At 5:42 AM +0100 5/9/06, Roy Schestowitz wrote:
> I hope you have added 184.108.40.206 to yours IP deny list. I know I have.
Not yet. I actually want them to try again, so I can see if it's
a password crack or something else. (I've changed the password.)
I'm willing to undertake the effort of cleaning up after another
successful attack if allowing it helps figure out exactly what
happened. So far, no posts have been modified since I cleaned up
after the last two attacks and changed my admin password.
Although if they cracked the admin password, I'd like to know how.
I haven't seen any apparent attempts to brute-force it, and I'm not
sure how it could have been swiped-- and why would someone bother in
the first place? The effort needed to crack a password on a single
blog just doesn't seem worth the payoff.
So here's what I have found, little though it may tell anyone:
That shows all of the instances where there were attempts to access
the WP admin area and the client was redirected to the login page. I
highlighted the two known break-ins, but there's a third that wasn't a
break-in but interested me. I highlighted it too-- what drew my
attention was the "Show+Month" bit. So I searched for all instances
of that IP address and came up with:
So if that was a break-in attempt, it failed. I just find it
interesting that there's been more than one attempt to get in that
way. It might be the same person from multiple machines, of course.
I searched my access logs again for all "Show+Month" entries, but
they were all either the original break-ins, this new one I show
above, or my own machines.
There *may* be some backdoor in the handling of
edit.php?m=MONTH&submit=Show+Month perhaps? I don't know what these
arguments are intended to achieve. Maybe bad handling of exceptions?
I dunno. That's why I brought it up here, just in case there was
a previously unknown vulnerability.
> This can't do much harm /assuming/ you have not modified much of your code
> (I know Eric Meyer has "hacked WordPress like it was attacking his family").
Actually, not any more. I'm running 1.5 and all the 'hacking' is
now in theme files, or else via plugins I wrote for myself. The core
itself is largely or completely undisturbed. I did a test upgrade to
2.0 on my local server and there weren't any hiccups in terms of the
install running, so I suspect "completely", but it's been a long time
since I upgraded to 1.5 and so I might have forgotten a tweak or two.
> Time-wise, it might be worth going over the changelog for 1.5.3 and, based
> on the log, see if it fixes the problem at hand. It could return to attack
> via proxies and become detrimental. The only real solution is patching.
Unless of course whatever they're doing isn't solved by the latest
version. I'm assuming that all this isn't an obvious example of a
widely known problem with the 1.5x series, though.
Eric A. Meyer (eric@xxxxxxxxxxxx)
Principal, Complex Spiral Consulting http://complexspiral.com/
"CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
"Eric Meyer on CSS," and more http://meyerweb.com/eric/books/
wp-hackers mailing list
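The log triage Eric describes above (find every hit on the admin area that got bounced to the login page, then pull out the "Show+Month" requests and group them by client IP) can be automated rather than done with repeated greps. The script below is an added example and is not code from this thread or from WordPress. It assumes Apache combined log format and assumes, as the message does, that an unauthenticated request to wp-admin is answered with a 302 to the login page; the log lines and the RFC 5737 addresses in them are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined format. The IPs are RFC 5737
# documentation addresses, not addresses from any real log.
SAMPLE_LOG = """\
192.0.2.10 - - [09/May/2006:05:40:01 +0100] "GET /wp-admin/edit.php?m=200605&submit=Show+Month HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.10 - - [09/May/2006:05:40:02 +0100] "GET /wp-login.php?redirect_to=/wp-admin/edit.php HTTP/1.1" 200 1520 "-" "Mozilla/4.0"
198.51.100.7 - - [09/May/2006:06:10:11 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [09/May/2006:06:10:12 +0100] "GET /wp-admin/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.9 - - [09/May/2006:07:00:00 +0100] "GET /index.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
192.0.2.10 - - [09/May/2006:07:15:30 +0100] "GET /wp-admin/post.php?action=edit&post=12 HTTP/1.1" 302 0 "-" "Mozilla/4.0"
"""

# Fields of the combined format we actually need: client IP, timestamp,
# request method, request target and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Tag one parsed entry with the events the thread is interested in."""
    tags = set()
    url = urlsplit(entry["path"])
    qs = parse_qs(url.query)  # decodes "Show+Month" to "Show Month"
    if url.path.startswith("/wp-admin/"):
        tags.add("admin_hit")
        # Assumption: an unauthenticated admin request is answered with a
        # 302 to the login page, so a 302 here means the request was refused.
        if entry["status"] == 302:
            tags.add("admin_redirect_to_login")
    if url.path.endswith("/edit.php") and qs.get("submit") == ["Show Month"]:
        tags.add("show_month")
    if url.path == "/wp-login.php" and entry["method"] == "POST":
        tags.add("login_post")
    return tags


def summarize(log_text):
    """Count tagged events per client IP; IPs with no tagged events are omitted."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for tag in classify(entry):
            per_ip[entry["ip"]][tag] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


def ips_to_review(summary):
    """IPs that sent a Show+Month request or were bounced from wp-admin at least once."""
    return sorted(
        ip for ip, counts in summary.items()
        if counts.get("show_month") or counts.get("admin_redirect_to_login")
    )


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip in ips_to_review(result):
        print(ip, result[ip])
```

Running it against a real access log means replacing SAMPLE_LOG with the file contents; the per-IP counts then answer the two questions in the message directly: which clients were bounced to the login page (failed attempts) and which of those also issued the "Show+Month" request. A client that shows a successful login POST followed by 200 responses from wp-admin, as 198.51.100.7 does in the constructed data, is the pattern to compare against the times of the known break-ins.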