[wp-hackers] WP security breach-- may be my fault, may not be
mark.wordpress at txfx.net
Thu May 11 08:07:38 GMT 2006
On May 8, 2006, at 8:29 PM, Eric A. Meyer wrote:
> I chatted with the #wordpress folks and nobody there seemed to
> know what might be happening, with the only real guess being that
> maybe my WP admin password was compromised. I changed my admin
> password after the breaches documented above, and will watch my
> access logs to see if there are any more attempts. I don't know
> for sure that my password was compromised, though if there's a log
> somewhere that I could check for admin logins, I'll gladly do so.
> Is there?
Eric, WordPress 1.5 (and even 1.5.2) has security issues that could
allow someone to change your WP password without your knowledge.
Did you just go into WordPress and change the password, or did you
log out and see if the password had been changed? See, the way one
of the attacks works (the one I'm thinking it could have been), is
that you are tricked into visiting a page that uses devious methods
to submit a form (on your behalf, using your WP cookie) that changes
your password. If done right, you won't even realize this has
happened because your WP login cookie will be updated with the hash
of the new password, and so your access to your blog won't be
interrupted. It is possible that this happened, and that when you
changed your password, you weren't changing it from what you
thought... it may have already been changed without your knowledge.
Grep your access log for all POSTs to /wp-admin/profile.php ... note
that the IP you'll be looking for is your own, but the referer will
be blank or from an external site.
grep -i 'POST /eric/thoughts/wp-admin/profile\.php' access_log
Or, maybe you picked a relatively simple password and they guessed
it... but that'd definitely show up in the logs as suspicious. What
I'd recommend doing immediately is upgrading to http://
svn.automattic.com/wordpress/branches/1.5/ This has several CSF
fixes, and will at least prevent people from being able to just
change your password. Long term, I'd start looking into upgrading to
the 2.0 branch.
More information about the wp-hackers