Marc J
07-09-2009, 02:05 PM
If you are using Wordpress you must make sure you upgrade it to 2.8.4 IMMEDIATELY or remove it from your site entirely. Details on how to upgrade are located here: http://codex.wordpress.org/Upgrading_WordPress
Last night a number of people on Twitter and blogs mentioned that their Wordpress sites were acting up. Specifically that permalinks were broken and showing up with weird code.
There are two clues that your WordPress site has been attacked:
1) There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER %5D))%7D%7D|.+)&%/. The keywords are "eval" and "base64_decode" (Check your permalinks in Admin > Settings > Permalinks).
2) A "back door" was created by a "hidden" Administrator. Check your site users for "Administrator (2)" or a name you do not recognize. You will probably be unable to access that account.
Wordpress has identified that there are hackers out there, hacking sites that aren't using the most-current version of Wordpress (versions below 2.8.4 as of 05/09/2009 -- there are rumours that 2.8.5 is due to be released imminently so keep an eye out for that too).
If you have not yet been hacked, UPGRADE NOW! Immediately. Stop reading this, really, and go upgrade. Again, details on how to upgrade are located here: http://codex.wordpress.org/Upgrading_WordPress
If you have been hacked, sorry, you're going to be busy! Upgrading alone will not fix a hacked site. Mashable.com's alert said: "You'll likely need to export your all your content with the built-in XML WordPress export, uninstall and reinstall WordPress and re-import the content. It's a nasty attack that goes all the way into the database, so exporting the database will result in exporting the hacked code too."
Not sure how to do that? It's not that difficult, but it is very time-consuming.
I cannot stress how important it is to get your Wordpress installation up-to-date. Remember: If your scripts are out-of-date then your site is insecure and could be hacked at any moment.
Last night a number of people on Twitter and blogs mentioned that their Wordpress sites were acting up. Specifically that permalinks were broken and showing up with weird code.
There are two clues that your WordPress site has been attacked:
1) There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER %5D))%7D%7D|.+)&%/. The keywords are "eval" and "base64_decode" (Check your permalinks in Admin > Settings > Permalinks).
2) A "back door" was created by a "hidden" Administrator. Check your site users for "Administrator (2)" or a name you do not recognize. You will probably be unable to access that account.
Wordpress has identified that there are hackers out there, hacking sites that aren't using the most-current version of Wordpress (versions below 2.8.4 as of 05/09/2009 -- there are rumours that 2.8.5 is due to be released imminently so keep an eye out for that too).
If you have not yet been hacked, UPGRADE NOW! Immediately. Stop reading this, really, and go upgrade. Again, details on how to upgrade are located here: http://codex.wordpress.org/Upgrading_WordPress
If you have been hacked, sorry, you're going to be busy! Upgrading alone will not fix a hacked site. Mashable.com's alert said: "You'll likely need to export your all your content with the built-in XML WordPress export, uninstall and reinstall WordPress and re-import the content. It's a nasty attack that goes all the way into the database, so exporting the database will result in exporting the hacked code too."
Not sure how to do that? It's not that difficult, but it is very time-consuming.
I cannot stress how important it is to get your Wordpress installation up-to-date. Remember: If your scripts are out-of-date then your site is insecure and could be hacked at any moment.