Wordpress MySQL injection

10 replies
Just want to give you guys a heads up for those who run Wordpress blogs:

Wordpress MySQL Injection - Permalink hack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]

Thanks,
Steve

For your convenience, I'm copying & pasting my blog post here (images won't come through):

Just want to write up a quick post on the latest Wordpress MySQL Injection that seems to have attacked many Wordpress blogs, including several of my own.

I found out about this problem last night when an email came to me from GetResponse notifying me that my blog announcement feeds were no longer working.

I quickly went over to my blogs and noticed my permalink structure had been changed.

Diagnosis:

Put your mouse cursor over a permalink (or over a post title) and see if it has the following string appearing in the URL:

... [see original post for code] ...

/%&(%7B$%7Beval(base64_decode(Array%5BHTTP_EXECCODE %5D))%7D%7D|.+)&%

If so, you have been hacked!

How to Fix:

Login to your Wordpress dashboard and go to Settings -> Permalinks

Change your permalink structure to what you had before.

Now from an SEO standpoint I had to make absolutely sure that my permalink structure was the same as before. If you don't remember what your permalink structure was for your site, simply go to Google and type in:

site:yoursite.com

Then look at one of your blog posts and see how the permalink URL is structured.

Then you want to remove a hidden admin user from your blog. You will most likely not be able to see who this is if you go to the Users tab:

[image: manage-users]

As you can see there are 2 Administrators, but I only see myself in the list.

To remove the uninvited guest you are going to have to log in to your MySQL (cPanel -> MySQL -> phpMyAdmin), go to your wp_users table, and sort the ID column to see the latest registered user:

[image: wp_users]

You will notice a user without an email address. To further verify that this user has Administrator privileges, go to the wp_usermeta table and verify that this user_id has a wp_user_level of 10:

[image: wp_usersmeta]

Prevention:

I'm still keeping an eye out for future attacks. The same attack happened to one of my Wordpress blogs that has the latest 2.8.4 version on it, so I don't think upgrading to the latest version will help prevent this attack from happening to you (but it is highly recommended to run the latest Wordpress version anyway).
Tags: and% or, attack, injection, latest, mysql, wordpress, wordpress hack, wordpress injection
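One way to run the diagnosis and clean-up steps from the post above against the database instead of the dashboard, as an added example that is not part of the original post or of Wordpress itself: it loads a constructed miniature copy of the wp_options, wp_users and wp_usermeta tables into an in-memory SQLite database (the real site is MySQL reached through phpMyAdmin, and the SELECT and DELETE statements below run unchanged there), URL-decodes the stored permalink structure so the eval(base64_decode(...)) payload becomes readable, lists every account that carries administrator level whether or not the Users screen shows it, flags the ones with no e-mail address, and removes a chosen account. The rows, the user names and the function names are assumptions made for the illustration.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample data for this example: a miniature copy of the three
# WordPress tables the post inspects. Table and column names are WordPress's
# real ones; every row below is made up.
SCHEMA = """
CREATE TABLE wp_options  (option_name TEXT, option_value TEXT);
CREATE TABLE wp_users    (ID INTEGER PRIMARY KEY, user_login TEXT,
                          user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
"""

# The permalink structure quoted in the post, exactly as it appears in the URL.
HACKED_PERMALINK = "/%&(%7B$%7Beval(base64_decode(Array%5BHTTP_EXECCODE %5D))%7D%7D|.+)&%"

SAMPLE_ROWS = {
    "wp_options": [("permalink_structure", HACKED_PERMALINK)],
    "wp_users": [
        (1, "steve",   "steve@example.com", "2008-03-01 10:00:00"),
        (2, "editor",  "ed@example.com",    "2008-06-15 09:30:00"),
        (3, "wpadm3f", "",                  "2009-09-06 03:12:44"),  # no e-mail: the uninvited guest
    ],
    "wp_usermeta": [
        (1, "wp_user_level",   "10"),
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "wp_user_level",   "7"),
        (3, "wp_user_level",   "10"),
        (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ],
}

# Tokens that never belong in a permalink structure: a legitimate value is
# made of %year%/%postname% style tags, not PHP.
SUSPICIOUS_TOKENS = ("eval(", "base64_decode(", "${", "assert(", "system(")


def build_db():
    """Create the in-memory database and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        con.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    con.commit()
    return con


def permalink_is_malicious(structure):
    """URL-decode the stored value and look for code-execution tokens."""
    decoded = unquote(structure)
    return any(tok in decoded for tok in SUSPICIOUS_TOKENS)


def check_permalink(con):
    """Return (decoded permalink structure, is_malicious) read from wp_options."""
    (value,) = con.execute(
        "SELECT option_value FROM wp_options WHERE option_name = 'permalink_structure'"
    ).fetchone()
    return unquote(value), permalink_is_malicious(value)


def admin_accounts(con):
    """Every account with administrator level, newest ID first.

    Checks both the legacy wp_user_level = 10 flag the post mentions and the
    serialised wp_capabilities role, so an account that sets only one of the
    two is still reported. Compare this list with the dashboard's Users screen.
    """
    sql = """
        SELECT DISTINCT u.ID, u.user_login, u.user_email, u.user_registered
        FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE (m.meta_key = 'wp_user_level' AND m.meta_value = '10')
           OR (m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%')
        ORDER BY u.ID DESC
    """
    return con.execute(sql).fetchall()


def suspicious_admins(con):
    """Admin logins with no e-mail address, the tell-tale the post describes."""
    return [login for _, login, email, _ in admin_accounts(con) if not email]


def remove_user(con, user_id):
    """Delete an account and all of its metadata; returns (users, meta rows) removed."""
    meta = con.execute("DELETE FROM wp_usermeta WHERE user_id = ?", (user_id,)).rowcount
    users = con.execute("DELETE FROM wp_users WHERE ID = ?", (user_id,)).rowcount
    con.commit()
    return users, meta


if __name__ == "__main__":
    db = build_db()
    decoded, bad = check_permalink(db)
    print("permalink_structure:", decoded, "-> MALICIOUS" if bad else "-> ok")
    for row in admin_accounts(db):
        print("admin account:", row)
    for login in suspicious_admins(db):
        print("no e-mail address, verify and remove:", login)
```

Run it as-is to see the decoded payload and the account listing; against a live site, paste the SELECT from admin_accounts into phpMyAdmin and, once you have confirmed the ID, run the two DELETE statements from remove_user with that ID. Posts authored by the deleted account keep its ID in post_author, so check wp_posts for anything it published before you delete it.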
  • globalpro
    Hi,

    There was somebody else that posted this problem earlier:

    http://www.warriorforum.com/main-int...-code-url.html

    Really stinks. Thread does have some additional info.

    Thanks,

    John
  • AllAboutAction
    Originally Posted by uclaboyz

    Just want to give you guys a heads up for those who run Wordpress blogs:

    Wordpress MySQL Injection -

    Thanks,
    Steve
    For those too lazy to click through, the article says that this is affecting versions up through 2.8.4, which is the latest stable release.

    The article shows how to clean it up, but doesn't mention a fix.

    Thanks for posting this, Steve.

    EDIT: Heh, Steve posted his entire post above, making this post redundant. Move along!

    • Akarin
      Originally Posted by AllAboutAction

      For those too lazy to click through, the article says that this is affecting versions up through 2.8.4, which is the latest stable release.

      The article shows how to clean it up, but doesn't mention a fix.

      Thanks for posting this, Steve.
      LOL Thanks!
    • mvandemar
      Originally Posted by AllAboutAction

      the article says that this is affecting versions up through 2.8.4, which is the latest stable release.

      The article shows how to clean it up, but doesn't mention a fix.
      It is possible to have the hidden admin created before the final attack hits. If that is the case then upgrading won't help with everything. However, if your blog was not attacked already, and there is no hidden admin account, then upgrading to 2.8.4 should in fact keep you safe from this round of attacks (not saying that something new won't come out a couple of weeks from now).

      From testing that has been done it does not look like fresh installs of 2.8.4 are subject to the specific vulnerabilities that are being used in this set of exploits.

      -Michael
  • CmdrStidd
    That is one reason you need to have ALL your tsql code in a business layer so that the hackers cannot inject anything into the code to do stuff like this. Any of you who are coders should know what I am talking about. If you are doing sites for clients please make sure that there are at least 2 layers between the surfers and the actual tsql functionality. You should be running a data validation layer and a communications layer to protect your WP and databases from any kind of injection attacks.
  • emigre
    Correct me if I'm wrong, but MySQL injection prevention should be done by the web host - first line of defence - although it wouldn't surprise me if your web host says it's a Wordpress problem like they usually do.
    • KirkMcD
      Originally Posted by emigre

      correct me if I'm wrong but mysql injection prevention should be done by the web host
      If it was the host's responsibility they wouldn't allow you to install anything that they didn't write.

      it wouldn't surprise me if your web host says it's a wordpress problem like they usually do.
      That's because it is WP's problem.

      If you rented a place to live and something you installed broke, would you blame the landlord?
  • Sattarmalik
    But I would say thanks to the thread poster; it was informative and solved some problems for me.