Crash!

WordPress TinyMCE Hack Will Kill Your Blog

by Nick Armstrong on February 27, 2010

in Articles, Tips and Techniques

Update: The specific WordPress versions I have seen affected are 2.9.2, 2.9.1, 2.9, and some version of 2.8 that I did not check specifically.

Last week, I noticed my blogs were acting up – they’d hang when trying to upload an image, post a blog… random things. I fired up Firebug and noticed I had several requests going to a jumbled mess of letters and a domain associated with spam.

I opened up my header.php file in the Theme Editor and a massive block of injected PHP was there to greet me. Balls. As it turns out, this is a massive exploit in the WordPress text editor that causes admin pages to redirect to spyware sites. So far, every one of my sites and my clients’ sites has been hit – sometimes you can’t even log in.

Basic instructions to fix an affected site:

  • Download your wp-content folder and your wp-config.php file via FTP
  • Replace all of your WordPress files with a clean version (replace any of a different size)
  • Then for each .php file in your wp-content folder, and also the wp-config.php file, look for a big block of encrypted text at the top… delete that block – it will be in every theme file, every config file, etc.
  • Upload the newly cleaned files (replacing any of a different size)
  • To prevent this type of attack, add the block below (from # BEGIN Stop Bots through # END Stop Bots) to your .htaccess file in the WordPress main directory (after any # END statements and a blank line).


# BEGIN Stop Bots

# Return 403 Forbidden for any request line containing a quote, backtick or
# shell/HTML metacharacter, either raw or URL-encoded (%22 %27 %60 %3C %3E %3B)
RewriteEngine On
RewriteCond %{THE_REQUEST} .*['"`!$<>;].* [OR]
RewriteCond %{THE_REQUEST} .*%22.* [NC,OR]
RewriteCond %{THE_REQUEST} .*%27.* [NC,OR]
RewriteCond %{THE_REQUEST} .*%60.* [NC,OR]
RewriteCond %{THE_REQUEST} .*%3C.* [NC,OR]
RewriteCond %{THE_REQUEST} .*%3E.* [NC,OR]
RewriteCond %{THE_REQUEST} .*%3B.*
RewriteRule $ - [L,F]

# Second layer: tag requests whose URI contains a quote or backtick (raw or encoded)
SetEnvIf Request_URI "'" bad_bot=1
SetEnvIf Request_URI '"' bad_bot=1
SetEnvIf Request_URI "`" bad_bot=1
SetEnvIf Request_URI "%22" bad_bot=1
SetEnvIf Request_URI "%27" bad_bot=1
SetEnvIf Request_URI "%60" bad_bot=1

# ...and deny tagged requests. Note: <Limit> only covers the listed methods, and
# Order/Allow/Deny is Apache 2.2 syntax (mod_access_compat on 2.4).
<Limit HEAD GET POST>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>

# END Stop Bots
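For the file-cleaning steps above, here is an added example (not the post's own tooling, and not a script the author used): a small Python scanner that spots an injected block at the top of a PHP file and strips it, and that compares a live tree against a clean copy by content rather than just by size. The eval-over-encoded-payload signature and the sample header.php are constructed assumptions about what the post calls "encrypted text".

```python
import re
from pathlib import Path

# Assumed shape of the injected block: a PHP tag wrapping eval() over an encoded
# payload. This is an assumption about what the post calls "encrypted text";
# review every hit by hand before deleting anything.
INJECT_RE = re.compile(
    r"<\?php\s*(?:/\*.*?\*/\s*)?eval\s*\(\s*"
    r"(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(.*?\)\s*\)\s*;\s*\?>",
    re.DOTALL,
)

def find_injection(source: str):
    """Return (start, end) of the first injected eval block, or None."""
    m = INJECT_RE.search(source)
    return (m.start(), m.end()) if m else None

def strip_injection(source: str) -> str:
    """Remove the injected block and the line break that followed it."""
    span = find_injection(source)
    if span is None:
        return source
    start, end = span
    return source[:start] + source[end:].lstrip("\r\n")

def changed_files(clean: dict, live: dict) -> list:
    """Stronger form of 'replace any of a different size': every path whose
    bytes differ from the clean copy, plus paths that only exist on the live site."""
    return sorted(path for path, data in live.items()
                  if path not in clean or data != clean[path])

def load_php_tree(root: str) -> dict:
    """Map relative path -> bytes for every .php file below root (for real trees)."""
    base = Path(root)
    return {str(f.relative_to(base)): f.read_bytes() for f in base.rglob("*.php")}

# Constructed sample: a theme header.php with an injected block prepended.
INFECTED_HEADER = (
    '<?php /**/ eval(base64_decode("ZWNobyAiaGkiOw==")); ?>\n'
    '<?php\n/**\n * The Header for our theme.\n */\n?><!DOCTYPE html>\n'
)
CLEAN_HEADER = INFECTED_HEADER.split("\n", 1)[1]

if __name__ == "__main__":
    print("injected" if find_injection(INFECTED_HEADER) else "clean")
    print(strip_injection(INFECTED_HEADER) == CLEAN_HEADER)
    print(changed_files({"header.php": CLEAN_HEADER.encode()},
                        {"header.php": INFECTED_HEADER.encode(), "wp-config.php": b"<?php\n"}))
```

On a real site, run `changed_files(load_php_tree(clean_dir), load_php_tree(live_dir))` and inspect each reported file with `find_injection` before overwriting it.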

If your blog has been affected by this and you have no clue how to fix it, feel free to contact me and I’ll help walk you through it.


Steve March 28, 2010 at 6:35 am

This is not related in any way to TinyMCE (TinyMCE is just JavaScript); your blog was hacked some other way.

Nick Armstrong June 2, 2010 at 11:06 pm

Steve,

I’m not entirely sold on that. Both the Wiki software AND WordPress (and for that matter, my other PHP installations) that utilize TinyMCE were hacked. My other PHP installations that did not utilize TinyMCE were not hacked. Keep in mind, these were all GoDaddy hosted and BlueHost hosted (mixed bag on both servers).

There’s a bit of confusion as to how exactly it happens, but the security logs DO show sniffing for TinyMCE and then an execution of some sort.

-Nick
