Elliott C. Back: In Aere Aedificare

Wordpress Hacked: Running 2.0.4

Posted in My Blog, Web 2.0, Security, Wordpress, Cracking, Hacking, WP by Elliott Back on May 1st, 2007.

Wow! A blog of mine running Wordpress 2.0.4 just got hacked. The attacker, without logging in, was able to inject a bunch of spam links into three of my posts. I caught the attack because I read my own Wordpress feeds, and noticed the update. The IP address the attacker used was 64.252.168.207. Here is the timeline of his penetration into my poor, but out of date, Wordpress installation:

1) Visit Video Games Blog pretending to be Googlebot
2) Visit random pages just to confuse me
3) Visit the three target pages (1, 2, 3)
4) Grab the nonces from wp-admin/post.php?action=edit
5) Use the nonces to do something weird to /wp-admin/inline-uploading.php?action=view
6) Post to the regular edit page
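
The timeline above turned into a detection, as an added example that is not from the original post: the shell script below scans Apache combined-format log lines and reports any source address that presented itself as Googlebot on one request and then touched /wp-admin/ on another. The log lines are constructed for the example (only the address 64.252.168.207 is taken from the post), and the heuristic is an assumption: a real crawler has no business in the admin area, so the combination is worth a look rather than proof of compromise.

```shell
#!/bin/sh
# Added example (not from the original post): flag clients that claimed to be
# Googlebot on one request and later touched /wp-admin/ from the same address,
# which is the pattern the timeline above describes. Apache "combined" log
# format is assumed. The sample lines are constructed, not the real
# wordpress-hack-log.txt; only the address 64.252.168.207 is from the post.

SAMPLE_LOG='64.252.168.207 - - [01/May/2007:18:02:11 -0400] "GET /category/video-games/ HTTP/1.1" 200 18231 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
64.252.168.207 - - [01/May/2007:18:03:40 -0400] "GET /2007/04/some-post/ HTTP/1.1" 200 9021 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
64.252.168.207 - - [01/May/2007:18:05:02 -0400] "GET /wp-admin/post.php?action=edit&post=123 HTTP/1.1" 200 7712 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
64.252.168.207 - - [01/May/2007:18:05:30 -0400] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [01/May/2007:18:06:00 -0400] "GET /2007/04/some-post/ HTTP/1.1" 200 9021 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.7 - - [01/May/2007:18:07:00 -0400] "GET /wp-admin/post.php?action=edit&post=5 HTTP/1.1" 200 7712 "-" "Mozilla/5.0 (X11; Linux)"'

# Reads combined-format log lines on stdin; prints one line per suspicious
# client: "<ip> bot_hits=<n> admin_hits=<n> first_admin=<path>".
detect_fake_bot_admin_access() {
    awk '
    {
        ip = $1
        # Fields between double quotes: q[2] = request line, q[6] = User-Agent
        split($0, q, "\"")
        split(q[2], r, " ")
        path = r[2]
        ua = q[6]
        if (ua ~ /Googlebot/) bot[ip]++
        if (path ~ /^\/wp-admin\//) {
            admin[ip]++
            if (!(ip in first)) first[ip] = path
        }
    }
    END {
        # Only addresses that did BOTH are reported; a plain crawler and a
        # plain admin session are each left alone.
        for (ip in bot)
            if (ip in admin)
                printf "%s bot_hits=%d admin_hits=%d first_admin=%s\n", ip, bot[ip], admin[ip], first[ip]
    }'
}

# Usage: sh wp-fake-bot.sh /var/log/apache2/access.log
# With no argument the constructed sample above is scanned instead.
if [ $# -ge 1 ]; then
    detect_fake_bot_admin_access < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | detect_fake_bot_admin_access
fi
```

Because the report is keyed by source address rather than by user agent, it also catches the case the timeline shows, where the spoofed Googlebot visit and the later admin requests carry different user agents.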

If you don’t want to be hacked, here’s what you need to do:

  • Upgrade to the latest version of Wordpress (2.0.10 in my case)
  • Remove crap you don’t need. If you’re not using comments, remove wp-comments-post.php. If you don’t know what xmlrpc is, remove wp-xmlrpc.php as well.
  • Set sane permissions on your files. If you are on a shared host, it’s especially important that you don’t leave wp-config.php world-readable or world-writable, or anyone can steal your database login information, or just overwrite it with their own.
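
The last two items in the list as a read-only audit, added here as an example that is not from the original post: the script below reports whether wp-config.php is world-readable or world-writable and which optional entry points are still present under a WordPress root. The root path is whatever you pass in; the file names checked are the two the post names plus xmlrpc.php, the name stock WordPress uses for its XML-RPC endpoint.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two file-level points
# from the list above. Path names are assumptions; the post names
# wp-comments-post.php and wp-xmlrpc.php, and stock WordPress ships the
# XML-RPC endpoint as xmlrpc.php, so all three are checked.

# 10-character mode string for a path, e.g. "-rw-r--r--" (ls rather than stat,
# so it works the same on GNU and BSD userlands).
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Returns 0 when the file is neither world-readable nor world-writable
# (the "others" r and w bits, characters 8 and 9 of the mode string), 1 otherwise.
is_private() {
    [ -e "$1" ] || return 1
    m=$(mode_string "$1")
    case "$m" in
        ???????r*|????????w*) return 1 ;;
        *) return 0 ;;
    esac
}

# Prints, one per line, the optional entry points that still exist under $1.
leftover_entry_points() {
    for f in wp-comments-post.php wp-xmlrpc.php xmlrpc.php; do
        if [ -e "$1/$f" ]; then
            echo "$f"
        fi
    done
    return 0
}

# Full audit of a WordPress root. Reports only; it changes nothing.
audit_wp_root() {
    cfg="$1/wp-config.php"
    if [ ! -e "$cfg" ]; then
        echo "no wp-config.php under $1"
    elif is_private "$cfg"; then
        echo "ok: $cfg mode $(mode_string "$cfg")"
    else
        echo "WARNING: $cfg is world-readable or world-writable ($(mode_string "$cfg")); consider: chmod 640 $cfg"
    fi
    for f in $(leftover_entry_points "$1"); do
        echo "present: $1/$f (remove it if you do not use the feature)"
    done
}

# Usage: sh wp-audit.sh /var/www/wordpress
if [ $# -ge 1 ]; then
    audit_wp_root "$1"
fi
```

The audit only prints; applying the chmod or removing a file is left to you, since the right owner and group for wp-config.php depend on how the web server runs on your host.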

If you’re interested, here’s the full server log, as a text file: wordpress-hack-log.txt. The attacker didn’t compromise or access any other services, just used the web interface to insert his spam into my post.

This entry was posted on Tuesday, May 1st, 2007 at 7:57 pm and is tagged with nonces, database login, admin post, web interface, server log, target, attacker, compromise, timeline, hack, penetration, config, video games, ip address, blog.

2 Responses to 'Wordpress Hacked: Running 2.0.4'

  1. Ben said:

    on May 21st, 2007 at 10:44 am

    I got something similar on two of my blogs recently (twice on both :( ). I am currently running WordPress 2.2.

    If you have any more advanced ideas of how to stop this sort of thing then I would love to hear them.

  2. Queen Bee said:

    on August 9th, 2007 at 10:57 am

    Do you mind if I link here? I am running an information kiosk on LJ on this kind of attack, because I know of a group who is doing this.
