Security Breach in WP?

Hmm….isn’t this the third or fourth instance, has anyone looked into previous reports of this? I know nothing is 100% secure, but previous calls about db and wp being hacked have been knocked off as ludicrous and impossible.

this won’t start a panic, but it will make users worried, very worried in fact.

sorry to hear about it root, i wonder who’s next. out of sheer apranoia i’m backing everything up as i write

Root – grab your access / error logs / stats. They may be useful.

Can you share with someone your passwords / settings / anything else relevant ?

The hacker said he got in via install.php. I installed via Fantastico and had not deleted it. I normally do – I cant remember if its in the readme or is a known security loophole unless it is deleted. But it took my db down as well – I think.

I wouldn’t believe a word the fuckwit said.
Grab logs and compare times of access to the time of the entry it made.

so if install.php is still in there, and a user tries to do an install, would it overwrwite the existing one? That might explain how he got in. Most installers/blog tools I am aware of tend to auto delete the intall file after a complete install. I thought WP did the same, just deleted mine – I’m not if it’s stated in the readme. This may all just be hype but I’m pretty paranoid.

I think the logs should reveal some info. what files were access etc

I don’t remember reading that anywhere. Needless to say, I just deleted all of mine – Fantastico installs as well. I also took out the install-helper.php file just to be safe.

I’m sorry this has happened to you again, Root. Some people cannot see a fine thing without the need to desecrate it.

A word of caution guys. When I clicked on a post on Root’s blog, I received the a€?click install.php to begina€? message the first time around.

As a safety check, I’d remove install.php from your wp-admin directory. They have no function outside of the install procedure anyways.

may be something for 1.6 installer?

step x – delete the install.php and install-helper.php files or click here to let wp delete them for you

“Some people cannot see a fine thing without the need to desecrate it.”
This is off-topic and neither here or there, but the guy left a post where he sounded apologetic saying that it was curiosity rather than malicious intent. From my experiences (seeing the error message) and the language, I’m inclined to believe him/her.

If anything, this probably makes it worse. If a blog can be junked this easily, then I’d be more worried, not less.

Fantastico omits that step x. And I cant see it in readme.html

Normally, it doesn’t make a difference. Running install.php again should have no effect as it detects if an installation is already there. However, in certain situations, something goes wrong.

An off-the-cuff hypothesis: WP temporarily is unable to connect to MySQL and hence this check fails. It assumes that it’s a fresh installation. Hence, it goes on to recreate the tables, junking the whole db.

The guy now says that as I was just about to install WP but before I ran install that he did it instead. But that does not make sense because it was already installed.

ifelse those were my first thoughts – at the same time, did he have to experiment with someone else’s site, malicious or not, he did a bad thing but it’s also served as an eye opener, if his comments are true. the question should be why it isn’t deleted after an installation is made – take away the onus from the user, remember these guys are expecting the bugger to do 99% of the work for them.

@root step x was a suggestion, it doesn’t actually exist I’m afraid, and it isn’t in the readme. it’s obvious thing for someone who’s done a lot of these types of installs, but not for new users, and those that sometimes slip their minds in the midst of doing 1001 things. considered shopping this guys to the authorities?

tried the install with an existing install:

You appear to have already installed WordPress. To reinstall please clear your old database tables first.

So if they can remotely clear the tables and then run the installer that would work. but i wouldn’t know how to do that, and i;m not sure if it is possible

You do not need to delete install.php after installing, lines 80 and 81 check if WordPress has been installed already (more specifically, if there are any users in the users table) and if it is it dies right away.

Almost every other application, open or paid, requests that the install(.php) file(s) be removed after install/upgrade as the last step of the process. Just as WP, all of those applications detect if an install already exists and does not run the script again, in case someone stumbles on it, but it is still requested that it be removed, as in certain stray situations it can indeed cause a complete overwrite of the tables and run a fresh install. If the other scripts, the message boards, guestbooks, blogware, ect. all deem this an important enough step, I was personally very surprised to see those steps absent from WP install instructions. By habit, I delete all install files from any of the applications I install after I install them. WP was no exception.

It’s just one line of instructions. I think it definitely should be added.

It does not matter how sunny a month it is. Leave a lightning bolt in the middle of a grass field, and lightning will eventually strike it. More than once.

Root, terribly sorry about your repeated misfortunes. ??