Tag Archives: The Register

Cleaning up after the WordPresz 2.6.4 incident

As many of you are probably aware, earlier this week I noticed that my trusty WordPress blog was duping me into downloading and installing an essential security upgrade to version 2.6.4. At the time, I was running version 2.5.1. You’re possibly wondering why I had not already upgraded to an authentic WordPress 2.6.x release…I am after all, supposed to be setting an example. Well, a number of factors delayed the upgrade – most notably lots of travel and a few time-consuming home-life issues meant the upgrade was back-burner-ed. Via The Register, Sophos picked up on hack, classifying it as Troj/WPHack-A. I managed to record a short video of the dashboard hack, notice that I’m at WordPress 2.6.3…

That being said, a small part of me always prefers to wait a while before upgrading, i.e. I don’t like to upgrade immediately. If memory serves me, I recall a WordPress upgrade that caused me a few minor problems because I upgraded the moment it came out – it was soon followed by a further release. Anyway, I’m digressing.

Since Monday, I have upgraded to WordPress 2.6.3, twice. Naturally I used the definitive link for getting my hands on the 2.6.3 zip file. On both occasions the WordPresz 2.6.4 upgrade advice was still appearing in my dashboard. I’ve also been liaising with the good folks over at WordPress and have followed as much of their advice as I can at this stage. Huge thanks to the WordPress chaps for picking up on this issue – whilst it hasn’t affected me, I’m sure some folks have accidentally installed the fake 2.6.4 release.

My second install of 2.6.3 saw me cleaning out the various wp-admin, wp-includes, folders and then FTPing a fresh 2.6.3 set of files. I then started poking around in the WordPress database – table wp_options caught my attention. Themes tend to leave a lot of fingerprints in wp_options, as do a number of plug-ins. I cleaned out around about 40% of the wp_options records that were related to themes I no longer have installed.

After further searching, I found the field dashboard_widget_options:

As you can see, the WordPresz 2.6.4 injection text, or at least part of it, is in there. In order to remove it from my dashboard, I simply removed the entire contents of the dashboard_widget_options field, i.e. its content is empty – I did not delete the entire record. WordPress was kind enough to recreate the contents of this record.

Further poking around in wp_options revealed an RSS record: rss_412e29f6467d015b137ccc293b42bdff. Its contents were familiar:

O:9:”MagpieRSS”:17:{s:6:”parser”;i:0;s:12:”current_item”;a:0:{}s:5:”items”;a:1:{i:0;a:4:{s:5:”title”;s:43:”High risk vulnerability for WordPress users”;s:11:”description”;s:132:”High risk vulnerability for WordPress users, we wanted to get an update out immediately. 2.6.4 is available for download right now.”;s:4:”link”;s:21:”http://wordpresz.org/”;s:7:”summary”;s:132:”High risk vulnerability for WordPress users, we wanted to get an update out immediately. 2.6.4 is available for download right now.”;}}s:7:”channel”;a:7:{s:5:”title”;s:43:”High risk vulnerability for WordPress users”;s:4:”link”;s:21:”http://wordpresz.org/”;s:11:”description”;s:29:”Just another WordPress weblog”;s:13:”lastbuilddate”;s:31:”Thu, 30 Oct 2008 02:29:53 +0000″;s:4:”docs”;s:34:”http://backend.userland.com/rss092″;s:8:”language”;s:2:”en”;s:7:”tagline”;s:29:”Just another WordPress weblog”;}s:9:”textinput”;a:0:{}s:5:”image”;a:0:{}s:9:”feed_type”;s:3:”RSS”;s:12:”feed_version”;s:4:”0.92″;s:5:”stack”;a:0:{}s:9:”inchannel”;b:0;s:6:”initem”;b:0;s:9:”incontent”;b:0;s:11:”intextinput”;b:0;s:7:”inimage”;b:0;s:13:”current_field”;s:0:””;s:17:”current_namespace”;b:0;s:19:”_CONTENT_CONSTRUCTS”;a:6:{i:0;s:7:”content”;i:1;s:7:”summary”;i:2;s:4:”info”;i:3;s:5:”title”;i:4;s:7:”tagline”;i:5;s:9:”copyright”;}}

I elected to remove (delete) that record (rss_412e29f6467d015b137ccc293b42bdff and rss_412e29f6467d015b137ccc293b42bdff_ts – I would imagine your field names might look a little different to mine).

My WordPress 2.6.3 install is now looking a little healthier. However there are still a number of unanswered questions. How did the 2.6.4 information make its way into the wp_options table? Was it a WordPress or a MySQL exploit or was it something else? Has my MySQL database password been comprised in some way? What about my FTP password? Was a malicious theme responsible for this compromise? I am very close to developing a theme myself, hopefully that learning curve will help me find answers to some of these questions. Who knows the answers to these questions? Hopefully over time the truth will out, I would certainly like to know.

Whatever the case, my blog hasn’t been visibly owned as yet…I suppose time will tell. In the meantime, password changes are aplenty!