mosco

Thanks! I found the problem comment, it had 4 entries in the wp_commentmeta table, two for the error and two that looked like normal akismet entries. I delete the two error entries and it seems good now.

We have the same problem with 2.5.1 on wordpress 3.0.4 but only on one blog, all the other blogs on the same server (4 of them) don’t have a problem. So that’s weird because all these blogs are running the same wordpress and akismet plugin versions.

It continually says “Akismet has detected a problem. A server or network problem prevented Akismet from checking 1 comment.” the 4 other blogs are handling comments fine, and all these blogs including the one displaying the error are receiving comments.

Is there a way to know which comment is creating the problem?

not sure if that’s exactly what’s affecting you but if you are using iis’s fastcgi for php with the wincache extension (which you should it’s blazing fast), it has a bug in the current wincache that makes it impossible to upgrade plugins (or wordpress itself) from the wordpress admin pages. You have to do the upgrades on the server by replacing the files. If you try upgrading from the wordpress admin your plugin folders may become inaccessible (iisreset will fix this.)
To see if you’re using wincache check for extension=php_wincache.dll in your php.ini

No, not if they’re inactive, they should have no impact. Not sure what else it could be, sorry.

halina23: try disabling some of your plugins, it could be one of your plugins that needs to be upgraded or is incompatible with the latest wordpress.

check what plugins you have installed (especially if it’s one for the admin pages), maybe one of them in incompatible or also needs to be upgraded.
to disable a plugin just remove its folder from the plugin directory

We got a wordpress 2.9.2 hacked about a month ago, not sure exactly how they got in, but I assume it’s due to a security hole in that older version. I don’t know how much the code base changed from 2.9.x to 3.x but I assume a lot of code stayed, so it’s quite likely a 3.x vulnerability is also present in 2.9.

wordpress is being targeted a lot by hackers to install code that will redirect visitors of an infected wordpress blog to another site (porn, fake anti-virus alert, etc..), usually the end result is your users may end up getting a virus, and your site will most likely get flagged as a source of malware/viruses. If that happens your traffic will drop significantly if you depend on google search results (since google will warn everyone to stay away from you blog until you fix it).

Also if you get hacked, you will spend ten times as long fixing it and making sure there are no backdoors left, then it would take you to do the update now.

bottom line: it’s definitely worth the (small) effort to upgrade. I manage a number of wordpress installs and know a bunch of other wordpress admin, we’ve seen an increasing number of wordpress installs hacked in the last 6 months.

It’s great that wordpress stays on top of updating, but I am getting concerned at the number of vulnerabilities and security updates. WordPress should put more effort in testing the software before it’s released or it will earn a reputation for being insecure.

There was a backdoor, we found it hidden in a plugin. And it was installed during the previous hack (when the wordpress version had known vulnerabilities) we had missed it. So it’s not a wordpress problem with the latest version.

Yes, thanks for the links, but I am familiar with all the steps. I’ve seen several other hacks before and I know what to look for and how to clean up. That’s why with this one so far it’s very strange that it keeps coming back.

But one thing is clear it is coming in through wordpress (the server itself is not compromised) and so far we can’t find any modified wordpress files or any out of place code. So it looks a lot like there is maybe a zero day hack in wordress.

I could be wrong obviously, and if we’re the only ones getting hit then most likely we haven’t cleaned up properly or we have a vulnerable plugin. So I am still looking into that too.

We are getting hit again, with latest clean install of wordpress 3.0.3
exact same symptoms as last time, the url of the hack changed just slightly, but it’s clearly the same hack

could be a plugin, or after they hacked you they might have left behind a hack inside one of the plugin files. Check that you don’t have hacked entries in your wp_options table and that your plugins don’t have any hidden base64 or eval code snipets in them. usually that’s where the hacks are hidden.

can you describe the hack in more detail, does the code get inserted inside all your posts? or do your wordpress files get infected? what does the hack code look like?

For us the 3.0.2 update so far has stopped the hacks, we were getting hit twice a day before. So I think that 3.0.2 might also have fixed an sql injection hack that they are not publicly acknowledging or might not be aware of?
The hack that was hitting us was definitely not using admin privileges or xss, we would get hacked even with the admin completely blocked off. And it was doing an sql injection (I have the sql statements logged in our database logs).
Since the 3.0.2 upgrade (2 days now) no new hack.

I think 3.0.2 fixes the exploit, we haven’t had any new hits since we upgraded.