
Re: [wp-hackers] WP security breach-- may be my fault, may not be

At 5:42 AM +0100 5/9/06, Roy Schestowitz wrote:

> I hope you have added 207.42.135.122 to your IP deny list. I know I have.

Not yet. I actually want them to try again, so I can see if it's a password crack or something else. (I've changed the password.) I'm willing to undertake the effort of cleaning up after another successful attack if allowing it helps figure out exactly what happened. So far, no posts have been modified since I cleaned up after the last two attacks and changed my admin password.

Although if they cracked the admin password, I'd like to know how. I haven't seen any apparent attempts to brute-force it, and I'm not sure how it could have been swiped-- and why would someone bother in the first place? The effort needed to crack a password on a single blog just doesn't seem worth the payoff.

So here's what I have found, little though it may tell anyone:


   http://meyerweb.pastebin.com/708792

That shows all of the instances where there were attempts to access the WP admin area and the client was redirected to the login page. I highlighted the two known breakins, but there's a third that wasn't a breakin but interested me. I highlighted it too-- what drew my attention was the "Show+Month" bit. So I searched for all instances of that IP address and came up with:

   http://meyerweb.pastebin.com/708795

So if that was a breakin attempt, it failed. I just find it interesting that there's been more than one attempt to get in that way. It might be the same person from multiple machines, of course.

I searched my access logs again for all "Show+Month" entries, but they were all either the original breakins, this new one I show above, or my own machines.


> There *may* be some backdoor in the handling of
> edit.php?m=MONTH&submit=Show+Month perhaps? I don't know what these
> arguments are intended to achieve. Maybe bad handling of exceptions?

I dunno. That's why I brought it up here, just in case there was a previously unknown vulnerability.


> This can't do much harm /assuming/ you have not modified much of your code
> (I know Eric Meyer has "hacked WordPress like it was attacking his family").

Actually, not any more. I'm running 1.5 and all the 'hacking' is now in theme files, or else via plugins I wrote for myself. The core itself is largely or completely undisturbed. I did a test upgrade to 2.0 on my local server and there weren't any hiccups in terms of the install running, so I suspect "completely", but it's been a long time since I upgraded to 1.5 and so I might have forgotten a tweak or two.


> Time-wise, it might be worth going over the changelog for 1.5.3 and, based
> on the log, see if it fixes the problem at hand. It could return to attack
> via proxies and become detrimental. The only real solution is patching.

Unless of course whatever they're doing isn't solved by the latest version. I'm assuming that all this isn't an obvious example of a widely known problem with the 1.5x series, though.


--
Eric A. Meyer  (eric@xxxxxxxxxxxx)
Principal, Complex Spiral Consulting   http://complexspiral.com/
"CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
"Eric Meyer on CSS," and more    http://meyerweb.com/eric/books/
_______________________________________________
wp-hackers mailing list
wp-hackers@xxxxxxxxxxxxxxxxxxxx
http://lists.automattic.com/mailman/listinfo/wp-hackers
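
The log triage described in the message above (admin-area requests bounced to the login page, "Show+Month" requests, then everything else from the same addresses, leaving out the administrator's own machines), sketched as an added example that is not part of the original post. It assumes Apache "combined" format logs and that the bounce to the login page is logged as a 301/302; the sample lines, IP addresses and the `OWN_IPS` set are constructed.

```python
import re
from collections import defaultdict

# Assumption: Apache "combined" log format; the post does not name the format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation-range IPs), not the pastebin data.
SAMPLE_LOG = """\
198.51.100.7 - - [08/May/2006:21:14:02 -0400] "GET /wp-admin/edit.php?m=200604&submit=Show+Month HTTP/1.1" 302 - "-" "Mozilla/4.0"
198.51.100.7 - - [08/May/2006:21:14:03 -0400] "GET /wp-login.php?redirect_to=%2Fwp-admin%2Fedit.php HTTP/1.1" 200 1841 "-" "Mozilla/4.0"
203.0.113.9 - - [08/May/2006:22:40:11 -0400] "GET /wp-admin/post.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
192.0.2.10 - - [08/May/2006:23:01:45 -0400] "GET /wp-admin/edit.php?m=200605&submit=Show+Month HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.10 - - [08/May/2006:23:02:10 -0400] "GET /wp-admin/ HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.7 - - [08/May/2006:23:30:00 -0400] "GET /archives/2006/05/ HTTP/1.1" 200 20412 "-" "Mozilla/4.0"
"""

OWN_IPS = {"192.0.2.10"}  # hypothetical: the administrator's own machines


def triage(log_text, own_ips=frozenset()):
    """Group admin redirects and Show+Month hits by IP; add each such IP's full history."""
    redirects = defaultdict(list)   # admin-area requests bounced to the login page
    show_month = defaultdict(list)  # edit.php?...&submit=Show+Month requests
    by_ip = defaultdict(list)       # every parsed request, for the follow-up search
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        ip, path, status = m["ip"], m["path"], m["status"]
        by_ip[ip].append((m["ts"], path, status))
        if ip in own_ips:
            continue  # known-good clients are not suspects
        if path.startswith("/wp-admin/") and status in ("301", "302"):
            redirects[ip].append((m["ts"], path))
        if "submit=Show+Month" in path:
            show_month[ip].append((m["ts"], path, status))
    suspects = set(redirects) | set(show_month)
    return {
        "redirects": dict(redirects),
        "show_month": dict(show_month),
        "history": {ip: by_ip[ip] for ip in sorted(suspects)},
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, OWN_IPS))
```

The status kept with each Show+Month entry separates a request that was redirected to the login page from one served inside an authenticated session.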
