Viewing 15 replies - 121 through 135 (of 161 total)
  • yes they should — it's actually only a 4-minute install.

    and is this entire thread about hacks to pre-2.8.4 installs???

    @kirkpete

    Actually, you can just download a copy of the new WordPress into a new directory, change the WordPress config file to set up connectivity to your database, copy your wp-content directory to the new tree, fire it up, and go. If there are DB changes required, WP will know and do them.

    RB

    PS: this is roughly what I do, using automated tools and DB/filesystem snapshots and test virtual machines prior to cutting over to new versions.

    The double slash hack does not even require any coding. Anyone can do this. All you have to do is register as a subscriber and then type in the URL to the admin pages with an extra slash.

    I bet many spammers have already known about this for a while and they must have already visited all the popular WP blogs and downloaded their entire database. This would explain many strange user registrations in the past few weeks.

    but /wp-admin//export.php is fully functional.

    I've tested this on a 2.8.2 install (even), registered as a subscriber, and can't replicate that assertion.

    I'll happily make this install available to you to register on, if you want to test.

    (you either have plugin issues, something else going on, or don't realize that you're actually admin)

    rwboyer, I don’t understand what you just posted, but it’s too late anyway, I’m halfway through the Extended Upgrade process. (I had already backed up my database and WordPress files at the beginning of this ordeal.)

    @kirkpete

    Just trying to get a handle on why you are having such a hard time with WordPress.

    I just looked at your hosting provider; if you have a virtual server it should be a walk in the park with nothing really in the way. What kind of account do you have? Windows? Linux?

    RB

    @whooami

    I tested it on 2.8 and I just double-checked. I’m able to export.

    OK, well, I've just tested it on the latest — 2.8.4, and it does not work.

    since 2.8.4 is the latest, and REALLY that's where the focus ought to be, NOT on versions that shouldn't be being used anyway ..

    @whooami

    Yeah, somewhere between 2.8 and 2.8.2, they must have added the line below:

    if ( !current_user_can('edit_files') )
    	wp_die(__('You do not have sufficient permissions to export the content of this blog.'));

    Basically, any admin file that does not have the function current_user_can() at the top can potentially be accessed with the double slash hack.

    I checked 2.8 vs 2.8.4. The function does not exist in the former but it does in the latter.
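    The double-slash URLs discussed above (a subscriber requesting /wp-admin//export.php) leave a simple trace in web-server access logs. As an added example, not code from any poster in this thread, the following Python check parses Apache combined-format log lines, collapses repeated slashes the way a path normaliser would, and flags wp-admin requests whose raw path differed from the normalised one; the log lines are constructed and the client addresses are documentation ranges.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (Apache combined format); hosts are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2009:10:01:02 +0000] "GET /wp-admin/export.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2009:10:01:09 +0000] "GET /wp-admin//export.php HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2009:10:02:00 +0000] "GET /wp-admin///users.php?orderby=id HTTP/1.1" 200 9120 "-" "curl/7.19"
192.0.2.9 - - [10/Sep/2009:10:03:15 +0000] "GET /2009/09/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Sep/2009:10:03:16 +0000] "GET /wp-admin/ HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Common/combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_path(target: str) -> str:
    """Drop the query string and collapse runs of slashes: /wp-admin//x.php -> /wp-admin/x.php."""
    path = target.split("?", 1)[0]
    return re.sub(r"/{2,}", "/", path)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if the line is not in the expected format."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def flag_double_slash_admin(log_text: str) -> List[Dict[str, str]]:
    """Flag requests under /wp-admin/ whose raw path contained repeated slashes.

    The HTTP status is kept so an analyst can see whether the malformed path was actually served.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        raw_path = rec["target"].split("?", 1)[0]
        norm = normalize_path(rec["target"])
        if norm.startswith("/wp-admin/") and raw_path != norm:
            hits.append({"ip": rec["ip"], "raw": raw_path, "normalized": norm, "status": rec["status"]})
    return hits


if __name__ == "__main__":
    for hit in flag_double_slash_admin(SAMPLE_LOG):
        print(f'{hit["ip"]} requested {hit["raw"]} (normalised {hit["normalized"]}) -> HTTP {hit["status"]}')
```

    Run against a real access log, a hit with a 200 status for a file that normally redirects low-privilege users is the signal to compare against the version's capability checks.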

    @whooami

    It’s easy for webmasters and developers to say nobody should be using the old versions, but WordPress is being used by many people whose passion and professions are NOT maintaining websites and staying informed of the latest security threats. People just want to blog. Most people feel that upgrading their software once a year is good enough. If every blogger was a webmaster, the blogosphere would be nothing but people talking about blogs.

    But this does make me think twice about recommending that people install WP. Those who do not have professional webmasters taking care of their blogs should not install their own. They should just use the hosted version at wordpress.com.

    dyske,

    you're making a point that's been made already on here dozens of times before..

    Most people feel that upgrading their software once a year is good enough. If every blogger was a webmaster, the blogosphere would be nothing but people talking about blogs.

    OK, but most people are wrong, and they're cheap.

    I fail to see what any of that has to do with the topic (6 pages of stuff over hacked sites that weren't even running the latest version??)

    I mean no disrespect, but seriously.. clean the affected sites out, upgrade, be done.

    Sorry, I just realized that the exported XML does not contain users table. It just exports all the posts, which are already public information. So, this isn’t so bad.

    … and it doesn't ever contain the users table, anyway. That's not the purpose of it. It doesn't matter WHO exports it.

    I love a mystery, and I, honestly, think it's a good idea to know how a site was compromised, but the “catch the little bugger” stuff is really a waste of energy. These attacks are scripted, they're done from behind chained proxies or from zombie machines, and well.. you get the point.

    Yeah, I’m going to bed now.

    @whooami,

    For bloggers who are not technologists, upgrading is an ordeal. (The magical “Automatic Upgrade” button in the dashboard has NEVER ONCE functioned for me, I always have to do it manually.) The first time I upgraded to 2.8.x a few months ago, it broke my blog, and I had to downgrade to 2.7 to recover.

    I mean no disrespect, but seriously.. clean the affected sites out, upgrade, be done.

    Actually, you mean NOTHING BUT disrespect, in virtually every comment you have posted on this thread. You are a troll.

  • The topic ‘Question About Possible Hack of Site’ is closed to new replies.