-
HACKED! How To Fix This WordPress Worm That’s Been Going Around
0
September 8th, 2009RecommendationGrrrr.
These blogs of mine were affected by the recent wordpress worm that has been spreading across the internet ..
BattlingForHealth.com
AndYouWill.com
CatLvr.com
FishLvr.com
BirdLvr.com
PapillonLvr.com
HorseLvr.com
and this one – HART-Empire.comWhat Happened?
Everybody is linking here on twitter and around the web .. so I will do that too ..
Please Read: Lorelle on WordPress – Old WordPress Versions Under Attack (Sep 4/2009)
Basically, all the permalinks from the above blogs had this attached to it:
/[old-permalink-post-title]/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/
How widespread has it been? Even Scobleizer was hit!
WordPress offers some advice – but it doesn’t really offer a solution (that I can find).
HOW TO FIX YOUR BLOG IF YOU ARE AFFECTED
The best fix that I found was on Andy Sowards blog –
UPDATED! Breaking: WordPress MySQL injection – how to fix latest attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
Let Me Recap: It’s not that hard to do.
1) Fix your Permalinks (settings/permalinks/update)
> You can do this in your blog .. just remove the custom permalink modification by this worm2) Check and Remove (if exists) any new Administrators – could be hidden.
> You can do this from your blog, or see via phpMyAdmin in your cPanelDo Yourself A Favor
If you haven’t been hit with this wordpress worm, upgrade to the latest wordpress version 2.8.4.
If you have been hit with this wordpress worm, upgrade to the latest wordpress version 2.8.4.
There is always good reason to keep upgrading to the latest version, and it’s all security and peace of mind. WordPress makes it so easy to upgrade now – all you have to do is push a button – so, there should be no reason why you wouldn’t want to have the latest version around.
Tags: hacked, wordpress wormThese Posts May (or may not) Be Related!
11 responses to “HACKED! How To Fix This WordPress Worm That’s Been Going Around” 
-
Thanks for the info. This is the reason, as you say, that is good to keep blog software updated, and WordPress releases a lot of quick security updates, so there is no reason to not do it. 🙂
.-= ** Check out greven´s last blog .. Wallpapers of the Week =-. -
Of all the 8 blogs affected, I didn’t see any new USER added with administrator privileges .. this is both looking at the “next number” to see if it is hidden and directly via phpMyAdmin. I did delete any ‘subscriber’ users and names that I did not recognize however.
We were out at the cottage this weekend, and on Friday the blogs were okay. Had I been online more, I probably would have seen all the tweets and warnings and upgrade before my blogs were affected – I believe that to be true. Oh well!
-
WordPress 2.8.4 which addresses the issue was released on August 12th, long before you went on a trip to the cottage.
wordpress.org/development/2009/08/2-8-4-security-release/
However, I think you’ve learned your lesson. Also wanted to mention that if a blog has been compromised, the solution is to not upgrade to 2.8.4 since that won’t do any good but to just wipe out the site and start over with a fresh database, fresh administrator accounts, etc on the latest version. At least this way, you can have the peace of mind of there not being any backdoors on your installation.
.-= ** Check out Jeffro´s last blog .. WordPress Idea Roundup =-. -
Jeff .. on every blog that was affected, it wasn’t an issue that I started with e.g. 2.8.2 or 2.8.3 and didn’t upgrade to 2.8.4. latest version. When I choose to upgrade to the next version 2.8+ I keep it up to date. My understanding that even that 2.8.4 link vulnerability was a result of the 2.8.3 upgrade.
The selected blogs in question were the ones that I chose to keep at the highest 2.7+ versions – which, I thought were safe – and deliberately did NOT upgrade until certain plugins caught up in development. If I knew older version were at risk with virus or worms and saw all the warnings I would certainly have disabled my affected plugins and upgraded during the interim.
With 60’ish blogs, i don’t screw around here 🙂
PS it was 30c at the cottage, and wasn’t paying attention to the tweets.
-
Sorry to hear you got hit by that one man!
And I agree with Jeff – timely upgrades are a must.
Alex
.-= ** Check out Alex Sysoef´s last blog .. Expert WordPress Automated Blog Installer =-. -
The Entrecard blog got hit by this one at the weekend too. Luckily I either use Blogger or create sites in HTML / CSS, so it didn’t target anything of mine.
.-= ** Check out John | English Wilderness´s last blog .. Common Blue Damselfly =-. -
I was dragging my heels on the latest wordpress update, but I had the good sense to do it sometime last week.
Boy, what a relief that I didn’t have to contend with this one. I am glad that others will be prepared with the fix you offered.
.-= ** Check out Jay Zuck´s last blog .. Jason, Where Have You Been? =-. -
Great tutorial on getting rid of those nasty worms. We’ve seen it happen to a few blogs and it can be a pain to fix.
-
Thanks for the info.I always try to keep my WordPress blogs updated to the latest version, but some important plugins may not work after that because they are not compatible with the newest WP version.So it´s a little dilemma…
-Tom Lindstrom
-
It is also easy to backup and transfer all your websites from one server to another server if you have cPanel installed`;,
-
try www.guru.com/ I used to be listed on there – it’s all well established and both client and developer are well protected.
Leave a reply
About HART-Empire
Welcome! ...
I discuss blogging, empire and pretty much anything that affects the operation of the HART-Empire Network in this blog.. More ..
New Blog? Need Help? Ask for Peter and say HART sent ya!
The Usual Stuff
greven September 8th, 2009 at 09:42