
Wordpress Exploit - Blogroll Hacking With Spam Links

Posted in Wordpress, Do No Evil by Dave on November 15th, 2007

One of my hosting clients contacted me today about an issue he was having: his Wordpress install (version 2.1.2) had been hacked and over 50 spam links had been added to his blogroll. The links pointed to a page on the Texas A&M University website:

http://csworkshops.tamu.edu/Templates/_notes/cache/accutane/index.html

That page is a redirect to a prescription-drug-peddling site:

http://trustedtablets.com

which is apparently a UK-owned domain:

Administrative Contact:
 RX Partners
 Eagloff, Jessica jessicaeagloff@yahoo.co.uk
 145-157 St John Street
 2nd Floor
 London, GB EC1V 4PY
 GB
 +44-131-516-7104x112
 Fax:+44-131-516-7104

The domain resolves to an IP address (77.91.230.8) which, suspiciously, is hosted in Russia:

person:         Dmitry Lazarev
inetnum:        77.91.230.0 - 77.91.230.63
address:        WEBALTA / Internet Search Company
address:        Andropova pr. 22
address:        Moscow, Russia
address:        115533
phone:          +7 495 234 0000
e-mail:         dlazarev@webalta.ru
nic-hdl:        DL2474-RIPE
mnt-by:         RU-WEBALTA-MNT
source:         RIPE # Filtered

I checked my hosting client's logfiles for entries matching “GET /wp-admin/link-add.php”, which is what gets logged whenever a Wordpress admin opens the page to add a new link. In a normal transaction that is followed by an entry for “POST /wp-admin/link.php” (the submission of the new-link form), and the end result is an entry for “GET /wp-admin/link-add.php?added=true”. What I found instead was about 50 calls to “POST /wp-admin/link.php” without the surrounding requests that a normal transaction through the Wordpress dashboard produces. Obviously somebody had discovered a bug in the Wordpress software and was using automated HTTP POSTs to exploit “link.php”.
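The log check described above, written out as an added example (not code from the original post): it parses access-log lines in the common Apache "combined" format and flags every POST to /wp-admin/link.php that was not preceded, from the same client IP and within a short window, by a GET of the link-add.php form. The sample log lines, the IP addresses and the five-minute window are constructed for this example; a real dashboard session can also be spotted by the trailing "?added=true" GET, which the orphan POSTs lack.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one legitimate add-link transaction, then three orphan POSTs
# from a second client that never loaded the form and never saw "?added=true".
SAMPLE_LOG = """\
203.0.113.10 - - [15/Nov/2007:10:01:02 +0000] "GET /wp-admin/link-add.php HTTP/1.1" 200 4321
203.0.113.10 - - [15/Nov/2007:10:01:40 +0000] "POST /wp-admin/link.php HTTP/1.1" 302 0
203.0.113.10 - - [15/Nov/2007:10:01:41 +0000] "GET /wp-admin/link-add.php?added=true HTTP/1.1" 200 4400
198.51.100.7 - - [15/Nov/2007:23:14:05 +0000] "POST /wp-admin/link.php HTTP/1.1" 302 0
198.51.100.7 - - [15/Nov/2007:23:14:06 +0000] "POST /wp-admin/link.php HTTP/1.1" 302 0
198.51.100.7 - - [15/Nov/2007:23:14:07 +0000] "POST /wp-admin/link.php HTTP/1.1" 302 0
"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Script name without the query string, so "?added=true" still matches the script.
    rec["script"] = rec["path"].split("?", 1)[0]
    return rec


def find_orphan_link_posts(log_text, window_seconds=300):
    """Return POST /wp-admin/link.php records that were not preceded, within
    window_seconds, by a GET of the link-add.php form from the same client IP."""
    last_form_get = {}   # ip -> timestamp of the most recent form load
    suspicious = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "GET"
                and rec["script"] == "/wp-admin/link-add.php"
                and "added=true" not in rec["path"]):
            last_form_get[rec["ip"]] = rec["ts"]
        elif rec["method"] == "POST" and rec["script"] == "/wp-admin/link.php":
            seen = last_form_get.get(rec["ip"])
            if seen is None or (rec["ts"] - seen).total_seconds() > window_seconds:
                suspicious.append(rec)
    return suspicious


def summarize(suspicious):
    """Count orphan POSTs per client IP, which is what you would block or report."""
    counts = defaultdict(int)
    for rec in suspicious:
        counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_orphan_link_posts(SAMPLE_LOG)
    for ip, n in summarize(hits).items():
        print(f"{ip}: {n} POST /wp-admin/link.php without a preceding form load")
```

Run it against a real access log by reading the file into `find_orphan_link_posts`; a legitimate admin adding several links in a row keeps refreshing the form, so the per-IP "last form load" timestamp stays fresh and those POSTs are not flagged.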

To exploit this bug in Wordpress, a hacker must have registered as a user on the blog in question. I’ll go no further into how the exploit is carried out, in case any potential losers reading this article would like to know how to do it. Anyway, here’s what you can do to prevent this type of attack on your Wordpress blog.

First, disable user registration on your blog by unchecking “Anyone can register” under “Options” in your Wordpress dashboard. If you need other users on your blog, you can add them manually in the user management section of your dashboard.

Second, follow this link, Changeset 6256 - WordPress Trac, and apply the changes to your “/wp-admin/link.php” file.

If you have any problems figuring out how to apply the changes, feel free to contact me via the contact form and I’ll gladly assist anybody (any small donations or backlinks would be appreciated). Additionally, if anybody reading this is looking for a proactive, reliable place to host a Wordpress blog for $5 per month, again, contact me via the contact form. I only host Wordpress blogs and SMF forums, but whenever there is a patch or fix (or when I create a new hack or find a great new plugin), everybody hosting with me gets the updates.

Hopefully this helps prevent anybody from being hacked.







4 Responses to 'Wordpress Exploit - Blogroll Hacking With Spam Links'


  1. […] you’re using WordPress you should disable open registration, or make modification before hackers fill up your […]

  2. Marcus on November 17th, 2007

    This was happening to my one blog and I sent Dave a message to help me and he fixed my site in 10 minutes. He is a great guy :-)

    Thanks,
    Marcus Washington

  3. Just about any site can be hacked, and especially if you are using a free script such as wordpress that hackers can tear down to see how to get past the built-in securities. As one hack is stopped... another is created. It's too bad that some people think that they are somehow cool if they tamper with other people's property.

  4. willy on August 9th, 2008

    I have the same problem. I found your post at Google. Thanks for sharing!
