When I logged into my admin account for my WordPress blog, I was surprised to find this waiting for me in the dashboard:

UPDATE 07/11/2008: Watch a short (less than 60 seconds) video demonstrating the dashboard hijack.
UPDATE 08/11/2008: Cleaning up after the WordPress 2.6.4 incident. Note that I did not install the fake 2.6.4, so it’s not a clean up for that scenario.
Wordpresz.org appears to be a spoof of wordpress.org. With the exception of the download link and one or two others (Facebook link, etc.) all the pages lead back to the front/home page.
I’ve just downloaded the wordpresz 2.6.4 offering to see what’s different. If I find anything, and if time permits, I’ll update this post.
22:26 UPDATE
Just looking at the respective home pages for WordPresz.org vs WordPress.org, a few differences jump out – check out items 1, 2 and 3 below.
Item 1 – the download size is suspiciously round and incorrect; it should be about 1.4mb in this case.
Item 2 – these are randomised over at WordPress.org, but are static at WordPresz.org.
Item 3 – The real WordPress.org has a “Showcase” link included.
Indeed, the source for both home pages reveals that WordPresz.org is simply an earlier snapshot of WordPress.org.

Looking at domain data for WordPresz.org, there are a few holes here. Google hasn’t indexed this site? What about the Alexa ranking?

WordPress.org, by contrast, is pretty popular with Google and has an Alexa ranking.

23:59 UPDATE
Via Clayton, this may well be part of the problem. There’s further comment on the WordPress support forum too. I’ve since upgraded to 2.6.3 via the WordPress.org download.
The moral of this story: keep on top of WordPress updates and security fixes.
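One practical way to check whether a WordPress install has been tampered with, as in the modified wp-includes/pluggable.php mentioned in the comments, is to hash every file and compare it against a known-good unpacked copy of the same release. This is an added example, not code from the original post; it assumes you have the official archive of your installed version unpacked alongside, and the sample trees it builds are constructed in-memory for the demo.

```python
"""Compare an installed WordPress tree against a known-good copy of the same
release, flagging files that differ, are missing, or were added.
Added example, not from the original post."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each relative file path under root to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(full.read_bytes()).hexdigest()
    return manifest


def compare_manifests(reference: dict[str, str], installed: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path: 'modified' (digest differs), 'missing' (only in the
    reference) and 'added' (only in the install, a common place for backdoors)."""
    ref, inst = set(reference), set(installed)
    return {
        "modified": sorted(p for p in ref & inst if reference[p] != installed[p]),
        "missing": sorted(ref - inst),
        "added": sorted(inst - ref),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: a tiny 'release' and an 'install' whose pluggable.php
    carries an extra line (the content is invented, not the real trojan code)."""
    with tempfile.TemporaryDirectory() as tmp:
        ref_root, inst_root = Path(tmp, "release"), Path(tmp, "install")
        for root in (ref_root, inst_root):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-includes" / "version.php").write_text("<?php $wp_version = '2.6.3';\n")
            (root / "wp-includes" / "pluggable.php").write_text("<?php function wp_set_auth_cookie() {}\n")
        # the install's pluggable.php has been altered after deployment
        with (inst_root / "wp-includes" / "pluggable.php").open("a") as fh:
            fh.write("// extra line not in the release\n")
        (inst_root / "wp-content").mkdir()
        (inst_root / "wp-content" / "extra.php").write_text("<?php // file not in the release\n")
        return compare_manifests(hash_tree(ref_root), hash_tree(inst_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real install, exclude wp-config.php and wp-content (themes, plugins, uploads), which legitimately differ from the release archive, and treat any hit under wp-admin or wp-includes as a reason to reinstall those folders from the official download.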
**
Images grabbed using TechSmith’s SnagIt – an essential tool for developers and bloggers alike. With thanks to Betsy Weber
12:38 am on November 4th, 2008 1
wp-includes/pluggable.php has extra lines in it that appear to call a script on that site to ‘do stuff’ with your cookies if you have more than 5 users…
Are they just copying cookies of large sites hoping that someone is logged in as admin somewhere?
11:03 am on November 4th, 2008 2
Hi Craig,
Excellent post. Have you considered passing this info on to The Register? They might be interested.
Cheers
Barry
2:07 pm on November 6th, 2008 3
[...] here, you may want to subscribe to my RSS feed. Thanks for visiting! Sophos are now identifying my earlier post about WordPresz 2.6.4 as [...]
3:29 pm on November 6th, 2008 4
[...] IP (209.160.33.108) with a fake online pharmacy – livepills.com. A brief summary by Sophos of Craig Murphy’s alert issued on Monday : “Craig talks about how when he logged in to his admin account in WordPress he [...]
5:28 pm on November 6th, 2008 5
[...] Read more at The Register – Fake site punts Trojanised WordPress and additional analysis at the sources blog. [...]
5:48 pm on November 6th, 2008 6
[...] and Sophos has since detected the malicious code as WPHack-A Trojan. According to posters on Craig Murphy’s Blog the Trojanised version of pluggable.php attempts to steal users’ cookies if you have five or more [...]
8:23 pm on November 6th, 2008 7
[...] brief statement by Sophos on Craig Murphy’s report reads as follows: “Craig talks about how when he logged in to his admin account in WordPress he [...]
8:33 pm on November 6th, 2008 8
Great catch Craig. All the publicity isn’t that bad either. These crafty crackers are getting annoying! I wonder how many people they fooled?
9:12 pm on November 6th, 2008 9
[...] sites across the blogosphere are reporting a fake website that is distributing a backdoored version of [...]
9:14 pm on November 6th, 2008 10
[...] Murphy has all the details. The fake site is offline at this moment, but this incident serves as a good reminder to keep your [...]
10:04 pm on November 6th, 2008 11
[...] Emergency: First of all, beware of WordPresz.org, yes with a Z, it is a fake carrying a trojan. More information at AyudaWordpress and Craig Murphy. [...]
10:42 pm on November 6th, 2008 12
[...] is reporting via Craig Murphy on a typosquatting site that is offering a fake download version of Wordpress that could open your [...]
11:38 pm on November 6th, 2008 13
[...] seems there has been an attempt recently to distribute a trojaned version of WordPress via some form of phishing scam. It seems this attack relied on exploiting an old version of [...]
12:09 am on November 7th, 2008 14
[...] they have announced the version.. Do not use this version under any circumstances, it is full of malicious code.. You can see screenshots of the site in question here.. Direct link to the site [...]
1:06 am on November 7th, 2008 16
That version has a backdoor in it which is designed to install malware on your computer and steal details of the users.
1:34 am on November 7th, 2008 17
[...] Tools Collection (in English) – Westi on WordPress (in English) – The Register (in English), and at – The Social Programmer (in English) This entry was written by FrankPereiro, on 7/Nov/2008 at 0:33, filed under [...]
5:58 am on November 7th, 2008 19
[...] Craig Murphy – WordPress 2.6.4 Fake? [...]
9:30 am on November 7th, 2008 22
[...] Tools Collection: Fake WordPress Site Kas.07, 2008 in Wordpress news Many sites across the blogosphere are reporting a fake website that is distributing a backdoored version of [...]
9:42 am on November 7th, 2008 24
[...] WordPresz 2.6.4 – fake? by Craig Murphy [...]
12:54 pm on November 7th, 2008 25
[...] Murphy was one of the victims the faker very nearly caught: “WordPresz 2.6.4 – fake?” [...]
1:18 pm on November 7th, 2008 26
[...] be careful. Oceangray’s post also gives the link where screenshots of the site were published. This trap [...]
2:46 pm on November 7th, 2008 27
[...] as you can read in this blog post and this blog post, some rather unpleasant things can happen if you keep up with [...]
8:15 pm on November 7th, 2008 29
[...] CraighMurphy have detected a fake version of WordPress, which has a similar name, calling [...]
2:03 am on November 8th, 2008 34
[...] you may want to subscribe to my RSS feed. Thanks for visiting! As many of you are probably aware, earlier this week I noticed that my trusty WordPress blog was duping me into downloading and installing an essential [...]
10:19 am on November 8th, 2008 35
[...] Craig Murphy – WordPresz 2.6.4 – fake? [...]
2:05 pm on November 8th, 2008 40
[...] someone on the forum mentioned that he saw an RSS message in the admin back end asking users to upgrade immediately to wordpress [...]
5:13 pm on November 8th, 2008 42
[...] “upgraded” to “2.6.4”, then you have installed a fake trojan version (more details here and here). If you’ve “upgraded” to 2.6.4, delete your wp-admin and wp-includes folders and [...]
9:43 pm on November 9th, 2008 47
Thanks for warning and detailed notes. Users must be warned about this malicious code site. That is offline now though.
4:22 am on November 26th, 2008 52
[...] The code is so obscure, that no static analysis tool can inspect it, or security auditor would normally take the time out to look at it, and yet it may contain an XSS or DOM injection, or it may contain malware if the download is corrupted, or a fake version comes out. [...]
4:29 pm on November 26th, 2008 54
[...] urging users to “upgrade” to the bogus version and directing them to the bogus site. Craig Murphy explains that whole [...]
5:18 pm on November 26th, 2008 55
[...] The authors of WordPress point out that there is not and never will be a version 2.6.4! This is mentioned due to a fake WordPress version 2.6.4 that made the rounds. You can read more about that fake version on Craig Murphy’s blog. [...]
7:49 pm on November 26th, 2008 56
[...] is because a fake, trojan-laden version of WordPress 2.6.4 was previously circulating [...]
9:19 pm on November 26th, 2008 57
[...] – Baccas reports. Also, The Register has it covered as well as Craig Murphy. [...]
1:55 pm on January 2nd, 2009 59
[...] as you can read in this blog post and this blog post, some rather unpleasant things can happen if you don’t keep up with [...]
8:47 am on November 12th, 2009 75
Great find! Just for the record, I’m sure I wouldn’t be fooled by it. I usually read any link carefully before clicking.