The MU forums have moved to WordPress.org

POSSIBLE SQL INJECTION VULNERABILITY WPMU2.7 CONFIG (20 posts)

  1. rcain
    Member
    Posted 15 years ago #

    I don't wish to raise alarm unnecessarily but I believe I've just had my WPMU 2.7 development site hacked.

    Symptoms:
    ---------

    first noticed a new registered user, giving their details as:

    'laura' - bloggman@telerymd.org

    registered as a 'subscriber' to my development site.

    this is odd since it is 'no-show' to search engines (i.e. harder, though not impossible, for people to find the site).

    then i noticed that several existing posts had had the author changed from 'admin' to 'laura' - for all revision dates.

    to my knowledge, this shouldn't be possible.

    possible causes:
    ----------------

    seems most likely to be an SQL injection attack either via core WP functions, or more likely one of the many plugins I have installed.

    I am performing further analysis and will post any results here.

    VERY interested to hear of anyone experiencing similar hacking attempts.

    details of my config are:
    -------------------------

    base wp version: WPMU 2.7

    plugins installed and active (also incorporating minor wpmu compatibility mods of my own):

    BDP RSS Aggregator 0.6.3: New and Improved RSS Aggregator - collate RSS feeds and summarise to a page - updates regularly without the need for cron. By Bryan Palmer (bryan@ozpolitics.info).

    BDP RSS Aggregator Widgets 0.0.1: Generate sidebar widgets for the RSS Aggregator. By Bryan Palmer (bryan@ozpolitics.info).

    Bluetrait Event Viewer 1.8.3: BTEV monitors events that occur in your WordPress install. By Michael Dale.

    Category Icons 2.0.7: Assign icons to your categories easily. Thanks to the following contributors: Kristian Bollnow, Hugo Chen, Kalin Dimitrov, Dimox, Gianni Diurno, Samuel Kroslak, Jean-Christophe Marie, Andrew Senyshyn, Henrik Schack, Vincent Sparreboom, TechnopodMan, TenderFeel, Oliver Weichhold. By Brahim Machkouri.

    CurrentlyWatching 1.0: This plugin shows the currently watching posts by other visitors. This will help the visitor to visit your inner pages in a shuffled manner. The plugin is built with ajax support to pick currently watching posts. By Sajith.

    Dean's FCKEditor For Wordpress 2.5.0: Replaces the default Wordpress editor with FCKeditor. By Dean Lee.

    Landing sites 1.4.1: When visitors are referred to your site from a search engine, the plugin shows them related posts to their search on your blog. By The undersigned.

    Max Banner Ads 1.3.6: Easily rotate banners and ads almost anywhere in your wordpress blog without editing the theme. By MaxBlogPress.

    Multi Column Category List 1.3: Displays a customizable list of categories in multiple columns. By Dagon Design.

    OpenSearch 1.0: Add OpenSearch discovery and querying to your WordPress site. By Jeff Waugh.

    Optimal Plugin (formerly, OPML Renderer) 0.4c (beta): Renders valid OPML from any source as an expandable/collapsible list. Usage in code: OPMLRender('url','updatetime','css class','depth','flags'); Usage in pages / posts: !OPMLRender : url,updatetime,css class,depth,flags where 'updatetime' is the number of seconds to cache a file before requesting an update, 'css class' indicates the CSS class to be applied to the <div> that wraps the rendered outline, 'depth' indicates how many levels to initially expand the outline (excluding inclusions), and 'flags' is the sum of the display flags you wish to set TRUE (currently, '1' = 'Print a header with links to Expand/Collapse all nodes' and '2' = 'Print a footer with a link to the source OPML file'). By Dan MacTough.

    Pageear 1.0: Free flash pagepeel version built on pageear version 1.2a, please read license agreement / Lizenzvereinbarung. By Christian Harz.

    printme 1.0.1: Printme is an easy to use and simple plugin. Enables showing posts in a printer-styled version. By Jorge Alves.

    Role Manager 2.2.3: Role Management for WordPress 2.0.x, up to 2.6.x. By Thomas Schneider.

    Role Scoper 1.0.0-rc9.9216: CMS-like permissions for reading and editing. Content-specific restrictions and roles supplement/override WordPress roles. User groups optional. By Kevin Behrens.

    scl_rss_scroller 0.1: (SystemCore RSS Scroller Plugin) By rcain.

    Search Meter 2.5: Keeps track of what your visitors are searching for. After you have activated this plugin, you can check the Search Meter section in the Dashboard to see what your visitors are searching for on your blog. By Bennett McElwee.

    SimplePie Core 1.1.1: Does little else but load the core SimplePie API library for any extension that wants to utilize it. Go to Options > SimplePie Core for more details. By Ryan Parman and Geoffrey Sneddon.

    SimplePie Plugin for WordPress 2.2.1: A fast and easy way to add RSS and Atom feeds to your WordPress blog. Go to Settings > SimplePie for WP to adjust default settings. By Ryan Parman.

    Smart 404 0.3: Rescue your viewers from site errors! When content cannot be found, Smart 404 will use the current URL to attempt to find matching content, and redirect to it automatically. Smart 404 also supplies template tags which provide a list of suggestions, for use on a 404.php template page if matching content can't be immediately discovered. By Michael Tyson.

    User Photo 0.9.4: Allows users to associate photos with their accounts by accessing their "Your Profile" page. Uploaded images are resized to fit the dimensions specified on the options page; a thumbnail image is also generated. New template tags introduced are: userphoto_the_author_photo, userphoto_the_author_thumbnail, userphoto_comment_author_photo, and userphoto_comment_author_thumbnail. Uploaded images may be moderated by administrators. This plugin is developed at Shepherd Interactive for the benefit of the community. By Weston Ruter.

    WP-Cumulus 1.19: Flash based Tag Cloud for WordPress. By Roy Tanck.

    WP-EMail 2.40: Allows people to recommend/send your WordPress blog's post/page to a friend. By Lester 'GaMerZ' Chan.

    WP-o-Matic 1.0RC4-6: Enables administrators to create posts automatically from RSS/Atom feeds. By Guillermo Rauch.

    Yet Another Related Posts Plugin 2.1.6: Returns a list of the related entries based on a unique algorithm using titles, post bodies, tags, and categories. Now with RSS feed support! By mitcho (Michael Yoshitaka Erlewine).

    ------------------

    suggest anyone using similar config/plugins be on the lookout for similar attacks.

    please post here if you suspect or discover anything similar. I will post further details once I have completed further scans and penetration testing.

  2. tdjcbe
    Member
    Posted 15 years ago #

    please post here if you suspect or discover anything similar.

    No, please don't, as you've just told everyone how our sites can be hacked. Please follow procedure:

    http://wordpress.org/about/contact/

    Please see the bit about security.

    And please turn off the CAPS LOCK.

    Adding modlook so that this can be removed.

    edit: Thank you though for taking the time to research this and look into what happened to your site. That's a plus.

  3. overclockwork
    Member
    Posted 15 years ago #

    thanks for the info, great catch, keep the info posted, HQ is sleeping in.

    @tdjcbe: so that's how YOU solve problems - silencing those that report them, criticizing the way they report them. What kind of an irritating troll are you, ridiculing them by giving them a plus? Bugger off.

    http://lesterchan.net/portfolio/programming/php/#wp-ban
    post laura's IP so I can add it to my blacklist.

  4. overclockwork
    Member
    Posted 15 years ago #

    I installed the WPMU 2.7 I had just downloaded on a local server and then took some time off to download and install every single plugin in your list. I am checking all the scripts in the plugins.
    List every theme you have installed, as themes often have backdoors implemented.

  5. rcain
    Member
    Posted 15 years ago #

    hi overclockwork

    thanks for the support.

    I'll pop over and give you the IP. Should have some more details of scanning by tomorrow.

    @tdjcbe: perhaps you would prefer not to know, then you can be the ONLY one to have their site hacked. Presumably by the same reasoning, or lack of it, you would prefer not to know if there is a bomb in your house. Good luck with that. CAPS were there for a reason - to draw your attention to it - because it's IMPORTANT. I have said nothing about 'how' they did it, just a possibility that is well known, and in this case at least someone out there right now has been successful. You have been warned.

  6. rcain
    Member
    Posted 15 years ago #

    ps. the theme I have installed is a modded Cutline 3-Column Split 1.1 by Chris Pearson - pretty safe in itself I would have thought; I've used it many times before.

  7. donncha
    Key Master
    Posted 15 years ago #

    rcain, overclockwork - tdjcbe is correct. The first thing you should have done is contact security at wordpress.org. He's not trolling.

    Unfortunately the report is vague enough that it's impossible to tell where the hacker got in. Was it through one of those plugins, a vulnerability in 2.7 or was it through an earlier version of MU? (I presume it's not the latter as rcain says it's a dev server.)

    Regardless, thanks for reporting it rcain.

  8. rcain
    Member
    Posted 15 years ago #

    hi doncha
    thanks for the reply. I shall know in future. Perhaps a notice at the head of the security section of the forum would make this clearer.

    my report is as 'unvague' as I can make it at this stage I'm afraid - I clearly state it is WPMU 2.7 (not earlier).

    I thought it better to give a public warning than none at all, since this is current hacking activity, which tends to spread amongst the blackhat community once successful.

    @overclockwork - couldn't find where to post the offending IP on your site I'm afraid. For the record it was 79.138.222.27

    I now have relevant weblog entries and Doncha's exploit scanner output - they do seem to cast some further light on what happened. I will mail them to security@wordpress.org as you suggest.

    in the meantime I have blocked all entry to my dev site save for my own IP, though I can see already the hacker has made several further attempts.

    please be assured it was not my intention to spread alarm, merely awareness and caution.

    thanks again for the feedback.

  9. VentureMaker
    Member
    Posted 15 years ago #

    I would say that it was one of your plugins that created some vulnerability, not WPMU core.

    I noticed you have Role Manager and Role Scoper. Did you play with these?

  10. rcain
    Member
    Posted 15 years ago #

    hi venturemaker
    yep, good call, I agree these are likely candidates, and yes, I have modded them to work with WPMU - successfully, so I thought.

    my top suspects currently are:
    role-manager/scoper with/breaking:
    - optimal opml plugin - since it's beta and uses iframe
    - wpmu xmlrpc.php since I understand it's suffered from (similar) XSS exploits historically.

    I'm disabling these two plugins just in case.
    there's also a WP xmlrpc XSS header exploit test published (milw0rm I think) that I can carry out.

    I'll post any results either way here.

  11. rcain
    Member
    Posted 15 years ago #

    errata: above: should have added '...after consultation with forum (security) mods...' - of course. ;)

  12. donncha
    Key Master
    Posted 15 years ago #

    rcain - have you emailed security @ wordpress.org yet? I haven't seen an email yet and I'm wondering if I should start digging into Gmail's spam folder for it.

  13. VentureMaker
    Member
    Posted 15 years ago #

    Did you check your server logs? Is there anything suspicious?

  14. rcain
    Member
    Posted 15 years ago #

    doncha - email def went out to that address this end, no bounce. Had txt file attachments - maybe caught by your filters. Will email you a test/resend now. (thanks for being there :))

    venturemaker - logs show the access and the registration, some possibly suspicious GETs of non-existent files, though some are expected since my site is mid-development. Quite possible my plugins have broken/bypassed something that was fixed already in core - I have some suspicions.

    see what doncha thinks before I start guessing too wildly.

  15. easysleeper
    Member
    Posted 15 years ago #

    rcain, if you don't mind I would love to also get that email. I have a modded WPMU install and if this is something in the core I will need to research and fix it. I just recently got a new user from the telerymd.org domain; I banned that domain, but if this spreads I will be spending hours putting out fires. I'd rather just remove the fuel.

    you can send that email to me at support@keepconnectedlive.com if you don't mind.

    Thank you very much, and thanks for bringing this issue up.

  16. VentureMaker
    Member
    Posted 15 years ago #

    Yup, would be good to know what is going on with all this...
    rcain, care to share the second part of the story? :)

  17. donncha
    Key Master
    Posted 15 years ago #

    easysleeper, VentureMaker: I looked at his logs (not much there, his site is very quiet) and found nothing that rang alarm bells.

    Hardly any POST requests besides from his own IP, and the one POST to wp-signup.php not from that IP is only followed by a dozen or so GET requests that look perfectly normal to me.

    There are plenty of bots attacking his server, but they're nothing to worry about.

    I am very confident that if an attacker got into his site, it wasn't through WordPress MU. It may be as simple as a malfunctioning plugin from the list above. Unfortunately I don't have time to audit each one.

    (Sorry for not responding earlier!)

  18. VentureMaker
    Member
    Posted 15 years ago #

    Thanks :)

  19. rcain
    Member
    Posted 15 years ago #

    hi chaps

    apologies for the delay in my response - v.busy.

    very much as Doncha has already said above - thanks for that Doncha :)

    Having looked at all the log evidence and trawled through my codex I am pretty sure I've spotted the culprit, on this occasion:

    as Doncha has said, it doesn't appear to be anything to do with either
    a) wp/wpmu core, or
    b) any of the major plugins and templates I listed above.

    (though some of my plugins are still on the 'remote' suspect list, until I hammer them some more.)

    so we can all breathe a small (qualified) sigh of relief. :)

    the actual ingress vector I am pretty sure came in the form of a small news scroller script I integrated without due care and attention.

    the script in question takes ASCII parameters from browser JavaScript and sends them to a PHP/ajax app where they got used UNSANITIZED in subsequent PHP string ops and echoed back. Classic XSS no-no!

    importantly, this has raised the issue of 'secure/sanitized data-streams in WP apps' and 'how to implement them properly'.

    this is a critical topic for ALL plugin and theme writers.

    Doncha has suggested this link to the WP core APIs responsible for this area - they must be duly observed -

    http://codex.wordpress.org/Data_Validation

    I am reassured that a basic WP install does a good job of security filtering, and that most 'established' plugins and themes are compliant with the policy/APIs.

    however, this should be a warning to plugin writers and theme makers everywhere that it is ALL TOO EASY to circumvent/jeopardize all this good filtering technology.

    this site (below) I have found excellent for technical advice/recommendations on what to cover against and how -

    http://ha.ckers.org/xss.html

    ...which links to this, which also looks worthy -

    http://www.owasp.org/index.php/Main_Page

    standard PHP libraries also exist to assist, e.g. http://uk.php.net/strip-tags and others.

    I am assured nothing exists in the above-mentioned set of techniques that isn't already implemented one way or another by core WP APIs.

    however, this stresses how we must be forever diligent in proper usage, testing, inspection and ongoing vigilance. Let my experience be a warning to others.

    thanks for supporting the thread everyone. Hope your code all checks out OK also.

    sleep soundly :)

    rob.
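An added example, not code from this thread or from the scl_rss_scroller plugin: the unsanitized echo-back rob describes, beside a hardened version that validates the parameter and encodes it for the HTML context it lands in. Function names and the sample input are constructed for illustration.

```php
<?php
// Added example modelled on the news-scroller failure described in the thread:
// a request parameter is concatenated into markup and echoed back with no
// validation or output encoding. Hypothetical names; not the plugin's own code.

// Vulnerable form: whatever arrived in the request goes straight into the HTML,
// so any markup or script in the parameter is rendered by the visitor's browser.
function scroller_vulnerable(array $request): string
{
    $headline = $request['headline'] ?? '';
    return '<div class="scroller">' . $headline . '</div>';
}

// Hardened form: validate the value against what the feature actually needs
// (one short line of plain text), then encode it for an HTML text node.
function scroller_hardened(array $request): string
{
    $headline = $request['headline'] ?? '';
    if (!is_string($headline)) {
        return '<div class="scroller"></div>';
    }
    // Input validation: remove markup (the strip_tags() the thread links to),
    // drop control characters, trim and bound the length. strip_tags() alone
    // is not a defence; it only narrows the input to the expected shape.
    $headline = strip_tags($headline);
    $headline = preg_replace('/[\x00-\x1F\x7F]/', '', $headline);
    $headline = substr(trim($headline), 0, 200);
    // Output encoding is the essential step. Inside a plugin, WordPress' own
    // esc_html() (wp_specialchars() in older releases) does the same job.
    $safe = htmlspecialchars($headline, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // A real WordPress AJAX handler would also verify a nonce with
    // check_ajax_referer() before acting on the request at all.
    return '<div class="scroller">' . $safe . '</div>';
}

// Constructed sample input standing in for what the browser-side script sent.
$sample = ['headline' => 'Breaking: 2.7 released <script>alert(1)</script>'];
echo "vulnerable: ", scroller_vulnerable($sample), PHP_EOL;
echo "hardened:   ", scroller_hardened($sample), PHP_EOL;
```

Run it with the PHP CLI: the vulnerable line reproduces the script tag verbatim, while the hardened line carries only encoded text.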

  20. andrea_r
    Moderator
    Posted 15 years ago #

    Thanks for coming back with a detailed report. :)
