The MU forums have moved to


  1. rcain
    Posted 15 years ago #

    I dont wish to raise alarm uneccessarily but i believe i've just had my wpmu 2.7 development site hacked.


    first noticed new registed user, giving their details as:

    'laura' -

    registered as a 'subscriber' to my development site.

    this is odd since it is 'no-show' to search engines (ie. harder, though not impossible for people to find the site).

    then i noticed that several existing posts had had the author changed from 'admin' to 'laura' - for all revision dates.

    to my knowledge, this shouldnt be possible.

    possible causes:

    seems most likely to be an sql injection attack either via core wp functions, or more likely one of the many plugins a have installed.

    i am performing further analysis and will post any results here.

    VERY interested to hear of anyone experiencing similar hacking attempts.

    details of my config are:

    base wp version: WPMU 2.7

    plugins installed and active (also incorporating minor wpmu compatibility mods of my own):

    BDP RSS Aggregator 0.6.3

    New and Improved RSS Aggregator - collate RSS feeds and summarise to a page - updates regularly without the need for cron. By Bryan Palmer (
    BDP RSS Aggregator Widgets 0.0.1

    Generate sidebar widgets for the RSS Aggregator By Bryan Palmer (
    Bluetrait Event Viewer 1.8.3

    BTEV monitors events that occur in your WordPress install. By Michael Dale.
    Category Icons 2.0.7

    Assign icons to your categories easily. Thanks to the following contributors : Kristian Bollnow, Hugo Chen, Kalin Dimitrov, Dimox, Gianni Diurno, Samuel Kroslak, Jean-Christophe Marie, Andrew Senyshyn, Henrik Schack, Vincent Sparreboom, TechnopodMan, TenderFeel, Oliver Weichhold. By Brahim Machkouri.
    CurrentlyWatching 1.0

    This plugin shows the currently watching posts by other visitors. This will help the visitor to visit your inner pages as a shuffled manner. The plugin is built with ajax support to pic currently watchin posts. By Sajith.
    Dean's FCKEditor For Wordpress 2.5.0

    Replaces the default Wordpress editor with FCKeditor By Dean Lee.
    Landing sites 1.4.1

    When visitors is referred to your site from a search engine, the plugin is showing them related posts to their search on your blog. By The undersigned.
    Max Banner Ads 1.3.6

    Easily rotate banners and ads in almost anywhere in your wordpress blog without editing the theme. Adjust your settings here. By MaxBlogPress.
    Multi Column Category List 1.3

    Displays a customizable list of categories in multiple columns By Dagon Design.
    OpenSearch 1.0

    Add OpenSearch discovery and querying to your WordPress site. By Jeff Waugh.
    Optimal Plugin (formerly, OPML Renderer) 0.4c (beta)

    Renders valid OPML from any source as an expandable/collapsible list. Usage in code: OPMLRender('url','updatetime','css class','depth','flags'); Usage in pages / posts: !OPMLRender : url,updatetime,css class,depth,flags where ‘updatetime’ is the number of seconds to cache a file before requesting an update, ‘css class’ indicates the CSS class to be applied to the <div> that wraps the rendered outline, ‘depth’ indicates how many levels to initially expand the outline (excluding inclusions), and ‘flags’ is the sum of the display flags you wish to set TRUE (currently, ‘1' = ‘Print a header with links to Expand/Collapse all nodes’ and ‘2' = ‘Print a footer with a link to the source OPML file’). By Dan MacTough.
    Pageear 1.0

    Free flash pagepeel version build on pageear version 1.2a, please read license agreement / Lizenzvereinbarung By Christian Harz.
    printme 1.0.1()

    Printme is an easy to use and simple plugin. Enables to show their posts in a printer styled version. By Jorge Alves.
    Role Manager 2.2.3

    Role Management for WordPress 2.0.x, up to 2.6.x.. By Thomas Schneider.
    Role Scoper 1.0.0-rc9.9216

    CMS-like permissions for reading and editing. Content-specific restrictions and roles supplement/override WordPress roles. User groups optional. By Kevin Behrens.
    scl_rss_scroller 0.1

    (SystemCore RSS Scroller Plugin) By rcain.
    Search Meter 2.5

    Keeps track of what your visitors are searching for. After you have activated this plugin, you can check the Search Meter section in the Dashboard to see what your visitors are searching for on your blog. By Bennett McElwee.
    SimplePie Core 1.1.1

    Does little else but load the core SimplePie API library for any extension that wants to utilize it. Go to Options?SimplePie Core for more details. By Ryan Parman and Geoffrey Sneddon.
    SimplePie Plugin for WordPress 2.2.1

    A fast and easy way to add RSS and Atom feeds to your WordPress blog. Go to Settings?SimplePie for WP to adjust default settings. By Ryan Parman.
    Smart 404 0.3

