Update: The specific versions of WordPress affected have been 2.9.2, 2.9.1, 2.9, and a 2.8.x version which I didn’t check precisely.
Last week, I noticed my blogs were acting up – they’d hang when trying to upload an image, post a blog… random things. I fired up Firebug and noticed I had several requests going to a jumbled mess of letters and a domain associated with spam.
I opened up my header.php file in the Theme Editor and a massive block of injected PHP was there to greet me. Balls. As it turns out, this is a massive exploit in the WordPress text editor that causes admin pages to redirect to spyware sites. So far, every one of my sites and my clients’ sites has been hit – sometimes you can’t even log in.
Basic instructions to fix an affected site:
- Download your wp-content folder and your wp-config.php file via FTP
- Replace all of your WordPress files with a clean copy (replace any whose size differs)
- Then, for each .php file in your wp-content folder and for wp-config.php, look for a big block of encrypted-looking text at the top and delete that block – it will be in every theme file, every config file, etc.
- Upload the newly cleaned files (again replacing any whose size differs)
- To prevent this type of attack, add everything between the – markers (NOT including the – markers themselves) to the .htaccess file in your WordPress main directory, after any # END statements and a blank line.
–
# BEGIN Stop Bots
RewriteEngine On
RewriteCond %{THE_REQUEST} .*['"`!$<>;].* [OR]
RewriteCond %{THE_REQUEST} .*%22.* [NC,OR]
RewriteCond %{THE_REQUEST} .*%27.* [NC,OR]
RewriteCond %{THE_REQUEST} .*%60.* [NC,OR]
RewriteCond %{THE_REQUEST} .*%3C.* [NC,OR]
RewriteCond %{THE_REQUEST} .*%3E.* [NC,OR]
RewriteCond %{THE_REQUEST} .*%3B.*
RewriteRule $ - [L,F]
SetEnvIf Request_URI "'" bad_bot=1
SetEnvIf Request_URI '"' bad_bot=1
SetEnvIf Request_URI '`' bad_bot=1
SetEnvIf Request_URI '%22' bad_bot=1
SetEnvIf Request_URI '%27' bad_bot=1
SetEnvIf Request_URI '%60' bad_bot=1
<Limit HEAD GET POST>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>
# END Stop Bots
–
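As an added example (not the post’s own code), here is a small Python scanner that automates the check in the third step: it walks a site tree, flags any .php file whose first few lines carry an eval() of a decoder call or a very long base64-looking run, and writes a cleaned copy beside the original instead of overwriting it. The two heuristics, the HEAD_LINES window, the sample theme files and the harmless base64 stand-in are all constructed for this example, not taken from the post.

```python
from __future__ import annotations
import base64
import re
import tempfile
from pathlib import Path

# Assumed heuristics (not from the post): an eval() of a decoder call, or a very
# long run of base64-looking characters, on one of the first few lines of a file.
OBFUSCATION_RE = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)
LONG_B64_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
HEAD_LINES = 5  # the post says the block sits at the top, so only the head is examined

def injected_lines(text: str) -> list[int]:
    """0-based indices (within the file head) of lines that look injected."""
    return [i for i, line in enumerate(text.splitlines()[:HEAD_LINES])
            if OBFUSCATION_RE.search(line) or LONG_B64_RE.search(line)]

def clean_text(text: str) -> str:
    """Return the file with the flagged head lines removed; nothing else is touched."""
    bad = set(injected_lines(text))
    return "".join(l for i, l in enumerate(text.splitlines(keepends=True)) if i not in bad)

def scan_tree(root: Path) -> dict[Path, list[int]]:
    """Map each .php file under root that has suspicious head lines to those indices."""
    found = ((p, injected_lines(p.read_text(errors="replace"))) for p in sorted(root.rglob("*.php")))
    return {p: hits for p, hits in found if hits}

# Constructed sample files: the "payload" is a harmless echo, base64-encoded.
CLEAN_HEADER = "<?php\n/** constructed theme header */\nget_header();\n?>\n<html><head><title>sample</title></head>\n"
INJECTED_LINE = '<?php eval(base64_decode("%s")); ?>\n' % base64.b64encode(
    b'echo "harmless constructed stand-in";').decode()

def build_sample_tree(root: Path) -> None:
    theme = root / "wp-content" / "themes" / "sample"
    theme.mkdir(parents=True)
    (theme / "header.php").write_text(INJECTED_LINE + CLEAN_HEADER)
    (theme / "functions.php").write_text("<?php\n// constructed, clean\nadd_action('init', 'noop');\n")
    (root / "wp-config.php").write_text(INJECTED_LINE + "<?php\ndefine('DB_NAME', 'x');\n")

def run_demo() -> tuple[list[str], str]:
    """Scan a constructed tree; return the flagged paths and the cleaned header.php."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        flagged = sorted(p.relative_to(root).as_posix() for p in scan_tree(root))
        header = root / "wp-content" / "themes" / "sample" / "header.php"
        cleaned = clean_text(header.read_text())
        header.with_name(header.name + ".cleaned").write_text(cleaned)  # original kept for diffing
        return flagged, cleaned
```

Review every flagged file by hand before swapping the cleaned copy in; the heuristics are deliberately loose and a legitimate minified asset or a theme that bundles encoded data can trip the long-run check.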
If your blog has been affected by this and you have no clue how to fix it, feel free to contact me and I’ll help walk you through it.
This is not related in any way to TinyMCE (TinyMCE is just JavaScript); your blog was hacked some other way.
Steve,
I’m not entirely sold on that. Both the Wiki software AND WordPress (and for that matter, my other PHP installations) that utilize TinyMCE were hacked. My other PHP installations that did not utilize TinyMCE were not hacked. Keep in mind, these were all GoDaddy hosted and BlueHost hosted (mixed bag on both servers).
There’s a bit of confusion as to how exactly it happens, but the security logs DO show sniffing for TinyMCE and then an execution of some sort.
-Nick
A major site that I manage had Tiny_MCE in its back-end and suffered the identical symptoms of PHP injection that you mentioned. This is not a WordPress blog, but a custom-made site, and PHP and HTML files were infected across the entire site.
I’m implementing your fix as I type this, crossing fingers.
Implementing TinyMCE forces security holes that the developers would rather you not know about.
FWIW, I’m seeing a lot of persistent, direct browse attempts to “/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=file&folder=” on my blogs (always from Russian IPs, it seems). I really only noticed because of a ‘who’s online’ type plugin I installed recently.
There’s little doubt that these URLs are deliberate, and TinyMCE does have a history of being an attack vector (e.g. the Joomla version back in 2008 with its example page). So, in short, TinyMCE *was* a vector in the past and may well be again, ‘just javascript’ or not.
I don’t think you understand: TinyMCE is pure JavaScript. Unless you have installed something “custom” – there are plenty of vulnerabilities in 3rd-party TinyMCE plugins.
With pure Javascript, I mean that the exact same “exploit” could be done even with Javascript turned off in the browser.
If you Google a bit, you will see that there are virtually no reported issues with the WordPress versions you mention (other than actual ISP hosts being hacked).
So the question becomes: what is different on your installs compared to a normal WordPress install?
Can you post the execution line you mentioned here?
I have noticed many queries sniffing for tinymce. It is very likely that there is a hole hackers are sniffing for.
-Sam