WordpresZ 2.6.4

I’m in the same boat, looking at it now.

Some screenshots of the problem and a little investigation so far:

https://www.craigmurphy.com/blog/?p=874

Rgs
–Craig

Curious. I don’t get this update notification. I see if I can find the files and do a diff…

Yup.

wp-includes/pluggable.php has extra lines in it that appear to call a script on that site to ‘do stuff’ with your cookies if you have more than 5 users…

https://us.php.net/file_get_contents

Are they hoping to luck into an admin account on a large site?

@camurphy,

<meta name=”generator” content=”WordPress 2.5.1″ />

wp-includes/pluggable.php….
…’do stuff’ with your cookies…

Well, there is this…

https://www.securityfocus.com/archive/1/490887/30/0/threaded

Might be worth a read. Just one of many possibilities, mind you.

Vulnerable scripts
==================
“wp-include/pluggable.php
function wp_validate_auth_cookie($cookie)”

How do you like that? Plain as day. www.ads-software.com frontpage and download area is being spoofed at wordpresz.org. I just came from there. That takes some kinda’ nuts. (appears to be aimed directly at users who still use 2.5)

ballsy, sure. but you know what they say about ppl that dont upgrade. ??

ssshhh… you’ll let the cat out! ??

actually, thats pretty slick, i wanna grab that zip and peek inside.

inquiring minds wanna know, and besides maybe ill have s’mthing to blog about besides politics. ??

Heh, I can imagine what us “non-upgraders” get called ??

Sophos have picked up on this as Troj/WPHack-A:

https://www.craigmurphy.com/blog/?p=881

That’s interesting. How would they have managed to make a fake upgrade notification? Is the WP feed for the dashboard hacked, are the 2.5.1 users hacked? There’s nothing fishy in my 2.6.3, but I can understand that some people would fall for the notification if it does appear on their dashboard.

yeah and sophos blows. its NOT a windows hack, and their software cant remove it unless you **happen** to scan a windows server — and 99.99999% of IIS servers arent runnning any AV — theyre too memory intensive.

you asked the correct question, Gangleri, how is getting into the earlier install’s dashboard… The goal is to prevent that from happening first.

Rrright, Whoo, I don’t understand the first paragraphy of what you wrote ?? Nonetheless, it’s a dangerous thing when somehow people can edit the dashboard indeed!

Roy

well, they would need to be able to edit files, or upload malicious one(s), as far as I can tell.

CAMURPHY, did you save your wp-admin/index.php from when that was occurring? If so, whats on lines 112-118?

Did you save a copy of the WordPress installation that was causing this false notification? I’d like to know how exactly they’re doing it.

Because it seems to me that if they were able to insert malicious code into your site in the first place, then they could have totally owned you, no need to make you do a fake upgrade.

I’m trying to see the point, basically. How could they make a false notification on your system? DNS spoofing?

I’m not technical enough to add anything worthfull to the discussion, but when I look at the image in the Graig Murphy article, I would say that the attackers somehow intercepted the WP feeds/notifications (you can see both a dashboard widget saying something AND there is an update notification). The big question is of course: why only in 2.5.1?

Roy

The update notification says 2.6.3, so that may have been legit. I suspect they just replaced the feed thing somehow.

That feed comes from https://planet.www.ads-software.com/ normally. Dunno how they would have changed it. A malicious plugin or theme could do it, admittedly.