If you haven’t yet upgraded to the latest version of WordPress 2.8.4, then it is bout time you did. Self-hosted WordPress installs prior to this version is under attack and the potential damage to its users is high. Matt writes,
Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts. [source]
Lorelle enumerates some symptoms to know if your site has been affected by the worm:
There are two clues that your WordPress site has been attacked.
There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”
The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.
WordPress.com blogs are not impacted as they are up-to-date. Only versions prior to WordPress 2.8.4 are impacted.
Upgrade now!
Author: Jayvee Fernandez
Jayvee Fernandez has done his rounds in blog postings. He served as Technology Channel Editor for b5Media Inc and has founded the leading blog advertising and word of mouth network called BlogBank in the Philippines.
And now, he’s gone full circle, landing back with The Blog Herald, the resource that gave him his first blogging job in 2005.
I upgraded to 2.8.4 as soon as it came out, but this past week I got e-mail notifications of several “new users.” I became immediately suspicious, especially since I have no link available whereby the public can sign up to be a user … there’s no need to be registered as a user on my blog since anyone can read it and all comments are moderated. So I unchecked “Anyone can register” in the General Settings, deleted all users except my wife and me, and changed the password.
I’m hoping I am now safe. I see no other signs of anything odd, but then I don’t know enough about WordPress.org code and databases to get into the bowels of the thing to know if anything else is going on. I guess I’ll just wait and hold my breath?
I updated immediately after seeing this issue. ;)
As soon as I found out about this issue I updated straight away.