I’m running 4 WordPress blogs, for me and my friends. All of them are updated to the latest version of WordPress as soon as a new one is available.
One of them, Maomium, was hacked last night. Someone created a user account on it, then stole my admin identity to post content. As soon as I discovered the hack, I put the blog down and changed all passwords which may have been exposed to the hacker (database, etc.).
Before the hack happened, my Apache log showed me that a person was looking for blogs powered by WordPress 2.2 and open to registration:
123.76-136-217.adsl-dyn.isp.belgacom.be www.maomium.com - [07/Jun/2007:00:51:55 +0200] "GET /category/wordpress/ HTTP/1.1" 200 2960 "http://www.google.be/search?hl=fr&q=%22powered+by+wordpress+2.2%22+Register&btnG=Rechercher&meta=" "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
This person was my hacker. As you can see he’s a Belgian guy and his broadband provider is Belgacom, to which I sent an abuse request. He registered himself as Waryas with his myv4you@hotmail.com email. I know that thanks to the email WordPress sends me each time someone registers. Then Google told me that this hack was not his first.
If you want to dissect his behaviour, you can download my Apache log.
This event shows us that the WordPress vulnerability regarding guest account registration is still there. So the advice given by CountZero must be applied!
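As an added example (not code from the original post or from WordPress), here is a small Python script that parses Apache combined log lines in the layout quoted above and flags requests whose search-engine referer carries a version-fingerprinting query, such as the "powered by wordpress 2.2" search seen in the log; the sample lines, hostnames, search-engine domain and query-parameter names are constructed or assumed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache combined format with a leading virtual-host field, the layout of the log line quoted in the post.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<vhost>\S+) .*?\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Query-string names carrying the search terms (assumption: q for Google, p for Yahoo).
QUERY_PARAMS = ("q", "p")
# A search for a "powered by" banner plus a version number is fingerprinting, not a normal reader.
DORK_RE = re.compile(r'powered by\s+wordpress\s+\d+(?:\.\d+)*', re.IGNORECASE)

def search_terms(referer):
    """Return the decoded search query carried by a search-engine referer, or None."""
    if not referer or referer == "-":
        return None
    params = parse_qs(urlparse(referer).query)
    for name in QUERY_PARAMS:
        if name in params:
            return params[name][0]
    return None

def flag_fingerprinting(lines):
    """Return (remote host, search query) for requests whose referer is a version-fingerprint search."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines in another format rather than guessing
        terms = search_terms(m.group("referer"))
        if terms and DORK_RE.search(terms):
            hits.append((m.group("host"), terms))
    return hits

# Constructed sample lines (hosts, vhost and search-engine domain are made up for the example).
SAMPLE_LOG = [
    'dyn-198-51-100-7.example.net www.example-blog.test - [07/Jun/2007:00:51:55 +0200] '
    '"GET /category/wordpress/ HTTP/1.1" 200 2960 '
    '"http://www.google.example/search?hl=fr&q=%22powered+by+wordpress+2.2%22+Register&btnG=Rechercher" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"',
    'host-203-0-113-9.example.org www.example-blog.test - [07/Jun/2007:01:02:03 +0200] '
    '"GET /2007/06/hello/ HTTP/1.1" 200 5120 "http://www.google.example/search?q=maomium+blog" "Mozilla/5.0"',
    '192.0.2.44 www.example-blog.test - [07/Jun/2007:01:05:10 +0200] '
    '"GET /wp-register.php HTTP/1.1" 200 1800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, terms in flag_fingerprinting(SAMPLE_LOG):
        print(f"version-fingerprint search from {host}: {terms!r}")
```

Only the first sample line is reported; the ordinary search referer and the direct request are left alone.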

This is caused by http://trac.wordpress.org/ticket/4357 and releasing this as part of WordPress 2.2.1 is a top priority.
A patched version of xmlrpc.php that fixes this exploit can be downloaded immediately from here:
http://trac.wordpress.org/browser/branches/2.2/xmlrpc.php?rev=5584&format=raw
Thanks a lot Lloyd for confirming the issue. Before writing this post I searched Trac for a bug report related to my problem, without success.
I saw your comment on the ticket. I’m sorry to spread the bad news. But now it’s too late: my post was sent to many search engines…
Next time I find something as serious as this issue, I’ll try to contact the dev team first, by mail or through IRC.
Wow. That’s fast! Thanks!
An official 2.2.1 release candidate that fixes this security issue and more is available.
The final v2.2.1 is out and fixes this issue.
Would it be correct to think that this hack only affects WordPress installs that are open to registration? None of my blogs are. One of my main issues with WordPress at this point is the upgrade process… it would be really nice if they instituted some sort of upgrade system to make the whole process easier. I have four or five blogs to upgrade now, and it kind of ticks me off.
Though I’ve been using WP for at least 3 years now, it’s become second nature; it sure would be hard to leave.
Yes, that’s right!
But it’s not a good idea to skip this update simply because your WordPress is not open to registration. As you can see in the v2.2.1 press release, this version also fixes several bugs and vulnerabilities…
very interesting
Do yourself a huge favor and take the version number out of your templates; no one really needs to know what you’re running. People will just Google for vulnerable versions, and can even automate the attack.
I totally agree with you Tyler. This should be a strong recommendation to any template maker.
BTW, starting from RC1, K2 (the theme I use on this blog) will no longer show the WordPress version number to the user. Sadly, it will still be there in the HTML code. So it’s a good start but not a solution at all…