Stories
Slash Boxes
Comments
typodupeerror delete not in
  • Preferences

Comments: 103 +-   Wordpress.org Warns of Active Worm Hacking Blogs on Saturday September 05, @05:53PM

Posted by timothy on Saturday September 05, @05:53PM
from the in-this-case-the-worms-are-actually-human-beings dept.
security
worms
Erik writes "Wordpress, the popular open-source Content Management System (CMS) for many thousands of bloggers worldwide, is under attack from a 'clever' worm that automatically compromises unpatched versions of the Wordpress system. The particularly nasty bug crawls the web for vulnerable Wordpress installations, installing malware, deleting content, and generally wreaking havoc wherever it can. Today, Wordpress founder Matt Mullenweg eloquently implored Wordpress bloggers to update more frequently. Originally, updating the Wordpress system was a rather laborious process; however, newer versions offer fast and simple one-click upgrades. The two most recent versions of Wordpress (2.8.3 and 2.8.4) cannot be attacked by the worm discovered this week, and blogs hosted at Wordpress.com are also apparently immune."
story

Related Stories

: by
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Wordpress.org Warns of Active Worm Hacking Blogs 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • "Clever?" (Score:5, Insightful)

    by Solra Bizna (716281) on Saturday September 05, @06:04PM (#29327185) Homepage Journal

    There have been widespread worms that did this sort of thing before (phpBB comes to mind). Does this one do anything novel that makes it deserve the adjective "clever?"

    -:sigma.SB

  • Hey Wordpress... (Score:5, Insightful)

    by pathological liar (659969) on Saturday September 05, @06:07PM (#29327203)

    Maybe you should stop putting the Wordpress version in meta tags on the page? Or at least make it opt(-in)ional?

    • Re: (Score:3, Informative)

      by zn0k (1082797)

      As outlined in TFA (yes, I know, I know) that's snake oil. You can run response tests to determine a version.

      • Re:Hey Wordpress... (Score:5, Insightful)

        by StarHeart (27290) * on Saturday September 05, @06:32PM (#29327343)

        I wouldn't say it is snake oil. Putting versions in a page allows you to Google for it. Which makes the attack a lot easier. It also allows the attacker to do reconnaissance a lot less detectably a hold of time, and then spring it on everyone at once.

        • It also allows the attacker to do reconnaissance a lot less detectably a hold of time

          You're at +3 Insightful so I guess this means something, but perhaps not in English . . .

      • I suppose you also think salted passwords are snake oil? Sure, they're not going to stop someone who's brute forcing on-the-fly, but it does make life more complicated for people using rainbow tables.

        I only mention salted passwords because Wordpress uses them [openwall.com] (see wp-includes/class-phpass.php).

          • Salted passwords have nothing to do with what essentially is the same thing as obfuscating banners on web or mail servers. Salted passwords significantly improve security.

            Do you even know what a salted password is? Instead of brute forcing hash(password) you brute force hash(salt + password). Since the salt is always going to be known, brute forcing hash(salt + password) takes no more time then brute forcing hash(password). All it protects against are run-of-the-mill rainbow table attacks

            Obfuscating b

            • who said the salt has to be only appended or prepended? I've built systems where the salt was mixed into the password much like a deck of cards is shuffled. Good luck figuring that out ;-) The pattern of 'shuffle' was constant, so technically just an obfuscation, but a pretty effective one against brute force attacks.

              Besides, the point of a salt isn't to make something unknowable, it's to make it hard to brute-force. I don't know that the statement "the salt will always be known" is a valid one. The
              • I don't know that the statement "the salt will always be known" is a valid one. The fact that it's different for each password is what makes it secure.

                The statements "the salt will always be known" and "it's different for each password" aren't mutually exclusive. You can have a unique salt for each user / password and still always know the salt for each of those users.

                Also, in the case of Wordpress, I imagine the only password an attacker would be interested in would be that of an admin. Presumably you w

      • Re: (Score:2, Interesting)

        by Anonymous Coward
        The idea isn't to hide the fact that you're using Wordpress - it's to hide the fact that you may very well be running an exploitable version of Wordpress.
          • Congrats if it gives you enough extra time to do an update, though yeah, it should have been done immediately. Of course, immediate backups don't always happen even if you are conscientious, e.g. you're on vacation, a worm comes out, a quick fix comes out, but your laying in the sand in some wifi-less slashdot-less world.

  • the problem with one-click upgrades (Score:4, Insightful)

    by Anonymous Coward on Saturday September 05, @06:26PM (#29327317)

    ...newer versions offer fast and simple one-click upgrades

    If wordpress.org is hacked, again [wordpress.org], their one-click upgrade feature means instant ownage for all Wordpress blogs everywhere.

    • Slightly better one-click system:
      - Open your favourite shell (click, sometimes)
      - wget the patch file
      - read through the patch file if you think it may be an ownage patch
      - apply patch file
      - ???
      - Profit. Too bad for all those that have to manually apply the patch for lack of patch (or something similar)

    • Re:the problem with one-click upgrades (Score:4, Insightful)

      by jesser (77961) on Saturday September 05, @06:59PM (#29327517) Homepage Journal

      That problem isn't specific to 1-click updates. It exists equally with 0-click updates (like Firefox's minor updates) and 50-click updates (like WordPress used to have).