    Rescue your viewers from site errors! When content cannot be found, Smart 404 will use the current URL to attempt to find matching content, and redirect to it automatically. Smart 404 also supplies template tags which provide a list of suggestions, for use on a 404.php template page if matching content can’t be immediately discovered. By Michael Tyson.
    User Photo 0.9.4

    Allows users to associate photos with their accounts by accessing their “Your Profile” page. Uploaded images are resized to fit the dimensions specified on the options page; a thumbnail image is also generated. New template tags introduced are: userphoto_the_author_photo, userphoto_the_author_thumbnail, userphoto_comment_author_photo, and userphoto_comment_author_thumbnail. Uploaded images may be moderated by administrators. This plugin is developed at Shepherd Interactive for the benefit of the community. By Weston Ruter.
    WP-Cumulus 1.19

    Flash based Tag Cloud for WordPress By Roy Tanck.
    There is a new version of WP-Cumulus available. View version 1.20 Details or upgrade automatically.
    WP-EMail 2.40

    Allows people to recommand/send your WordPress blog’s post/page to a friend. By Lester 'GaMerZ' Chan.
    WP-o-Matic 1.0RC4-6

    Enables administrators to create posts automatically from RSS/Atom feeds. By Guillermo Rauch.
    Yet Another Related Posts Plugin 2.1.6

    Returns a list of the related entries based on a unique algorithm using titles, post bodies, tags, and categories. Now with RSS feed support! By mitcho (Michael Yoshitaka Erlewine).


    suggest anyone using similar config/plugins be on the lookout for similar attacks.

    please post here if you suspect or discover anything similar. i will post further details once i have completed furter scans and penetration testing.

  2. tdjcbe
    Posted 15 years ago #

    please post here if you suspect or discover anything similar.

    No, please don't as you;ve just told everyone how our sites can be hacked. Please follow procedure:

    Please see the bit about security.

    And please turn off the CAPS LOCK.

    Adding modlook so that this can be removed.

    edit: Thank you though for taking the time to research this and look into what happened to your site. That's a plus.

  3. overclockwork
    Posted 15 years ago #

    thanks for the infos, great catch, keep the infos posted, hq is sleeping in.

    @tdjcbe: so that's how YOU solve problems - silencing those that report them, criticizing the way they report them. what kind of an irritating troll are you, ridiculing them by giving them a plus, bugger off.
    post lauras ip so i can add it to my blacklist.

  4. overclockwork
    Posted 15 years ago #

    i installed wpmu 2.7 i had just downloaded before on a local server and then took some time off to dowmload and install every single plugin in your list. i am checking all the scripts in the plugins.
    list every theme you have installed, as themes often have backdoors implemented.

  5. rcain
    Posted 15 years ago #

    hi overclockwork

    thanks for the support.

    i'll pop over and give you the ip. should have some more details of scanning by tomorrow.

    @tdjcbe: perhaps you would prefer not to know, then u can be the ONLY one to have their site hacked. presumably by the same reasoning, or lack of it, you would prefer not to know if there is a bomb in your house. good luck with that. CAPS were there for a reason - to draw you attention to it - because its IMPORTANT. i have said nothing about 'how' they did it, just a possibility that is well known, and in this case at least someone out there right now has been successful. you have been warned.

  6. rcain
    Posted 15 years ago #

    ps. the theme i have installed is a modded Cutline 3-Column Split 1.1 by Chris Pearson - pretty safe in itself i would have thought, used it many times before.

  7. donncha
    Key Master
    Posted 15 years ago #

    rcain, overclockwork - tdjcbe is correct. The first thing you should have done is contact security at He's not trolling.

    Unfortunately the report is vague enough that it's impossible to tell where the hacker got in. Was it through one of those plugins, a vulnerability in 2.7 or was it through an earlier version of MU (I presume it's not the latter as rcain says it's a dev server)

    Regardless, thanks for reporting it rcain.

  8. rcain
    Posted 15 years ago #

    hi doncha
    thanks for the reply. i shall know in future. perhaps a notice on at the head of security section of forum would make this clearer.

    my report is as 'unvague' as i can make it at this stage i'm afraid - i clearly state it is MPU 2.7 (not earlier).

    i thought it better to give a public warning than none at all, since this is current hacking activity, which tends to spread amongst the blackhat community once successful.

    @overclockworked - couldnt find where to post the offending ip on your site i'm afraid. for the record it was

    i now have relevent weblog entries and Donchas' exploit scanner output - they do seem to cast some further light on what happend. i will mail them to as you suggest.

    in the meantime i have blocked all entry to my dev site save for my pwn ip, though i can see already the hacker has made several further attempts.

    please be assured it was not my intention to spread alarm, merely awareness and caution.

    thanks again for the feedback.

  9. VentureMaker
    Posted 15 years ago #

    I would say that it was one of your plugins that created some vulnerability, not WPMU core.

