[wp-hackers] WP security breach-- may be my fault, may not be

Joey B tunicwriter at gmail.com
Tue May 9 00:49:27 GMT 2006

There's a version 1.5.3 in Beta, I think  (
http://www.tamba2.org.uk/T2/archives/2006/03/18/wp-153/ )

If I recall correctly from the little chatter I've heard about it, it
contains some security fixes, and, iirc again, you can get it from SVN
as well.

On 5/8/06, Eric A. Meyer <eric at meyerweb.com> wrote:
> Howdy all,
>     Earlier today I got word that I had linkspam showing up in entries
> on meyerweb-- they showed up in Bloglines, for example, and also some
> people's aggregators showed recent posts as having been modified.
>     It turns out someone went in and added link spam to the post
> contents of the most recent 30 or so posts.  Here's an example of one
> such post, pulled from my wp-cache files:
>     http://meyerweb.pastebin.com/706548
> The spam shows up at lines 83-121.  Here's another:
>     http://meyerweb.pastebin.com/706585
> In that case, the spam is at lines 75-113.
>     I was able to remove the spam from meyerweb by manually editing
> the post contents for each affected post.  In other words, the spam
> content had been added to the DB records-- this is not a wp-cache
> problem.  That's just where I was able to harvest copies of the
> offending content.  It's also not a comment problem; this stuff is
> injected into the actual post_content field.
>     The spam always shows up after three or so paragraphs, whether
> that means the end of the post or somewhere in the middle, which
> feels like the work of a regexp or some other pattern search.  I also
> tracked down the activity which stuck the spam into my records.
> That's here:
>     http://meyerweb.pastebin.com/706549
> The pattern of accesses also reminds me of a script.  Note there are
> two blocks of changes, temporally speaking.  I'm not anywhere close
> to the IP block of the accesses in question; they're in the 207.*
> block and I'm a good deal lower than that.
>     Now for the details of my WP install: I'm running 1.5, as I really
> hate the admin interface of 2.0, even with rich editing turned off.
> (If it remembered which of those cute little option boxes to leave
> expanded, I'd be a lot happier, but never mind that now.)  I'm
> willing to upgrade to fix this, though I'd want to wait at least a
> few days to see if the problem happens again.  The only plugins
> running that I didn't write myself are Akismet and wp-cache.  The
> plugins I wrote are all content modifiers, like ordinalizing numbers
> from 1-10, outputting a slightly different monthly calendar, and
> turning off auto-formatting of posts (but not comments).  I don't
> think any of them could be a doorway, but it's hard to be certain.
>     I chatted with the #wordpress folks and nobody there seemed to
> know what might be happening, with the only real guess being that
> maybe my WP admin password was compromised.  I changed my admin
> password after the breaches documented above, and will watch my
> access logs to see if there are any more attempts.  I don't know for
> sure that my password was compromised, though if there's a log
> somewhere that I could check for admin logins, I'll gladly do so.  Is
> there?
>     Like I said, if this sort of thing is a known problem with 1.5,
> I'm willing to upgrade to fix it, much though I may curse the
> interface afterward.  If this isn't something that's been seen
> before, I thought it was worth bringing to your attention.  Thanks
> for any insights.
> --
> Eric A. Meyer  (eric at meyerweb.com)
> Principal, Complex Spiral Consulting   http://complexspiral.com/
> "CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
> "Eric Meyer on CSS," and more    http://meyerweb.com/eric/books/
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

Joey Brooks
Milk Carton Designs || milkcartondesigns.com

More information about the wp-hackers mailing list