___/ On Tue 09 May 2006 01:49:27 BST, [ Joey B ] wrote : \___
On 5/8/06, Eric A. Meyer <eric@xxxxxxxxxxxx> wrote:
Earlier today I got word that I had linkspam showing up in entries
on meyerweb-- they showed up in Bloglines, for example, and also some
people's aggregators showed recent posts as having been modified.
I didn't notice that over here (just re-checked this to confirm). Oddly,
however, a recent item of yours ("Flummmoxed By Frameworks") did now show
up as new, although it *should* have. I am using RSSOwl if that matters.
It turns out someone went in and added link spam to the post
contents of the most recent 30 or so posts. Here's an example of one
such post, pulled from my wp-cache files:
The spam shows up at lines 83-121. Here's another:
In that case, the spam is at lines 75-113.
I was able to remove the spam from meyerweb by manually editing
the post contents for each affected post. In other words, the spam
content had been added to the DB records-- this is not a wp-cache
problem. That's just where I was able to harvest copies of the
offending content. It's also not a comment problem; this stuff is
injected into the actual post_content field.
The spam always shows up after three or so paragraphs, whether
that means the end of the post or somewhere in the middle, which
feels like the work of a regexp or some other pattern search. I also
tracked down the activity which stuck the spam into my records.
I hope you have added 18.104.22.168 to yours IP deny list. I know I have. I
still run a modified copy of Mingus (1.2) on a few sites. Use of old version
increases the need for caution.
Judging by the patterns, e.g.:
22.214.171.124 - - [08/May/2006:15:24:15 +0000] "GET
/eric/thoughts/wp-admin/edit.php?m=200512&submit=Show+Month HTTP/1.1" 200
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
126.96.36.199 - - [08/May/2006:15:24:21 +0000] "GET
/eric/thoughts/wp-admin/post.php?action=edit&post=698 HTTP/1.1" 200 24473
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
There *may* be some backdoor in the handling of
edit.php?m=MONTH&submit=Show+Month perhaps? I don't know what these
arguments are intended to achieve. Maybe bad handling of exceptions?
The pattern of accesses also reminds me of a script. Note there are
two blocks of changes, temporally speaking. I'm not anywhere close
to the IP block of the accesses in question; they're in the 207.*
block and I'm a good deal lower than that.
Now for the details of my WP install: I'm running 1.5, as I really
hate the admin interface of 2.0, even with rich editing turned off.
(If it remembered which of those cute little option boxes to leave
expanded, I'd be a lot happier, but never mind that now.) I'm
willing to upgrade to fix this, though I'd want to wait at least a
few days to see if the problem happens again. The only plugins
running that I didn't write myself are Akismet and wp-cache. The
plugins I wrote are all content modifiers, like ordinalizing numbers
from 1-10, outputting a slightly different monthly calendar, and
turning off auto-formatting of posts (but not comments). I don't
think any of them could be a doorway, but it's hard to be certain.
I chatted with the #wordpress folks and nobody there seemed to
know what might be happening, with the only real guess being that
maybe my WP admin password was compromised. I changed my admin
password after the breaches documented above, and will watch my
access logs to see if there are any more attempts. I don't know for
sure that my password was compromised, though if there's a log
somewhere that I could check for admin logins, I'll gladly do so. Is
Like I said, if this sort of thing is a known problem with 1.5,
I'm willing to upgrade to fix it, much though I may curse the
interface afterward. If this isn't something that's been seen
before, I thought it was worth bringing to your attention. Thanks
for any insights.
There's a version 1.5.3 in Beta, I think (
If I recall correctly from the little chatter I've heard about it, it
contains some security fixes, and, iirc again, you can get it from SVN
This can't do much harm /assuming/ you have not modified much of your code
(I know Eric Meyer has "hacked WordPress like it was attacking his family").
Time-wise, it might be worth going over the changelog for 1.5.3 and, based
on the log, see if it fixes the problem at hand. It could return to attack
via proxies and become detrimental. The only real solution is patching.
With kind regards,
Roy S. Schestowitz
http://Schestowitz.com | GNU is Not UNIX ¦ PGP-Key: 0x74572E8E
5:35am up 11 days 12:32, 8 users, load average: 0.85, 0.74, 0.77
http://iuron.com - proposing a non-profit search engine