Hidden Administrator Attack Hitting Outdated WordPress Sites

by Ben Cook on September 5, 2009

WordPress community on Defcon 3!

If you haven’t updated your WordPress installation to version 2.8.4, take a minute and go do so now.

As Lorelle explains, a new attack seems to be making the rounds amongst older versions of WordPress and wreaking havoc across the web.

Apparently the hack will not only create a new administrator for your site, but also penetrates the database, making it much more difficult to restore if you’re a victim. Once your database is infected, even if you back up WordPress on a regular basis, those backups would likely also be tainted.

Given WordPress’ recent tendency to update every other week, I know a lot of bloggers held off making the latest update, figuring they’d just be doing the same thing in a couple of weeks. However, 2.8.4 has been out for nearly a month and this hack isn’t something you want to tangle with.

How Can I Tell If I’ve Been Hacked?

According to Lorelle:

“there are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.”
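The two clues above can be checked mechanically. The following is an added example, not code from this post, from Lorelle, or from WordPress: it runs the permalink check and the hidden-administrator check over constructed sample data. On a live site you would feed the first function the permalinks (or the `permalink_structure` row from wp_options) pulled from a database dump, and the second the wp_users rows joined with each user’s `wp_capabilities` meta value, which WordPress stores as a PHP-serialized array; the `KNOWN_ADMINS` allowlist is an assumed value you would fill with the accounts you actually created.

```python
import re
from urllib.parse import unquote

# Constructed sample permalinks (not taken from a real site): two benign
# URLs and one carrying the eval/base64_decode payload shape quoted above.
SAMPLE_PERMALINKS = [
    "http://example.com/category/post-title/",
    "http://example.com/2009/09/another-post/",
    "http://example.com/category/post-title/"
    "%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/",
]

# Constructed sample of wp_users rows joined with the wp_capabilities meta
# value (a PHP-serialized array, the form WordPress really uses).
SAMPLE_USERS = [
    {"ID": 1, "user_login": "admin", "display_name": "Administrator",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 2, "user_login": "jane", "display_name": "Jane",
     "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},
    {"ID": 3, "user_login": "admin2", "display_name": "Administrator (2)",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
]

# Assumed allowlist: the accounts the site owner knows should be administrators.
KNOWN_ADMINS = {"admin"}

# A call to eval( or base64_decode(, any case, optional whitespace before "(".
INDICATOR_RE = re.compile(r"\b(eval|base64_decode)\s*\(", re.IGNORECASE)

# An enabled "administrator" key inside a PHP-serialized capabilities array.
ADMIN_CAP_RE = re.compile(r's:13:"administrator";b:1;')


def flag_permalink(url: str) -> bool:
    """Return True if the permalink contains an eval/base64_decode call.

    The payload is percent-encoded in the URL (%7B is '{', %5B is '['), so the
    URL is decoded first; this also catches variants that encode the keywords.
    """
    decoded = unquote(url)
    return INDICATOR_RE.search(decoded) is not None


def flagged_permalinks(urls):
    """Return the subset of urls that carry the indicator, in input order."""
    return [u for u in urls if flag_permalink(u)]


def is_administrator(user) -> bool:
    """True if the serialized wp_capabilities value grants the administrator role."""
    return ADMIN_CAP_RE.search(user["wp_capabilities"]) is not None


def unexpected_admins(users, known_admins):
    """Return logins that hold the administrator role but are not on the allowlist."""
    return [u["user_login"] for u in users
            if is_administrator(u) and u["user_login"] not in known_admins]


if __name__ == "__main__":
    for url in flagged_permalinks(SAMPLE_PERMALINKS):
        print("suspicious permalink:", url)
    for login in unexpected_admins(SAMPLE_USERS, KNOWN_ADMINS):
        print("unexpected administrator account:", login)
```

Run the checks against a database export rather than through the site’s own admin screens, since a back-doored installation may not show the rogue account at all; a hit from either function means the database itself, not just the PHP files, has to be treated as compromised.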

Also, my man Michael over at Smackdown has a great post on how to completely clean your WordPress installation if you’ve suffered an attack. However, with this particular attack you need to be sure that you’re NOT working with an infected database. You can either use an older DB that hasn’t been impacted, or just work with WordPress’ content export feature.

Using the latter option won’t be pretty as you’ll probably need to reactivate your plugins and could lose some settings for things such as SEO Smart Links, but it’s better than having a hacked site.

Basically, getting hacked is a real pain in the ass so don’t be an idiot and take the time to go update your sites if you haven’t already done so.

Update: Matt has a post on the whole WordPress security issue that touches on a lot of topics, including a bit of web security philosophy, but his main point is the same as mine: keep your installations up to date.

He does stray off into a little bit of self-righteous “don’t blame us, we’re just a community of dedicated open-sourcers,” which is true to a large degree. But, as I’ve said before, Matt and Automattic make a lot of money off WordPress and it’s time they invest some serious resources into security. If Matt and the other developers can’t predict what schemes hackers will try, hire one to help you do just that.

Ok, I’ll step off my soap box for now, but only because I want you to stop reading, and go update!

Image Source: Vinit
