Wordpress MySQL injection

uclaboyz · 09-04-2009, 01:27 PM

Just want to give you guys a heads up for those who run Wordpress blogs:

Wordpress MySQL Injection - Permalink hack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]

Thanks,
Steve

For your convenience, I'm copying & pasting my blog post here (images won't come through):

Quote:

Just want to write up a quick post on the latest Wordpress MySQL Injection that has seemed to attack many of the Wordpress blogs - including several of my own.

I found out about this problem last night when an email came to me from GetResponse notifying that my blog announcement feeds are no longer working.

I quickly went over to my blogs and noticed my permalink structure has been changed.

Diagnosis:

Put your mouse cursor over a permalink (or over a post title) and see if it has the following string appearing in the URL:

... [see original post for code] ...

/%&(%7B$%7Beval(base64_decode(Array%5BHTTP_EXECCODE %5D))%7D%7D|.+)&%

If so, you have been hacked!

How to Fix:

Login to your Wordpress dashboard and go to Settings -> Permalinks

Change your permalink structure to what you had before.

Now from a SEO stand point of view I had to absolutely make sure that my permalink structure was the same as before, and if you don’t remember what your permalink structure was for your site, simple got to Google and type in:

site:yoursite.com

Then look at one of your blog posts and see how the permalink URL is structured.

Then you want to remove a hidden admin user to your blog. You will most likely not be able to see who this is if you go to Users tab:

manage-usersAs you can see there are 2 Administrators, but I only see myself in the list.

To remove the uninvited guest you are going to have to login to your MySQL (cPanel -> MySQL -> phpMyAdmin) and go to your wp_users table, and sort the ID column to see the latest registered user:

wp_users

You will notice a user without an email address. To further verify that this user has Administrator privilege, go to wp_usermeta table and verify that this user_id has wp_user_level of 10:

wp_usersmetaPrevention:

I’m still keeping an eye out for future attacks. The same attacked happend to one of my Wordpress blogs that has the latest 2.8.4 version on it so I don’t think upgrading to latest version will help prevent this attack from happening to you (but highly recommended to run latest Wordpress version anyway).

globalpro · 09-04-2009, 01:42 PM

Hi,

There was somebody else that posted this problem earlier:

Help! My Blog Posts Now Have Weird Code on the URL

Really stinks. Thread does have some additional info.

Thanks,

John

AllAboutAction · 09-04-2009, 01:56 PM

Quote:

Originally Posted by uclaboyz

Just want to give you guys a heads up for those who run Wordpress blogs:

Wordpress MySQL Injection -

Thanks,
Steve

For those too lazy to click through, the article says that this is affecting versions up through 2.8.4, which is the latest stable release.

The article shows how to clean it up, but doesn't mention a fix.

Thanks for posting this, Steve.

EDIT: Heh, Steve posted his entire post above, making this post redundant. Move along!

Akarin · 09-04-2009, 02:17 PM

Quote:

Originally Posted by AllAboutAction

For those too lazy to click through, the article says that this is affecting versions up through 2.8.4, which is the latest stable release.

The article shows how to clean it up, but doesn't mention a fix.

Thanks for posting this, Steve.

LOL Thanks!

drmani · 09-05-2009, 05:14 AM

An article explaining this in more detail:

Old WordPress Versions Under Attack Lorelle on WordPress

A way to get rid of the 'hidden' admin:

Wordpress Permalink & Rss problems

If you need to do a complete re-install:

How To Completely Clean Your Hacked WordPress Installation | Smackdown!

Apparently, the hack is deep and may affect your database itself, allowing for
future attacks. I took the advice in the first article and did a complete deletion
and reinstall of my blog, after backing up the content and then imported it back
into the new install. It's a pain - but better safe than sorry, right?

All success
Dr.Mani

mvandemar · 09-05-2009, 02:28 PM

Quote:

Originally Posted by AllAboutAction

the article says that this is affecting versions up through 2.8.4, which is the latest stable release.

The article shows how to clean it up, but doesn't mention a fix.

It is possible to have the hidden admin created before the final attack hits. If that is the case then upgrading won't help with everything. However, if your blog was not attacked already, and there is no hidden admin account, then upgrading to 2.8.4 should in fact keep you safe from this round of attacks (not saying that something new won't come out a couple of weeks from now).

From testing that has been done it does not look like fresh installs of 2.8.4 are subject to the specific vulnerabilities that are being used in this set of exploits.

