docputer

If you?re running a self-hosted WordPress (WordPress) blog that isn?t up-to-date (version 2.8.4), you?re advised to upgrade immediately to the latest version of the software to avoid an ongoing attack. Users of WordPress.com hosted blogs are not affected.
This message came from Lorelle at Wordpress after it was discovered that a nasty attack is exploiting security holes in previous versions of the blogging software, creating a new ?hidden? Administrator account and getting right down to the database level. These attacks are said to be ?growing by the hour?. Lorelle writes:

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFER ER%5D))%7D%7D|.+)&%/. The keywords are ?eval? and ?base64_decode.?

The second clue is that a ?back door? was created by a ?hidden? Administrator. Check your site users for ?Administrator (2)? or a name you do not recognize. You will probably be unable to access that account.

All users are advised to upgrade to the latest version of WP, while those already affected are in for a trying weekend: you?ll likely need to export your all your content with the built-in XML WordPress export, uninstall and reinstall WordPress and re-import the content. It?s a nasty attack that goes all the way into the database, so exporting the database will result in exporting the hacked code too.

For those unaffected: upgrade today.
http://mashable.com/2009/09/05/wordpress-attack/

Cyber Fucker

Thx for the info! Sounds like wordpress is having more and more security holes recently...

__________________

TheSenator

ok...I plugged up my site months ago....


Another layer of security is renaming your table prefix.

Use this tool to help you.
http://semperfiwebdesign.com/custom-...security-scan/

__________________
ISeekGirls.com since 2005

Killswitch - BANNED FOR LIFE

Wordpress is a pile of shit anyway.

Jdoughs

If you're running an old version you are just asking for it, this doesn't affect anyone who is up to date with updates.

__________________
LinkSpun - Premier Adult Link Trading Community - ICQ - 464/\281/\250
Be Seen By New Webmasters/Affiliates * Target out webmasters/affiliates based on niches your sites are for less than $20 a month.
AmeriNOC - Proudly hosted @ AmeriNOC!

Hotrocket

I'm pretty sure fris posted about this like 2 weeks ago...lol

Agent 488

i'm pretty sure it was another hack ... lol.

Scotty.T

I'm pretty sure fris' post about this 2 weeks ago was a different exploit.

__________________
.

ladida

Those are just shell parameters that can be changed at any time. Wouldn't call those keywords for detection, rather the chars infront, which looks like they found a regexp and escaped from it (%&(%7B$%7B).

__________________
agentGFY *at* gmail.com

woj

these hacks happen all the time, nothing new

__________________
Custom Software Development, email: woj#at#wojfun#.#com to discuss details or skype: wojl2000 or gchat: wojfun or telegram: wojl2000
Affiliate program tools: Hosted Galleries Manager Banner Manager Video Manager
Wordpress Affiliate Plugin Pic/Movie of the Day Fansign Generator Zip Manager