<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Disqus - Latest Comments for bradyk</title><link>http://disqus.com/people/bradyk/</link><description></description><language>en</language><lastBuildDate>Sun, 15 Nov 2009 18:31:09 -0000</lastBuildDate><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-23158903</link><description>FWIW, I'm Cluster 1, Storage 6.  I believe MT when they say this wasn't a WP exploit as much as a MT exploit.  How did they know how to access all the rest of the domains on my account without knowing how MT's hosting is set up?  Why is the common thread MT customers rather than WP in general?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ray Schamp</dc:creator><pubDate>Sun, 15 Nov 2009 18:31:09 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-23155963</link><description>Hm... I didn't think about the Cluster bit.  I used to be on 02, now I'm on 05, but maybe you're on to something?&lt;br&gt;&lt;br&gt;--Kyle</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bradyk</dc:creator><pubDate>Sun, 15 Nov 2009 17:22:19 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22949203</link><description>I think you're right, keep us posted.  I'm following up on mine too.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ray Schamp</dc:creator><pubDate>Fri, 13 Nov 2009 16:22:29 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22943104</link><description>I don't buy that.  FTP, SSH, etc. 
should all be prevented from being recipients of dictionary-attacks.&lt;br&gt;&lt;br&gt;I think there's a larger issue at hand, and I'm having (mt) look into it.&lt;br&gt;&lt;br&gt;--Kyle</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bradyk</dc:creator><pubDate>Fri, 13 Nov 2009 16:01:55 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22902302</link><description>Media Temple just replied to me with this:&lt;br&gt;&lt;br&gt;The actual attack occurred because your FTP password was hacked. On November 9th we noticed an increase in the number of FTP connection attempts to several of our (gs) Grid-Service accounts; some of the attempts were successful and some were not. Once gaining FTP access, the attacker then made the changes to your WordPress files. To prevent this happening again, you need to change your FTP password. This particular hack was not caused by a WordPress vulnerability. 
However, it is always a good idea to keep Wordpress as up-to-date as possible, because new hacks are being tested constantly, and the older your software is, the more vulnerable you are.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ray Schamp</dc:creator><pubDate>Fri, 13 Nov 2009 09:56:26 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22880669</link><description>Interesting...&lt;br&gt;&lt;br&gt;--Kyle</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bradyk</dc:creator><pubDate>Fri, 13 Nov 2009 00:40:52 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22862801</link><description>That looks like it only works for verified users... the whole point here is that they did it without being a user.&lt;br&gt;&lt;br&gt;--Kyle</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bradyk</dc:creator><pubDate>Thu, 12 Nov 2009 17:47:20 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22862712</link><description>As I said in the post, "infected posts" are ones that had the link redirection effect, where older posts (made before the attack) didn't.  I also said that this was with 2.8.5.&lt;br&gt;&lt;br&gt;--Kyle</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bradyk</dc:creator><pubDate>Thu, 12 Nov 2009 17:45:51 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22861230</link><description>What are you calling 'infected posts'?  
Meaning they had obvious malicious links in them?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris</dc:creator><pubDate>Thu, 12 Nov 2009 17:13:40 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22860892</link><description>Wow, that's brutal.&lt;br&gt;&lt;br&gt;I should start using SVN for my Wordpress sites... that *would* make life a lot easier.&lt;br&gt;&lt;br&gt;Congrats on the genius move!&lt;br&gt;&lt;br&gt;--Kyle</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bradyk</dc:creator><pubDate>Thu, 12 Nov 2009 17:06:14 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22860122</link><description>No problem.&lt;br&gt;&lt;br&gt;I'm not entirely sure where - my solution was to copy the infected posts (through the Wordpress GUI) into a separate editor, delete the posts, and then repost them with the same back-dated URLs.&lt;br&gt;&lt;br&gt;--Kyle</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bradyk</dc:creator><pubDate>Thu, 12 Nov 2009 16:49:38 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22860119</link><description>I just finished reverting all the code on all 80 of my websites hosted on MT.  It may be caused by a Wordpress hole, but then the script injected this code into every PHP file it could find in each of my "domains/&amp;lt;website&amp;gt;/html" directories.  It didn't seem to go deeper than that, for some reason.  
Also, in the directories that contained an index.php file, if the .htaccess file was not there, the script created it.&lt;br&gt;&lt;br&gt;The goal of the script seemed to be putting a hidden, 0px x 0px absolutely positioned collection of links to porn on your site, so  you wouldn't notice.  Then, it redirects search traffic (since your website will now get indexed for searches of porn) to that "you-search.in" site (Mine had a different URL).&lt;br&gt;&lt;br&gt;Thanks for posting this — it got me on the right track to fixing my account.  Thank God for svn!  I could see exactly what they did to my stuff.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ray Schamp</dc:creator><pubDate>Thu, 12 Nov 2009 16:49:35 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22695938</link><description>As has already been mentioned above, I'm not sure about moving forward, and there's an explanation for how it moved through all the hosted domains.&lt;br&gt;&lt;br&gt;--Kyle</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bradyk</dc:creator><pubDate>Wed, 11 Nov 2009 03:11:42 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22645551</link><description>Wordpress, and MediaTemple, seem to agree with me that this is a Wordpress issue.  
