Posted By: mvandemar 122 days ago
Topic Type: News Story (Jump to http://smackdown.blogsblogsblogs.com)
Category: Blogging
19 Comments
Comments
Btw, I just moved Smackdown last night to a new server, which is when I discovered all this (on a different blog I moved, Smackdown has not been hit as of yet). If anyone is having issues viewing the site due to DNS not propagating yet please let me know, thanks. :)
It would be really helpful if people writing about "vulnerabilities" post the versions of software they are using, the hosting, the plugins, etc. because otherwise this is just scary noise. I'm not criticising this sphinn post... but the pages behind it are lacking such detail.
If you read the linked pages and the linked linked pages you still find nothing helpful... no details and some cryptic "use your brain..do your own homework.. I know but I'm not telling" comments from a so-called security person. Puhleeze.
By the way it looks like this will be another situation that would have been blocked by mod_security, so if your server is not secured yet here's another reason to run mod_security. There are numerous web pages on hardening a WordPress install through mod_security.
WP version info is available here (but not plugins) --
http://www.google.com/search?q=inurl%3A%22wp-content%2F1%2F%22&num=100
I am running mod_security and still got hacked and penalized. Here is a way to catch it early:
http://sphinn.com/story/35962
It's usually more important to keep your environment updated than the specific copy of WP. For example all of osCommerce's vulnerabilities were connected to earlier copies of PHP4x.
Everyone should be running PHP5x these days (3yrs old now) so I would check that on your host.
As John says, mod_security can help a lot but it depends on the rules you set up. As John says, there is a lot written on WP and mod_security. This is a good PDF on the subject:
http://blogsecurity.net/projects/wordpress-modsecurity-paper.pdf
HTH
Reporting this to Sphinn is one thing, but does WordPress know about it yet? I don't see any acknowledgement of it on WP's main site.
I got hit with this....pharma links at the bottom of every page, and it's displacing my footer. I'm using WP 2.3.3 with php5.
It would be really helpful if people writing about "vulnerabilities" post the versions of software they are using, the hosting, the plugins, etc.
John, I was reporting on something that hit thousands of websites, I have no idea what they were all running. On one install I have PHP5 and just these plugins:
Akismet
Hello Dolly
http:BL WordPress Plugin 1.4
Login LockDown
SimpleTags
@tamar - It's been reported on the forums. It apparently started about a week ago.
@DarkMatter - the link injection exploit appears to actually be a different one.
If you find this stuff interesting, take a look at the WP vulnerability exposed last January as an example of how complex rooting out these things can be. If WP devs know about it, they need time to work through a solution before everyone else knows about it. When you call the locksmith to replace a broken lock, you don't tell the world until after the lock has been repaired.
Take a look at http://www.hardened-php.net/advisory_022007.141.html to see how the attacker gets admin access, and can then add whatever she wants to add to your blog. I don't know that this was ever accomplished, but it was said to have been addressed by WP devs. Just an example of how complicated it can get, yet still worthwhile for attackers to pursue.
When you call the locksmith to replace a broken lock, you don't tell the world until after the lock has been repaired.
No, John, I'm sorry, but the "we shouldn't tell anyone" philosophy simply does not apply here. This exploit is being taken advantage of by hundreds of thousands of blog spam links being pointed at these infected pages across the web. These pages are being used as phishing attempts to gain people's Google passwords. If I discovered an attack not already in the wild, then that would be one thing. This is not the case.
@mvandemar if you know a better way to efficiently manage the WordPress community of millions of publishers (who don't pay anything), feel free to contribute that to the WordPress forums. In the meantime, the best way to handle an exploit is to fix it, which requires understanding.
You may call this attack "in the wild" but it's nothing compared to what would take place if someone laid out exactly how to abuse it. We're probably not talking about a simple coding error, but something that takes some thought to fix as well as exploit.
By the way I never advocated "we shouldn't tell anyone" and have never advocated security through obscurity. Thanks for not giving that impression any more. But if you think WordPress should tell everyone "there are reports of an exploit, but we don't know what it is yet, and haven't confirmed it, but just wanted you to know" then every software publisher in the world probably fails to meet your standards.
johnandrews, thanks for the link. From that link:
Of course, that page was posted last year. But it's helpful to password-protect the wp-admin directory, so that even though they may have gotten the password, it's not just a straight walk into the admin panel.
Of course, if you do so, then you won't know that someone's gotten your admin password. So it's a good idea to change it regularly.
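One way to do the wp-admin password protection Michael mentions, as an added example that is not from his comment or from WordPress itself. It assumes Apache 2.2 with .htaccess overrides enabled; the htpasswd path and the username are placeholders.

```apache
# Added example: place this in wp-admin/.htaccess.
# Create the credentials file outside the document root first, e.g.
#   htpasswd -c /srv/private/.htpasswd editor
# (path and username are assumptions for this example)
AuthType Basic
AuthName "WordPress admin"
AuthUserFile /srv/private/.htpasswd
Require valid-user

# Caveat: some themes and plugins call wp-admin/admin-ajax.php for anonymous
# visitors. If yours do, exempt that one file so the second password prompt
# does not break them (Apache 2.2 access-control syntax).
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
```

Keep the .htpasswd file outside the web root so it can never be served, and note that HTTP Basic auth sends the password in the clear unless the admin area is behind HTTPS; it adds a second lock in front of wp-login, not a replacement for a strong WordPress password.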
Thanks Michael. I guess the WP guys are too busy to come out with a patch. :(
By the way I never advocated "we shouldn't tell anyone" and have never advocated security through obscurity. Thanks for not giving that impression any more.
John, please don't be an ass. Not telling people about it to keep it from spreading is "security through obscurity". What the hell else would you call it?
This is not a case of exposing more websites to the attack... since I know nothing about how it was carried out there really isn't that much chance of that happening, now is there?
These websites aren't defaced, and they aren't just carrying spammy links... they are serving as gateways for malicious behavior. There IS a temporary solution, and that is to delete the directory if you happen to see it. But no one can do that if they don't even know to look.
Similar activity has been going on with earlier versions of WP dating back to at least the summer of 2007. The hackers may use different directories, such as the tmp directory.
But this is the first I've seen of similar activity with 2.3.3.
Another way to spot this activity (after the fact) is through Technorati. Often the hackers create splog rings, i.e., spam blogs for the purpose of pointing to the illicit HTML files on your site. You could end up with 200 spam HTML files created on your blog, and then 10 made-for-hacking spam blogs each linking to every single one of the illicit URLs on your blog. The result: 2000 (10 x 200) new Technorati links overnight.
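The two symptoms described in this thread, stray HTML files dropped into directories such as wp-content/ or tmp/ and spam links injected at the bottom of rendered pages, can be checked for locally rather than waiting for Technorati to show the splog ring. The script below is an added example, not code from any commenter or from WordPress. The list of suspect directories, the footer marker, the allowlisted footer host and the sample tree and page it scans are all constructed assumptions for the example.

```python
"""Added example: scan a WordPress docroot for planted HTML files and
injected links. Everything it inspects here is constructed sample data."""
import os
import re
import tempfile
from urllib.parse import urlparse

# Directories in which a stock WordPress install ships no static HTML pages.
# Assumed for this example; extend it for your own layout.
SUSPECT_DIRS = ("wp-content", "wp-includes", "tmp")

# Third-party hosts that legitimately appear in a theme footer (assumed allowlist).
KNOWN_FOOTER_HOSTS = {"wordpress.org"}

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I)
STYLED_BLOCK = re.compile(
    r"<(div|span|p)\b[^>]*\bstyle=[\"']([^\"']*)[\"'][^>]*>(.*?)</\1>", re.I | re.S)
HREF = re.compile(r"<a\s[^>]*href=[\"']([^\"']+)[\"']", re.I)


def find_stray_html(root):
    """Return sorted, slash-separated relative paths of .html/.htm files
    found under SUSPECT_DIRS below the WordPress document root."""
    hits = []
    for sub in SUSPECT_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for name in files:
                if name.lower().endswith((".html", ".htm")):
                    rel = os.path.relpath(os.path.join(dirpath, name), root)
                    hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def find_injected_links(html, own_host, footer_marker='id="footer"'):
    """Return hrefs that look injected: links inside elements styled to be
    invisible, plus links to foreign hosts appearing after the footer marker."""
    found = []
    for _tag, style, body in STYLED_BLOCK.findall(html):
        if HIDDEN_STYLE.search(style):
            found.extend(HREF.findall(body))
    idx = html.rfind(footer_marker)
    if idx != -1:
        for href in HREF.findall(html[idx:]):
            host = (urlparse(href).hostname or "").lower()
            if not host or host == own_host or host.endswith("." + own_host):
                continue  # internal link
            if host in KNOWN_FOOTER_HOSTS:
                continue  # expected third-party footer credit
            found.append(href)
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def build_sample_tree():
    """Create a constructed WordPress-like tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    legit = ["index.php", "wp-content/themes/default/style.css",
             "wp-content/plugins/akismet/akismet.php"]
    planted = ["wp-content/1/spam-01.html", "tmp/spam-02.html"]  # constructed
    for rel in legit + planted:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<!-- constructed sample -->\n")
    return root


# Constructed rendered page: one hidden link block, one foreign link in the footer.
SAMPLE_PAGE = """<html><body>
<div id="content"><p>Post text with a <a href="http://example.org/about">normal link</a>.</p></div>
<div style="display:none"><a href="http://spam-a.invalid/x">buy</a></div>
<div id="footer">Powered by <a href="http://wordpress.org/">WordPress</a>
<a href="http://spam-b.invalid/y">cheap</a></div>
</body></html>"""


if __name__ == "__main__":
    root = build_sample_tree()
    print("stray html:", find_stray_html(root))
    print("injected links:", find_injected_links(SAMPLE_PAGE, "example.org"))
```

Run it against the real docroot and against pages fetched with curl; any hit under wp-content/ or tmp/ is a candidate for the directory-deletion fix mentioned above, and the injected-links check catches the displaced-footer case even when the files themselves are hidden elsewhere. Expect some false positives from themes that ship their own readme.html; add those to an allowlist rather than loosening the scan.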
I saw your post and thought I'd give this issue some importance, because I also use WordPress and a friend told me he got hacked.
So I wrote this article about the issue
http://websecurity.ro/blog/2008/03/28/wordpress-233-probably-a-0day-exploit/
@mvandemeer if you have trouble with reading comprehension, skip my comments and read the others. I never said "we shouldn't tell anyone" and I don't advocate security through obscurity. I did say "If WP devs know about it, they need time to work through a solution before everyone else knows about it. When you call the locksmith to replace a broken lock, you don't tell the world until after the lock has been repaired." That is a very operational statement.
Read into it all you like, but I suggest keep your judgements to yourself unless they are backed by facts.
Admin Note: This comment has been edited. The comments by mvandemar are valid and do not constitute trolling.
Admin Note: Comment removed. John Andrews' accusations were not justified, although nor was this reply.
@mvandemar
Keep it civil and intelligent.