exchange. As they say, “a market is a conversation.” Thanks again.

Best regards

There also seems to be an assumption in what you’ve written that what happened to me and others was purely because of a personal or site security issue. I have no way of knowing this. Do you? Do you know for sure this is not a WordPress issue or that there is something to be learned by WordPress folks by examining the hack? If so, how do you know this?

Experience, research and the fact I am a nerdy tech sort.

Search the rest of the net, search here, search the rest of google groups. 9 times out of 10, a ‘hack’ is from bad security on your site or some cretin’s idea of jollies in a theme or a plugin that you (the user, not you specifically) downloaded and installed. Now, there is a chance that this is a ‘real’ hack, but the odds are against it. I did (and do) the research on this often enough, since I work in both IT software and security (paying gig) and I run many sites using WP and other Automatic products. As a webhost, I feel it’s my responsibility to keep up on security issues, and after 10 years of that, I feel fairly confident that I know when someone has found a real vulnerability in the core product itself, and when someone has accidentally compromised their personal site security.

Based on the thread you linked to, which I did read in full, I came to the conclusion that the most likely culprit was the r57shell script, which someone uploaded as wp-xmlrpc.php. The hacker was clever. That’s a NEARLY legit file name for WP and the casual user would never notice. BUT the file should be xmlrpc.php and it should be in your root blog directory, nowhere else.

Most likely options are these:

1. There’s a vulnerability in the actual xmlrpc.php file that permitted uploading the bad file (which if so, WordPress has shown, in the past, fast response on those issues)
2. There’s a server permission vulnerability.

That Google thread may look like a lot of people complaining about a similar problem but it’s a drop in the ocean. There’s only one post on these forums about it.

Conclusion: Site security is at fault, rather than WP itself.

Wow, thanks Ipstenu. I appreciate your credentials and the logic path you’ve expressed. Following the Google Reader Help Group Thread I checked out the wp_options file in the data-base and found exactly the same nonsense code mentioned by “Today I Read Something,” Chris Merlo, and Keith W. I did delete the nonsense code which Chris discovered contains backward php and I have changed out all my plugins, so I’m not experiencing the problem in Google Reader anymore, but I am concerned about the fact that no one has yet identified how the bad stuff got in. Could that be related to the r57shell script issue you mentioned? I’ll certainly take up the security issue with my host eventhough I do my very best to keep up on all new WP versions and also maintain recommended permissions. Thanks for your help and insight, and willingness to spend your time being of assistance!

Many best wishes…

It’s kind of discouraging to read someone come straight to the conclusion that it’s user error and there’s possibly nothing wrong at all with WP, but whatever, I know how that works.

The question remains though, how did this happen in the first place?

Would it have been a security issue with an already installed plugin or WP itself? I had not recently installed anything new on my site when it started happening.

I’ve deleted the offending code and deleted a “WordPress” user that was somehow created, but still have not found any odd files. I think my best option from here is to just backup all my posts and do clean install of WP.

I’ve deleted the offending code and deleted a “WordPress” user that was somehow created …

Unfortunately, you just tipped your hand bucky. That’s an OLD hack — a VERY old hack, so that means your site was compromised months ago and you didnt know it — OR youve been running that VERY old version of wordpress that was the chosen victim of that very old hack until recently.

In either case, that’s a prime example of ‘user error’.

Feel free to prove me wrong.

Yes, I might be a little masochistic today.

https://www.ads-software.com/support/topic/290787?replies=5

I’m slowly…. walking… away. I should have learned many years ago to always stay updated with software and stop being lazy. Thanks everyone!

meh, its not a google reader hack .. its resultant code that checks the user-agent, and displays the links if google reader is the user-agent, and prolly a few other u-a’s, as well.

similar to the “I see spam links” in my google cache problems that go around.

bucky, I looked at your google cache last night, btw.. you really were not that far behind on upgrades — if I remme correctly, google had you at 2.6.x in april (I dont reme the date).

that doesnt sound too far off the mark — but then, I didnt go confirm that with any of the release dates, and im sleepy..

the wordpress user hack is older than THAT version — it dates back to somewhere in the 2.2 range.

have you been a wordpress user for that long?

I had a client experience this problem not too long ago and two things stood out: 1) there was no wp-xmlrpc.php file; and 2) the blog *started* with WP 2.7.x (currently 2.8.x).

Two user accounts created (WordPress and one based on the admin’s Nice Name), hidden PHP code within the rss_XXXX table and internal_link_cache table, and hidden plugin files created/activated.

There were only three plugins uploaded: Akismet, Hello Dolly (both of which are bundled), and Subscribe to Comments. And the theme was default.

That said, if it’s an old hack, it might have a new spin. My 2 cents.