WordPress Under Attack: Reason to Upgrade to 2.8.4

Filed as News on September 6, 2009 8:21 am

If you haven’t yet upgraded to the latest version of WordPress 2.8.4, then it is bout time you did. Self-hosted WordPress installs prior to this version is under attack and the potential damage to its users is high. Matt writes,

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts. [source]

Lorelle enumerates some symptoms to know if your site has been affected by the worm:

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.

WordPress.com blogs are not impacted as they are up-to-date. Only versions prior to WordPress 2.8.4 are impacted.

Upgrade now!

Tags: , , ,

This post was written by

You can visit the for a short bio, more posts, and other information about the author.


Submissions & Subscriptions

Submit the post to Reddit, StumbleUpon, Digg or Del.icio.us.

Did you like it? Then subscribe to our RSS feed!



  1. By Rob posted on September 6, 2009 at 5:21 pm
    Want an avatar? Get a gravatar! • You can link to this comment

    I upgraded to 2.8.4 as soon as it came out, but this past week I got e-mail notifications of several “new users.” I became immediately suspicious, especially since I have no link available whereby the public can sign up to be a user … there’s no need to be registered as a user on my blog since anyone can read it and all comments are moderated. So I unchecked “Anyone can register” in the General Settings, deleted all users except my wife and me, and changed the password.

    I’m hoping I am now safe. I see no other signs of anything odd, but then I don’t know enough about WordPress.org code and databases to get into the bowels of the thing to know if anything else is going on. I guess I’ll just wait and hold my breath?

    Reply

  2. By Jayce posted on September 9, 2009 at 8:56 am
    Want an avatar? Get a gravatar! • You can link to this comment

    I updated immediately after seeing this issue. ;)

    Reply

  3. By Jamie Allsop posted on September 9, 2009 at 2:17 pm
    Want an avatar? Get a gravatar! • You can link to this comment

    As soon as I found out about this issue I updated straight away.

    Reply

    Your words are your own, so be nice and helpful if you can. If this is the first time you're posting a comment, it might go into moderation. Don't worry, it's not lost, so there's no need to repost it! We accept clean XHTML in comments, but don't overdo it please.

    Current day month ye@r *