      You can improve the security of updates by using multiple layers of software protection (e.g. https AND code-signing). You can't improve security by increasing human involvement in the update process and then blaming users who update while the site is hacked. Increasing human involvement just makes it slower and limits the kinds of software protection you can use.

    • Re: (Score:2)

      by jo42 (227475)

      The problem with "simple one-click upgrades" is that the web server, usually Apache, requires full read/write privileges to the directories and files that Wordpress lives in. Talk about a massive gaping security hole.

      • Good luck with all the security holes you're inevitably going to reinvent along the way.
          • If you're taking that approach, you'll probably be okay :). I would argue that such a system, coupled with a basic interface for submitting comments, would definitely qualify as a CMS (with the most commonly used type of CMS being blogging systems), and should be viewed as a blogging platform.

            Most people go the opposite direction and insist on rendering everything dynamically. I like the approach you're considering much better; in fact, it's exactly the approach I took when I wrote the CMS that drives th
  • From TFA: "This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts."

    So let me get this straight. If I have a blog that doesn't allow other people to
    • It registers a user? I wonder if this why my Wordpress blog, which generally is not of interest to anyone, suddenly has had several requests for new user registrations.

  • maybe if they used their release notification list (Score:1, Insightful)

    by Anonymous Coward

    http://wordpress.org/download/ [wordpress.org]

    When you download Wordpress, you're asked for your email address for release notifications. Shame they don't actually use it:

    http://wordpress.org/support/topic/230558 [wordpress.org]

    What's the point of offering it if they don't use it? Also, their blog has such a terrible noise-to-quality ratio that it's absolutely useless in this regard. All I care about is whether a new version is available or not - I couldn't care less about what new "awesome" features they've added or are trying to

    • Re: (Score:3, Informative)

      by Zancarius (414244)

      What's the point of offering it if they don't use it? Also, their blog has such a terrible noise-to-quality ratio that it's absolutely useless in this regard. All I care about is whether a new version is available or not - I couldn't care less about what new "awesome" features they've added or are trying to add - I just want to update my blog when new versions are released and leave it at that.

      The admin dashboard alerts you whenever a new version is available. You don't even need to register with/check thei

      • Yes, but that assumes you regularly visit your admin panel.

        • Whenever you login as an admin to post, or do something else, that is your default landing spot.

          If you choose not to do anything, because some precious widget might break, or you have a hair appointment in 20 minutes, and continue doing so through numerous point releases, you get what you paid for eh?

          Or as Duncan Chalk said:
                    "Pain is instructive"

            • The OP wasn't talking about people who log into the admin panel and don't upgrade even though they're told they need to - he was talking about people who don't "regularly visit [their] admin panel" in the first people. At that point, punctuality isn't the problem - keeping informed is.

              I understand that contributors/authors who haven't any access to the administrative features won't be able to see the version (but that also assumes they wouldn't be in a position to upgrade either). But really, what's the poi

              • You (and only you) access your Wordpress blog twice a month to make a semi-monthly post.
                You see the admin panel when you log in.
                The admin panel shows you when an update is available.
                Therefore, you may be up to a half a month behind on update notifications delivered through the admin panel.

                A half a month doesn't sound like a big deal but look at the most recent releases:

                • 2.8.1 - July 9, 2009
                • 2.8.2 - July 20, 2009
                • 2.8.3 - August 3, 2009
                • 2.8.4 - August 12, 2009

                They really need an e-mail distribution list for

              • But really, what's the point of using WordPress if you're not going to use the admin panel? It shows a wonderful overview of comments, spam, drafts, and so forth. I would assume that the idea of never visiting the dashboard enough to notice new versions might be applicable to those use cases of individuals who make a post once every 2 months.

                But to be honest I think that's a reasonable use case. It's the kind of use I make of Wordpress. I view my site as more of a homepage than a blog - I use Pages much more than Posts and make changes only rarely. As a result it'll often be several weeks between my visits to the admin page.

                It's a shame; for people like me the notification mailing list would be perfect but for some reason the Wordpress folks don't make use of it. It's odd that they still encourage people to join it as it can give you a false se

  • aghhhh!!! (Score:4, Funny)

    by stokessd (89903) on Saturday September 05, @06:44PM (#29327433) Homepage

    Now even my own blog says that I need to enlarge my Penis!

    • Re: (Score:1, Funny)

      by Anonymous Coward

      A clever worm, regardless the interpretation.

    • Re: (Score:2, Informative)

      by reboot246 (623534)
      And isn't it about time you took the hint? :)
        • Nah, it was never meant to be informative. How would I know his size?
          It was meant to be humorous, but apparently not. :)
  • Scobilizer has been tweeting about the same problem this afternoon.

    • Re: (Score:1)

      by maxume (22995)

      Hey, he can't spend all day on the toilet.

