[wp-hackers] WP security breach-- may be my fault, may not be
Peter Westwood
peter.westwood at ftwr.co.uk
Tue May 9 07:32:39 GMT 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Eric A. Meyer wrote:
> Howdy all,
>
> Earlier today I got word that I had linkspam showing up in entries on
> meyerweb-- they showed up in Bloglines, for example, and also some
> people's aggregators showed recent posts as having been modified.
> It turns out someone went in and added link spam to the post contents
> of the most recent 30 or so posts. Here's an example of one such post,
> pulled from my wp-cache files:
>
> http://meyerweb.pastebin.com/706548
>
> The spam shows up at lines 83-121. Here's another:
>
> http://meyerweb.pastebin.com/706585
>
> In that case, the spam is at lines 75-113.
> I was able to remove the spam from meyerweb by manually editing the
> post contents for each affected post. In other words, the spam content
> had been added to the DB records-- this is not a wp-cache problem.
> That's just where I was able to harvest copies of the offending
> content. It's also not a comment problem; this stuff is injected into
> the actual post_content field.
> The spam always shows up after three or so paragraphs, whether that
> means the end of the post or somewhere in the middle, which feels like
> the work of a regexp or some other pattern search. I also tracked down
> the activity which stuck the spam into my records. That's here:
>
> http://meyerweb.pastebin.com/706549
>
Looking at this, I think your admin password was compromised, as before
any changes take place there is a login attempt which I believe was
probably successful, judging by the next page that was loaded.
Login attempt:
207.42.135.122 - - [08/May/2006:14:30:06 +0000] "POST /eric/thoughts/wp-login.php HTTP/1.1" 302 5 "http://meyerweb.com/eric/thoughts/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
And the load of the admin index page:
207.42.135.122 - - [08/May/2006:14:30:10 +0000] "GET /eric/thoughts/wp-admin/ HTTP/1.1" 200 12936 "http://meyerweb.com/eric/thoughts/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
There are then a number of POSTs for post editing which would explain
the appearance of the links.
westi
- --
Peter Westwood
http://blog.ftwr.co.uk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEYEWXVPRdzag0AcURAuwIAJ0XUla+C/5Du0Bk7DIhAfUytAlnvQCgw+SO
qHOF8yYAqzmelY2sOtDWUhs=
=SU70
-----END PGP SIGNATURE-----
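The correlation westi does by eye above (a POST to wp-login.php answered with a 302 from one IP, followed within seconds by a 200 on /wp-admin/ from the same IP, then a run of post-editing POSTs) can be scripted over an access log. The script below is an added example for this page, not code from the original message or from WordPress. It assumes the NCSA combined log format of the two quoted lines, that a 302 on the login POST indicates a successful login (the inference the message makes), that post edits arrive as POSTs to wp-admin/post.php, and a five-minute correlation window; the sample log embeds the two quoted lines and adds constructed lines for a failed login from another IP and two edits.

```python
import re
from datetime import datetime, timedelta

# NCSA combined log format, as in the two lines quoted in the message.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

# Constructed sample log: the two lines quoted in the message, plus a failed
# login from an unrelated IP (assumed: a failed login re-renders the form with
# a 200) and two assumed post-edit POSTs to wp-admin/post.php.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/May/2006:14:25:01 +0000] "POST /eric/thoughts/wp-login.php HTTP/1.1" 200 1534 '
    '"http://meyerweb.com/eric/thoughts/wp-login.php" "Mozilla/5.0"',
    '207.42.135.122 - - [08/May/2006:14:30:06 +0000] "POST /eric/thoughts/wp-login.php HTTP/1.1" 302 5 '
    f'"http://meyerweb.com/eric/thoughts/wp-login.php" "{UA}"',
    '207.42.135.122 - - [08/May/2006:14:30:10 +0000] "GET /eric/thoughts/wp-admin/ HTTP/1.1" 200 12936 '
    f'"http://meyerweb.com/eric/thoughts/wp-login.php" "{UA}"',
    '207.42.135.122 - - [08/May/2006:14:30:41 +0000] "POST /eric/thoughts/wp-admin/post.php HTTP/1.1" 302 0 '
    f'"http://meyerweb.com/eric/thoughts/wp-admin/post.php?action=edit&post=1" "{UA}"',
    '207.42.135.122 - - [08/May/2006:14:31:05 +0000] "POST /eric/thoughts/wp-admin/post.php HTTP/1.1" 302 0 '
    f'"http://meyerweb.com/eric/thoughts/wp-admin/post.php?action=edit&post=2" "{UA}"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def find_admin_sessions(lines, window=timedelta(minutes=5)):
    """Return one summary per login -> wp-admin -> post-edit sequence seen in the log.

    A session is reported only when a 302 on the login POST is followed, from the
    same IP and within `window`, by a 200 on the wp-admin index; post edits are
    counted as POSTs to wp-admin/post.php from that IP inside the same window.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    sessions = []
    for i, login in enumerate(events):
        if not (login["method"] == "POST"
                and login["path"].endswith("/wp-login.php")
                and login["status"] == 302):
            continue
        later = [f for f in events[i + 1:]
                 if f["ip"] == login["ip"] and f["ts"] - login["ts"] <= window]
        admin_hit = next((f for f in later
                          if f["method"] == "GET"
                          and f["path"].rstrip("/").endswith("/wp-admin")
                          and f["status"] == 200), None)
        if admin_hit is None:
            continue  # login 302 with no admin page load: not confirmed
        edits = [f for f in later
                 if f["method"] == "POST" and "/wp-admin/post.php" in f["path"]]
        sessions.append({
            "ip": login["ip"],
            "login_at": login["ts"],
            "admin_at": admin_hit["ts"],
            "post_edits": len(edits),
        })
    return sessions


if __name__ == "__main__":
    for s in find_admin_sessions(SAMPLE_LOG):
        print(f'{s["ip"]} logged in at {s["login_at"]:%H:%M:%S}, '
              f'reached wp-admin at {s["admin_at"]:%H:%M:%S}, '
              f'then made {s["post_edits"]} post-edit POST(s)')
```

Run against a real access log, the same function lists every confirmed admin login and how many edits followed it, which makes it easy to spot a login from an IP the site owner does not recognise. Two caveats a practitioner should keep in mind: the 302-means-success heuristic only holds for the login handler's behaviour at the time, and a single shared IP (proxy, NAT) can merge several people's requests into one apparent session.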