    I noticed you have Role Manager and Role Scoper. Did you play with these?

  10. rcain
    Posted 15 years ago #

    hi venturemaker
    yep, good call, i agree these are likely candidates, and yes, i have modded them to work with wpmu - successfully, so i thought.

    my top suspects currently are:
    role-manager/scoper with/breaking:
    - optimal opml plugin - since its beta and uses iframe
    - wpmu xmlrpc.php since i understand its suffered from (similar) xss exploits historically.

    i'm disabling these two plugins just in case.
    theres also an wp xml rps xss header exploit test published (milworm i think) that i can carry out.

    i'll post any results either way here.

  11. rcain
    Posted 15 years ago #

    errata: above: should have added '...after consultation with forum (security) mods...' - of course. ;)

  12. donncha
    Key Master
    Posted 15 years ago #

    rcain - have you emailed security @ yet? I haven't seen an email yet and I'm wondering if I should start digging into Gmail's spam folder for it.

  13. VentureMaker
    Posted 15 years ago #

    Did you check your server logs? Is there anything suspicious?

  14. rcain
    Posted 15 years ago #

    doncha - email def went out to that address this end, no bounce. had txt file attachments - maybe caught your filters. will email you a test/resend now. (thanks for being there :))

    venturemaker - logs show the access and the registration, some possibly suspicious gets of non-existant files, though some are expected since my site in midst development. quite possible my plugins have broken/bypassed something that was fixed already in core - i have some suspicions.

    see what doncha thinks before i start guessing too wildly.

  15. easysleeper
    Posted 15 years ago #

    rcain, if you don't mind I would love to also get that email, I have a modded WPMU install and if this is something in the core I will need to research and fix it. I just recently got a new user from the domain, I banned that domain, but if this spreads I will be spending hours putting out fires, I'd rather just remove the fuel.

    you can send that email to me at if you don't mind.

    Thank you very much, and thanks for bringing this issue up.

  16. VentureMaker
    Posted 15 years ago #

    Yup, would be good to know what is going on with all this...
    rcain, care to share the second part of the story? :)

  17. donncha
    Key Master
    Posted 15 years ago #

    easysleeper, VentureMaker: I looked at his logs (not much there, his site is very quiet) and found nothing that rang alarm bells.

    Hardly any POST requests besides from his own IP, and the one POST to wp-signup.php not from that IP is only followed by a dozen or so GET requests that look perfectly normal to me.

    There are plenty of bots attacking his server, but they're nothing to worry about.

    I am very confident that if an attacker got into his site, it wasn't through WordPress MU. It may be as simple as a malfunctioning plugin from the list above. Unfortunately I don't have time to audit each one.

    (Sorry for not responding earlier!)

  18. VentureMaker
    Posted 15 years ago #

    Thanks :)

  19. rcain
    Posted 15 years ago #

    hi chaps

    apologies for the delay in my response - v.busy.

    very much as Doncha has already said above - thanks for that Doncha :)

    Having looked at all the log evidence and trawling through my codex i am pretty sure ive spotted the culprit, on this occassion:

    as Doncha has said, it doesnt appear to be anything to do with either
    a) wp/wpmu core, or
    b) any of the major pulgins and templates I listed above.

    (though some opf my plugins are still on the 'remote' suspect list, until i hammer them some more.)

    so we can all breath a small (qualified) sigh of relief. :)

    the actual ingress vector i am pretty sure came in the form of a small news scroller script i integrated without due care and attention.

    the script in question takes ascii parameters from browser javascript and send it to php/ajax app where it got used UNSANITIZED in subsequent php string ops and echo back. classic xss no-no!

    importantly, this has raised this issue of 'secure/sanitized data-streams in wp apps' and 'how to implement them properly'.

    this is a critical topic for ALL plugin and theme writers.

    Doncha has suggested this link here to the wp core api's responsible for this area - they must be duly observed -

    i am reassured that basic wp install makes a good job of security filtering, and that most 'established' plugins and themes are compliant with the policy/api's.

    however, this should be a warning to plugin writers and theme makers everywhere that it is ALL TOO EASY to circumvent/jeopardize all this good filtering technlogy.

    this site (below) i have found excelent for technical advice/recommendations on what to cover against & how -

    ..links to this, which also looks worthy -

    std php libraries also exist to assist, eg - and others.

    i am assured nothing exists in the above mentioned set of techniques that isn't already implented one way or another by core wp apis.

    however, this stresses how we must be forever diligent in proper usage, test, inspection and ongoing vigilance. let my experience be a warning to others.

    thanks for the supporting the thread everyone. hope your code all checks out ok also.

    sleep soundly :)


  20. andrea_r
    Posted 15 years ago #

    Thanks for coming back with a detail report. :)

About this Topic