Nexology Community
05-17-2010, 12:42 AM   #1
NexDog (HN Top Canine)

WordPress Security Bulletin

Last month a new vulnerability appeared in WordPress which is now spreading across the net pretty fast. Last month's attack was focused on NetSol's servers and last week Godaddy servers got hit very hard - but other hosts are reporting similar issues. So far we've only seen a few isolated cases on our servers but I wanted to let you all know what we've found out so far.

As far as we can see this is mostly limited to Linux servers. The exploit modifies files on your site and injects iframes, javascripts and php include codes that redirect to malware download locations. Kind of similar to Gumblar in appearance but very different in how it works. So far no-one is 100% sure on how this is happening. It can happen to up-to-date versions of WordPress with all plugins up-to-date too. However, you should always keep your core files and plugins up-to-date and the most awesome thing about WordPress is that you can update everything via WP Admin in a few clicks.

Many programs are easily exploitable but the worrying thing about this latest vulnerability is its ability to spread throughout a server. On Linux your main defence against on-server worms is running PHP under FastCGI (available on Plesk 9 servers), running PHP under Safe_Mode (if possible) and using 666 chmod permissions on files requiring 777 (not always possible).

We scanned logs after clients reported WordPress hacks and found evidence of entry via WordPress's xmlrpc.php file. This file is in the root folder of your WordPress installation and you should chmod it 000. Also in WordPress under Settings > Writing disable the XML-RPC function. Apart from that just be vigilant, keep WordPress and plugins up-to-date and if anyone knows any good WordPress security plugins that regularly scan files and email you if malware is found please share with the community on our forum.
__________________
Laurence - [HostNexus Administrator]

- Need Support? Quickest responses are found at the Support Helpdesk!
- Stay in touch! Make sure you are subscribed to our Lists.
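The log check described in this post (finding the xmlrpc.php entry point in the web server logs), written here as an added example rather than code from the thread or from HostNexus. It parses constructed Apache combined-format lines, counts xmlrpc.php requests per source address, and lists the addresses that hit it repeatedly; the addresses, timestamps and user agents are made up.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [16/May/2010:03:12:01 -0500] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/4.0"
203.0.113.7 - - [16/May/2010:03:12:02 -0500] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/4.0"
203.0.113.7 - - [16/May/2010:03:12:03 -0500] "POST /blog/xmlrpc.php?rsd HTTP/1.1" 200 409 "-" "Mozilla/4.0"
198.51.100.2 - - [16/May/2010:03:15:44 -0500] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.2 - - [16/May/2010:03:15:45 -0500] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 311 "-" "Mozilla/5.0"
192.0.2.9 - - [16/May/2010:04:01:10 -0500] "POST /xmlrpc.php HTTP/1.1" 200 387 "-" "Windows Live Writer"
"""

# One combined-format line: ip ident user [timestamp] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_xmlrpc(path):
    """True when the request targets xmlrpc.php in any WordPress root (query string ignored)."""
    return path.split("?", 1)[0].endswith("/xmlrpc.php")

def xmlrpc_hits(log_text):
    """Count xmlrpc.php requests per source address; the timestamp of each address's first hit is kept too."""
    counts, first_seen = Counter(), {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and is_xmlrpc(rec["path"]):
            counts[rec["ip"]] += 1
            first_seen.setdefault(rec["ip"], rec["ts"])
    return {ip: (n, first_seen[ip]) for ip, n in counts.items()}

def suspicious_sources(log_text, threshold=2):
    """Addresses with at least `threshold` xmlrpc.php requests, busiest first."""
    hits = xmlrpc_hits(log_text)
    return sorted((ip for ip, (n, _) in hits.items() if n >= threshold), key=lambda ip: -hits[ip][0])

if __name__ == "__main__":
    for ip, (n, ts) in xmlrpc_hits(SAMPLE_LOG).items():
        print(f"{ip}: {n} xmlrpc.php request(s), first at {ts}")
```

A single hit from a desktop blogging client is normal XML-RPC use, which is why the threshold exists; a burst of POSTs from one address to xmlrpc.php is what is worth pulling the surrounding log lines for.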
05-17-2010, 07:24 AM   #2
susannad (Moderator)
These people here suggest a 'clean up solution'

Sucuri Security: New attack today against Wordpress

what do you think?
05-17-2010, 07:40 AM   #3
NexDog (HN Top Canine)
Read that blog too but there is no solution there. Until someone figures out where the vulnerability is it's all shooting in the dark. I've heard of people installing fresh copies of WP and being hacked the next day.
05-17-2010, 08:18 AM   #4
susannad (Moderator)
Would it help to change keys in wp-config.php?

I hear now it's got to Joomla and PHPBB
05-17-2010, 09:29 AM   #5
bizcoach (Registered User)
Subscribing to Get the Updates

I don't have anything new to add but I wanted to subscribe to this thread so I could get the updates as more information is shared.

Thanks for posting as you get more information.
05-17-2010, 06:42 PM   #6
BillSamuel (Registered User)
Need non-number chmod

Some of us don't have the option of using chmod with numbers. You need to give what the numbers mean as well as the numbers.

I assume 000 means no permissions at all, and that's how I set the xmlrpc.php file.
__________________
Bill Samuel, Silver Spring, Maryland, USA
WebServant, QuakerInfo.com, FriendsinChrist.net, seamless-garment.org, BillSamuel.net
05-17-2010, 07:04 PM   #7
NexDog (HN Top Canine)
Susanna, don't think that would help....

The hack affects all PHP sites running under the Apache module so can easily spread to phpbb and Joomla.

Bill, no permissions is correct. You can even rename the file.
05-17-2010, 11:12 PM   #8
susannad (Moderator)
There's this plugin WordPress › Secure WordPress WordPress Plugins

updated on 16th

what do you think?

And this one also WordPress › AntiVirus WordPress Plugins

????
05-18-2010, 11:53 PM   #9
NexDog (HN Top Canine)
Quote: Originally Posted by susannad

Don't rate the first one but that scanner is interesting. I installed it but was disappointed to see it only scans the theme files:

/single.php
/functions.php
/page.php
/category-6.php
/footer.php
/comments.php
/header.php
/index.php
/sidebar.php
/randomimages/rotate.php

Wonder why it doesn't scan the core files? Think I'll email the author.
05-19-2010, 12:03 AM   #10
NexDog (HN Top Canine)
This one looks promising:

WordPress › Paranoid911 WordPress Plugins

But I'd hate to get an email with every tiny change. Anyone want to try it?
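The two things the last posts ask for, a scanner that covers the core files and not only the theme (#9) and a change alert that does not fire on every tiny edit (#10), combined in one added Python example; this is not code from the thread or from any of the plugins named. It takes a SHA-256 baseline of every PHP/JS/HTML file under the WordPress root, diffs a later scan against it, and checks only the changed files for the kinds of injection the first post describes (hidden iframes, obfuscated eval, remote includes). The directory layout, the file contents and the detection patterns are constructed for the demo.

```python
import hashlib, os, re, tempfile
# Constructed heuristics for the injections the first post describes: hidden iframes, obfuscated eval, remote includes.
INJECT_PATTERNS = {
    "hidden-iframe": re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I),
    "obfuscated-eval": re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "remote-include": re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*[\"']https?://", re.I),
}

def hash_tree(root):
    """Map every .php/.js/.html file under root (core, plugins and themes alike) to its SHA-256."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".php", ".js", ".html")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digests[os.path.relpath(path, root).replace(os.sep, "/")] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_baseline(baseline, current):
    """Return (added, modified) relative paths since the baseline, each sorted."""
    added = sorted(set(current) - set(baseline))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified

def find_injections(root, paths):
    """Return {relative path: [matching pattern names]} for the given files; only changed files need this."""
    hits = {}
    for rel in paths:
        with open(os.path.join(root, rel), "rb") as fh:
            text = fh.read().decode("utf-8", "replace")
        names = [n for n, rx in INJECT_PATTERNS.items() if rx.search(text)]
        if names:
            hits[rel] = names
    return hits

def write(root, rel, text, mode="w"):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), mode) as fh:
        fh.write(text)

def demo():
    """Constructed mini site: take a baseline, append a hidden iframe to a core file, re-scan."""
    root = tempfile.mkdtemp()
    write(root, "wp-includes/functions.php", "<?php function wp_ok() { return 1; }\n")
    write(root, "wp-content/themes/x/footer.php", "</body></html>\n")
    baseline = hash_tree(root)
    write(root, "wp-includes/functions.php", '<iframe src="http://example.invalid/x" width=0 height=0></iframe>\n', "a")
    added, modified = diff_baseline(baseline, hash_tree(root))
    return modified, find_injections(root, added + modified)
```

Storing the baseline outside the web root and re-running the scan from cron keeps the alert list to files that actually changed, and the pattern check says which of those changes look like an injection rather than a legitimate update.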