-Michael

CmdrStidd · 09-05-2009, 03:47 PM

That is one reason you need to have ALL your tsql code in a business layer so that the hackers cannot inject anything into the code to do stuff like this. Any of you who are coders should know what I am talking about. If you are doing sites for clients please make sure that there are at least 2 layers between the surfers and the actual tsql functionality. You should be running a data validation layer and a communications layer to protect your WP and databases from any kind of injection attacks.

emigre · 09-05-2009, 09:56 PM

correct me if I'm wrong but mysql injection prevention should be done by the web host - first line of defence although it wouldn't surprise me if your web host says it's a wordpress problem like they usually do.

KirkMcD · 09-06-2009, 09:35 AM

Quote:

Originally Posted by emigre

correct me if I'm wrong but mysql injection prevention should be done by the web host

If it was the host's responsibilty they wouldn't allow you to install anything that they didn't write.

Quote:

it wouldn't surprise me if your web host says it's a wordpress problem like they usually do.

That's because it is WP's problem.

If you rented a place to live and something you installed broke, would you blame the landlord?

Sattarmalik · 10-30-2009, 12:58 AM

But I would say thanks to thread poster it was informative and some problem solved for me

SeanIM · 10-30-2009, 02:14 AM

Thanks for the heads up...I'm sure there will be another update soon to patch this hole.

09-04-2009, 01:42 PM	#2
globalpro John Burnette War Room Member Join Date: Aug 2007 Location: S.E. USA Posts: 1,049 Thanks: 659 Thanked 208 Times in 175 Posts	Re: Wordpress MySQL injection - latest attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}\|.+ Hi, There was somebody else that posted this problem earlier: Help! My Blog Posts Now Have Weird Code on the URL Really stinks. Thread does have some additional info. Thanks, John
	Rapid Action Profits Installs, Design and Consulting

09-05-2009, 05:14 AM	#5
drmani Internet Infopreneur War Room Member Join Date: Apr 2008 Location: , , . Posts: 1,405 Blog Entries: 4 Thanks: 631 Thanked 1,630 Times in 601 Posts Social Networking	Re: Wordpress MySQL injection - latest attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}\|.+ An article explaining this in more detail: Old WordPress Versions Under Attack Lorelle on WordPress A way to get rid of the 'hidden' admin: Wordpress Permalink & Rss problems If you need to do a complete re-install: How To Completely Clean Your Hacked WordPress Installation \| Smackdown! Apparently, the hack is deep and may affect your database itself, allowing for future attacks. I took the advice in the first article and did a complete deletion and reinstall of my blog, after backing up the content and then imported it back into the new install. It's a pain - but better safe than sorry, right? All success Dr.Mani
	Learn Information Marketing at the Infopreneur Blog \| Sign up to our FREE Infopreneur Ezine Connect on G+ \| Buy 'Think, Write & Retire!' \| Get FREE Content For Your Blog or Ezine!

09-05-2009, 03:47 PM	#7
CmdrStidd HyperActive Warrior Join Date: Feb 2009 Location: Cincinnati, OH, USA Posts: 323 Thanks: 68 Thanked 37 Times in 31 Posts	Re: Wordpress MySQL injection - latest attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}\|.+ That is one reason you need to have ALL your tsql code in a business layer so that the hackers cannot inject anything into the code to do stuff like this. Any of you who are coders should know what I am talking about. If you are doing sites for clients please make sure that there are at least 2 layers between the surfers and the actual tsql functionality. You should be running a data validation layer and a communications layer to protect your WP and databases from any kind of injection attacks.

09-05-2009, 09:56 PM	#8
emigre HyperActive Warrior Join Date: Jul 2007 Location: across the universe Posts: 347 Thanks: 7 Thanked 23 Times in 21 Posts	Re: Wordpress MySQL injection - latest attack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}\|.+ correct me if I'm wrong but mysql injection prevention should be done by the web host - first line of defence although it wouldn't surprise me if your web host says it's a wordpress problem like they usually do.

10-30-2009, 12:58 AM	#10
Sattarmalik Active Warrior Join Date: Jul 2009 Posts: 31 Thanks: 3 Thanked 1 Time in 1 Post	Re: Wordpress MySQL injection But I would say thanks to thread poster it was informative and some problem solved for me
	Powerful Auto Blogging Software

10-30-2009, 02:14 AM	#11
SeanIM Don't think about rabbits War Room Member Join Date: Nov 2005 Location: ...between my left and right ear. Posts: 768 Blog Entries: 1 Thanks: 38 Thanked 69 Times in 53 Posts	Re: Wordpress MySQL injection Thanks for the heads up...I'm sure there will be another update soon to patch this hole.
	Interested in how to publish with SEO in mind and also into the Social Media space? It's merging and I'll have another updated product out on this soon. - Sean Mitchell For now you can checkout Social Search Exposed