There could be a similar hack for Drupal - it wouldn't be impossible.&lt;br&gt;&lt;br&gt;Also, once the file gets onto your server somehow, it could potentially edit/trash/thrash any file on that server, regardless of code source.&lt;br&gt;&lt;br&gt;--Kyle</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bradyk</dc:creator><pubDate>Tue, 10 Nov 2009 18:17:50 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22522102</link><description>Glad to hear it.&lt;br&gt;&lt;br&gt;--Kyle</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bradyk</dc:creator><pubDate>Tue, 10 Nov 2009 00:41:46 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22471726</link><description>The .htaccess code gets inserted to all subdomains of the originator, as far as I can tell... for example, it started in "kyle-brady.com" and spread to "status.kyle-brady.com" (Wordpress) and then "projects.kyle-brady.com" (not Wordpress).&lt;br&gt;&lt;br&gt;Other than that, not much can spread if they don't run Wordpress or use PHP.&lt;br&gt;&lt;br&gt;--Kyle</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bradyk</dc:creator><pubDate>Mon, 09 Nov 2009 15:47:12 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22470782</link><description>Sorry Kyle. Busy day.&lt;br&gt;&lt;br&gt;By the way the problem was solved removing the code. The code is being inserted into sites that don't run PHP at all. 
Not sure why, checking with MT who are being their usual unhelpful selves with me.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Charlene</dc:creator><pubDate>Mon, 09 Nov 2009 15:36:19 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22461025</link><description>I hadn't until just now, because I didn't think of that, but... yes, the only users are legitimate ones.&lt;br&gt;&lt;br&gt;Both as Wordpress users and MySQL users.&lt;br&gt;&lt;br&gt;--Kyle</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bradyk</dc:creator><pubDate>Mon, 09 Nov 2009 13:15:19 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22456737</link><description>"Kyle".&lt;br&gt;&lt;br&gt;My name is even in the URL.&lt;br&gt;&lt;br&gt;--Kyle</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bradyk</dc:creator><pubDate>Mon, 09 Nov 2009 13:09:48 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22454048</link><description>Have you confirmed you're the only two users in MySQL?  There was an exploit earlier where a user was inserted then hidden in the WP admin via javascript.  
I'm not saying you're wrong, just mentioning it in case you want to check on it.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Matt W.</dc:creator><pubDate>Mon, 09 Nov 2009 12:29:43 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22440754</link><description>The logs only go back so far, and what we want has been lost at this point, but there's only two users - myself and admin, neither of which have been compromised.&lt;br&gt;&lt;br&gt;The whole point here is that this can happen without the proper auth - don't you think I'd be approaching this differently if it was an "OMG SOMEONE HAS MY PASSWORD!" issue?&lt;br&gt;&lt;br&gt;Yes.&lt;br&gt;&lt;br&gt;--Kyle</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bradyk</dc:creator><pubDate>Mon, 09 Nov 2009 09:38:12 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22438331</link><description>What's needed to examine this deeper is the actual POST from the Apache log.&lt;br&gt;The 1st check in the upload.php is to see if the current_user can upload a file, if not WordPress will die.&lt;br&gt;&lt;br&gt;I'm not sure how your blog is set up, multiple users can upload, only you can upload, but check if that IP has logged into your blog before the POST.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">openid-13232</dc:creator><pubDate>Mon, 09 Nov 2009 09:03:12 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22427875</link><description>Fair enough, but I don't run very many plugins, and they're all pretty standard at that - nothing that would handle file uploads before WP 
does auth.&lt;br&gt;&lt;br&gt;And half of them are ones I wrote anyway.&lt;br&gt;&lt;br&gt;--Kyle</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bradyk</dc:creator><pubDate>Mon, 09 Nov 2009 03:46:09 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22427763</link><description>It doesn't matter what file it was POSTed to, it could still be a dodgy plugin handling the request before WP has run its authentication steps.&lt;br&gt;&lt;br&gt;There has been someone else with the same issue a week or so ago, I'm not sure what came out of that.&lt;br&gt;&lt;br&gt;It's merely speculation unless you've got access to some detailed log files though (and I don't).</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dion</dc:creator><pubDate>Mon, 09 Nov 2009 03:38:12 -0000</pubDate></item><item><title>Re: Wordpress, MediaTemple, and an Injection Attack</title><link>http://kyle-brady.disqus.com/wordpress_mediatemple_and_an_injection_attack/#comment-22425820</link><description>No, it's definitely a Wordpress flaw, and at the very core of the Wordpress code... they put the POST request to a standard /wp-admin/upload.php.&lt;br&gt;&lt;br&gt;So it has nothing to do with (mt) or plugins, and everything to do with Wordpress itself - that's why I contacted their security team and filed a bug report.&lt;br&gt;&lt;br&gt;--Kyle</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bradyk</dc:creator><pubDate>Mon, 09 Nov 2009 02:02:20 -0000</pubDate></item></channel></rss>