WP security breach-- may be my fault, may not be


WP security breach-- may be my fault, may not be

Eric A. Meyer
Howdy all,

    Earlier today I got word that I had linkspam showing up in entries
on meyerweb-- they showed up in Bloglines, for example, and also some
people's aggregators showed recent posts as having been modified.
    It turns out someone went in and added link spam to the post
contents of the most recent 30 or so posts.  Here's an example of one
such post, pulled from my wp-cache files:

    http://meyerweb.pastebin.com/706548

The spam shows up at lines 83-121.  Here's another:

    http://meyerweb.pastebin.com/706585

In that case, the spam is at lines 75-113.
    I was able to remove the spam from meyerweb by manually editing
the post contents for each affected post.  In other words, the spam
content had been added to the DB records-- this is not a wp-cache
problem.  That's just where I was able to harvest copies of the
offending content.  It's also not a comment problem; this stuff is
injected into the actual post_content field.
    The spam always shows up after three or so paragraphs, whether
that means the end of the post or somewhere in the middle, which
feels like the work of a regexp or some other pattern search.  I also
tracked down the activity which stuck the spam into my records.
That's here:

    http://meyerweb.pastebin.com/706549

The pattern of accesses also reminds me of a script.  Note there are
two blocks of changes, temporally speaking.  I'm not anywhere close
to the IP block of the accesses in question; they're in the 207.*
block and I'm a good deal lower than that.
    Now for the details of my WP install: I'm running 1.5, as I really
hate the admin interface of 2.0, even with rich editing turned off.
(If it remembered which of those cute little option boxes to leave
expanded, I'd be a lot happier, but never mind that now.)  I'm
willing to upgrade to fix this, though I'd want to wait at least a
few days to see if the problem happens again.  The only plugins
running that I didn't write myself are Akismet and wp-cache.  The
plugins I wrote are all content modifiers, like ordinalizing numbers
from 1-10, outputting a slightly different monthly calendar, and
turning off auto-formatting of posts (but not comments).  I don't
think any of them could be a doorway, but it's hard to be certain.
    I chatted with the #wordpress folks and nobody there seemed to
know what might be happening, with the only real guess being that
maybe my WP admin password was compromised.  I changed my admin
password after the breaches documented above, and will watch my
access logs to see if there are any more attempts.  I don't know for
sure that my password was compromised, though if there's a log
somewhere that I could check for admin logins, I'll gladly do so.  Is
there?
    Like I said, if this sort of thing is a known problem with 1.5,
I'm willing to upgrade to fix it, much though I may curse the
interface afterward.  If this isn't something that's been seen
before, I thought it was worth bringing to your attention.  Thanks
for any insights.

--
Eric A. Meyer  ([hidden email])
Principal, Complex Spiral Consulting   http://complexspiral.com/
"CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
"Eric Meyer on CSS," and more    http://meyerweb.com/eric/books/
_______________________________________________
wp-hackers mailing list
[hidden email]
http://lists.automattic.com/mailman/listinfo/wp-hackers

Re: WP security breach-- may be my fault, may not be

Joey B
There's a version 1.5.3 in Beta, I think
(http://www.tamba2.org.uk/T2/archives/2006/03/18/wp-153/)

If I recall correctly from the little chatter I've heard about it, it
contains some security fixes, and, iirc again, you can get it from SVN
as well.


--
Joey Brooks
Milk Carton Designs || milkcartondesigns.com

Re: WP security breach-- may be my fault, may not be

Roy Schestowitz-2
___/ On Tue 09 May 2006 01:49:27 BST, [ Joey B ] wrote : \___

> On 5/8/06, Eric A. Meyer <[hidden email]> wrote:
>> Howdy all,
>>
>>     Earlier today I got word that I had linkspam showing up in entries
>> on meyerweb-- they showed up in Bloglines, for example, and also  some
>> people's aggregators showed recent posts as having been modified.


I didn't notice that over here (just re-checked this to confirm). Oddly,
however, a recent item of yours ("Flummoxed By Frameworks") did now show
up as new, although it *should* have. I am using RSSOwl if that matters.


>>     It turns out someone went in and added link spam to the post
>> contents of the most recent 30 or so posts.  Here's an example of one
>> such post, pulled from my wp-cache files:
>>
>>     http://meyerweb.pastebin.com/706548
>>
>> The spam shows up at lines 83-121.  Here's another:
>>
>>     http://meyerweb.pastebin.com/706585
>>
>> In that case, the spam is at lines 75-113.
>>     I was able to remove the spam from meyerweb by manually editing
>> the post contents for each affected post.  In other words, the spam
>> content had been added to the DB records-- this is not a wp-cache
>> problem.  That's just where I was able to harvest copies of the
>> offending content.  It's also not a comment problem; this stuff is
>> injected into the actual post_content field.
>>     The spam always shows up after three or so paragraphs, whether
>> that means the end of the post or somewhere in the middle, which
>> feels like the work of a regexp or some other pattern search.  I also
>> tracked down the activity which stuck the spam into my records.
>> That's here:
>>
>>     http://meyerweb.pastebin.com/706549


I hope you have added 207.42.135.122 to your IP deny list. I know I have. I
still run a modified copy of Mingus (1.2) on a few sites. Use of old versions
increases the need for caution.

Judging by the patterns, e.g.:

207.42.135.122 - - [08/May/2006:15:24:15 +0000] "GET /eric/thoughts/wp-admin/edit.php?m=200512&submit=Show+Month HTTP/1.1" 200 19104 "http://meyerweb.com/eric/thoughts/wp-admin/post.php?action=edit&post=699" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

207.42.135.122 - - [08/May/2006:15:24:21 +0000] "GET /eric/thoughts/wp-admin/post.php?action=edit&post=698 HTTP/1.1" 200 24473 "http://meyerweb.com/eric/thoughts/wp-admin/edit.php?m=200512&submit=Show+Month" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

There *may* be some backdoor in the handling of
edit.php?m=MONTH&submit=Show+Month perhaps? I don't know what these
arguments are intended to achieve. Maybe bad handling of exceptions?


>
> There's a version 1.5.3 in Beta, I think  (
> http://www.tamba2.org.uk/T2/archives/2006/03/18/wp-153/ )
>
> If I recall correctly from the little chatter I've heard about it, it
> contains some security fixes, and, iirc again, you can get it from SVN
> as well.


This can't do much harm /assuming/ you have not modified much of your code
(I know Eric Meyer has "hacked WordPress like it was attacking his family").
Time-wise, it might be worth going over the changelog for 1.5.3 and, based
on the log, see if it fixes the problem at hand. It could return to attack
via proxies and become detrimental. The only real solution is patching.

With kind regards,

Roy

--
Roy S. Schestowitz
http://Schestowitz.com  |  GNU is Not UNIX  ¦     PGP-Key: 0x74572E8E
  5:35am  up 11 days 12:32,  8 users,  load average: 0.85, 0.74, 0.77
      http://iuron.com - proposing a non-profit search engine


Re: WP security breach-- may be my fault, may not be

Peter Westwood

Eric A. Meyer wrote:

> Howdy all,
>
>    Earlier today I got word that I had linkspam showing up in entries on
> meyerweb-- they showed up in Bloglines, for example, and also some
> people's aggregators showed recent posts as having been modified.
>    It turns out someone went in and added link spam to the post contents
> of the most recent 30 or so posts.  Here's an example of one such post,
> pulled from my wp-cache files:
>
>    http://meyerweb.pastebin.com/706548
>
> The spam shows up at lines 83-121.  Here's another:
>
>    http://meyerweb.pastebin.com/706585
>
> In that case, the spam is at lines 75-113.
>    I was able to remove the spam from meyerweb by manually editing the
> post contents for each affected post.  In other words, the spam content
> had been added to the DB records-- this is not a wp-cache problem.
> That's just where I was able to harvest copies of the offending
> content.  It's also not a comment problem; this stuff is injected into
> the actual post_content field.
>    The spam always shows up after three or so paragraphs, whether that
> means the end of the post or somewhere in the middle, which feels like
> the work of a regexp or some other pattern search.  I also tracked down
> the activity which stuck the spam into my records. That's here:
>
>    http://meyerweb.pastebin.com/706549
>

Looking at this I think your admin password was compromised, as before
any changes take place there is a login attempt which I believe was
probably successful, looking at the next page that was loaded.

Login Attempt:
207.42.135.122 - - [08/May/2006:14:30:06 +0000] "POST /eric/thoughts/wp-login.php HTTP/1.1" 302 5 "http://meyerweb.com/eric/thoughts/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

And load of admin index page:
207.42.135.122 - - [08/May/2006:14:30:10 +0000] "GET /eric/thoughts/wp-admin/ HTTP/1.1" 200 12936 "http://meyerweb.com/eric/thoughts/wp-login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

There are then a number of POSTs for post editing which would explain
the appearance of the links.

westi
--
Peter Westwood
http://blog.ftwr.co.uk

Re: WP security breach-- may be my fault, may not be

Eric A. Meyer
At 5:42 AM +0100 5/9/06, Roy Schestowitz wrote:

>I hope you have added 207.42.135.122 to yours IP deny list. I know I have.

    Not yet.  I actually want them to try again, so I can see if it's
a password crack or something else.  (I've changed the password.)
I'm willing to undertake the effort of cleaning up after another
successful attack if allowing it helps figure out exactly what
happened.  So far, no posts have been modified since I cleaned up
after the last two attacks and changed my admin password.
    Although if they cracked the admin password, I'd like to know how.
I haven't seen any apparent attempts to brute-force it, and I'm not
sure how it could have been swiped-- and why would someone bother in
the first place?  The effort needed to crack a password on a single
blog just doesn't seem worth the payoff.
    So here's what I have found, little though it may tell anyone:

    http://meyerweb.pastebin.com/708792

That shows all of the instances where there were attempts to access
the WP admin area and the client was redirected to the login page.  I
highlighted the two known breakins, but there's a third that wasn't a
breakin but interested me.  I highlighted it too-- what drew my
attention was the "Show+Month" bit.  So I searched for all instances
of that IP address and came up with:

    http://meyerweb.pastebin.com/708795

So if that was a breakin attempt, it failed.  I just find it
interesting that there's been more than one attempt to get in that
way.  It might be the same person from multiple machines, of course.
    I searched my access logs again for all "Show+Month" entries, but
they were all either the original breakins, this new one I show
above, or my own machines.

>There *may* be some backdoor in the handling of
>edit.php?m=MONTH&submit=Show+Month perhaps? I don't know what these
>arguments are intended to achieve. Maybe bad handling of exceptions?

    I dunno.  That's why I brought it up here, just in case there was
a previously unknown vulnerability.

>This can't do much harm /assuming/ you have not modified  much of  your code
>(I know Eric Meyer has "hacked WordPress like it was attacking his family").

    Actually, not any more.  I'm running 1.5 and all the 'hacking' is
now in theme files, or else via plugins I wrote for myself.  The core
itself is largely or completely undisturbed.  I did a test upgrade to
2.0 on my local server and there weren't any hiccups in terms of the
install running, so I suspect "completely", but it's been a long time
since I upgraded to 1.5 and so I might have forgotten a tweak or two.

>Time-wise, it might be worth  going over the changelog for 1.5.3 and,  based
>on the log, see if it  fixes the problem at hand. It could return  to attack
>via proxies and become detrimental. The only real solution is patching.

    Unless of course whatever they're doing isn't solved by the latest
version.  I'm assuming that all this isn't an obvious example of a
widely known problem with the 1.5x series, though.

--
Eric A. Meyer  ([hidden email])
Principal, Complex Spiral Consulting   http://complexspiral.com/
"CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
"Eric Meyer on CSS," and more    http://meyerweb.com/eric/books/

Re: WP security breach-- may be my fault, may not be

David Chait
Eric A. Meyer wrote:
|    I dunno.  That's why I brought it up here, just in case there was
| a previously unknown vulnerability.
and
|    Unless of course whatever they're doing isn't solved by the latest
| version.  I'm assuming that all this isn't an obvious example of a
| widely known problem with the 1.5x series, though.

If you really feel that's the case, and there's been no evidence to the
contrary, then I'd recommend we stop this thread, you remove the pastebin
stuff, and contact the security list.  Just IMHO from other similar recent
discussions where that was the end suggestion...

-d


Re: WP security breach-- may be my fault, may not be

Roy Schestowitz-2
___/ On Wed 10 May 2006 05:29:11 BST, [ David Chait ] wrote : \___

> Eric A. Meyer wrote:
> |    I dunno.  That's why I brought it up here, just in case there was
> | a previously unknown vulnerability.
> and
> |    Unless of course whatever they're doing isn't solved by the latest
> | version.  I'm assuming that all this isn't an obvious example of a
> | widely known problem with the 1.5x series, though.


In the meantime, one safe(r) approach might be to chmod 600 edit.php
whenever you do not modify content. This will have future cracking
attempts logged (unlike IP-based banishment) and prevent your site from
being defaced.


> If you really feel that's the case, and there's been no evidence to the
> contrary, then I'd recommend we stop this thread, you remove the pastebin
> stuff, and contact the security list.  Just IMHO from other similar recent
> discussions where that was the end suggestion...


I believe it's a distribution rather than a list. An E-mail to
[hidden email] will reach Matt, Ryan and the others, once there is
proof to suggest a threat has become concrete. Possibilities to confute a
hole as it stands: weak admin password; code modification (including
plug-ins); packet sniffing/interception that led to content being
injected.

Best wishes,

Roy

--
Roy S. Schestowitz, Ph.D. Candidate (Medical Biophysics)
http://Schestowitz.com  |  Open Prospects   ¦     PGP-Key: 0x74572E8E
  2:40pm  up 12 days 21:37,  8 users,  load average: 0.19, 0.30, 0.28
      http://iuron.com - knowledge engine, not a search engine


Re: WP security breach-- may be my fault, may not be

Mark Jaquith
On May 8, 2006, at 8:29 PM, Eric A. Meyer wrote:

>    I chatted with the #wordpress folks and nobody there seemed to  
> know what might be happening, with the only real guess being that  
> maybe my WP admin password was compromised.  I changed my admin  
> password after the breaches documented above, and will watch my  
> access logs to see if there are any more attempts.  I don't know  
> for sure that my password was compromised, though if there's a log  
> somewhere that I could check for admin logins, I'll gladly do so.  
> Is there?

Eric, WordPress 1.5 (and even 1.5.2) has security issues that could  
allow someone to change your WP password without your knowledge.

Did you just go into WordPress and change the password, or did you  
log out and see if the password had been changed?  See, the way one  
of the attacks works (the one I'm thinking it could have been), is  
that you are tricked into visiting a page that uses devious methods  
to submit a form (on your behalf, using your WP cookie) that changes  
your password.  If done right, you won't even realize this has  
happened because your WP login cookie will be updated with the hash  
of the new password, and so your access to your blog won't be  
interrupted.  It is possible that this happened, and that when you  
changed your password, you weren't changing it from what you  
thought... it may have already been changed without your knowledge.

Grep your access log for all POSTs to /wp-admin/profile.php ... note  
that the IP you'll be looking for is your own, but the referer will  
be blank or from an external site.

Something like:

grep -i 'POST /eric/thoughts/wp-admin/profile\.php' access_log

Or, maybe you picked a relatively simple password and they guessed
it... but that'd definitely show up in the logs as suspicious.  What
I'd recommend doing immediately is upgrading to
http://svn.automattic.com/wordpress/branches/1.5/  This has several CSF
fixes, and will at least prevent people from being able to just
change your password.  Long term, I'd start looking into upgrading to
the 2.0 branch.

--
Mark Jaquith
http://txfx.net/


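Both log checks proposed in this thread, Peter Westwood's login-then-edit sequence and Mark Jaquith's search for POSTs to profile.php with a blank or foreign referer, as an added Python example that is not part of any post here. It assumes Apache combined-format access logs; the sample log lines, the IP addresses (documentation ranges) and the host blog.example are constructed for the example.

```python
import re
from datetime import datetime

LOG_RE = re.compile(  # Apache "combined" log format, one request per line
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (documentation IPs, invented host), in time order.
SAMPLE_LOG = """\
198.51.100.7 - - [06/May/2006:18:00:00 +0000] "POST /wp-admin/profile.php HTTP/1.1" 302 0 "http://blog.example/wp-admin/profile.php" "Mozilla/5.0"
198.51.100.7 - - [07/May/2006:09:12:01 +0000] "POST /wp-admin/profile.php HTTP/1.1" 302 0 "http://lure.example/cute-kittens.html" "Mozilla/5.0"
203.0.113.5 - - [08/May/2006:14:30:06 +0000] "POST /wp-login.php HTTP/1.1" 302 5 "http://blog.example/wp-login.php" "Mozilla/4.0"
203.0.113.5 - - [08/May/2006:14:30:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 12936 "http://blog.example/wp-login.php" "Mozilla/4.0"
203.0.113.5 - - [08/May/2006:14:30:25 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "http://blog.example/wp-admin/post.php?action=edit&post=698" "Mozilla/4.0"
203.0.113.5 - - [08/May/2006:14:30:33 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "http://blog.example/wp-admin/post.php?action=edit&post=697" "Mozilla/4.0"
"""

def parse(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records

def script_path(rec):
    return rec["path"].split("?")[0]  # request path without its query string

def login_sessions(records, window=30):
    """Peter Westwood's reading of the log: a POST to wp-login.php answered 302, then
    within `window` seconds a 200 GET of wp-admin/ from the same IP, is a successful
    login. Returns (ip, login time, count of later POSTs to post.php from that IP)."""
    found = []
    for i, r in enumerate(records):
        if not (r["method"] == "POST" and script_path(r).endswith("/wp-login.php")
                and r["status"] == 302):
            continue
        later = [s for s in records[i + 1:] if s["ip"] == r["ip"]]
        for s in later:
            if (s["ts"] - r["ts"]).total_seconds() > window:
                break  # records are in time order, so nothing later qualifies
            if (s["method"] == "GET" and s["status"] == 200
                    and script_path(s).rstrip("/").endswith("/wp-admin")):
                edits = sum(1 for e in later
                            if e["method"] == "POST" and script_path(e).endswith("/post.php"))
                found.append((r["ip"], r["ts"], edits))
                break
    return found

def foreign_profile_posts(records, site_host):
    """Mark Jaquith's check: POSTs to wp-admin/profile.php whose Referer is blank ("-")
    or names a host other than the blog itself (a genuine change comes from the blog)."""
    hits = []
    for r in records:
        if r["method"] != "POST" or not script_path(r).endswith("/wp-admin/profile.php"):
            continue
        parts = r["referer"].split("/")  # "http://host/path" -> ["http:", "", "host", ...]
        referer_host = parts[2].lower() if len(parts) > 2 else ""
        if referer_host != site_host.lower():
            hits.append(r)
    return hits

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG.splitlines())
    for ip, when, edits in login_sessions(recs):
        print(f"login from {ip} at {when:%H:%M:%S}, followed by {edits} POSTs to post.php")
    for r in foreign_profile_posts(recs, "blog.example"):
        print(f"profile.php POST from {r['ip']} with referer {r['referer']!r}")
```

On a real log, run the same two functions over the file's lines and review every hit by hand; a POST to profile.php from your own IP with a foreign referer is exactly the pattern Mark describes.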