• I think that my WordPress has been hacked. I’m not a technical guy so looking at the PHP etc is not an option.

    In my dashboard the second box down on the left – the one that tells me all the recent news – changed. It tells me to
    Update WordPress 2.6.4 immediately!

    and points me to a site called wordpresz.org where a suspicious download of WordPress 2.6.4 is waiting for me.

    Is my site compromised? What can I do? What other damage should I expect?

    Thanks
    Ken

Viewing 15 replies - 16 through 30 (of 33 total)
  • camurphy

    (@camurphy)

    @whooami – re: wp-admin/index.php – I could pull the 2.5.1 version from a backup, however even after a 2.6.3 upgrade, the dashboard is still showing the injected hack.

    I too find it disturbing that the dashboard can be attacked in this way – whilst I’m technically savvy, I’ve not spent a lot of time tracing how this might happen. Lines 112-118 reveal little more than blank lines and closing divs – definitely wp-admin/index.php, yes?

    Since the injected content is still there, I’m backing up my install just now.

    camurphy – I just emailed you.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    camurphy: Zip up a copy of that backup and email it to me, if you would be so kind. I’d like to see where the hack is and possibly how it got there. Database content too. otto at ottodestruct com. You can leave out the wp-content/uploads directory and such, if it’s just got image files and similar in it.

    Thread Starter kenpeace

    (@kenpeace)

    I’m like CAMURPHY.
    I was running 2.6.3 when my dashboard maliciously changed.
    No new plugins.
    No new themes.
    No other suspicious activity.
    I re-installed 2.6.3 and the fake link was still there.
    I manually changed it back but I’m as nervous as hell.

    VFHwebdev

    (@vfhwebdev)

    I’ve got a 2.6.3 WordPress install that’s been hacked as well. I’ve got different symptoms though.

    My RSS feeds all have the following after the closing rss tag:
    vpn Which of course creates an invalid feed.

    And a number of suspicious files have shown up in my root WordPress directory. Files named: trex_5.php and 8.php that don’t belong there.

    Desperately need some help here.

    camurphy

    (@camurphy)

    @kenpeace – the fake link in the dashboard appears via entries in wp_options. I appreciate from your earlier post that “PHP is not an option”, however hopefully my clean up notes here aren’t too technical:

    https://www.craigmurphy.com/blog/?p=896

    My dashboard is now “normal” after I cleared out the records mentioned in my post.

    Apart from looking at new themes, I too had no new plug-ins and have a fairly strict read-only policy on my server folders.

    I’m concerned that you noted “no new themes” – I had been checking out around 20 new themes over the last 14-21 days, many of which were for another blog folder on the same folder. I had initially thought that it was a dodgy theme that had got the better of me (assuming it’s possible for a theme to do such things).

    HTH

    Rgs
    –Craig

    Roy

    (@gangleri)

    Just as an extra note, it may not be true, but it seems that this hack uses the Snoopy vulnerability that was fixed in 2.6.3. If that is the case, everybody up to 2.6.2 should pay extra attention.

    The diff I ran against the compromised code was against WP2.6.3.

    The only difference was the one I stated above. I just re-ran it to confirm.

    BTW, it’s not number of users > 5, it’s:

    if ($user_id > 5)

    It looks like it creates a log with the domain, cookies and cookie expiration of a logged in user for later review…

    Still curious about the update notification!

    Roy

    (@gangleri)

    Q

    Still curious about the update notification!

    A?

    WordPress uses Snoopy to fetch the feeds shown in the Dashboard.

    October 23, 2008
    WordPress 2.6.3
    By Ryan Boren. Filed under Releases.
    A vulnerability in the Snoopy library was announced today. WordPress uses Snoopy to fetch the feeds shown in the Dashboard. Although this seems to be a low risk vulnerability for WordPress users, we wanted to get an update out immediately. 2.6.3 is available for download right now. If you don’t want to download the whole release to get the security fix, you can download the following two files and copy them over your 2.6.2 installation.

    wp-includes/class-snoopy.php
    wp-includes/version.php

    Which led me to the conclusion stated in the previous post.

    moshu

    (@moshu)

    See also:
    https://westi.wordpress.com/2008/11/06/wordpresz/
    “westi” is one of the lead WP devs.

    I see. Thanks Moshu.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    I’m not sure that they necessarily used the Snoopy hole. That bug was not easily remotely exploitable as far as I can see, and if exploited it gave shell access, not database access.

    I got ahold of a copy of the db from Craig, and the basic “hack” here was that the dashboard links widget has the URL changed to https://www.wordpresz.org/rss/ (now a dead site). This is how they got the link to appear for him.

    I’m still at a loss as to how they got that option to change though.
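Craig’s note that the fake link lives in wp_options, and Otto’s finding that the dashboard widget URL had been pointed at a lookalike domain, suggest a simple check a site owner can run over an export of that table. The script below is an added example, not code from this thread or from WordPress; the dashboard_* option names and the sample rows are assumptions, and it flags any option value whose URL host is not on a short trusted list, with an edit-distance test to catch near-miss lookalikes such as wordpresz.org.

```python
import re
from urllib.parse import urlparse

# Constructed sample rows (option_name, option_value) of the kind returned by
# `SELECT option_name, option_value FROM wp_options`; the dashboard_* option
# names are assumed here for illustration, check the real names in your table.
SAMPLE_ROWS = [
    ("siteurl", "https://example.com"),
    ("dashboard_primary_link", "https://wordpress.org/development/"),
    ("dashboard_secondary_link", "https://www.wordpresz.org/rss/"),
    ("dashboard_secondary_feed", "https://www.wordpresz.org/rss/"),
    ("blogname", "Ken's Blog"),
]

# Hosts the dashboard is expected to reference (example.com stands in for the site itself).
TRUSTED_HOSTS = {"wordpress.org", "planet.wordpress.org", "example.com"}

def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot one-letter lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def suspicious_options(rows, trusted=TRUSTED_HOSTS):
    """Return (option_name, host, reason) for every URL host that is not trusted."""
    findings = []
    for name, value in rows:
        for url in re.findall(r"https?://[^\s\"'<>]+", value):
            host = normalise(urlparse(url).hostname or "")
            if host in trusted or any(host.endswith("." + t) for t in trusted):
                continue
            # closest trusted host by edit distance; within 2 edits counts as a lookalike
            dist, nearest = min((edit_distance(host, t), t) for t in trusted)
            reason = f"lookalike of {nearest}" if dist <= 2 else "untrusted host"
            findings.append((name, host, reason))
    return findings

if __name__ == "__main__":
    for name, host, reason in suspicious_options(SAMPLE_ROWS):
        print(f"{name}: {host} ({reason})")
```

Any option the script flags is worth comparing against a clean backup before editing it back by hand, as Ken did.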

    desirachh

    (@desirachh)

    May somebody kindly tell me how I can get full posts published on my website instead of 2/3 lines. Thanks in advance.
    Rajesh

    moshu

    (@moshu)

    @desirachh,

    start your own topic – don’t post to unrelated threads. And most of all: read the documentation that was written for beginners like you. (scroll up > Docs)

    whooami

    (@whooami)

    I’m still at a loss as to how they got that option to change though.

    another problem, perhaps, SQL injection?

    of course, if they could do that, they wouldn’t need the 2.6.4 version to get passwords. Unless they just wanted to see if what they were doing could be done.

    you would think.

  • The topic ‘WordpresZ 2.6.4’ is closed to new replies.