[wp-hackers] WP security breach-- may be my fault, may not be
Mark Jaquith
mark.wordpress at txfx.net
Thu May 11 08:07:38 GMT 2006
On May 8, 2006, at 8:29 PM, Eric A. Meyer wrote:
> I chatted with the #wordpress folks and nobody there seemed to
> know what might be happening, with the only real guess being that
> maybe my WP admin password was compromised. I changed my admin
> password after the breaches documented above, and will watch my
> access logs to see if there are any more attempts. I don't know
> for sure that my password was compromised, though if there's a log
> somewhere that I could check for admin logins, I'll gladly do so.
> Is there?
Eric, WordPress 1.5 (and even 1.5.2) has security issues that could
allow someone to change your WP password without your knowledge.
Did you just go into WordPress and change the password, or did you
log out and see if the password had been changed? See, the way one
of the attacks works (the one I'm thinking it could have been), is
that you are tricked into visiting a page that uses devious methods
to submit a form (on your behalf, using your WP cookie) that changes
your password. If done right, you won't even realize this has
happened because your WP login cookie will be updated with the hash
of the new password, and so your access to your blog won't be
interrupted. It is possible that this happened, and that when you
changed your password, you weren't changing it from what you
thought... it may have already been changed without your knowledge.
Grep your access log for all POSTs to /wp-admin/profile.php ... note
that the IP you'll be looking for is your own, but the referer will
be blank or from an external site.
Something like:
grep -i 'POST /eric/thoughts/wp-admin/profile\.php' access_log
Or, maybe you picked a relatively simple password and they guessed
it... but that'd definitely show up in the logs as suspicious. What
I'd recommend doing immediately is upgrading to
http://svn.automattic.com/wordpress/branches/1.5/ This has several CSRF
fixes, and will at least prevent people from being able to just
change your password. Long term, I'd start looking into upgrading to
the 2.0 branch.
--
Mark Jaquith
http://txfx.net/
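The log check Mark describes, carried a step further as an added example (this is not code from the thread or from WordPress): instead of listing every POST to profile.php, it keeps only those whose Referer is blank or points at a host other than the blog's own, which is the pattern a cookie-riding cross-site form submission leaves behind. It assumes the Apache/nginx "combined" log format, and the host names and log lines are constructed sample data.

```shell
#!/bin/sh
# find_csrf_profile_posts: print POST requests to wp-admin/profile.php whose
# Referer header is blank ("-") or comes from a host other than the blog's own.
# Assumes the "combined" log format:
#   ip - user [date] "request" status bytes "referer" "user-agent"
# Splitting on the double quote makes $2 the request line and $4 the Referer,
# so a user agent containing spaces cannot shift the fields.
# Usage: find_csrf_profile_posts <access_log> <own_host>
find_csrf_profile_posts() {
    log="$1"
    own_host="$2"
    awk -F'"' -v host="$own_host" '
        $2 ~ /^POST [^ ]*\/wp-admin\/profile\.php/ {
            ref = $4
            if (ref == "-" || ref == "") {
                print "NO-REFERER  " $0
            } else if (index(ref, "://" host "/") == 0 && index(ref, "://" host ":") == 0) {
                print "EXTERNAL    " $0
            }
            # A POST whose Referer is the blog itself is the normal profile
            # save and is not printed.
        }' "$log"
}

# Constructed sample access log (hypothetical hosts, not real traffic):
# line 1 is a normal page view, line 2 a legitimate profile save, line 3 a
# password-change POST with no Referer, line 4 one referred from an outside
# page, line 5 a login POST that is out of scope for this check.
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [08/May/2006:20:10:01 +0000] "GET /eric/thoughts/wp-admin/profile.php HTTP/1.1" 200 5120 "http://blog.example/eric/thoughts/wp-admin/" "Mozilla/5.0 (Macintosh)"
203.0.113.7 - - [08/May/2006:20:10:40 +0000] "POST /eric/thoughts/wp-admin/profile.php HTTP/1.1" 302 0 "http://blog.example/eric/thoughts/wp-admin/profile.php" "Mozilla/5.0 (Macintosh)"
203.0.113.7 - - [08/May/2006:21:02:13 +0000] "POST /eric/thoughts/wp-admin/profile.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.7 - - [08/May/2006:21:15:55 +0000] "POST /eric/thoughts/wp-admin/profile.php HTTP/1.1" 302 0 "http://lure.example/page.html" "Mozilla/5.0 (Macintosh)"
203.0.113.7 - - [08/May/2006:21:16:02 +0000] "POST /eric/thoughts/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh)"
EOF
}

# Count of flagged lines, for a quick yes/no triage of a log file.
count_suspicious() {
    find_csrf_profile_posts "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demonstration against the constructed log.
demo_log="${TMPDIR:-/tmp}/wp_profile_demo_$$.log"
make_sample_log "$demo_log"
find_csrf_profile_posts "$demo_log" blog.example
rm -f "$demo_log"
```

Two lines come out: the blank-Referer POST and the one referred from lure.example. Browsers may omit the Referer for legitimate reasons (privacy settings, HTTPS-to-HTTP transitions, some proxies), so a blank Referer on its own is a lead for correlating with the time of the suspected change, not proof; an external Referer on a profile save is the stronger signal. The upgrade Mark recommends adds per-request nonces to these forms, which is what removes the root cause rather than only detecting it.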