Wordpress Hacked: Running 2.0.4
Wow! A blog of mine running Wordpress 2.0.4 just got hacked. The attacker, without logging in, was able to inject a bunch of spam links into three of my posts. I caught the attack because I read my own Wordpress feeds, and noticed the update. The IP address the attacker used was 64.252.168.207. Here is the timeline of his penetration into my poor, but out of date, Wordpress installation:
1) Visit Video Games Blog pretending to be Googlebot
2) Visit random pages just to confuse me
3) Visit the three target pages (1, 2, 3)
4) Grab the nonces from wp-admin/post.php?action=edit
5) Use the nonces to do something weird to /wp-admin/inline-uploading.php?action=view
6) Post to the regular edit page
If you don’t want to be hacked, here’s what you need to do:
- Upgrade to the latest version of Wordpress (2.0.10 in my case)
- Remove crap you don’t need. If you’re not using comments, remove wp-comments-post.php. If you don’t know what xmlrpc is, remove wp-xmlrpc.php as well.
- Set your file permissions. If you are on a shared host, it's especially important that you don't make your wp-config world-readable or world-writable, or anyone on the host can steal your database login information, or just overwrite it with their own.
If you’re interested, here’s the full server log, as a text file: wordpress-hack-log.txt. The attacker didn’t compromise or access any other services, just used the web interface to insert his spam into my post.
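As an added illustration (not code from the original post), here is a small detector that reconstructs the timeline above from an Apache access log: one check for an IP that claims to be Googlebot on one request and uses a browser User-Agent on another (step 1), and one for the edit-page nonce grab, inline-uploading.php hit and edit POST (steps 4 to 6) coming from an IP that never posted to wp-login.php. The log lines are constructed to match the timeline, the IP addresses are placeholders, and the assumption that a login shows up as a POST to /wp-login.php is mine.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" log lines modelled on the timeline in the post,
# not lines from the author's wordpress-hack-log.txt. 192.0.2.44 plays the
# attacker; 198.51.100.7 is an ordinary editor who logged in first.
SAMPLE_LOG = """\
192.0.2.44 - - [01/May/2007:19:02:11 -0400] "GET /videogames/ HTTP/1.1" 200 5120 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.44 - - [01/May/2007:19:02:40 -0400] "GET /2007/04/some-post/ HTTP/1.1" 200 4310 "-" "Mozilla/4.0"
192.0.2.44 - - [01/May/2007:19:03:05 -0400] "GET /wp-admin/post.php?action=edit&post=12 HTTP/1.1" 200 9001 "-" "Mozilla/4.0"
192.0.2.44 - - [01/May/2007:19:03:09 -0400] "GET /wp-admin/inline-uploading.php?action=view&post=12 HTTP/1.1" 200 120 "-" "Mozilla/4.0"
192.0.2.44 - - [01/May/2007:19:03:15 -0400] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.7 - - [01/May/2007:19:04:50 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2007:19:05:00 -0400] "GET /wp-admin/post.php?action=edit&post=12 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2007:19:05:01 -0400] "GET /wp-admin/inline-uploading.php?action=view&post=12 HTTP/1.1" 200 800 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2007:19:06:30 -0400] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
                     r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_log(text):
    # One dict per parseable line, kept in file order (the sequence check needs it).
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def ua_switchers(entries):
    """IPs that send a Googlebot User-Agent on one request and a different UA on
    another. A real crawler keeps one identity, so this flags timeline step 1."""
    uas = defaultdict(set)
    for e in entries:
        uas[e["ip"]].add(e["ua"])
    return {ip for ip, s in uas.items()
            if len(s) > 1 and any("Googlebot" in ua for ua in s)}

def unauthenticated_edit_sequence(entries):
    """IPs that run steps 4-6 in order (GET post.php?action=edit, inline-uploading.php,
    POST post.php) with no earlier POST /wp-login.php from the same IP. A logged-in
    editor sends the same three requests, so the missing login is the signal."""
    steps = [("GET", "/wp-admin/post.php?action=edit"),
             ("GET", "/wp-admin/inline-uploading.php"),
             ("POST", "/wp-admin/post.php")]
    progress, logged_in, flagged = defaultdict(int), set(), set()
    for e in entries:
        ip, i = e["ip"], progress[e["ip"]]
        if e["method"] == "POST" and e["path"].startswith("/wp-login.php"):
            logged_in.add(ip)  # assumption: logins in this WordPress version post here
        elif i < len(steps) and e["method"] == steps[i][0] and e["path"].startswith(steps[i][1]):
            progress[ip] = i + 1
            if i + 1 == len(steps) and ip not in logged_in:
                flagged.add(ip)
    return flagged
```

Run both functions over `parse_log(open("access.log").read())`; a hit from either check is a lead to confirm against the post's revision history, not proof on its own.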
This entry was posted on Tuesday, May 1st, 2007 at 7:57 pm and is tagged with nonces, database login, admin post, web interface, server log, target, attacker, compromise, timeline, hack, penetration, config, video games, ip address, blog.