making bbPress (and WordPress) work better!

WP security

WordPress hacked? Stop using CHMOD 777 !

Attention folks getting hacked. I feel horrible every time I read this (a few times a year now!). Let me give you my 2 cents.

If WP or plugins tell you to chmod 777 entire directories (inside your web directory) so they can change one file for you instead of you doing it by hand, this is likely why/how you are getting hacked, if you can’t find the reason otherwise. It works hand-in-hand with other exploits.

When I read that mysterious extra files are appearing in folders, there are only two ways this is happening:

1. You left directories as chmod 777 that are web accessible
2. You stored your FTP password somewhere

SO STOP DOING IT!

Any directory that absolutely must be chmod 777 (i.e. for attachment uploading) should be stored outside of the web root. It’s unbelievably dangerous to have a web-facing directory that is chmod 777.

If you chmod 777 your entire plugins directory, you’re a moron (or at least following very bad advice).

Another big problem both WordPress and even its little sister bbPress have is that the `config.php` files are web readable if PHP is bypassed somehow – no attempt is made to block them via `.htaccess` – and your MySQL password is in there in plain text, which is very handy to evil hackers.

Either one of these in `.htaccess` should help stop that:

# Option 1: mod_rewrite. Returns 403 Forbidden for any request whose script
# filename ends in config.php (covers wp-config.php, bb-config.php and plain config.php).
RewriteEngine On
RewriteCond %{SCRIPT_FILENAME} config\.php$ [NC]
RewriteRule .* - [F]

or

# Option 2: a regex <Files> match. Apache needs the space after the tilde
# (or use <FilesMatch "config\.php">). Order/Deny is Apache 2.2 syntax;
# on Apache 2.4 use "Require all denied" in place of those two lines.
<Files ~ "config\.php">
Order allow,deny
Deny from all
</Files>

You can test before and after by trying to access the config file from the web. Before, you’ll get a PHP message. After, you’ll get a direct message from the server that it’s forbidden. Meanwhile WordPress/bbPress will continue to work fine.

Unfortunately nothing can stop a hacker if they are able to place a file onto your server in a chmod 777 directory: they then read your `config.php` file via PHP (`.htaccess` won’t help there), obtain the MySQL password, and use it to write directly to the MySQL tables, changing whatever they want. That is why it is so important NOT to use 777.
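As an added audit helper (not code from the post), the following POSIX sh script reports the two things discussed above inside a WordPress/bbPress web root: directories left world-writable (chmod 777), and config files readable by every local user on the box, a leak path no `.htaccess` rule can close. It builds a small constructed demo tree (a hypothetical layout, not a real install) and assumes a standard find(1).

```shell
#!/bin/sh
# Audit a web root for the two conditions the post warns about.
#   1. directories that are world-writable (chmod 777 / o+w)
#   2. wp-config.php, bb-config.php or config.php readable by "other" users
# Octal permission masks are used for portability across find(1) implementations.
audit_webroot() {
  webroot="$1"
  find "$webroot" -type d -perm -0002 -print | while IFS= read -r d; do
    echo "WORLD-WRITABLE DIR: $d  (fix: chmod 755 '$d')"
  done
  find "$webroot" -type f \( -name wp-config.php -o -name bb-config.php -o -name config.php \) \
       -perm -0004 -print | while IFS= read -r f; do
    echo "WORLD-READABLE CONFIG: $f  (fix: chmod 640 '$f')"
  done
  return 0
}

# Number of findings, handy for a cron job that mails you when it is non-zero.
count_findings() {
  audit_webroot "$1" | wc -l | tr -d ' '
}

# Constructed demo tree (hypothetical layout): one 777 plugins directory and a
# world-readable wp-config.php, exactly the situation the post describes.
make_demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/plugins" "$root/wp-content/uploads"
  : > "$root/wp-config.php"
  chmod 755 "$root" "$root/wp-content" "$root/wp-content/uploads"
  chmod 777 "$root/wp-content/plugins"   # the bad advice in action
  chmod 644 "$root/wp-config.php"        # any local user can read the DB password
  echo "$root"
}

demo=$(make_demo_tree)
audit_webroot "$demo"                    # two findings
chmod 755 "$demo/wp-content/plugins"     # the fixes the post recommends
chmod 640 "$demo/wp-config.php"
audit_webroot "$demo"                    # no findings
rm -rf "$demo"
```

Run it against your real install as `audit_webroot /path/to/wordpress`; an empty report means no web-facing directory is 777 and no config file is readable by other local users.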

P.S. Also a good idea is my mini-plugin to block long GET requests:
http://ckon.wordpress.com/2008/11/11/simple-wordpress-and-bbpress-security-plugin-to-block-long-requests/
Though with the newest WordPress/bbPress you may have to double the allowed query length to 512 bytes instead of 256.


every WordPress install vulnerable to new security hack

Remember the mysterious babloo/blyat attack that hit many blogs including xkcd and is continuing in the wild? Here’s how they did it:

coresecurity.com : WordPress Privileges Unchecked

It’s just mind boggling that the WordPress people:

1. knew about it since June 4th
2. took OVER A FULL MONTH to release a fix (June 4th – July 8th)
3. left ALL previous versions of WordPress flapping in the wind
4. published no advisory on how to manually patch existing installs

bbPress 1.0 is possibly affected by this vulnerability now that it uses the WP core
bbPress 0.9 might be immune

added 7/13

I don’t know if this is a reasonable security patch for existing WP installs but the logic seems to make sense to me so far. It might break plugins like subscribe-to-comments or anything else that interacts with regular users through the admin interface.

The problem seems to be this line in admin.php:

include(ABSPATH . PLUGINDIR . "/$plugin_page");

Since there is no single, natural action before it to hook (the action hooks there have the plugin name appended), the file itself will have to be edited; add something like this BEFORE the above line:

// level_2 = Author and above in the old WordPress user levels
if ( ! current_user_can('level_2') ) {
    wp_die(__('You are not allowed here.'));
}

This only allows Authors and above to use plugins via the admin menu.

The WP legacy where regular members are allowed into the admin area, but with reduced privileges, has always been very messy, and this is (yet another time) where it’s coming back to haunt WP adopters. The good news is at least bbPress learned from the mistake and does it differently.


babloo/blyat spammer attack on many WordPress blogs

I’ve learned recently that a number of WordPress-powered blogs (including xkcd) were hit by some kind of spammer attack (bablooO aka babloo-O).

It injected many spam links into the database before the “read more” part of a post.

I am trying to figure out how this happened so it can be prevented from happening again, if it’s a plugin vulnerability or from WP’s xmlrpc.

So if anyone has more details, please let me know. I do know it was not tied to any specific version; I have found the signature on WP 2.3, 2.5, 2.7 & 2.7.1.

(sometimes the signature says “blyat” instead of “babloo”)


Movabletype doesn’t report security issues

Every so often I come across a comment on the web about how Movabletype “doesn’t have the security issues” that WordPress does, which really annoys me. No one likes bugs but to be misinformed about security is wrong.

The reality is this couldn’t be further from the truth – Movabletype has had at least three security issues this year, but Movabletype is to blame for hiding/lying about the situation, with no vulnerability reports and leaving people in the dark until they have a fix. So which is worse: warning people ahead of time that there’s a vulnerability and not being petty about how it will make you look, or just not telling the users while the hackers already know how to exploit the problem?

Essentially no one researches Movabletype security vulnerabilities anymore – perhaps the user base has become too small, perhaps hackers aren’t even bothering because they can’t find sites using it worth hacking.

Want proof? It’s simple. Go to any site that tracks security vulnerability announcements. Here’s an example, Secunia:
