Now Reading
WordPress Under Attack: Reason to Upgrade to 2.8.4

WordPress Under Attack: Reason to Upgrade to 2.8.4

If you haven’t yet upgraded to the latest version of WordPress 2.8.4, then it is bout time you did. Self-hosted WordPress installs prior to this version is under attack and the potential damage to its users is high. Matt writes,

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts. [source]

Lorelle enumerates some symptoms to know if your site has been affected by the worm:

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.

See Also
G7 Conference blogs are not impacted as they are up-to-date. Only versions prior to WordPress 2.8.4 are impacted.

Upgrade now!

View Comments (3)
  • I upgraded to 2.8.4 as soon as it came out, but this past week I got e-mail notifications of several “new users.” I became immediately suspicious, especially since I have no link available whereby the public can sign up to be a user … there’s no need to be registered as a user on my blog since anyone can read it and all comments are moderated. So I unchecked “Anyone can register” in the General Settings, deleted all users except my wife and me, and changed the password.

    I’m hoping I am now safe. I see no other signs of anything odd, but then I don’t know enough about code and databases to get into the bowels of the thing to know if anything else is going on. I guess I’ll just wait and hold my breath?

Scroll To Top