For several hours now a massive attack has been running against various WordPress blogs. The attack injects malicious code (SQL injection) into your database and modifies the permalinks of your posts by appending unnecessary code to the end of your links.
It seems that all versions of WordPress are affected! This attack leaves your blog completely "broken", and its URLs no longer work.
Nicolas, one of our editors, recommends installing Bad Behavior. Bad Behavior is a plugin that lets you block bad requests sent to your server, to prevent a possible attack on a blog that is not up to date. This plugin would block all unauthorized external requests. It blocks possible SQL injections. No conflict with Akismet or other internal components of WordPress.
Via Ayuda WordPress

Some techniques are available to hide the version of WordPress you are running. But about 90% of blogs using WordPress still have unnecessary files hosted on the server. The file "readme.html" is a simple file that shows the version in use and other information. Simply edit or delete this file to hide the version.
Open the "wp-cache-phase1.php" file in your folder and find line 34 (for WP-Cache) or line 56 (for WP Super Cache). This line contains the following code:
if (($meta = unserialize(@file_get_contents($meta_pathname)))) return;
After finding this line of code, simply paste the following code just after it:
require_once(ABSPATH . 'wp-content/plugins/Bad-Behavior/bad-behavior-generic.php');
If you have any doubts about a possible attack on your WordPress installation, check the following files:
- "index.php"
- "wp-config.php"
- "wp-content/uploads/pass.php"
If you find unusual or malicious code in these files, protect yourself immediately! Watch for unfamiliar users on your blog and check whether the structure of your links has changed.
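The checks above (unwanted files such as readme.html or an uploads/pass.php, modified core files, eval() calls in the files to inspect, and tampered permalink slugs) can be run offline against a copy of the install. The script below is an added example written for this page, not code from the post, from WordPress or from Bad Behavior. It assumes you have a baseline of SHA-256 hashes taken from a clean install of the same version (hypothetical; build it yourself), that base64_decode() and assert() are worth flagging alongside the eval() the post names (my addition), and that a WordPress slug only ever contains lowercase letters, digits, hyphens, underscores and percent-encoded characters (the character set sanitize_title() produces; treat the exact set as an assumption for your version). The demo tree it scans is constructed in a temporary directory with a placeholder string in place of any real injected code.

```python
"""Offline integrity checks for a WordPress install (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Files the post tells you to inspect after a suspected attack.
FILES_TO_INSPECT = ("index.php", "wp-config.php", "wp-content/uploads/pass.php")
# Files that should not exist on a hardened install (readme.html leaks the version).
UNWANTED_FILES = ("readme.html", "wp-content/uploads/pass.php")
# eval() is named by the post; the other two tokens are my assumption.
SUSPICIOUS = re.compile(r"\b(eval|base64_decode|assert)\s*\(", re.IGNORECASE)
# Assumed character set of a sanitize_title() slug.
SLUG_OK = re.compile(r"^[a-z0-9%_-]+$")


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_file(path):
    """Return 'line N: snippet' for every line matching SUSPICIOUS."""
    hits = []
    for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        if SUSPICIOUS.search(line):
            hits.append(f"line {lineno}: {line.strip()[:60]}")
    return hits


def check_install(root, baseline):
    """baseline maps relative path -> expected sha256 from a clean install."""
    root = Path(root)
    findings = {"unwanted_files": [], "modified_files": [], "suspicious_code": []}
    for rel in UNWANTED_FILES:
        if (root / rel).exists():
            findings["unwanted_files"].append(rel)
    for rel, digest in baseline.items():
        path = root / rel
        if not path.exists():
            findings["modified_files"].append(rel + " (missing)")
        elif sha256_of(path) != digest:
            findings["modified_files"].append(rel)
    for rel in FILES_TO_INSPECT:
        path = root / rel
        if path.exists():
            for hit in scan_file(path):
                findings["suspicious_code"].append(f"{rel}: {hit}")
    return findings


def check_slugs(slugs):
    """Return post slugs containing characters WordPress never writes itself."""
    return [s for s in slugs if not SLUG_OK.match(s)]


# Constructed sample content: a clean index.php, then a tampered copy with a
# harmless placeholder where an attacker's appended code would sit.
CLEAN_INDEX = b"<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n"
TAMPERED_INDEX = CLEAN_INDEX + b"<?php eval('/* constructed placeholder */'); ?>\n"
CLEAN_CONFIG = b"<?php\ndefine('DB_NAME', 'wp');\n"


def build_demo_tree(root):
    """Create a constructed WordPress-like tree with the indicators present."""
    root = Path(root)
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "index.php").write_bytes(TAMPERED_INDEX)
    (root / "wp-config.php").write_bytes(CLEAN_CONFIG)
    (root / "wp-content" / "uploads" / "pass.php").write_bytes(b"<?php /* constructed dropped file */ ?>\n")
    (root / "readme.html").write_bytes(b"<html>WordPress Version 2.8.4</html>\n")


def demo():
    """Build the demo tree, check it against a clean baseline, return findings."""
    baseline = {
        "index.php": hashlib.sha256(CLEAN_INDEX).hexdigest(),
        "wp-config.php": hashlib.sha256(CLEAN_CONFIG).hexdigest(),
    }
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return check_install(tmp, baseline)


if __name__ == "__main__":
    for category, items in demo().items():
        print(category, items)
    print("bad slugs:", check_slugs(["hello-world", "about-2", "hello-world<injected>"]))
```

On a real install, point check_install() at a copy of the document root and feed it a baseline generated from a fresh download of the same WordPress version; anything reported under modified_files or suspicious_code deserves a manual diff before you restore from backup, and the slug check can be run over the post_name column exported from the database.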
12:42 (D+2): It seems that the eval() function was changed in the WordPress core ten days ago, but the current version (2.8.4) does not include the change. The new "WP_MatchesMapRegex" class should solve the problem in future versions of WordPress.
14:00: A member of the WordPress community confirms that new versions of WordPress are also affected!
"I can confirm this hack worked (at least partially) on my site running 2.8.4" - cpjolicoeur
00:54: According to the official WordPress blog, the vulnerability has been fixed since version 2.7.1. Earlier versions are therefore affected.
23:30: According to the site hosting the WordPress source files (Core), the flaw is well known to the developers: the ticket status was changed to fix the breach in version 2.8, then changed again for version 2.9.
Update: This ticket has been changed so that the fix is definitively included in version 2.8.5.
23:15: To counter a possible attack, temporarily disable registration on your WordPress blog. Once the "eval" function is exploited, malicious code is injected through the registration module.
23:05: This vulnerability exploits the "eval" function on your server. For security reasons, this function is disabled on some servers.
23:00: From the same source, this vulnerability has been present since version 2.7.1 of WordPress and should be corrected in a future version, 2.8.5. This version should arrive sooner than expected. The files affected are "rewrite.php" and "classes.php" in the "includes" folder of your installation (wp-includes/).
The eval() function: this function lets you store code in a database and later execute its contents.


Thank you for this information. Any more information about the affected versions?
The credo of the current WP developers is more like a race for new features than consolidating the code. This kind of misadventure (a known flaw but neglected) does not surprise me. Too bad.
Always good to know; in the meantime I'm going to block registrations!
Waiting for the next episode!
Thank you for the information. I'm protecting my blog right now.
It's every week now!
Sure, these problems with WordPress are a bit difficult; they release versions every month but in the end nothing really improves ...
(passing on any news website wordpress-en is as always to fill ..)
[...] I am not alone: massive attack against WordPress blogs! A quick email to 1&1 and hop [...]
Too late
I've been right.
1 day for everyone to get back on their feet and do the 2.8 update. Sheet!
According to this post, version 2.8.4 would be partially targeted by the flaw.
My sites are all updated to WP 2.8.4, I should not be in danger.
The Bad Behavior plugin also lets you protect against SQL injections and other bizarre requests and bad bots. No problem with Akismet.
http://wordpress.org/extend/plugins/bad-behavior/
Thank you for this little plugin :p I updated the article!
I reblogged the information.
The main problem is that Bad Behavior is a filter on the IP addresses the requests come from. The addresses are on a blacklist or greylist held by an online service. Just like Akismet, if the central server goes down, the plugin rejects everything en bloc, unable to verify anything. I have also had many cases of people (including me) who cannot access or comment on a blog because their IP is on a greylist. The only solution is to reboot your DSL box and hope your ISP gives you a new IP immediately, or wait for the IP to be renewed. If you have a static IP, you're stuck and you'll have to contact the sites that manage the lists to get yourself removed, which is super long and boring ...
Now I think that for those who have dedicated hosting, it is easier to secure things server-side by allowing only requests from localhost, which will only disable trackbacks (and can be configured if xmlrpc is the default server).
Hello,
My blog has been affected by the attack. I had the problem of changed links, the admin "invisible", and I just noticed that I can neither activate nor deactivate any plugin. Another effect of this attack?
Carole, also check that you don't have a wp-pass.php file in "uploads". If so, remove it.
Thank you. In the end I threw everything out, everything in the trash! including the db ... And I reinstalled everything, with a db backed up a few days before the attack, making the SHIFT WP.
Hopefully now I'll be quiet
Thank you for this detailed article
I think I have escaped, but knock on wood ... I installed the Bad Behavior plugin to protect myself. Thank you for the advice.
Great article thank you!
But if I understand correctly, as long as we have not checked "anyone can register", it is not protected?
From my level of information, I would not be so categorical about the fact that if we did not check it, we are secure.
If someone is sure (proof required), I think this information will interest many people. And I agree with David about the little, very little information on this subject.
The French sites are beginning to talk about it. But according to a certain person, and based on evidence found in the source code of WordPress 2.8.4, the eval() function is still present. The official blog (US) says everything is fine with the latest version; I doubt it.
After that, turning off registration on your blog can slow the process (perhaps), but in any case that is all we currently have, along with the plugins blocking sensitive requests. As the first French blog to have reported the attack, I'm trying to give you as much information as possible.
I also found these plugins:
- WordPress Firewall plugin.
- InspectorWordpress plugin.
Note: I have not tested them.
And m ****!
We'll have 15 more updates to do.
I'm crossing my fingers; I'll install Bad Behavior
Gael
Very interesting article on WordPress security: Protecting your WordPress from the big bad wolf
I love WordPress, but security-wise it's a Gruyère. A note on the penultimate flaw: everyone reported it, including Lorelle and the creator of WordPress, but nowhere did I see where it came from!? No news on that. An audit of the code should be done given the many developers, but we are still waiting