    • Scoble's blog was hosted by Wordpress.com for about four years. During that time he wasn't hacked once. When Scoble was hired to pimp Rackspace, his blog moved to a box at Rackspace, and evidently no-one at Rackspace keeps up with security patches. Not a good look for a hosting company.

  • Why people don't update (Score:2, Insightful)

    by Anonymous Coward

    The reason most siteowners are slow or never update is because it's a huge pain in the butt.

    This applies to almost all CMS's, forums, and similar software.

    While a one-click solution sounds nice, the real problem is that almost any large board has a number of plug-ins and modifications to get it where it needs to be.

    Once those mods/plugins are installed, the one-click updates no longer work.

    SEO URL's?
    Custom themes?
    Anti-bot measures?

    All of these things can completely render an "easy update" useless.

    The people

    • Re: (Score:2, Interesting)

      by Anonymous Coward
      The WordPress "one click update" is annoying, too. Instead of fetching the package it needs from a URL, unpacking it in a temporary directory, and copying the files it needs locally, it requires an FTP login and password.

      • Re: (Score:2)

        by zonky (1153039)
        No, that is a very good idea, because apache shouldn't have write permissions to your core wordpress files- using a seperate ftp account login means you're elevating to overwrite files a good idea indeed.

        • Re: (Score:2)

          by ukyoCE (106879)

          Yep, this. I tried to do the upgrade and was a little surprised when it asked for FTP login information. I had never even tried the "automatic upgrade" because I knew making my entire wordpress install modifiable by apache was a blatantly bad idea.

          The use of the FTP account to do it makes a good deal of sense, and is about the best they can do.

          Honestly the manual upgrade is so easy as to be laughable anyway, but for the frequency of WP updates, anything that makes it easier is still a good thing.

    • Re:Why people don't update (Score:5, Informative)

      by phoebe (196531) on Saturday September 05, @09:33PM (#29328391)

      There is also a interesting point regarding software repository support. I have a server running Ubuntu 8.04 LTS Server which is supposed to be supported till April 2011, however Wordpress is in the Universe repository and not updated since November 2008 and is vulnerable to a few attacks that delete content.

      If these packages are not going to be updated should there not be at least a warning, or method to bar such packages from being installed after security issues have been raised?

      Wordpress 2.3.3 [ubuntu.com] in 8.04 LTS Universe repository.

      • Packages are aren't actively maintained for security fixes should be removed from the repositories.

        • Re:Why people don't update (Score:5, Informative)

          by choongiri (840652) on Saturday September 05, @10:30PM (#29328685) Homepage Journal

          *sigh* I don't think you understand how package management and security fixes in debian / ubuntu works. New releases of software almost invariably introduce new features, as well as bug fixes. For that reason, important fixes for security issues are backported, and the version number stays the same. (Introducing new features to a LTS / stable release wouldn't be acceptible.)

          Now, what you said is technically true - if it's not being actively maintained for security fixes it *should* be removed - but the fact that Ubuntu's universe package of wordpress is still at 2.3.3 doesn't in and of itself mean that it hasn't been patched with the latest security fixes.

          • I've verified that the OP's assessment of the situation is valid with respect to WordPress (a fresh install from the repos exposes unpatched vulnerabilities long after patches are released to correct the situation).

            I understand the Debian/Ubuntu package management and security release system quite well; I happen to work or a certain "Large Virtual Server Company" and I've been using Debian almost exclusively on my systems for almost ten years.
              • Yeah, I thought about that right after I whacked "submit" :). I do try to abstain from bringing the company into general discussions like this, but in this case I think the reference was merited.

      • Re: (Score:2)

        by xdroop (4039)

        Why don't people upgrade? Well in my case, I didn't upgrade because I knew that upgrading would immediately kill both the aftermarket theme and several of the aftermarket plugins that I was using, some of which had a huge amount of non-trivial data stored in them. All the plug-ins and theme bits came from WordPress-blessed sites, which made the time-bomb nature of their unsupportedness even more frustrating. After fighting through several minor updates and then looking at a major one, I just gave up, exp

  • I personally use www.SimpleScripts.com for this exact reason. I use a ton of open source software for my websites and it is hard to keep track of all the updates made to them. SimpleScripts emails me every time an update comes out and it provides me a one click upgrade to the latest version for Wordpress, phpBB and Drupal which are the 3 systems I use the most.

    • Yeah, but you actually CARE. Anyone who runs a Wordpress blog is greeted, in mile-high-flaming letters, with "YOUR WORDPRESS VERSION IS OUT OF DATE, CLICK HERE TO UPDATE" whenever he logs in to the CMS when it's running a version other than current. The hole being exploited by this worm was fixed about six months ago.

      In other words, the people who are getting hit by this worm have been ignoring the reminders to upgrade for at least half a year.

  • Matt Mullenweg eloquently implored Wordpress bloggers to update more frequently.

    If only Matt stopped breaking backwards compatibility, I would be up to date constantly. In the last few years I've seen several things breaking as matty decided to rename hooks and stuff. Therefore, all important functions of my sites must be checked before actually upgrading...
Search
Executive ability is prominent in your make-up.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.