Tag Archives: WordPress

Cleaning up after the WordPresz 2.6.4 incident

As many of you are probably aware, earlier this week I noticed that my trusty WordPress blog was duping me into downloading and installing an essential security upgrade to version 2.6.4. At the time, I was running version 2.5.1. You’re possibly wondering why I had not already upgraded to an authentic WordPress 2.6.x release…I am, after all, supposed to be setting an example. Well, a number of factors delayed the upgrade – most notably lots of travel and a few time-consuming home-life issues meant the upgrade was put on the back burner. Via The Register, Sophos picked up on the hack, classifying it as Troj/WPHack-A. I managed to record a short video of the dashboard hack; notice that I’m at WordPress 2.6.3…

That being said, a small part of me always prefers to wait a while before upgrading, i.e. I don’t like to upgrade the moment a release appears. If memory serves, I recall a WordPress upgrade that caused me a few minor problems because I upgraded the moment it came out – it was soon followed by a further release. Anyway, I’m digressing.

Since Monday, I have upgraded to WordPress 2.6.3, twice. Naturally I used the definitive link for getting my hands on the 2.6.3 zip file. On both occasions the WordPresz 2.6.4 upgrade advice was still appearing in my dashboard. I’ve also been liaising with the good folks over at WordPress and have followed as much of their advice as I can at this stage. Huge thanks to the WordPress chaps for picking up on this issue – whilst it hasn’t affected me, I’m sure some folks have accidentally installed the fake 2.6.4 release.

My second install of 2.6.3 saw me cleaning out the wp-admin and wp-includes folders and then FTPing a fresh set of 2.6.3 files. I then started poking around in the WordPress database – the wp_options table caught my attention. Themes tend to leave a lot of fingerprints in wp_options, as do a number of plug-ins. I cleaned out around 40% of the wp_options records – those related to themes I no longer have installed.

After further searching, I found the field dashboard_widget_options:

As you can see, the WordPresz 2.6.4 injection text, or at least part of it, is in there. To remove it from my dashboard, I simply emptied the dashboard_widget_options field, i.e. I left the record in place with an empty value – I did not delete the entire record. WordPress was kind enough to recreate the contents of this record.

Further poking around in wp_options revealed an RSS record: rss_412e29f6467d015b137ccc293b42bdff. Its contents were familiar:

O:9:"MagpieRSS":17:{s:6:"parser";i:0;s:12:"current_item";a:0:{}s:5:"items";a:1:{i:0;a:4:{s:5:"title";s:43:"High risk vulnerability for WordPress users";s:11:"description";s:132:"High risk vulnerability for WordPress users, we wanted to get an update out immediately. 2.6.4 is available for download right now.";s:4:"link";s:21:"http://wordpresz.org/";s:7:"summary";s:132:"High risk vulnerability for WordPress users, we wanted to get an update out immediately. 2.6.4 is available for download right now.";}}s:7:"channel";a:7:{s:5:"title";s:43:"High risk vulnerability for WordPress users";s:4:"link";s:21:"http://wordpresz.org/";s:11:"description";s:29:"Just another WordPress weblog";s:13:"lastbuilddate";s:31:"Thu, 30 Oct 2008 02:29:53 +0000";s:4:"docs";s:34:"http://backend.userland.com/rss092";s:8:"language";s:2:"en";s:7:"tagline";s:29:"Just another WordPress weblog";}s:9:"textinput";a:0:{}s:5:"image";a:0:{}s:9:"feed_type";s:3:"RSS";s:12:"feed_version";s:4:"0.92";s:5:"stack";a:0:{}s:9:"inchannel";b:0;s:6:"initem";b:0;s:9:"incontent";b:0;s:11:"intextinput";b:0;s:7:"inimage";b:0;s:13:"current_field";s:0:"";s:17:"current_namespace";b:0;s:19:"_CONTENT_CONSTRUCTS";a:6:{i:0;s:7:"content";i:1;s:7:"summary";i:2;s:4:"info";i:3;s:5:"title";i:4;s:7:"tagline";i:5;s:9:"copyright";}}

I elected to delete that record (rss_412e29f6467d015b137ccc293b42bdff and its companion rss_412e29f6467d015b137ccc293b42bdff_ts – I would imagine your field names will look a little different to mine).
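The record above is PHP serialize() output, which is why the injected feed’s title and link sit inside length-prefixed strings rather than in anything you can grep cleanly. As an added example (not from this post, and not WordPress code), the Python below decodes that format and lists every link in a set of wp_options rows whose host is not one you expect, so the check can be repeated over the whole table rather than by eyeballing records. The rows, the option names and the trusted-host list are constructed placeholders; the feed record is a trimmed copy of the shape shown above.

```python
"""Hunt for injected links in serialized wp_options values (added example)."""
import re
from urllib.parse import urlparse

# Hosts a clean dashboard feed cache is expected to reference.
# "blog.example.invalid" stands in for the blog's own hostname (constructed).
TRUSTED_HOSTS = {"wordpress.org", "api.wordpress.org", "backend.userland.com",
                 "blog.example.invalid"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class PhpUnserializeError(ValueError):
    """Raised when a value is not well-formed PHP serialize() output."""


def php_unserialize(data: bytes):
    """Decode the serialize() subset WordPress uses: N, b, i, d, s, a, O.
    PHP arrays become dicts; objects become dicts with a "__php_class" entry."""
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise PhpUnserializeError(f"trailing bytes at offset {pos}")
    return value


def _expect(data, pos, ch):
    if data[pos:pos + 1] != ch:
        raise PhpUnserializeError(f"expected {ch!r} at offset {pos}")


def _read_until(data, pos, stop):
    end = data.index(stop, pos)  # ValueError if the delimiter is missing
    return data[pos:end], end + 1


def _read_quoted(data, pos):
    # Strings are length-prefixed (LEN:"bytes"), so quotes inside them
    # cannot confuse the parser; we trust the length, then verify the quote.
    length, pos = _read_until(data, pos, b":")
    n = int(length)
    _expect(data, pos, b'"')
    raw = data[pos + 1:pos + 1 + n]
    if len(raw) != n:
        raise PhpUnserializeError("string shorter than its declared length")
    pos += 1 + n
    _expect(data, pos, b'"')
    return raw.decode("utf-8", "replace"), pos + 1


def _parse_pairs(data, pos, count, out):
    _expect(data, pos, b"{")
    pos += 1
    for _ in range(count):
        key, pos = _parse(data, pos)
        out[key], pos = _parse(data, pos)
    _expect(data, pos, b"}")
    return out, pos + 1


def _parse(data, pos):
    tag = data[pos:pos + 1]
    if tag == b"N":
        _expect(data, pos + 1, b";")
        return None, pos + 2
    if tag in (b"i", b"b", b"d"):
        raw, pos = _read_until(data, pos + 2, b";")
        if tag == b"i":
            return int(raw), pos
        if tag == b"b":
            return raw == b"1", pos
        return float(raw), pos
    if tag == b"s":
        text, pos = _read_quoted(data, pos + 2)
        _expect(data, pos, b";")
        return text, pos + 1
    if tag == b"a":
        count, pos = _read_until(data, pos + 2, b":")
        return _parse_pairs(data, pos, int(count), {})
    if tag == b"O":
        name, pos = _read_quoted(data, pos + 2)
        _expect(data, pos, b":")
        count, pos = _read_until(data, pos + 1, b":")
        return _parse_pairs(data, pos, int(count), {"__php_class": name})
    raise PhpUnserializeError(f"unknown type tag {tag!r} at offset {pos}")


def iter_strings(value):
    """Yield every string nested anywhere inside a decoded value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from iter_strings(v)


def scan_option_rows(rows, trusted_hosts):
    """rows: iterable of (option_name, option_value bytes). Returns (name, url)
    pairs for every link whose host is off the allowlist. Values that are not
    serialized at all (siteurl, home, ...) are scanned as plain strings."""
    findings = []
    for name, raw in rows:
        try:
            decoded = php_unserialize(raw)
        except ValueError:  # PhpUnserializeError and int()/index() failures
            decoded = raw.decode("utf-8", "replace")
        seen = set()
        for text in iter_strings(decoded):
            for url in URL_RE.findall(text):
                host = (urlparse(url).hostname or "").lower()
                if host not in trusted_hosts and (name, url) not in seen:
                    seen.add((name, url))
                    findings.append((name, url))
    return findings


# Constructed sample rows: a trimmed copy of the injected feed cache record,
# a clean record of the same shape, and a plain-string option.
INJECTED_FEED = (
    b'O:9:"MagpieRSS":2:{'
    b's:5:"items";a:1:{i:0;a:2:{'
    b's:5:"title";s:43:"High risk vulnerability for WordPress users";'
    b's:4:"link";s:21:"http://wordpresz.org/";}}'
    b's:7:"channel";a:2:{'
    b's:5:"title";s:43:"High risk vulnerability for WordPress users";'
    b's:4:"link";s:21:"http://wordpresz.org/";}}'
)
CLEAN_FEED = (
    b'O:9:"MagpieRSS":1:{s:7:"channel";a:2:{'
    b's:5:"title";s:14:"WordPress News";'
    b's:4:"link";s:21:"http://wordpress.org/";}}'
)
SAMPLE_ROWS = [
    ("siteurl", b"http://blog.example.invalid"),
    ("rss_<cache-key-placeholder>", INJECTED_FEED),
    ("rss_<other-key-placeholder>", CLEAN_FEED),
]

if __name__ == "__main__":
    for name, url in scan_option_rows(SAMPLE_ROWS, TRUSTED_HOSTS):
        print(f"{name}: links to an untrusted host via {url}")
```

Feeding it a dump of option_name/option_value pairs from wp_options (for instance via a small cursor loop) reports the wordpresz.org link twice-referenced record once and stays quiet about the clean feed and the plain siteurl string. Anything it flags is worth looking at before you delete it, since plug-ins legitimately cache third-party feeds too, which is exactly why the allowlist is a parameter rather than a constant.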

My WordPress 2.6.3 install is now looking a little healthier. However, there are still a number of unanswered questions. How did the 2.6.4 information make its way into the wp_options table? Was it a WordPress or a MySQL exploit, or was it something else? Has my MySQL database password been compromised in some way? What about my FTP password? Was a malicious theme responsible for this compromise? I am very close to developing a theme myself; hopefully that learning curve will help me find answers to some of these questions. Who knows the answers to these questions? Hopefully over time the truth will out; I would certainly like to know.

Whatever the case, my blog hasn’t been visibly owned as yet…I suppose time will tell. In the meantime, password changes are aplenty!

WordPresz 2.6.4 – fake?

When I logged into my admin account for my WordPress blog, I was surprised to find this waiting for me in the dashboard:

UPDATE 07/11/2008: Watch a short (less than 60 seconds) video demonstrating the dashboard hijack.

UPDATE 08/11/2008: Cleaning up after the WordPress 2.6.4 incident. Note that I did not install the fake 2.6.4, so it’s not a clean-up for that scenario.

Wordpresz.org appears to be a spoof of wordpress.org. With the exception of the download link and one or two others (Facebook link, etc.) all the pages lead back to the front/home page.

I’ve just downloaded the wordpresz 2.6.4 offering to see what’s different. If I find anything, and if time permits, I’ll update this post.

22:26 UPDATE
Just looking at the respective home pages for WordPresz.org vs WordPress.org, a few differences jump out – check out items 1, 2 and 3 below.

Item 1 – the download size is too round and is incorrect; it should be about 1.4 MB in this case.

Item 2 – these are randomised over at WordPress.org, but are static at WordPresz.org.

Item 3 – The real WordPress.org has a “Showcase” link included.

Indeed, the source for both home pages reveals that WordPresz.org is simply an earlier snapshot of WordPress.org.

Looking at domain data for WordPresz.org, there are a few holes here. Google hasn’t indexed this site? What about the Alexa ranking?

Whereas, WordPress.org is pretty popular with Google and has an Alexa ranking.

23:59 UPDATE
Via Clayton, this may well be part of the problem. There’s further comment on the WordPress support forum too. I’ve since upgraded to 2.6.3 via the WordPress.org download.

The moral of this story: keep on top of WordPress updates and security fixes.

**

Images grabbed using TechSmith’s SnagIt – an essential tool for developers and bloggers alike. With thanks to Betsy Weber.
